Management Server Connections

A Management Server (Security Management Server or Multi-Domain Server) connects to the VSX Gateway and provides provisioning and configuration services for Virtual Devices located on the VSX Gateway.

You can connect the Management Server to the VSX Gateway using one of the scenarios below.

Notes:

  • It is not supported to manage a VSX Gateway / VSX Cluster in these cases:

    • When the Management Server is behind NAT

    • When the VSX Gateway / VSX Cluster is behind NAT

  • It is not supported to manage a VSX Gateway / VSX Cluster when the management traffic passes through a Virtual System on the same VSX Gateway / VSX Cluster.

    Only VS0 can communicate directly with the Management Server.

  • From R81, configuration with a Non-Dedicated Management Interface (Non-DMI, shared interface) is deprecated and not supported.

Local Management Connection

The Management Server connects directly to the VSX Gateway using a dedicated VSX management interface.

When using a local Management Server (Security Management Server or Multi-Domain Server), all management traffic is handled by a Dedicated Management Interface (DMI) that connects the VSX Gateway to the Management Server. The IP address of this dedicated management interface can be either private or public.

Item

Description

 

Item

Description

1

Network 1

 

6

VSX Gateway

2

Network 2

 

7

Router

3

Network 3

 

8

Internet

4

Network 4

 

9

Management Server

5

Switch

 

10

SmartConsole

Remote Management Connection

The Management Server connects to the VSX Gateway by means of a router connected to a VSX management interface.

This method ensures segregation of management traffic from all other traffic.

When using a remote Management Server (Security Management Server or Multi-Domain Server), management traffic travels via an internal or external network to a VSX Gateway to the management interface.

This architecture segregates management traffic from all other traffic passing through the VSX Gateway.

Check Point recommends that remote management connections use a dedicated management interface (DMI) that connects directly to a router or switch that leads to the external network or the Internet.

Item

Description

 

Item

Description

1

SmartConsole

 

9

Virtual Switch

2

Management Server

 

10

Warp Link

3

Management traffic

 

11

Virtual System 1

4

Internet

 

12

Virtual System 2

5

Router

 

13

Switch

6

Dedicated management interface (eth0)

 

14

Network 1

7

External interface

 

15

Network 2

8

VSX Gateway

 

 

 

When management traffic passes through a Virtual Router or Virtual Switch, you must ensure that the associated Warp Link IP address originates from the remote network.

Furthermore, if the remote management connection arrives via the Internet, you must assign a routable, public IP address.