Virtual Devices
This section describes virtual network components and their characteristics:

A Virtual System (VS) is a virtual security and routing domain that provides the functionality of a Security Gateway with full Firewall and VPN facilities.
Multiple Virtual Systems can run concurrently on a single VSX Gateway.
Each Virtual System functions independently.
Each Virtual System maintains its own Software Blades, interfaces, IP addresses, routing table, ARP table, and dynamic routing configuration. Each Virtual System also maintains its own:
- State Tables: Each Virtual System has its own kernel tables with configuration and runtime data, such as active connections and IPsec tunnel information.
- Security and VPN policies: Each Virtual System enforces its own security and VPN Policies (including INSPECT code). Policies are retrieved from the Management Server and stored separately on the local disk and in the kernel. In a Multi-Domain Server environment, each Domain database is maintained separately on the Management Server and on the VSX Gateway.
- Configuration Parameters: Each Virtual System maintains its own configuration, such as IPS settings and TCP/UDP time-outs. Different Virtual Systems can run in Layer 2 or Layer 3 mode and co-exist on the same VSX Gateway.
- Logging Configuration: Each Virtual System maintains its own logs and runs logging according to its own rules and configuration.

A Virtual Router (VR) is an independent routing domain within a VSX Gateway that performs the functionality of a physical router.
Virtual Routers are useful for connecting multiple Virtual Systems to a shared interface, such as the interface leading to the Internet, and for routing traffic from one Virtual System to another. Virtual Routers support dynamic routing.
Virtual Routers perform the following routing functions:
- Route packets arriving at the VSX Gateway through a shared interface to the designated Virtual System, based on the source or destination IP address.
- Route traffic arriving from Virtual Systems to a shared interface or to other Virtual Systems.
- Route traffic to and from shared network resources, such as a DMZ.
As with physical routers, each Virtual Router maintains a routing table with a list of route entries describing known networks and how to reach them.
Depending on the deployment requirements, multiple Virtual Routers can be configured.
To protect themselves, Virtual Routers inspect all traffic destined to, or originating from, themselves (for example, an ICMP ping to the Virtual Router IP address) according to the security policy. Traffic that is neither sent to nor coming from the Virtual Router is not inspected by the Virtual Router policy and is forwarded to its destination.
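As an added illustration (not part of Check Point's documentation or product code), the Python model below simulates the routing behaviour just described: a Virtual Router forwards transit traffic to the designated Virtual System by longest-prefix match without inspecting it, applies its own policy only to traffic addressed to its own IP address, and each Virtual System keeps an independent state table. The IP addresses, service names and topology are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class VirtualSystem:
    """Modelled VS: its own policy and its own state table, isolated from other VSs."""
    name: str
    allowed: set                                   # services this VS's policy accepts
    connections: set = field(default_factory=set)  # this VS's private kernel state table

    def inspect(self, pkt):
        if pkt[2] in self.allowed:                 # pkt = (src, dst, service)
            self.connections.add(pkt)
            return "accept"
        return "drop"

class VirtualRouter:
    """Modelled VR: longest-prefix routes to VSs; its policy applies only to traffic to itself."""
    def __init__(self, own_ip, own_allowed):
        self.own_ip = ip_address(own_ip)
        self.own_allowed = own_allowed
        self.routes = []                            # (network, next-hop Virtual System)

    def add_route(self, cidr, vs):
        self.routes.append((ip_network(cidr), vs))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)  # most specific first

    def forward(self, pkt):
        src, dst, service = pkt
        if ip_address(dst) == self.own_ip:          # traffic to the VR itself: VR policy applies
            return ("vr-self", "accept" if service in self.own_allowed else "drop")
        for net, vs in self.routes:                 # transit traffic: routed, not inspected by the VR
            if ip_address(dst) in net:
                return (vs.name, vs.inspect(pkt))
        return ("no-route", "drop")

def demo():
    # Constructed topology: one VR on a shared Internet-facing interface, two VSs behind it.
    vs1 = VirtualSystem("vs1", allowed={"https"})
    vs2 = VirtualSystem("vs2", allowed={"ssh"})
    vr = VirtualRouter("203.0.113.1", own_allowed={"icmp-echo"})
    vr.add_route("10.1.0.0/16", vs1)
    vr.add_route("10.2.0.0/16", vs2)
    packets = [("198.51.100.7", "10.1.0.10", "https"),        # routed to vs1, accepted by vs1's policy
               ("198.51.100.7", "10.2.0.10", "https"),        # routed to vs2, dropped by vs2's policy
               ("198.51.100.7", "203.0.113.1", "icmp-echo"),  # ping to the VR itself: VR policy, accept
               ("198.51.100.7", "203.0.113.1", "ssh")]        # ssh to the VR itself: VR policy, drop
    results = [vr.forward(p) for p in packets]
    return results, len(vs1.connections), len(vs2.connections)
```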

By providing Layer 2 connectivity, a Virtual Switch (VSW) connects Virtual Systems and facilitates sharing a common physical interface without segmenting the existing IP network. As with a physical switch, each Virtual Switch maintains a forwarding table with a list of MAC addresses and their associated ports.
In contrast to a Virtual Router, when sharing a physical interface via a Virtual Switch there is no need:
- To allocate an additional subnet for IP addresses of Virtual Systems connected to the switch.
- To manually configure the routing on the routers adjacent to the shared interface.
You can create multiple Virtual Switches in a virtual network topology.
Note - When sharing a physical interface via a Virtual Switch, the IP addresses for Virtual Systems connected to a Virtual Switch should be allocated from the same subnet as the shared interface. If the only function the Virtual Switch performs is to connect Virtual Systems, then the Virtual Switch can be defined without interfaces (unless Virtual System Load Sharing