Configuring VSX Gateways

Important:

Virtual Routers are not supported (Known Limitations 01413513).
Virtual Switches are supported only from R80.20SP Jumbo Hotfix Accumulator Take 178 (Known Limitation MBS-5214).

Creating a New VSX Gateway

This section explains how to create a new VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. using the VSX Gateway Wizard. After you complete the VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateway Wizard, you can change the VSX Gateway definition from SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.. For example, you can add or delete interfaces, or configure existing interfaces to support VLANs.

To start the VSX Gateway wizard:

Connect with SmartConsole to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Main Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. used to manage the VSX Gateway.
From the left navigation panel, click Gateways & Servers.
At the top, click New> VSX> Gateway.

The General Properties page of the VSX Gateway Wizard opens.

Wizard Step 1: Defining VSX Gateway General Properties

Configure these parameters on the General Properties page:

VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or special characters except the underscore.
VSX Gateway Addresses: Management interface addresses.

Note: If you define an IPv6 IP address you must also define an IPv4 address.
VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.

Wizard Step 2: Selecting Virtual Systems Creation Templates

The Creation Templates page lets you configure predefined, default topology and routing definitions for Virtual Systems. This makes sure that Virtual Systems are consistent and makes the definition process faster. You always have the option to override the default creation template when you create or change a Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS..

The Creation Templates are:

Shared Interface- Not supported for the Security Group A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..
Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface Separate physical interface on VSX Gateway or VSX Cluster Members, through which Check Point Security Management Server or Multi-Domain Server connects directly to VSX Gateway or VSX Cluster Members. DMI is restricted to management traffic, such as provisioning, logging and monitoring. Acronym: DMI. (DMI) by default.
Custom Configuration: Define Virtual System, Virtual Switch Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical switch. Acronym: VSW., and Interface configurations.

For this example, choose Custom configuration.

Wizard Step 3: Establishing SIC Trust

Initialize SIC Secure Internal Communication. The Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL, for secure communication. This authentication is based on the certificates issued by the ICA on a Check Point Management Server. trust between the VSX Gateway and the Management Server. They cannot communicate without Trust.

Initializing SIC Trust

When you create a VSX Gateway, you must enter the Activation Key that you defined in the installation wizard setup program. Enter and confirm the activation key and then click Initialize. If you enter the correct activation key, the Trust State changes to Trust established.

Troubleshooting SIC Trust Initialization Problems

If SIC trust was not successfully established, click Check SIC Status to see the reason for the failure. The most common issues are an incorrect activation key and connectivity problems between the management server and the VSX Gateway.

Troubleshooting to resolve SIC initialization problems:

Re-enter and re-confirm the activation key.
Verify that the IP address defined in General Properties is correct.
Ping the management server to verify connectivity. Resolve connectivity issues.
From the VSX Gateway command line, use the cpconfigutility to re-initialize SIC. After this process completes, click Reset in the wizard and then re-enter the activation key.

For more about resolving SIC initialization, see the R80.20 Security Management Administration Guide.

Troubleshooting SIC Reset in Security Groups

Resetting SIC takes 3-5 minutes.

If resetting of the SIC was interrupted (for example, by loss of network connectivity), run the g_all cp_conf sic state command to get the SIC state and follow these steps:

SIC state	Do this
`Trust established`	Repeat the SIC reset procedure.
`Initialized, but Trust was not established`	Reboot all Security Group Members. In SmartConsole, open the Security Group object. Go to General Properties page >Communication. Initialize SIC. Install the policy.

SIC Cleanup in Security Groups

To resolve other SIC issues, do a SIC cleanup in the Expert mode:

asg_blade_config reset_sic -reboot_all <activation_key>

Wizard Step 4: Defining Physical Interfaces

In the VSX Gateway Interfaces window, define physical interfaces as VLAN trunks. The window shows the interfaces currently defined on the VSX Gateway.

To define an interface as a VLAN trunk, select VLAN Trunk for the interface.

Virtual Network Device Configuration

Note - If you chose Shared Interface or Separate Interface, proceed to Wizard Step 5: VSX Gateway Management.

If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens. In this window, define a Virtual Device Logical object that emulates the functionality of a type of physical network object. Virtual Device can be on of these: Virtual Router, Virtual System, or Virtual Switch. with an interface shared with the VSX Gateway. If you do not want to define a Virtual Device at this time, click Next to continue.

To define a Virtual Device with a shared interface:

Select Create a Virtual Device.
Select the Virtual Network Device type (Virtual Router or Virtual Switch).
Select the shared physical interfaceto define a non-DMI gateway.

Do not select the management interface if it is necessary to define a Dedicated Management Interface (DMI) gateway. If you do not define a shared Virtual Device, a DMI gateway is created by default.

Important- This setting cannot be changed after you complete the VSX Gateway Wizard. If you define a non-DMI gateway, you cannot change it to a DMI gateway later.
Define the IP address and Net Mask for a Virtual Router Virtual Device on a VSX Gateway or VSX Cluster Member that functions as a physical router. Acronym: VR..

These options are not available for a Virtual Switch.
Optional: Define a DefaultGateway for a Virtual Router (DMI only).

Wizard Step 5: VSX Gateway Management

In the VSX Gateway Management window, define security policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. rules that protect the VSX Gateway. This policy is installed automatically on the new VSX Gateway.

Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other Virtual Devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules for these services:

UDP - SNMP requests
TCP - SSH traffic
ICMP - Echo-request (ping)
TCP - HTTPS traffic

To modify the Gateway Security Policy:

Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By default, all services are blocked.

For example, to be able to ping the gateway from the management server, allow ICMP echo-request traffic.
Source: Click the arrow and select a Source Object from the list.

The default value is *Any. Click New Source Object to define a new source.

You can modify the security policy rules that protect the VSX Gateway later.
Click Next.

Wizard Step 6: Completing the VSX Wizard

Click Next to continue and then click Finish to complete the VSX Gateway wizard.

This may take several minutes to complete. A message shows successful or unsuccessful completion of the process.

If the process ends unsuccessfully, click View Report to see the error messages. See Troubleshooting.

Configuring the Gateway Security Policy

Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By default, all services are blocked.

For example, to be able to ping the gateway from the Management Server, allow ICMP echo-request traffic.
Source: Click the arrow and select a Source Object from the list.

The default value is *Any. Click New Source Object to define a new source.

Configuring 64-Bit Virtual System Support

You can configure a Scalable Platform to run fwk as a 64-bit process. This lets VSX Virtual Systems use more than 4 GB of RAM, which significantly increases the concurrent connection capacity for each Virtual System.

Use the "vs_bits" command to configure fwkto run in the 64-bit or 32-bit mode. The system automatically reboots when you run the command.

Important - Run the "vs_bits" command only from a VS0 context.

Important - On Scalable Platforms, this configuration requires maintenance windows because a full reboot is required.

Syntax:

vs_bits [{-stat | 32 | 64}]

Parameter	Description
`stat`	Shows the current `fwk`mode
`32`	Run `fwk` in the 32 bit mode
`64`	Run `fwk` in the 64 bit mode

Examples:

This example changes the fwk mode to 64 bits:

vs_bits 64

This example shows the fwk modes:

vs_bits -stat

All VSs are at 64 bits

Known limitations:

This feature only works on a 64 bit operating system.
The VSX gateway will automatically run cpstop;cpstart.
To change to 64-bit mode in a cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., use the Connectivity Upgrade procedure.