Configuring a VSX Gateway Object in SmartConsole

A Chassis can work as a Security Gateway, or as a VSX Gateway.

This procedure describes the configuration of a VSX Gateway in SmartConsole.

Important - While you run the VSX Gateway Wizard, only one SGM (the SMO) should be defined in the Security Group.

Before creating the VSX Gateway

It is important to know how VSX works, and understand the VSX architecture and concepts. It is also important to understand how to deploy and configure your security environment using VSX Virtual Devices:

  • Virtual System

  • Virtual System in Bridge Mode

  • Virtual Switch

To learn how VSX works, and about its architecture, concepts, and Virtual Devices, see the R81 Scalable Platforms VSX Administration Guide.

The VSX Gateway Wizard

The VSX Gateway in this example has one Virtual System (VS0) and one dedicated management interface.

After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from SmartConsole.

For example, you can add Virtual Systems, add or delete interfaces, or configure existing interfaces to support VLANs.

Notes:

  1. Do not enable IPv6 before you create and configure a new VSX Gateway. This can cause system instability.

    You must first create the new VSX Gateway object, and then enable and configure IPv6 in Gaia gClish on the Security Group.

  2. There can be some variations in the wizard steps due to release updates.

    In these cases, follow the instructions on the screen.

To start the VSX Gateway wizard:

  1. Connect with SmartConsole to your Management Server.

  2. From the left navigation panel, click Gateways & Servers.

  3. Create a new VSX Gateway object in one of these ways:

    • From the top toolbar, click New > VSX > Gateway.

    • In the top left corner, click Objects menu > More object types > Network Object > Gateways and Servers > VSX > New Gateway.

    • In the top right corner, click Objects Pane > New > More > Network Object > Gateways and Servers > VSX > Gateway.

The VSX Gateway Wizard opens.

Wizard Step 1: Defining VSX Gateway General Properties

On the VSX Gateway General Properties (Specify the object's basic settings) page:

  1. In the Enter the VSX Gateway Name field, enter the applicable name for this VSX Gateway object.

  2. In the Enter the VSX Gateway IPv4 field, enter the same IPv4 address that you configured on the Management Connection page of the Security Group's First Time Configuration Wizard.

  3. In the Enter the VSX Gateway IPv6 field, enter the same IPv6 address that you configured on the Management Connection page of the Security Group's First Time Configuration Wizard.

  4. In the Select the VSX Gateway Version field, select R81.

  5. Click Next.

Wizard Step 2: Selecting Virtual Systems Creation Templates

On the Virtual Systems Creation Templates (Select the Creation Template most suitable for your VSX deployment) page:

  1. Select the applicable template.

  2. Click Next.

The Creation Templates page determines the predefined default topology and routing definitions for Virtual Systems.

This makes sure that Virtual Systems are consistent and makes the definition process faster.

You always have the option to override the default creation template when you create or change a Virtual System.

The creation templates are:

  • Shared Interface - Not supported for the Chassis.

  • Separate Interfaces - Virtual Systems use their own separate internal and external interfaces. This template creates a Dedicated Management Interface (DMI) by default.

  • Custom Configuration - Defines Virtual System, Virtual Switch, and Interface configurations.

This procedure describes the Custom Configuration template.

Wizard Step 3: Establishing SIC Trust

On the VSX Gateway General Properties (Secure Internal Communication) page:

  1. In the Activation Key field, enter the same Activation Key you entered during the Security Group's First Time Configuration Wizard.

  2. In the Confirm Activation Key field, enter the same Activation Key again.

  3. Click Initialize.

  4. Click Next.

If you entered the correct activation key, the Trust State changes to "Trust established".

Wizard Step 4: Defining Physical Interfaces

On the VSX Gateway Interfaces (Physical Interfaces Usage) page:

  1. Examine the list of the interfaces - it must show all the physical interfaces on the VSX Gateway.

  2. If you plan to connect more than one Virtual System directly to the same physical interface, you must select VLAN Trunk for that physical interface.

  3. Click Next.

Virtual Network Device Configuration

Notes:

  • If earlier you selected the Separate Interfaces template, proceed to Wizard Step 5: VSX Gateway Management.

  • If earlier you selected the Custom Configuration template, the Virtual Network Device Configuration window opens.

    In this window, define a Virtual Device with an interface shared with the VSX Gateway.

    If you do not want to define a Virtual Device at this time, click Next to continue.

To define a Virtual Device with a shared interface:

  1. Select Create a Virtual Device.

  2. Select the Virtual Network Device type > Virtual Switch.

  3. Select the shared physical interface to define a non-DMI gateway.

    Do not select the management interface if it is necessary to define a Dedicated Management Interface (DMI) gateway.

    If you do not define a shared Virtual Device, a DMI gateway is created by default.

    Important - It is not possible to change this setting after you complete the VSX Gateway Wizard. If you define a non-DMI gateway, you cannot change it to a DMI gateway later.

  4. The IP address and Net Mask options are not available for a Virtual Switch.

  5. Optional: Define a Default Gateway for a Virtual Router (DMI only).

Wizard Step 5: VSX Gateway Management

On the VSX Gateway Management (Specify the management access rules) page:

  1. Examine the default access rules.

  2. Select the applicable default access rules.

    Select Allow to pass traffic on the selected services.

    Clear the Allow option to block traffic on this service.

    By default, all services are blocked.

    For example, to be able to ping the VSX Gateway from the Management Server, allow ICMP Echo-Request traffic.

  3. Configure the applicable source objects, if needed.

    Click the arrow and select a Source Object from the list.

    The default value is *Any. Click New Source Object to define a new source.

    You can modify the Security Policy rules that protect the VSX Gateway later.

  4. Click Next.

Important:

  • This policy is installed automatically on the new VSX Gateway. These access rules apply only to the VSX Gateway (context of VS0), which is not intended to pass any "production" traffic.

    Traffic destined for Virtual Systems, other Virtual Devices, external networks, and internal networks is not affected by this policy.

This Security Policy consists of predefined rules for these services:

  • TCP - SSH traffic and HTTPS traffic

  • UDP - SNMP requests

  • ICMP - Echo-Request (ping)

Wizard Step 7: Completing the VSX Wizard

On the VSX Gateway Creation Finalization page:

  1. Click Finish and wait for the operation to finish.

    This may take several minutes to complete.

  2. Click View Report for more information.

  3. Click Close.

Confirming the VSX Gateway Software Configuration

To make sure that the policy was successfully installed:

  1. Connect to the Security Group over SSH or serial console.

  2. Log in to the Expert mode.

  3. Run:

    asg monitor -vs all

  4. You can now add more SGMs to the Security Group.

    Run this command in Gaia gClish:

    add smo security-group

  5. After all SGMs are in the UP state and enforce the Security Policy again, you can add Virtual Systems to the VSX Gateway in SmartConsole.