Adding a Bridge Interface to a Virtual System

Description

Some Software Blades and features are not supported on a Virtual System Virtual Device on a VSX Gateway or VSX Cluster Member that implements the functionality of a Security Gateway. Acronym: VS. in Bridge Mode Security Gateway or Virtual System that works as a Layer 2 bridge device for easy deployment in an existing topology., because it may not have an IP address.

For example: Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE., Identity Awareness Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer. Acronym: IDA., Identity Awareness Captive Portal, and UserCheck Portal are not supported.

This command adds a Bridge interface to an existing regular Virtual System object that always has an IP address.

As a result, the Virtual System can support these Software Blades and features for the traffic that passes over the configured bridge interface.

Notes:

Names of bridge interfaces have a template "brX", where "X" is a digit.
It is necessary to add subordinate interfaces in pairs to a bridge interface.

To see the bridge interfaces you configured in the Virtual System object:

Connect to the command line on the VSX Gateway Physical server that hosts VSX virtual networks, including all Virtual Devices that provide the functionality of physical network devices. It holds at least one Virtual System, which is called VS0. (each VSX Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Cluster Member Security Gateway that is part of a cluster.).
Log in to the Expert mode.

Go to the context of the Virtual System:

vsenv <VSID>

Examine the list of interfaces:

ifconfig

You can delete bridge interfaces from a Virtual System either in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., or with the "vsx_provisioning_tool" command (see Removing an Interface from a Virtual Device).

Syntax

attach bridge vd <Name of Virtual System Object> ifs1 <Name of First Subordinate Interface> ifs2 <Name of Second Subordinate Interface>

Parameters

Parameter

Value

Notes

vd <Name of Virtual System Object>

Object name

Specifies the name of the Virtual System object.

Mandatory parameter, if this is the first command in a transaction.

ifs1 <Name of First Subordinate Interface>

Interface name

Specifies the name of the physical interface to be the first subordinate interface of a bridge interface.

Note - This physical interface must not have an IP address

ifs2 <Name of First Second Interface>

Interface name

Specifies the name of the physical interface to be the second subordinate interface of a bridge interface.

Note - This physical interface must not have an IP address

Example 1 - Adding a Bridge interface with subordinate interfaces "eth2" and "eth3" in the Virtual System "VS1"

vsx_provisioning_tool -s localhost -u admin -p mypassword -o attach bridge vd VS1 ifs1 eth2 ifs2 eth3

Example 2 - Adding a Multi Bridge interface in the Virtual System "VS1"

In this example, we add pairs of VLAN interfaces to the Virtual System "VS1" to add a Multi Bridge interface (see Multi Bridge Interfaces):

VLANs eth2.403 and eth3.403 as the first bridge interface
VLANs eth2.504 and eth3.504 as the second bridge interface

The prerequisite is to configure both physical interfaces "eth2" and "eth3" as VLAN Trunks (see Configuring a Physical Interface as VLAN Trunk).

vsx_provisioning_tool -s localhost -u admin -p mypassword -o attach bridge vd VS1 ifs1 eth2.403 ifs2 eth3.403, attach bridge ifs1 eth2.504 ifs2 eth3.504