VSX Management Overview
VSX supports two Check Point management models: Security Management Server and Multi-Domain Server.
Both models provide central configuration, management and monitoring for multiple VSX Gateways and Virtual Systems.
The choice of management model depends on several factors, including:
- The scale of the current deployment and anticipated expansion
- Administrative requirements
- Physical and operational requirements
- Licensing restrictions
You can use either management model to manage a "physical" Security Gateway together with a VSX Gateway and Virtual Systems.
You can also manage VPN communities and remote connections with either model.
Note - According to the Check Point EULA (End User License Agreement), a Security Gateway can only manage security policies for Virtual Systems belonging to a single legal entity. In order to manage Virtual Systems belonging to multiple legal entities, you need to deploy a Multi-Domain Security Management solution with a separate Domain Management Server for each legal entity. For more information regarding Licensing, refer to your Check Point Reseller.
Security Management Server Model
The Security Management Server model is for enterprise deployments with many Virtual Systems, but one domain.
SmartConsole connects to the VSX Gateway, which contains the Virtual Systems, and directly manages each Virtual System.
Multi-Domain Security Management Model
With Multi-Domain Security Management, you centrally manage multiple networks, typically of different Domains, divisions, or branches.
The Multi-Domain Server is the central management node that controls the policy databases for each of these networks.
Each Domain network is managed by a Domain Management Server, which provides the full functionality of a Security Management Server and can host multiple Virtual Systems, virtual and physical devices.
The Domain Management Server that manages a VSX Gateway or VSX Cluster is the Main Domain Management Server.
A VSX Gateway or VSX Cluster can host Virtual Systems that are managed by different Domain Management Servers.
The Domain Management Server that manages a VSX Virtual System or VSX Virtual Router is the Target Domain Management Server.
Item | Description
---|---
1 | SmartConsole
2 | Multi-Domain Server
3 | Domain Management Server
4 | Main Domain Management Server
5 | VSX Gateway
6 | Virtual Systems in Domain Management Servers
From a SmartConsole connected to a Multi-Domain Server, provision and configure Domains and Domain Management Servers.
Each Domain Management Server uses its own SmartConsole instance to provision and configure its Virtual Systems, Virtual Devices, and policies.
Management Model Comparison
The following table summarizes the capabilities and differences between the two management models.
The capacity figures shown for Multi-Domain Server represent estimated, practical limits that will sustain acceptable performance levels under normal conditions.
Actual performance is dependent on many factors, including deployed hardware, network topology, traffic load and security requirements.
Management Server Communication - SIC
All communication between the Management Server and the VSX Gateway uses Secure Internal Communication (SIC), a certificate-based channel that authenticates communication between Check Point components.
The Management Server uses SIC for provisioning Virtual Devices, policy installation, logging, and status monitoring.
SIC trust is initially established using a one-time password during configuration of the VSX Gateway or VSX Cluster Members.
For Multi-Domain Security Management deployments, SIC trust is established between the VSX Gateway or VSX Cluster and the Domain Management Server associated with it (the Main Domain Management Server).
The Virtual Devices establish trust in a different manner than their physical counterparts.
When you create a Virtual Device, VSX automatically establishes SIC trust using the secure communication channel defined between the Management Server and the VSX Gateway.
The VSX Gateway uses its management interface for Secure Internal Communication between the Management Server and all Virtual Devices.