Configuring VSX Gateways

Note - In Security Groups in Maestro and Scalable Chassis:

  • The term VSX Gateway means a Security Group in the VSX mode.

  • Some VSX features have limited or no support.

  • Virtual Routers are not supported (Known Limitation 01413513).

  • It is not supported to enable IPv6 in the Security Group before you create and configure a new VSX Gateway object in the Traditional VSX mode. You must first create the new VSX Gateway object and only then enable and configure IPv6 in Gaia gClish (Known Limitation 01341918).

Creating a New VSX Gateway

Notes:

  • It is not supported to convert an existing Security Gateway to a VSX Gateway.

  • It is not supported to convert an existing VSX Gateway to a Security Gateway.

This section explains how to create a new VSX Gateway using the VSX Gateway Wizard.

After you complete the VSX Gateway Wizard, you can change the VSX Gateway definition from SmartConsole.

For example, you can add or delete interfaces, or configure existing interfaces to support VLANs.

To start the VSX Gateway wizard:

  1. Connect with SmartConsole to the Security Management Server or Main Domain Management Server that manages the VSX Gateway.

  2. From the left navigation panel, click Gateways & Servers.

  3. At the top, click New > VSX > Gateway.

    The General Properties page of the VSX Gateway Wizard opens.

Wizard Step 1: Defining VSX Gateway General Properties

Configure these parameters on the General Properties page:

  • VSX Gateway Name: Unique, alphanumeric name for the VSX Gateway. The name cannot contain spaces or special characters except the underscore.

  • VSX Gateway Addresses: Management interface addresses.

    Note - If you define an IPv6 address, you must also define an IPv4 address.

  • VSX Gateway Version: Select the VSX version installed on the VSX Gateway from the drop-down list.

Wizard Step 2: Establishing SIC Trust

Initialize SIC trust between the VSX Gateway and the Management Server.

The VSX Gateway and the Management Server cannot communicate until trust is established.

Initializing SIC Trust

When you create a VSX Gateway, you must enter the same Activation Key you entered during the First Time Configuration Wizard.

Enter and confirm the activation key and then click Initialize.

If you enter the correct activation key, the Trust State changes to Trust established.

Troubleshooting SIC Trust Initialization Problems

If SIC trust was not successfully established, click Check SIC Status to see the reason for the failure.

The most common issues are an incorrect activation key and connectivity problems between the Management Server and the VSX Gateway.

To resolve SIC initialization problems:

  • Re-enter and re-confirm the activation key.

  • Make sure that the IP address defined in General Properties is correct.

  • Ping the Management Server to test the connectivity. Resolve connectivity issues.

  • From the VSX Gateway command line, use the cpconfig command to re-initialize SIC.

    After this process completes, click Reset in the wizard and then re-enter the activation key.

For more information about resolving SIC initialization problems, see the R82 Security Management Administration Guide.

Troubleshooting SIC in a Scalable Platform Security Group

Wizard Step 3: Defining Physical Interfaces

In the VSX Gateway Interfaces window, define physical interfaces as VLAN trunks.

The window shows the interfaces currently defined on the VSX Gateway.

To define an interface as a VLAN trunk, select VLAN Trunk for the interface.

Wizard Step 4: Virtual Network Device Configuration

Note - Configuration with a Non-Dedicated Management Interface (Non-DMI, shared interface) is deprecated and not supported.

If you chose the Custom Configuration option, the Virtual Network Device Configuration window opens.

In this window, define a Virtual Device with an interface shared with the VSX Gateway.

If you do not want to define a Virtual Device at this time, click Next to continue.

To define a Virtual Device with a shared interface:

  1. Select Create a Virtual Device.

  2. Select the Virtual Network Device type (Virtual Router or Virtual Switch).

  3. Select the Shared physical interface to define a non-DMI VSX Gateway.

    Do not select the management interface if you want to define a Dedicated Management Interface (DMI) VSX Gateway.

    If you do not define a shared Virtual Device, a DMI VSX Gateway is created by default.

    Important - This setting cannot be changed after you complete the VSX Gateway Wizard. If you define a non-DMI VSX Gateway, you cannot change it to a DMI VSX Gateway later.

  4. Define the IP address and Net Mask for a Virtual Router.

    These options are not available for a Virtual Switch.

  5. Optional: Define a Default Gateway for a Virtual Router (DMI only).

Wizard Step 5: VSX Gateway Management

In the VSX Gateway Management window, define security policy rules that protect the VSX Gateway.

This policy is installed automatically on the new VSX Gateway.

Note - This policy applies only to traffic destined for the VSX Gateway. Traffic destined for Virtual Systems, other Virtual Devices, external networks, and internal networks is not affected by this policy.

The security policy consists of predefined rules for these services:

  • UDP - SNMP requests

  • TCP - SSH traffic

  • ICMP - ICMP Echo (ping)

  • TCP - HTTPS traffic

Completing the VSX Wizard

Click Next to continue and then click Finish to complete the VSX Gateway wizard.

This may take several minutes to complete.

A message shows successful or unsuccessful completion of the process.

If the process ends unsuccessfully, click View Report to see the error messages.

See VSX Diagnostics and Troubleshooting.

Configuring the Security Policy

  1. Allow: Select to pass traffic on the selected services.

    Clear this option to block traffic on this service.

    By default, all services are blocked.

    For example, to be able to ping the VSX Gateway from the Management Server, allow ICMP traffic.

  2. Source: Click the arrow and select a Source Object from the list.

    The default value is *Any.

    Click New Source Object to define a new source.
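
The Allow and Source settings above decide who can reach the gateway's own SNMP, SSH, ICMP and HTTPS services, and Source defaults to *Any. The following is an added example, not part of the Check Point documentation: a review check that flags any allowed service whose source is *Any or lies outside an approved management range. The dictionary layout, the function name and the sample addresses are assumptions made for the illustration; the values would be recorded by hand from the wizard.

```python
import ipaddress

# The four predefined services listed for the VSX Gateway Management policy.
PREDEFINED_SERVICES = ("SNMP", "SSH", "ICMP Echo", "HTTPS")


def audit_gateway_rules(rules, approved_sources):
    """Return a list of (service, finding) tuples for one gateway's rules.

    rules: dict mapping service name -> {"allow": bool, "source": str},
           where source is "*Any" or a CIDR string (hypothetical layout).
    approved_sources: CIDR strings permitted to manage the gateway.
    """
    approved = [ipaddress.ip_network(c) for c in approved_sources]
    findings = []
    for service in PREDEFINED_SERVICES:
        # A service missing from the record is treated as the wizard default:
        # blocked, with Source left at *Any.
        rule = rules.get(service, {"allow": False, "source": "*Any"})
        if not rule["allow"]:
            continue  # a blocked service exposes nothing
        source = rule["source"]
        if source == "*Any":
            findings.append((service, "allowed from *Any"))
            continue
        try:
            net = ipaddress.ip_network(source, strict=False)
        except ValueError:
            findings.append((service, f"unparseable source {source!r}"))
            continue
        # subnet_of() needs matching IP versions, so compare like with like.
        inside = any(net.version == a.version and net.subnet_of(a) for a in approved)
        if not inside:
            findings.append((service, f"source {net} outside approved ranges"))
    return findings


# Constructed sample: SNMP is not recorded, so it counts as blocked.
SAMPLE_RULES = {
    "SSH": {"allow": True, "source": "*Any"},
    "HTTPS": {"allow": True, "source": "10.20.30.0/28"},
    "ICMP Echo": {"allow": True, "source": "192.0.2.10/32"},
}
APPROVED = ["10.20.30.0/24"]

if __name__ == "__main__":
    for service, finding in audit_gateway_rules(SAMPLE_RULES, APPROVED):
        print(f"{service}: {finding}")
```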