
Virtual System in Bridge Mode

Core Network Security

Many enterprise environments are built around a core network. Deployed adjacent to the core network backbone switches, VSX protects the internal network by enforcing security at layer 2, layer 3, or both, and communicates with the core network over the existing infrastructure. With Virtual Systems in Bridge Mode, VSX can protect each departmental network without requiring the network to be re-segmented. In this deployment, switches sit at the entrance to each department's network.

Figure legend (the diagram itself is not reproduced here):

Item  Description
1     Internet
2     Core Network Backbone switch
3     VSX Cluster
4     Router
5     VLAN
6     Member 1
7     Member 2
8     LAN Switches
9     Sales
10    Finance

Connection types shown: Sync Network, Physical Interface, VLAN Trunk


VSX provides connectivity between the core network and the Internet or other external networks, while enforcing perimeter security. Security can be configured on a per-VLAN basis.

Three Layer Hierarchical Model

A three-layer hierarchical model is used in large, high-traffic network environments.

  1. A core network, with high-speed backbone switches that direct traffic to and from the Internet and other external networks.
  2. A distribution layer, with routers, for connectivity between the core and the access layer.
  3. An access layer, with redundant LAN switches, that forwards traffic to and from internal networks.

VSX in Active/Standby Bridge Mode is incorporated in the distribution layer, enforcing the security policy.

The routers direct external traffic to the appropriate Virtual System through a segregated VLAN. Inspected traffic exits the Virtual System through a separate segregated VLAN, to the routers and then to internal destinations.

Configuring Virtual Systems for Active/Standby Bridge Mode

To configure a Virtual System in Bridge Mode, define it as such when you first create the Virtual System object.

To configure a Virtual System for the Active/Standby Bridge Mode:

  1. In the Virtual System General Properties page of the new Virtual System object, select Bridge Mode.
  2. Click Next.

    The Virtual System Network Configuration window opens.

  3. Configure the external and internal interfaces for the Virtual System.
  4. Optional: Select Enable Layer-3 Bridge Interface Monitoring.

    The IP address must be unique and on the same subnet as the protected network.

  5. Click Next.
  6. Click Finish.

Enabling Active/Standby Bridge Mode for a New VSX Cluster Member

  1. In the Gaia First Time Configuration Wizard Products page, select ClusterXL.
  2. After the First Time Configuration Wizard is complete, from the VSX Gateway CLI, run: cpconfig
    • If you enabled the Per Virtual System State feature (required for VSLS), the Active/Standby Bridge Mode is enabled automatically.
    • If you chose not to enable the Virtual System Load Sharing, an option to enable Active/Standby Bridge Mode appears.

      Enter y and continue with the gateway configuration.

Enabling Active/Standby Bridge Mode for Existing Cluster Members

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to the Expert mode.
  3. Run: cpconfig
  4. Select Enable ClusterXL for Bridge Active/Standby.
  5. Reboot each VSX Cluster Member.

Enabling Active/Active Bridge Mode for Existing VSX Cluster Members

  1. Connect to the command line on each VSX Cluster Member.
  2. Log in to the Expert mode.
  3. Run: cpconfig
  4. Select Enable ClusterXL membership for this member.
  5. Select Disable ClusterXL for Bridge Active/Standby.
  6. Reboot each VSX Cluster Member.

Custom Configuration or Override in Bridge Mode

If you used the Custom Configuration template to create the VSX Gateway, or if you selected the Override Creation Template option for a Virtual System in Bridge Mode, then manually define the network interfaces.

Interfaces: To configure the external and internal interfaces, define the interfaces and their links to devices in the Interfaces table. You can add, change, and remove interfaces. To add an interface, click Add. The Interface Properties window opens. Select an interface from the list and define its properties.

VLAN Shared Interface Deployment

In this deployment, each member connects to a pair of redundant switches through a VLAN Trunk. All Virtual Systems on a given VSX Cluster Member share the same VLAN Trunk.

Figure legend (the diagram itself is not reproduced here):

Item  Description
1     Internet
2     Redundant switches (external)
3     VSX Cluster
4     VSX Cluster Member 1
5     VSX Cluster Member 2
6     Virtual Systems in Bridge Mode
7     Virtual System 1 is Active
8     Virtual System 2 is Standby
9     Virtual System 3 is Backup
10    Redundant switches (internal)
11    VLAN Switch
12    Internal Networks

Connection types shown: Sync Network, Physical Interface, VLAN Trunk


With Active/Standby Bridge Mode in High Availability mode, the VSX Cluster directs traffic to VSX Cluster Members according to administrator-defined priorities and member status.

In Virtual System Load Sharing deployments, the system distributes the traffic load amongst VSX Cluster Members according to the Virtual System Load Sharing configuration.

VSX Clusters

A VSX Cluster has two or more identical, interconnected VSX Gateways for continuous data synchronization and transparent failover. Virtual System Load Sharing (VSLS) enhances throughput by distributing Virtual Systems, with their traffic load, among multiple, redundant machines.

Configuring Clusters for Active/Standby Bridge Mode

To enable the Active/Standby Bridge Mode for a cluster:

  1. Connect with SmartConsole to the Security Management Server or Main Domain Management Server used to manage the VSX Cluster.
  2. From the Gateways & Servers view or Object Explorer, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. From the left tree, click Other > VSX Bridge Configuration.
  4. Select Check Point ClusterXL.

    The Active/Standby Bridge Mode loop detection algorithms in ClusterXL are enabled.

  5. Click OK.
  6. Install the VSX Policy (<Name of VSX Cluster Object>_VSX) on the VSX Cluster object.

Configuring Clusters for Active/Active Bridge Mode

To enable the Active/Active Bridge mode for a cluster:

  1. Connect with SmartConsole to the Security Management Server or Main Domain Management Server used to manage the VSX Cluster.
  2. From the Gateways & Servers view or Object Explorer, double-click the VSX Cluster object.

    The VSX Cluster Properties window opens.

  3. From the left tree, click Other > VSX Bridge Configuration.
  4. Select Standard Layer-2 Loop Detection Protocols.
  5. Click OK.
  6. Install the VSX Policy (<Name of VSX Cluster Object>_VSX) on the VSX Cluster object.

Separate Interfaces in Bridge Mode

The Virtual System Network Configuration page for the Separate Interfaces template in the Bridge Mode opens.

To configure the external and internal interfaces:

  1. Select the desired interfaces for the internal and external networks from the appropriate list.

    If the selected Interface is a VLAN interface, enter the same VLAN tag in both the external and internal VLAN Tag fields. This field is not available for non-VLAN interfaces.

  2. Define the topology for the internal interface:
    • Select Not Defined if you do not wish to define an IP address.
    • Select Specific and then select an IP address definition from the list. IP address definitions can be based on object groups or predefined networks that define the topology.
  3. To create a new IP address definition:
    1. Select Specific, and click New.
    2. Select Group to define an object group, or Network to define network properties.
  4. Enable Layer-3 bridge interface monitoring to enable Layer 3 network fault detection for this Virtual System.

    Enter an IP address and subnet mask. The Virtual System continuously monitors the specified network for faults or connectivity issues. The IP address and subnet mask define the network on which the Virtual System resides.

  5. Complete the definition process.

Virtual System Load Sharing (VSLS)

VSX Clusters can efficiently balance network traffic load by distributing active Virtual Systems amongst VSX Cluster Members. This capability is known as Virtual System Load Sharing (VSLS).

In a deployment with three VSX Cluster Members, each hosting three Virtual Systems, an equalized Load Sharing deployment might have one Active Virtual System on each VSX Cluster Member.

Figure legend (the diagram itself is not reproduced here):

Item  Description
1     VSX Cluster Member 1
2     VSX Cluster Member 2
3     VSX Cluster Member 3
4     Virtual System 1 is Active
5     Virtual System 2 is Standby
6     Virtual System 3 is Backup
7     Virtual System 1 is Standby
8     Virtual System 2 is Backup
9     Virtual System 3 is Active
10    Virtual System 1 is Backup
11    Virtual System 2 is Active
12    Virtual System 3 is Standby

Connection type shown: Sync Network


A different member hosts the active peer for each Virtual System. This distribution spreads the load equally amongst the VSX Cluster Members. When you create a Virtual System, VSX automatically assigns Standby and Backup states to the appropriate peers and distributes them among the other VSX Cluster Members.

In the event that a VSX Cluster Member fails, VSLS directs traffic destined to affected Virtual Systems to their fully synchronized Standby peers, which then become Active. At the same time, a Backup Virtual System switches to Standby, and synchronizes with the newly Active Virtual System.

In the event that an individual active Virtual System fails, it immediately fails over to its Standby peer and one of its Backup peers becomes the Standby, synchronizing with the newly Active peer.
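The distribution and failover behaviour described above, modelled in Python as an added example (this is not Check Point code): `distribute` reproduces the placement in the figure under the assumption that each Virtual System's Standby and Backup peers sit on the next members in rotation, and `fail_member` and `fail_virtual_system` apply the promotion rules from the two preceding paragraphs. It also covers a two-member cluster, which the page does not show, by assigning only Active and Standby peers.

```python
# Added example, not Check Point code: a model of the VSLS distribution and
# failover behaviour described above. The placement rule (Active peer on one
# member, Standby on the next, Backup on the one after) is an assumption that
# reproduces the three-member figure; the real scheduler may place differently.
from collections import Counter
ACTIVE, STANDBY, BACKUP = "Active", "Standby", "Backup"

def distribute(members, virtual_systems):
    """Return {vs: {member: state}} with one Active Virtual System per member."""
    n = len(members)
    layout = {}
    for i, vs in enumerate(virtual_systems):
        base = (-i) % n  # rotate the Active peer so the load is spread out
        layout[vs] = {members[(base + k) % n]: state
                      for k, state in enumerate((ACTIVE, STANDBY, BACKUP)[:n])}
    return layout

def _lose_peer(roles, member):
    """One Virtual System loses its peer on `member`; promote the others."""
    lost = roles.pop(member, None)
    if lost == ACTIVE:  # the fully synchronized Standby peer becomes Active ...
        standby = next((m for m, s in roles.items() if s == STANDBY), None)
        if standby is not None:
            roles[standby] = ACTIVE
    if lost in (ACTIVE, STANDBY):  # ... and a Backup moves up to Standby
        backup = next((m for m, s in roles.items() if s == BACKUP), None)
        if backup is not None:
            roles[backup] = STANDBY
    return roles

def fail_member(layout, member):
    """A whole VSX Cluster Member fails: every VS it hosted is promoted."""
    for roles in layout.values():
        _lose_peer(roles, member)
    return layout

def fail_virtual_system(layout, vs):
    """A single Active Virtual System fails over to its Standby peer."""
    active = next(m for m, s in layout[vs].items() if s == ACTIVE)
    return _lose_peer(layout[vs], active)

def active_counts(layout):
    """How many Active Virtual Systems each member carries (the load split)."""
    return dict(Counter(m for r in layout.values()
                        for m, s in r.items() if s == ACTIVE))

def is_consistent(layout):
    """Every VS needs exactly one Active peer and at most one Standby peer."""
    return all(list(r.values()).count(ACTIVE) == 1 and
               list(r.values()).count(STANDBY) <= 1 for r in layout.values())
```

After `fail_member(layout, "Member 1")` the load is no longer equal (two Active peers on Member 2, one on Member 3), which is the state an administrator sees until the failed member returns.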

Converting from High Availability to VSLS

To convert an existing VSX Cluster from High Availability to VSLS:

  1. Close all SmartConsole windows.
  2. On each VSX Cluster Member:
    1. Run:

      cpconfig

    2. Enable the Per Virtual System State.
    3. Enable ClusterXL for Bridge Active/Standby.
    4. Restart the Check Point services:

      cpstop ; cpstart

  3. On the Management Server:
    1. Connect to the command line.
    2. Log in to the Expert mode.
    3. Run:

      vsx_util convert_cluster

    4. Enter the IP address of the Security Management Server or Domain Management Server.
    5. Enter the Management Server administrator user name and password.
    6. Select the VSX Cluster.
    7. Enter:

      LS

    8. At the Proceed with conversion? prompt, enter: y
    9. Select an option to distribute Virtual Systems among VSX Cluster Members:
      • Distribute all Virtual Systems equally.
      • Set all Virtual Systems as Active on the same VSX Cluster Member.
  4. Reboot each VSX Cluster Member.
  5. On each VSX Cluster Member:
    1. Connect to the command line.
    2. Examine the VSX configuration:

      vsx state -v

    3. Examine the VSX Cluster state and configuration:

      cphaprob state

Note - You cannot convert a VSX Cluster to the VSLS mode, if it contains Virtual Systems in the Active/Active Bridge mode or Virtual Routers.