Working with VSX Gateways

A VSX gateway is a physical machine that serves as a container for Virtual Systems and other virtual network components. This section has step-by-step procedures for creating and configuring standalone VSX gateways.

Included Topics

Changing VSX Gateway Definitions

Deleting a VSX Gateway

Backing up and Restoring VSX Gateway

Changing VSX Gateway Definitions

After you create a VSX Gateway, you can modify the topology, other parameters, and advanced configurations in the VSX Gateway Properties window. To open this window, double-click on the VSX Gateway object in SmartDashboard. The VSX Gateway Properties window opens, showing the General Properties page.

VSX Gateway - General Properties

In the General Properties page, check and re-establish SIC trust, and activate Check Point products for this VSX Gateway.

You can change these properties:

Secure Internal Communication (SIC)

You can test and reset SIC trust and also see the VSX Gateway Relative Distinguished Name.

To initialize SIC trust:

  1. Open SmartDashboard.
  2. From the Network Objects tree, right-click the VSX Gateway and select Edit.

    The VSX Gateway Properties window opens.

  3. Click Communication.

    The Trusted Communication window opens.

  4. Enter and confirm the SIC authentication password.
  5. Click Initialize.

Note - If you cannot establish trust, click Test SIC Status to see the reason for the failure. The most common issues are an incorrect activation key and connectivity problems between the management server and the VSX Gateway.

To reset SIC trust with the VSX Gateway:

  1. From the VSX Gateway CLI, use the cpconfig utility to re-initialize the SIC.
  2. In the Communication window, click Reset.
  3. Click Yes in the confirmation window.
  4. Enter and confirm the SIC authentication password.
  5. Click Initialize.
  6. Install policy to VS0 only.
  7. On each member, run: cpstop;cpstart

Check Point Software Blades

Select the Check Point Software Blades to install on this VSX Gateway from the list. The items you see are available for the product version and your license agreement.

VSX Gateway - Creation Templates

The Creation Templates page displays the creation template used to create the Virtual Systems for this VSX Gateway. You can change from the current creation template to the Custom Configuration template and change the shared physical interface if the Shared Interface template is active.

VSX Gateway - Physical Interfaces

The Physical Interfaces page lets you add or delete a physical interface on the VSX Gateway, and define a VLAN trunk.

VSX Gateway - Topology

The Topology page contains definitions for interfaces and routes between interfaces and Virtual Devices.

Interfaces

The Interfaces section defines interfaces and links to devices. You can add new interfaces, and delete or modify existing interfaces.

To add an interface:

  1. Click New and select one of these options:
    • Regular - Create a new interface
    • Leads to Virtual Router
    • Leads to Virtual Switch

    The Interface Properties window opens.

    Click Actions > Copy to Clipboard to copy the Interfaces table in CSV format.

  2. Define the appropriate properties.
  3. Click OK.

Routes

The Routes section of the Topology window defines routes between network devices, network addresses, and Virtual Devices. Some routes are defined automatically based on the interface definitions. You can add, change, and delete routes.

To add a default route to the routing table:

  1. Click Add Default Route.

    The Default Gateway window opens.

  2. Enter the default route IP address or select the default Virtual Router.
  3. Click OK.

    The default route is added to the routing table.

  4. Select the default route and click Edit.

    The Route Configuration window opens.

  5. Configure the settings for the default route and click OK.

To add a new route to the routing table:

  1. Click Add.

    The Route Configuration window opens.

  2. Configure the Destination IP address and netmask.
  3. Configure the next hop IP address or Virtual Router.
  4. Optional: Select Propagate route to adjacent Virtual Devices to "advertise" the route to neighboring Virtual Devices, and enable connectivity between them.
  5. Click OK.

To change a route:

  1. Select the route.
  2. Click Edit.

    The Route Configuration window opens.

  3. Change the settings.
  4. Click OK.

To delete a route:

  1. Select the route.
  2. Click Remove.

    A confirmation window opens.

  3. Click OK.

Topology Calculation

Select the Calculating topology automatically based on routing information option to let VSX automatically calculate the network topology based on interface and routing definitions. When enabled, VSX creates automatic links, or connectivity cloud objects linked to existing internal or external networks.

Note - If you wish to enable Anti-Spoofing protection when there are no routes pointing to internal networks, disable the Calculating topology automatically based on routing information option. Modify the appropriate interface definitions to enable Anti-Spoofing.
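The dependency described in the note above, shown as an added example (not Check Point code, and not the algorithm VSX uses): a simplified model in which the valid source networks behind each interface are derived only from its connected network and the routes whose next hop lies on it. The interface names, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data: eth0 faces the Internet, eth1 faces the internal side.
IFACES = {"eth0": "203.0.113.0/24", "eth1": "10.1.0.0/24"}
DEFAULT_ONLY = [("0.0.0.0/0", "203.0.113.254")]
WITH_INTERNAL = DEFAULT_ONLY + [("10.2.0.0/16", "10.1.0.254")]

def derive_topology(interfaces, routes):
    """Return ({iface: [networks behind it]}, {ifaces leading to external}).

    Assumption of this model: a route's destination is placed behind the
    interface whose connected network contains the route's next hop.
    """
    topo = {n: [ipaddress.ip_network(net)] for n, net in interfaces.items()}
    external = set()
    for dest, hop in routes:
        dest_net = ipaddress.ip_network(dest)
        hop_ip = ipaddress.ip_address(hop)
        for name, nets in topo.items():
            if hop_ip in nets[0]:
                if dest_net.prefixlen == 0:
                    external.add(name)      # default route: external side
                else:
                    nets.append(dest_net)   # network reachable behind iface
                break
    return topo, external

def is_spoofed(topo, external, in_iface, src):
    """Anti-spoofing decision for a packet with source `src` on `in_iface`."""
    src_ip = ipaddress.ip_address(src)
    behind = {n: any(src_ip in net for net in nets) for n, nets in topo.items()}
    if in_iface in external:
        # External side: reject sources that belong behind an internal interface.
        return any(hit for n, hit in behind.items() if n not in external)
    # Internal side: the source must belong to this interface's own networks.
    return not behind[in_iface]

def compare(src="10.2.5.5"):
    """Decisions for one internal host, without and with a route to its network."""
    out = {}
    for label, routes in (("default_only", DEFAULT_ONLY),
                          ("with_internal", WITH_INTERNAL)):
        topo, ext = derive_topology(IFACES, routes)
        out[label] = {i: is_spoofed(topo, ext, i, src) for i in IFACES}
    return out

if __name__ == "__main__":
    print(compare())
```

With only the default route, the model drops legitimate traffic from 10.2.5.5 on eth1 and accepts the same source address on eth0; adding the route to 10.2.0.0/16 reverses both decisions. Without such routes, the interface definitions have to carry the internal networks explicitly.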

Deleting a VSX Gateway

When you delete a VSX Gateway object, the system automatically deletes all Virtual Systems and other Virtual Devices associated with that gateway from the management database.

To delete a VSX Gateway:

  1. From the Network Objects tree, right-click the VSX Gateway object and select Delete.
  2. Click Yes in the confirmation box.

Backing up and Restoring VSX Gateway

In the event of a catastrophic VSX Gateway failure, you can restore the VSX Gateway configuration and its Virtual Device configuration.

For a VSX Gateway that runs on SecurePlatform OS:

  1. Install the gateway again.
  2. Configure the IP address, net mask, and default gateway.
  3. Make sure all management interfaces have the same IP addresses as before.
  4. Connect to the command line on the Security Management Server or Domain Management Server that manages this VSX Gateway.
  5. Log in to Expert mode.
  6. Run:

    vsx_util reconfigure

    See the description of this command.

  7. Follow the instructions on the screen.

For a VSX Gateway that runs on Gaia OS:

Follow the instructions in sk100395: How to backup and restore VSX gateway.