Configuring VSX

In This Section: Rules & Security Policies Creating VSX Gateways Working with VSX Gateways Working with Virtual Systems Working with Virtual Switches Working with Virtual Routers CoreXL for Virtual Systems Dynamic Routing for Virtual Devices Adding a New Interface Changing an Interface Deleting an Interface Working with Authentication Tracking Activity with SmartView Monitor Working with Network Address Translation Using Application Control and URL Filtering with VSX Using Anti-Bot and Anti-Virus with VSX Using Threat Emulation with Security Gateways and VSX Gateways Licensing VSX

This chapter shows you how to use SmartDashboard to provision, configure and manage Virtual Devices in a VSX environment.

If you define or configure VSX objects in a Multi-Domain Security Management deployment: open the SmartDashboard of the Domain Management Server that manages the Virtual Devices. The Multi-Domain Security Management chapter explains these procedures.

To configure Virtual Devices, make sure that these preparations are ready:

• The management servers (Security Management Server or Multi-Domain Server) are configured and running.
• The GUI clients (SmartDashboard or SmartDomain Manager) are installed on the appropriate computers.

This chapter assumes that you are familiar with SmartDashboard and how to configure standard Security Gateway objects and security policies. Many Virtual Device and policy operations are the same as physical Security Gateways and these standard procedures are not in this Administration Guide.

Rules & Security Policies

You use the same procedures to define and install security policies on a VSX gateway or Virtual System as for a physical Security Gateway. This statement also applies to the use of IPv6 in security policies. These procedures are not included in this Administration Guide.

Important - The Revision Control feature is not supported when the Security Management Server database contains VSX objects. You must not select the Create database version option in SmartDashboard when you install a policy.

Creating VSX Gateways

Creating a New VSX Gateway

This section explains how to create a new VSX Gateway using the VSX Gateway Wizard. After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from SmartDashboard. For example, you can add or delete interfaces, or configure existing interfaces to support VLANs.

To start the VSX Gateway wizard:

1. Open SmartDashboard.

   If you are using Multi-Domain Security Management, open SmartDashboard from the Domain Management Server of the VSX Gateway.

2. From the Network Objects tree, right-click Check Point and select VSX > Gateway.

   The General Properties page of the VSX Gateway Wizard opens.

Wizard Step 1: Defining VSX Gateway General Properties

Configure these parameters on the General Properties page:

• VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or special characters except the underscore.
• VSX Gateway IPv4 Address: Management interface IPv4 address.
• VSX Gateway IPv6 Address: Management interface IPv6 address.
• VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.

Wizard Step 2: Selecting Virtual Systems Creation Templates

The Creation Templates page lets you provision predefined, default topology and routing definitions to Virtual Systems. This makes sure Virtual Systems are consistent and makes the definition process faster. You always have the option to override the default creation template when you create or change a Virtual System.

The default Creation Templates are:

• Shared Interface: Virtual Systems share one external interface, but maintain separate internal interfaces.
• Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.

If the default templates are not appropriate, you can create a custom configuration:

• Custom Configuration: Define Virtual System, Virtual Router, Virtual Switch, and Interface configurations.

Wizard Step 3: Establishing SIC Trust

Initialize SIC trust between the VSX Gateway and the management server. The gateway and server cannot communicate without Trust.

Initializing SIC Trust

When you create a VSX Gateway, you must enter an Activation Key. Enter and confirm the activation key and then click Initialize. If you enter the correct activation key, the Trust State changes to Trust established.

Troubleshooting SIC Trust Initialization Problems

If SIC trust was not successfully established, click Check SIC Status to see the reason for the failure. The most common issues are an incorrect activation key and connectivity problems between the management server and the VSX Gateway.

Troubleshooting to resolve SIC initialization problems:

• Re-enter and re-confirm the activation key.
• Verify that the IP address defined in General Properties is correct.
• Ping the management server to verify connectivity. Resolve connectivity issues.
• From the VSX Gateway command line, use the cpconfig utility to re-initialize SIC. After this process completes, click Reset in the wizard and then re-enter the activation key.

For more about resolving SIC initialization, see the R77 Security Management Administration Guide.

Wizard Step 4: Defining Physical Interfaces

In the VSX Gateway Interfaces window, define physical interfaces as VLAN trunks. The window shows the interfaces currently defined on the VSX Gateway.

To define an interface as a VLAN trunk, select VLAN Trunk for the interface.

Wizard Step 5: Virtual Network Device Configuration

If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens. In this window, define a Virtual Device with an interface shared with the VSX Gateway. If you do not want to define a Virtual Device at this time, click Next to continue.

To define a Virtual Device with a shared interface:

1. Select Create a Virtual Device.
2. Select the Virtual Network Device type (Virtual Router or Virtual Switch).
3. Select the shared physical interface to define a non-DMI gateway.

   Do not select the management interface if you want to define a Dedicated Management Interface (DMI) gateway. If you do not define a shared Virtual Device, a DMI gateway is created by default.

   Important - This setting cannot be changed after you complete the VSX Gateway Wizard. If you define a non-DMI gateway, you cannot change it to a DMI gateway later.

4. Define the IP address and Net Mask for a Virtual Router.

   These options are not available for a Virtual Switch.

5. Optional: Define a Default Gateway for a Virtual Router (DMI only).

Wizard Step 6: VSX Gateway Management

In the VSX Gateway Management window, define security policy rules that protect the VSX Gateway. This policy is installed automatically on the new VSX Gateway.

Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other Virtual Devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules for these services:

• UDP - SNMP requests
• TCP - SSH traffic
• ICMP - Echo-request (ping)
• TCP - HTTPS traffic

Completing the VSX Wizard

Click Next to continue and then click Finish to complete the VSX Gateway wizard.

This may take several minutes to complete. A message shows successful or unsuccessful completion of the process.

If the process ends unsuccessfully, click View Report to see the error messages. See the Troubleshooting chapter.

Configuring the Gateway Security Policy

1. Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By default, all services are blocked.

   For example, to be able to ping the gateway from the management server, allow ICMP echo-request traffic.

2. Source: Click the arrow and select a Source Object from the list.

   The default value is *Any. Click New Source Object to define a new source.