Configuring Mirror and Decrypt in VSX mode

Example topology for one Virtual System:

Item

Description

1

VSX GatewayClosed Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. (Scalable Platform Security GroupClosed A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected.).

2

Recorder, or Packet-Broker that works in a monitor (promiscuous) mode.

3

Virtual System, through which your networks send and receive their traffic.

4

Flow of the decrypted and mirrored traffic from the VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Gateway (Security Group) (1) to the Recorder, or Packet-Broker (2).

eth4

Designated physical interface on the VSX Gateway (Security Group) (1).

Virtual System (3) connects directly to this physical interface.

wrp128

One of the virtual interfaces on the Virtual System (3).

Example topology for several Virtual Systems:

Note - This topology requires you to configure a VLAN Trunk on the Recorder or Packet-Broker. The VLAN Trunk on the Recorder or Packet-Broker must accept all VLAN IDs that you configure in the objects of the applicable Virtual Systems in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

Item

Description

1

VSX Gateway.

2

First Virtual System, through which your networks send and receive their traffic.

3

Second Virtual System, through which your networks send and receive their traffic.

4

Flow of the decrypted and mirrored traffic from the VSX Gateway (Security Group) (1) to the Recorder, or Packet-Broker (5).

5

Recorder, or Packet-Broker.

eth4

Designated physical interface on the VSX Gateway (Security Group) (1).

This interface is configured as VLAN Trunk in the VSX Gateway object in SmartConsole.

Virtual Systems (2 and 3) connect to this VLAN Trunk interface with VLAN interfaces.

eth4.55

VLAN interface on the first Virtual System (2).

eth4.66

VLAN interface on the second Virtual System (3).

wrp128

One of the virtual interfaces on the Virtual Systems (2 and 3).

Important - It is not supported to change the designated physical interface with the "vsx_util change_interfaces" command.

For information about this command, see the R81.20 VSX Administration Guide.

Workflow for configuring Mirror and Decrypt in VSX mode:

Step

Instructions

1

Read and follow the Mirror and Decrypt Requirements.

2

Prepare the VSX Gateway / each VSX Cluster MemberClosed Security Gateway that is part of a cluster. / Scalable Platform Security Group.

See Preparing the VSX Gateway, each VSX Cluster Member, Security Group.

3

Configure the Mirror and Decrypt in the Virtual System object in SmartConsole.

See: