Working with VSX Gateways

A VSX Gateway is a physical machine that serves as a container for Virtual Systems and other virtual network components.

This section has step-by-step procedures for creating and configuring standalone VSX Gateways.

Note - In Security Groups in Maestro and Scalable Chassis:

  • The term VSX Gateway means a Security Group in the VSX mode.

  • Some VSX features have limited or no support.

  • Virtual Routers are not supported (Known Limitation 01413513).

Changing VSX Gateway Definitions

After you create a VSX Gateway, you can modify the topology, other parameters, and advanced configurations in the VSX Gateway Properties window.

To open this window, double-click on the VSX Gateway object in SmartConsole.

The VSX Gateway Properties window opens.

VSX Gateway - General Properties

In the General Properties page, check and re-establish SIC trust, and activate Check Point products for this VSX Gateway.

You can change these properties:

  • Comment - Free text description for the Object List and elsewhere.

  • Color - Color of the object icon as it appears in the Object Tree.

  • Secure Internal Communication - Check and re-establish SIC trust.

  • Check Point Products - Select Check Point products for this VSX Gateway.

Secure Internal Communication (SIC)

You can test and reset SIC trust and also see the VSX Gateway Relative Distinguished Name.

To initialize SIC trust:

  1. In Gateways & Servers view or Object Explorer, double-click the VSX Gateway.

    You can also search for the VSX Gateway in the Object Explorer.

  2. In the VSX Gateway Properties window, click Communication.

  3. In the Trusted Communication window, enter and confirm the SIC Activation Key.

  4. Click Initialize.

Note - If you cannot establish trust, click Test SIC Status to see the reason for the failure. The most common issues are an incorrect activation key and connectivity problems between the Management Server and the VSX Gateway.

To reset SIC trust with the VSX Gateway:

  1. From the VSX Gateway CLI, use the cpconfig utility to re-initialize the SIC.

  2. In the Communication window, click Reset.

  3. Click Yes in the confirmation window.

  4. Enter and confirm the SIC authentication password.

  5. Click Initialize.

  6. Install the applicable policy (<Name of VSX Gateway Object>_VSX) on the VSX Gateway object only.

  7. On the VSX Gateway CLI, run: cpstop;cpstart

Check Point Software Blades

Select the Check Point Software Blades to install on this VSX Gateway from the list. The items you see are available for the product version and your license agreement.

VSX Gateway - Physical Interfaces

The Physical Interfaces page lets you add or delete a physical interface on the VSX Gateway, and define a VLAN trunk.

  • To add a new physical interface, click Add and enter the interface name in the appropriate field.

  • To remove a physical interface, select the interface and click Remove.

  • To define an interface as a VLAN trunk, select VLAN Trunk for the interface.

VSX Gateway - Topology

The Topology page contains definitions for interfaces and routes between interfaces and Virtual Devices.

Interfaces

The Interfaces section defines interfaces and links to devices. You can add new interfaces, and delete or modify existing interfaces.

To add an interface:

  1. Click New and select one of these options:

    • Regular - Create a new interface

    • Leads to Virtual Router

    • Leads to Virtual Switch

    The Interface Properties window opens.

    Click Actions > Copy to Clipboard to copy the Interfaces table in CSV format.

  2. Define the appropriate properties. See Working with Interface Definitions.

  3. Click OK.

Routes

The Routes section of the Topology window defines routes between network devices, network addresses, and Virtual Devices. Some routes are defined automatically based on the interface definitions. You can add, change, and delete routes.

To add a default route to the routing table:

  1. Click Add Default Route.

    The Default Gateway window opens.

  2. Enter the default route IP address or select the default Virtual Router.

  3. Click OK.

    The default route is added to the routing table.

  4. Select the default route and click Edit.

    The Route Configuration window opens.

  5. Configure the settings for the default route.

  6. Click OK.

To add a new route to the routing table:

  1. Click Add.

    The Route Configuration window opens.

  2. Configure the Destination IP address and netmask.

  3. Configure the next hop IP address or Virtual Router.

  4. Optional: Select Propagate route to adjacent Virtual Devices to "advertise" the route to neighboring Virtual Devices, and enable connectivity between them.

  5. Click OK.

To change a route:

  1. Select the route.

  2. Click Edit.

    The Route Configuration window opens.

  3. Change the settings.

  4. Click OK.

To delete a route:

  1. Select the route.

  2. Click Remove.

    A confirmation window opens.

  3. Click OK.

Topology Calculation

Select the Calculating topology automatically based on routing information option to let VSX automatically calculate the network topology based on interface and routing definitions. When enabled, VSX creates automatic links, or connectivity cloud objects linked to existing internal or external networks.

Note - If you wish to enable Anti-Spoofing protection when there are no routes pointing to internal networks, disable the Calculating topology automatically based on routing information option. Modify the appropriate interface definitions to enable Anti-Spoofing.
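The following Python sketch is an added example, not Check Point code. It uses a simplified model of route-based topology calculation to show why Anti-Spoofing needs manual interface definitions when no route points to an internal network. The interface names, addresses, and the longest-prefix model itself are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values; interface names and addresses are hypothetical.
INTERFACES = {"eth1": "192.0.2.1/24",   # external side
              "eth2": "10.1.0.1/24"}    # internal side
ROUTES = [("0.0.0.0/0", "192.0.2.254"),     # default route via eth1
          ("10.20.0.0/16", "10.1.0.254")]   # internal network via eth2

def calc_topology(interfaces, routes):
    """Model of automatic calculation: each interface leads to its connected
    subnet plus every route destination whose next hop is in that subnet."""
    topo = {}
    for name, cidr in interfaces.items():
        connected = ipaddress.ip_interface(cidr).network
        topo[name] = [connected] + [
            ipaddress.ip_network(dest) for dest, hop in routes
            if ipaddress.ip_address(hop) in connected]
    return topo

def expected_interface(topo, src):
    """Interface whose topology holds the most specific network containing src."""
    addr, best = ipaddress.ip_address(src), None
    for name, nets in topo.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return best[0] if best else None

def is_spoofed(topo, in_iface, src):
    """Anti-Spoofing decision: the source must belong behind the arrival interface."""
    return expected_interface(topo, src) != in_iface

def with_manual_networks(topo, iface, cidrs):
    """Manual interface definition: add networks explicitly behind one interface."""
    merged = {name: list(nets) for name, nets in topo.items()}
    merged[iface] += [ipaddress.ip_network(c) for c in cidrs]
    return merged

if __name__ == "__main__":
    src = "10.20.5.5"  # host on the internal network
    routed = calc_topology(INTERFACES, ROUTES)
    no_route = calc_topology(INTERFACES, ROUTES[:1])   # no route to 10.20.0.0/16
    manual = with_manual_networks(no_route, "eth2", ["10.20.0.0/16"])
    for label, topo in (("routed", routed), ("no route", no_route), ("manual", manual)):
        print(label, {i: is_spoofed(topo, i, src) for i in INTERFACES})
```

In the "no route" case the model treats the internal host as belonging behind the external interface, so its legitimate traffic on eth2 is flagged and a forged copy on eth1 is not; the manual definition restores the expected result.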

Deleting a VSX Gateway

When you delete a VSX Gateway object, the operation automatically deletes all Virtual Systems and other Virtual Devices associated with that VSX Gateway from the management database.

To delete a VSX Gateway:

  1. From the Gateways & Servers view or Object Explorer tree, right-click the VSX Gateway object on the Object Tree and select Delete.

  2. In the window that opens, click Yes.

Backing up and Restoring VSX Gateway

In the event of a catastrophic VSX Gateway failure, you can restore the VSX Gateway configuration and its Virtual Device configuration.

Follow the instructions in sk100395: How to backup and restore VSX Gateway.