Print Download PDF Send Feedback

Previous

Next

Example 1: VSX Gateway managed by Security Management Server

This example shows:

Related documentation:

Topology

Action Plan

  1. Install the Security Management Server.
  2. Install the VSX Gateway.
  3. Create the VSX Gateway object in SmartConsole.
  4. Configure the VSX Gateway object in SmartConsole.
  5. Create the first Virtual System object in SmartConsole.
  6. Configure the first Virtual System object in SmartConsole.
  7. Create the second Virtual System object in SmartConsole.
  8. Configure the second Virtual System object in SmartConsole.

Step 1: Install the Security Management Server

Step

Description

1

Install a Check Point appliance or Open Server.

2

Install Gaia OS.

3

Run the Gaia First Time Configuration Wizard.

These settings are specific to the Security Management Server:

  1. On the Management Connection page, select the applicable interface and configure the applicable IPv4 address.

    In our example: eth0, 10.20.30.1/24

  2. On the Installation Type page, select Security Gateway and/or Security Management.
  3. On the Products page, select Security Management.

4

Install the applicable licenses.

5

Configure the Security Management Server:

  1. Connect with SmartConsole to the Security Management Server.
  2. Configure the applicable Management Software Blades and settings:
  3. Publish the session.

Step 2: Install the VSX Gateway

Step

Description

1

Install a Check Point appliance or Open Server.

2

Install Gaia OS.

3

Run the Gaia First Time Configuration Wizard.

These settings are specific to the VSX Gateway:

  1. On the Management Connection page, select the interface for the DMI management connection and configure the applicable IPv4 address.

    In our example: eth0, 10.20.30.2/24

  2. On the Internet Connection page, do not configure IP addresses on physical interfaces, to which your Virtual Systems connect directly.
  3. On the Installation Type page, select Security Gateway and/or Security Management.
  4. On the Products page, select Security Gateway.
  5. On the Dynamically Assigned IP page, select No.

4

Make sure to enable the applicable physical interfaces:

To enable a physical interface in Gaia Portal

  1. Connect to the Gaia Portal in your web browser.

    In our example: https://10.20.30.2

  2. Click Network Management > Network Interfaces.
  3. In the upper left corner, click the lock icon to obtain the configuration lock.
  4. Select the applicable physical interface > click Edit.
  5. Select Enable.
  6. Click OK.

To enable a physical interface in Gaia Clish, run:

  1. set interface <Name of Physical Interface> state on
  2. save config

5

Install the applicable licenses.

Step 3: Create the VSX Gateway object in SmartConsole

See Configuring VSX Gateways.

Step

Description

1

At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Gateway.

2

On the VSX Gateway General Properties (Specify the object's basic settings) page:

  1. In the Enter the VSX Gateway Name field, enter the desired name for this object.

    In our example: MyVsxGw

  2. In the Enter the VSX Gateway IPv4 field, enter the same IPv4 address you configured during the First Time Configuration Wizard of the VSX Gateway on the Management Connection page.

    In our example: 10.20.30.1/24

  3. In the Enter the VSX Gateway IPv6 field, enter the same IPv6 address you configured during the First Time Configuration Wizard of the VSX Gateway on the Management Connection page.
  4. In the Select the VSX Gateway Version field, select the Check Point version.

    In our example: R80.20

  5. Click Next.

3

On the Virtual Systems Creation Templates (Select the Creation Template most suitable for your VSX deployment) page:

  1. Select the applicable template.
  2. Click Next.

4

On the VSX Gateway General Properties (Secure Internal Communication) page:

  1. In the Activation Key field, enter the same Activation Key you entered during the First Time Configuration Wizard of the VSX Gateway.
  2. In the Confirm Activation Key field, enter the same Activation Key again.
  3. Click Initialize.
  4. Click Next.

