Management Server Connections

A Management Server (Security Management Server or Multi-Domain Server) connects to the VSX Gateway and provides provisioning and configuration services for Virtual Devices located on the VSX Gateway.

You can connect the Management Server to the VSX Gateway using one of the scenarios below.

Local Management Connection

The Management Server connects directly to the VSX Gateway using a dedicated VSX management interface.

When using a local Management Server (Security Management Server or Multi-Domain Server), all management traffic is handled by a Dedicated Management Interface (DMI) that connects the VSX Gateway to the Management Server. The IP address of this dedicated management interface can be either private or public.

| Item | Description |
|------|-------------|
| 1 | Network 1 |
| 2 | Network 2 |
| 3 | Network 3 |
| 4 | Network 4 |
| 5 | Switch |
| 6 | VSX Gateway |
| 7 | Router |
| 8 | Internet |
| 9 | Management Server |
| 10 | SmartConsole |

Remote Management Connection

The Management Server connects to the VSX Gateway by means of a router connected to a VSX management interface.

This method ensures segregation of management traffic from all other traffic.

When using a remote Management Server (Security Management Server or Multi-Domain Server), management traffic travels over an internal or external network to the management interface of the VSX Gateway.

This architecture segregates management traffic from all other traffic passing through the VSX Gateway.

Check Point recommends that remote management connections use a dedicated management interface (DMI) that connects directly to a router or switch that leads to the external network or the Internet.

| Item | Description |
|------|-------------|
| 1 | SmartConsole |
| 2 | Management Server |
| 3 | Management traffic |
| 4 | Internet |
| 5 | Router |
| 6 | Dedicated management interface (eth0) |
| 7 | External interface |
| 8 | VSX Gateway |
| 9 | Virtual Switch |
| 10 | Warp Link |
| 11 | Virtual System 1 |
| 12 | Virtual System 2 |
| 13 | Switch |
| 14 | Network 1 |
| 15 | Network 2 |

When management traffic passes through a Virtual Router or Virtual Switch, you must ensure that the associated Warp Link IP address originates from the remote network.

Furthermore, if the remote management connection arrives via the Internet, you must assign a routable, public IP address.
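
The two addressing rules above can be checked against an address plan before provisioning. The following is an added example, not Check Point code: the MgmtPath record, the path names and the sample addresses are constructed, and it assumes "originates from the remote network" means the Warp Link IP address lies inside the remote network's CIDR range.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class MgmtPath:
    """One planned remote management path (hypothetical record, not a Check Point object)."""
    name: str
    warp_link_ip: str    # address planned for the Warp Link (WRP)
    remote_network: str  # CIDR of the remote management network
    via_internet: bool   # True if management traffic arrives via the Internet

def check_path(path):
    """Return findings for one path; an empty list means both rules hold."""
    try:
        ip = ipaddress.ip_address(path.warp_link_ip)
        net = ipaddress.ip_network(path.remote_network, strict=True)
    except ValueError as exc:
        return [f"invalid address data: {exc}"]
    findings = []
    if ip.version != net.version or ip not in net:
        findings.append(f"{ip} is not inside remote network {net}")
    elif ip.version == 4 and net.prefixlen < 31 and ip in (
            net.network_address, net.broadcast_address):
        findings.append(f"{ip} is the network or broadcast address of {net}")
    # Private, documentation and other reserved ranges are not globally routable.
    if path.via_internet and not ip.is_global:
        findings.append(f"{ip} is not a publicly routable address")
    return findings

def audit(plan):
    """Map each path name to its findings."""
    return {p.name: check_path(p) for p in plan}

# Constructed sample plan; names and addresses are illustrative only.
PLAN = [
    MgmtPath("vs1-wrp", "10.20.30.5", "10.20.30.0/24", via_internet=False),
    MgmtPath("vs2-wrp", "192.168.50.5", "10.20.30.0/24", via_internet=False),
    MgmtPath("vs3-wrp", "10.20.30.6", "10.20.30.0/24", via_internet=True),
]

if __name__ == "__main__":
    for name, findings in audit(PLAN).items():
        print(name, "OK" if not findings else "; ".join(findings))
```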