Configuring VSX Gateways

Creating a New VSX Gateway

This section explains how to create a new VSX Gateway using the VSX Gateway Wizard. After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from SmartConsole. For example, you can add or delete interfaces, or configure existing interfaces to support VLANs.

To start the VSX Gateway wizard:

1. Connect with SmartConsole to the Security Management Server or Main Domain Management Server used to manage the VSX Gateway.
2. From the left navigation panel, click Gateways & Servers.
3. At the top, click New > VSX > Gateway.

   The General Properties page of the VSX Gateway Wizard opens.

Wizard Step 1: Defining VSX Gateway General Properties

Configure these parameters on the General Properties page:

• VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or special characters except the underscore.
• VSX Gateway Addresses: Management interface addresses.

  Note: If you define an IPv6 IP address you must also define an IPv4 address.

• VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.

Wizard Step 2: Selecting Virtual Systems Creation Templates

The Creation Templates page lets you configure predefined, default topology and routing definitions for Virtual Systems. This makes sure that Virtual Systems are consistent and makes the definition process faster. You always have the option to override the default creation template when you create or change a Virtual System.

The Creation Templates are:

• Shared Interface - Not supported for the Security Group.
• Separate Interfaces: Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.
• Custom Configuration: Define Virtual System, Virtual Switch, and Interface configurations.

For this example, choose Custom configuration.

Wizard Step 3: Establishing SIC Trust

Initialize SIC trust between the VSX Gateway and the Management Server. They cannot communicate without Trust.

Initializing SIC Trust

When you create a VSX Gateway, you must enter the Activation Key that you defined in the installation wizard setup program. Enter and confirm the activation key and then click Initialize. If you enter the correct activation key, the Trust State changes to Trust established.

Troubleshooting SIC Trust Initialization Problems

If SIC trust was not successfully established, click Check SIC Status to see the reason for the failure. The most common issues are an incorrect activation key and connectivity problems between the management server and the VSX Gateway.

Troubleshooting to resolve SIC initialization problems:

• Re-enter and re-confirm the activation key.
• Verify that the IP address defined in General Properties is correct.
• Ping the management server to verify connectivity. Resolve connectivity issues.
• From the VSX Gateway command line, use the cpconfig utility to re-initialize SIC. After this process completes, click Reset in the wizard and then re-enter the activation key.

For more about resolving SIC initialization, see the R80.20 Security Management Administration Guide.

Troubleshooting SIC Reset in Security Groups

Resetting SIC takes 3-5 minutes.

If resetting of the SIC was interrupted (for example, by loss of network connectivity), run the g_all cp_conf sic state command to get the SIC state and follow these steps:

SIC state	Do this
Trust established	Repeat the SIC reset procedure.
Initialized, but Trust was not established	Reboot all Security Group Members. In SmartConsole, open the Security Group object. Go to General Properties page > Communication. Initialize SIC. Install the policy.

SIC Cleanup

To resolve other SIC issues, do a SIC cleanup in the Expert mode:

# asg_blade_config reset_sic -reboot_all <activation_key>

Wizard Step 4: Defining Physical Interfaces

In the VSX Gateway Interfaces window, define physical interfaces as VLAN trunks. The window shows the interfaces currently defined on the VSX Gateway.

To define an interface as a VLAN trunk, select VLAN Trunk for the interface.

Virtual Network Device Configuration

Note - If you chose Shared Interface or Separate Interface, proceed to Wizard Step 5.

If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens. In this window, define a Virtual Device with an interface shared with the VSX Gateway. If you do not want to define a Virtual Device at this time, click Next to continue.

To define a Virtual Device with a shared interface:

Important - Virtual Routers and Virtual Switches are not supported (see Known Limitations 01413513 and MBS-5214).

1. Select Create a Virtual Device.
2. Select the Virtual Network Device type (Virtual Router or Virtual Switch).
3. Select the shared physical interface to define a non-DMI gateway.

   Do not select the management interface if you want to define a Dedicated Management Interface (DMI) gateway. If you do not define a shared Virtual Device, a DMI gateway is created by default.

   Important - This setting cannot be changed after you complete the VSX Gateway Wizard. If you define a non-DMI gateway, you cannot change it to a DMI gateway later.

4. Define the IP address and Net Mask for a Virtual Router.

   These options are not available for a Virtual Switch.

5. Optional: Define a Default Gateway for a Virtual Router (DMI only).

Wizard Step 5: VSX Gateway Management

In the VSX Gateway Management window, define security policy rules that protect the VSX Gateway. This policy is installed automatically on the new VSX Gateway.

Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other Virtual Devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules for these services:

• UDP - SNMP requests
• TCP - SSH traffic
• ICMP - Echo-request (ping)
• TCP - HTTPS traffic

To modify the Gateway Security Policy:

1. Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By default, all services are blocked.

   For example, to be able to ping the gateway from the management server, allow ICMP echo-request traffic.

2. Source: Click the arrow and select a Source Object from the list.

   The default value is *Any. Click New Source Object to define a new source.

   You can modify the security policy rules that protect the VSX Gateway later.

3. Click Next.

Wizard Step 6: Completing the VSX Wizard

Click Next to continue and then click Finish to complete the VSX Gateway wizard.

This may take several minutes to complete. A message shows successful or unsuccessful completion of the process.

If the process ends unsuccessfully, click View Report to see the error messages. See Troubleshooting.

Configuring the Gateway Security Policy

1. Allow: Select to pass traffic on the selected services. Clear this option to block traffic on this service. By default, all services are blocked.

   For example, to be able to ping the gateway from the Management Server, allow ICMP echo-request traffic.

2. Source: Click the arrow and select a Source Object from the list.

   The default value is *Any. Click New Source Object to define a new source.

Configuring 64-Bit Virtual System Support

You can configure a Security System to run fwk as a 64 bit process. This lets VSX Virtual Systems use more than 4 GB of RAM, which significantly increases the concurrent connection capacity for each Virtual System.

Use the vs_bits command to configure fwk to run in the 64 or 32 bit mode. The system automatically reboots when you run the command.

Important: Run the vs_bits command only from a VS0 context.

For Security Groups: Important - This configuration requires maintenance windows because a full reboot is required for both Chassis.

Syntax:

vs_bits [-stat | 32 | 64 ]

Parameter	Description
stat	Shows the current fwk mode
32	Run fwk in the 32 bit mode
64	Run fwk in the 64 bit mode

Examples:

This example changes the fwk mode to 64 bits:

vs_bits 64

This example shows the fwk modes:

# vs_bits -stat

All VSs are at 64 bits

Known limitations:

• This feature only works on a 64 bit operating system.
• The VSX gateway will automatically run cpstop;cpstart.
• To change to 64-bit mode in a cluster, use the Connectivity Upgrade procedure.