 

If the Trust State field does not show Trust established, perform these steps:

  1. Connect to the command line on the VSX Gateway.
  2. Make sure there is a physical connectivity between the VSX Gateway and the Management Server (for example, pings can pass).
  3. Run: cpconfig
  4. Enter the number of this option: Secure Internal Communication
  5. Follow the instructions on the screen to change the Activation Key.
  6. On the VSX Gateway General Properties page, click Reset.
  7. Enter the same Activation Key you entered in the cpconfig menu.
  8. Click Initialize.

5

On the VSX Gateway Interfaces (Physical Interfaces Usage) page:

  1. Examine the list of the interfaces - it must show all the physical interfaces on the VSX Gateway.
  2. If you plan to connect more than one Virtual System directly to same physical interface, you must select VLAN Trunk for that physical interface.
  3. Click Next.

6

On the Virtual Network Device Configuration (Specify the object's basic settings) page:

  1. You can select Create a Virtual Network Device and configure the first desired Virtual Network Device at this time (we recommend to do this later) - Virtual Switch or Virtual Router.
  2. Click Next.

7

On the VSX Gateway Management (Specify the management access rules) page:

  1. Examine the default access rules.
  2. Select the applicable default access rules.
  3. Configure the applicable source objects, if needed.
  4. Click Next.

Important - These access rules apply only to the VSX Gateway (context of VS0), which is not intended to pass any "production" traffic.

8

On the VSX Gateway Creation Finalization page:

  1. Click Finish and wait for the operation to finish.
  2. Click View Report for more information.
  3. Click Close.

9

Examine the VSX configuration:

  1. Connect to the command line on the VSX Gateway.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 4: Configure the VSX Gateway object in SmartConsole

See Working with VSX Gateways.

Step

Description

1

From the left navigation toolbar, click Gateways & Servers.

2

Open the VSX Gateway object.

In our example: MyVsxGw

3

Enable the applicable Software Blades.

Refer to:

4

Configure other applicable settings.

5

Click OK to push the updated VSX Configuration.

Click View Report for more information.

6

Install policy on the VSX Gateway object:

  1. Click Install Policy.

    The Install Policy window opens.

  2. In the Policy field, select the default policy for this VSX Gateway object.

    This policy is called: <Name of VSX Gateway object>_VSX.

    In our example: MyVsxGw_VSX

  3. Click Install.

7

Examine the VSX configuration:

  1. Connect to the command line on the VSX Gateway.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 5: Create the first Virtual System object in SmartConsole

See Creating a New Virtual System.

Step

Description

1

At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Virtual System.

2

On the VSX System General Properties (Define the object name and the hosting VSX) page:

  1. In the Name field, enter the desired name for this object.

    In our example: MyVs1

  2. In the VSX Gateway / Cluster field, select the applicable VSX Gateway object.

    In our example: MyVsxGw

  3. You can select Override Creation Template (Create Custom VS), if you need to override the creation template that was used for the initial configuration of the VSX Gateway.
  4. Click Next.

3

On the Virtual System Network Configuration (Define Virtual System Interfaces and Routes) page:

In our example, this Virtual System connects directly to two physical interfaces on the VSX Gateway.

In the Interfaces section, add the "external" interface:

  1. Click Add > Regular.
  2. In the Interface field, select the applicable physical interface.

    In our example: eth1

  3. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

    In our example: 192.168.10.1/24

    You can select Propagate route to adjacent Virtual Devices (IPv4) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv4 connectivity between neighboring Virtual Devices.

  4. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

    You can select Propagate route to adjacent Virtual Devices (IPv6) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv6 connectivity between the neighboring Virtual Devices.

  5. Click OK.

 

In the Interfaces section, add the "internal" interface:

  1. Click Add > Regular.
  2. In the Interface field, select the applicable physical interface - this is the "internal" interface.

    In our example: eth2

  3. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

    In our example: 172.30.10.1/24

    You can select Propagate route to adjacent Virtual Devices (IPv4) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv4 connectivity between the neighboring Virtual Devices.

  4. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

    You can select Propagate route to adjacent Virtual Devices (IPv6) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv6 connectivity between the neighboring Virtual Devices.

  5. Click OK.

In the Routes section, click Add to configure the applicable static routes and the Default Route.

Click Next.

4

On the VSX System Creation Finalization page:

  1. Click Finish and wait for the operation to finish.
  2. Click View Report for more information.
  3. Click Close.

5

Examine the VSX configuration:

  1. Connect to the command line on the VSX Gateway.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 6: Configure the first Virtual System object in SmartConsole

See Modifying a Virtual System.

Step

Description

1

From the left navigation toolbar, click Gateways & Servers.

2

Open the first Virtual System object.

In our example: MyVs1

3

Enable the applicable Software Blades.

In our example: IPsec VPN blade

Refer to:

4

Configure other applicable settings.

5

Click OK to push the updated VSX Configuration.

6

Configure and install the applicable policy on the first Virtual System object.

7

Examine the VSX configuration:

  1. Connect to the command line on the VSX Gateway.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 7: Create the second Virtual System object in SmartConsole

See Creating a New Virtual System.

Step

Description

1

At the top, click Objects > More object types > Network Object > Gateways and Servers > VSX > New Virtual System.

2

On the VSX System General Properties (Define the object name and the hosting VSX) page:

  1. In the Name field, enter the desired name for this object.

    In our example: MyVs2

  2. In the VSX Gateway / Cluster field, select the applicable VSX Gateway object.

    In our example: MyVsxGw

  3. You can select Override Creation Template (Create Custom VS), if you need to override the creation template that was used for the initial configuration of the VSX Gateway.
  4. Click Next.

3

On the Virtual System Network Configuration (Define Virtual System Interfaces and Routes) page:

In our example, this Virtual System connects directly to two physical interfaces on the VSX Gateway.

In the Interfaces section, add the "external" interface:

  1. Click Add > Regular.
  2. In the Interface field, select the applicable physical interface.

    In our example: eth1

  3. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

    In our example: 192.168.20.1/24

    You can select Propagate route to adjacent Virtual Devices (IPv4) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv4 connectivity between Virtual Devices.

  4. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

    You can select Propagate route to adjacent Virtual Devices (IPv6) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv6 connectivity between Virtual Devices.

  5. Click OK.

 

In the Interfaces section, add the "internal" interface:

  1. Click Add > Regular.
  2. In the Interface field, select the applicable physical interface - this is the "internal" interface.

    In our example: eth2

  3. In the IPv4 Configuration section, enter the applicable IP Address and Net Mask.

    In our example: 172.30.20.1/24

    You can select Propagate route to adjacent Virtual Devices (IPv4) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv4 connectivity between the neighboring Virtual Devices.

  4. In the IPv6 Configuration section, enter the applicable IPv6 Address and Prefix.

    You can select Propagate route to adjacent Virtual Devices (IPv6) to "advertise" this Virtual System to neighboring Virtual Devices. This enables IPv6 connectivity between the neighboring Virtual Devices.

  5. Click OK.

In the Routes section, click Add to configure the applicable static routes and the Default Route.

Click Next.

4

On the VSX System Creation Finalization page:

  1. Click Finish and wait for the operation to finish.
  2. Click View Report for more information.
  3. Click Close.

5

Examine the VSX configuration:

  1. Connect to the command line on the VSX Gateway.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v

Step 8: Configure the second Virtual System object in SmartConsole

See Modifying a Virtual System.

Step

Description

1

From the left navigation toolbar, click Gateways & Servers.

2

Open the second Virtual System object.

In our example: MyVs2

3

Enable the applicable Software Blades.

In our example: Mobile Access blade

Refer to:

4

Configure other applicable settings.

5

Click OK to push the updated VSX Configuration.

6

Configure and install the applicable policy on the second Virtual System object.

7

Examine the VSX configuration:

  1. Connect to the command line on the VSX Gateway.
  2. Log in to Gaia Clish, or Expert mode.
  3. Run: vsx stat -v
05 November 2019
Was this helpful?
Incorrect information Not what I'm looking for Too much information Confusing information
© 2019 Check Point Software Technologies Ltd. All rights reserved.