Working with VSX Gateways

A VSX Gateway is a physical machine that serves as a container for Virtual Systems and other virtual network components.

This section has step-by-step procedures for creating and configuring standalone VSX Gateways.

Note - In Security Groups in Maestro and Scalable Chassis: The term VSX Gateway means a Security Group in the VSX mode. Some VSX features have a limited or no support. Virtual Routers are not supported (Known Limitation 01413513).

Changing VSX Gateway Definitions

After you create a VSX Gateway, you can modify the topology, other parameters, and advanced configurations in the VSX Gateway Properties window.

To open this window, double-click on the VSX Gateway object in SmartConsole.

The VSX Gateway Properties window opens.

VSX Gateway - General Properties

In the General Properties page, check and re-establish SIC trust, and activate Check Point products for this VSX Gateway.

You can change these properties:

• Comment - Free text description for the Object List and elsewhere.

• Color - Color of the object icon as it appears in the Object Tree.

• Secure Internal Communication - Check and re-establish SIC trust.

• Check Point Products - Select Check Point products for this VSX Gateway.

Secure Internal Communication (SIC)

You can test and reset SIC trust and also see the VSX Gateway Relative Distinguished Name.

To initialize SIC trust:

1. In Gateways & Servers view or Object Explorer, double-click the VSX Gateway.

   You can also search for the VSX Gateway in the Object Explorer.

2. In the VSX Gateway Properties window, click Communication.

3. In the Trusted Communication window, enter and confirm the SIC Activation Key.

4. Click Initialize.

Note - If you cannot establish trust, click Test SIC Status to see the reason for the failure. The most common issues are an incorrect activation key and connectivity problems between the Management Server and the VSX Gateway.

To reset SIC trust with the VSX Gateway:

1. From the VSX Gateway CLI, use the cpconfig utility to re-initialize the SIC.

2. In the Communication window, click Reset.

3. Click Yes in the confirmation window.

4. Enter and confirm the SIC authentication password.

5. Click Initialize.

6. Install the applicable policy (<Name of VSX Gateway Object>_VSX) on the VSX Gateway object only.

7. On the VSX Gateway CLI, run: cpstop;cpstart

Check Point Software Blades

Select the Check Point Software Blades to install on this VSX Gateway from the list. The items you see are available for the product version and your license agreement.

VSX Gateway - Physical Interfaces

The Physical Interfaces page lets you add or delete a physical interface on the VSX Gateway, and to define a VLAN trunk.

• To add a new physical interface, click Add and enter the interface name in the appropriate field.

• To remove a physical interface, select the interface and click Remove.

• To define an interface as a VLAN trunk, select VLAN Trunk for the interface.

VSX Gateway - Topology

The Topology page contains definitions for interfaces and routes between interfaces and Virtual Devices.

Interfaces

The Interfaces section defines interfaces and links to devices. You can add new interfaces, and delete or modify existing interfaces.

To add an interface:

1. Click New and select one of these options:

   • Regular - Create a new interface

   • Leads to Virtual Router

   • Leads to Virtual Switch

   The Interface Properties window opens.

   Click Actions > Copy to Clipboard to copy the Interfaces table in CSV format.

2. Define the appropriate properties. See Working with Interface Definitions.

3. Click OK.

Routes

The Routes section of the Topology window defines routes between network devices, network addresses, and Virtual Devices. Some routes are defined automatically based on the interface definitions. You can add, change, and delete routes.

To add a default route to the routing table:

1. Click Add Default Route.

   The Default Gateway window opens.

2. Enter the default route IP address or select the default Virtual Router.

3. Click OK.

   The default route is added to the routing table.

4. Select the default route and click Edit.

   The Route Configuration window opens.

5. Configure the settings for the default route.

6. Click OK.

To add a new route to the routing table:

1. Click Add.

   The Route Configuration window opens.

2. Configure the Destination IP address and netmask.

3. Configure the next hop IP address or Virtual Router.

4. Optional: Select Propagate route to adjacent Virtual Devices to "advertise" the route to neighboring Virtual Devices, and enable connectivity between them.

5. Click OK.

To change a route:

1. Select the route.

2. Click Edit.

   The Route Configuration window opens.

3. Change the settings.

4. Click OK.

To delete a route:

1. Select the route.

2. Click Remove.

   A confirmation window opens.

3. Click OK.

Topology Calculation

Select the Calculating topology automatically based on routing information option to let VSX automatically calculate the network topology based on interface and routing definitions. When enabled, VSX creates automatic links, or connectivity cloud objects linked to existing internal or external networks.

• This option is not available in Bridge Mode.

• We recommend that you do not use this option with dynamic routing configurations.

Note - If you wish to enable Anti-Spoofing protection when there are no routes pointing to internal networks, disable the Calculating topology automatically based on routing information option. Modify the appropriate interface definitions to enable Anti-Spoofing.

Deleting a VSX Gateway

When you delete a VSX Gateway object, the operation automatically deletes all Virtual Systems and other Virtual Devices associated with that VSX Gateway from the management database.

To delete a VSX Gateway:

1. From the Gateways & Servers view or Object Explorer tree, right-click the VSX Gateway object on the Object Tree and select Delete.

2. In the window that opens, click Yes.

Backing up and Restoring VSX Gateway

In the event of a catastrophic VSX Gateway failure, you can restore the VSX Gateway configuration and its Virtual Device configuration.

Follow the instructions in the sk100395: How to backup and restore VSX Gateway.