topic Re: Purpose of Checkpoint VSX technology in Firewall and Security Management

Purpose of Checkpoint VSX technology

Kakarot — Wed, 20 Dec 2023 16:39:43 GMT

Hello All,

I am trying to understand the reason for using Checkpoint's VSX technology. If you already have employed concepts such as, Multi-Domain management and have gateways installed on some Open Server. Do you really need VSX service or license? Will you not get the same functionality of VSX by implementing Multi-Domain and Virtual gateways on an open server?

See below extract from included link in checkpoint's community:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topics-FWG/VSX.htm

Extract:

VSX

Virtual System eXtension product runs several virtual firewalls on the same hardware. Each Virtual System works as a Security Gateway

Re: Purpose of Checkpoint VSX technology

the_rock — Wed, 20 Dec 2023 17:37:08 GMT

I think below explains it real well.

Andy

https://www.eginnovations.com/documentation/CheckPoint-Smart-Appliance/CheckPoint-Virtual-System.htm#:~:text=VSX%20(Virtual%20System%20Extension)%20is,or%20VLANs%20within%20complex%20infrastructures.

Re: Purpose of Checkpoint VSX technology

Alex- — Wed, 20 Dec 2023 18:15:01 GMT

In a nutshell:

Multi-domain is management virtualisation. Each domain is independent of the other so you can manage clients from the same multi-domain management server without mixing their data, each one has their own domain.

VSX is gateway virtualisation: you can use a dedicated appliance or server to run virtual firewalls which have their own IP space and each can use a different set of blades. Unlike virtual machines, the OS and patches are common since they run at the appliance/server level. So a single cluster could run for example 10 VS which do each their own routing and have their own policy.

You can use VSX with a multi-domain manager or an SMS. With an MDS, you could have each VS or multiple VS in a dedicated domain and some others in other ones. Without MDS, with SMS, you have one base domain and all VS share all objects but still have their own IP/blades configuration.

Please note this is really a basic explanation, the CCVS course for instance goes into much details of what VSX is.

Re: Purpose of Checkpoint VSX technology

Kakarot — Wed, 20 Dec 2023 19:06:50 GMT

@Alex-

Much thanks for this. I believe i understand better now. Multi-domain is for management and VSX is for gateways. I guess where I am at now is, If I have a server and want to install several gateways on that server. Do I need to use VSX technology to accomplish this?

Also,

Thanks for the suggested training. I will add that to my list of training to complete after I sit the CCSE.

https://training-certifications.checkpoint.com/#/courses/VSX%20Specialist%20R81.1%20(CCVS)

Re: Purpose of Checkpoint VSX technology

Kakarot — Wed, 20 Dec 2023 19:08:33 GMT

@the_rock ,

Thanks for replying Rock. I think I need some more clarity though.

Re: Purpose of Checkpoint VSX technology

the_rock — Wed, 20 Dec 2023 19:10:51 GMT

Personally, I would say no. If you are dealing with several gateways, regular mgmt is 100% fine. P-1 (MDS) and VSX are way more relevant for large-scale deployments where you wish to separate policies/objects. Its sort of like VDOMs with Fortinet, if you are familiar with that.

Essentially, every virtual "entity" would have their own policy as @Alex- indicated.

Andy

Re: Purpose of Checkpoint VSX technology

Kakarot — Wed, 20 Dec 2023 19:18:18 GMT

@the_rock

That is exactly what I was comparing the VSX and multi-domain concept to. The Fortinet VDOMs. So i really don't need to implement VSX then. @Alex- you also agree here right?

Re: Purpose of Checkpoint VSX technology

the_rock — Wed, 20 Dec 2023 19:21:23 GMT

Lets start with basics...how many locations? Gateways? Users? Approximate numbers would help.

Andy

Re: Purpose of Checkpoint VSX technology

Kakarot — Wed, 20 Dec 2023 19:25:34 GMT

@the_rock

See below approximate figures.

Locations: 3

Gateways: 12

users: no more than 1000

Re: Purpose of Checkpoint VSX technology

the_rock — Wed, 20 Dec 2023 19:28:03 GMT

Personally, I would not bother with VSX in that case. I had seem customers run way more than 12 gateways on single mgmt server and there was never an issue. Just make sure management is powerful enough (as far as memory, cpu, space). I would say if its VM, I always reocmmend SSH hdd, at least 12 or 16 GB of ram and 8 cores, but you can always scale it.

Just my honest opinion.

Andy

Re: Purpose of Checkpoint VSX technology

Kakarot — Wed, 20 Dec 2023 19:32:03 GMT

@the_rock ,

Much thanks for this. Well appreciated.

Re: Purpose of Checkpoint VSX technology

the_rock — Wed, 20 Dec 2023 19:34:51 GMT

Any time. Again, thats just my honest feedback, but you are certainly welcome to verify via an official TAC case or through your local Sales person.

Best regards and happy holidays

Andy

✌️

Re: Purpose of Checkpoint VSX technology

Bob_Zimmerman — Wed, 20 Dec 2023 20:08:24 GMT

I personally think "virtualization" is a deeply misleading term to use in marketing for VSX. It has nothing to do with VMs as most people think of them.

It's exactly like OpenBSD rdomains, Linux network namespaces (in fact, this is the exact technology which backs VSX), Arista/Cisco/Extreme/Juniper VRFs, Fortinet vdom, Palo Alto vsys, and so on. It gives you the ability to run multiple routing tables on a single physical firewall or cluster. As @Alex- mentioned, all VSs have the same view of the same OS and the same hardware. You can't patch or upgrade one VS at a time. Logs from all VSs go to the same volume on the drive.

There are four fundamental types of VS:

Layer 2 with no firewalling - virtual switch
Layer 2 with firewalling - bridge mode VS
Layer 3 with no firewalling - virtual router
Layer 3 with firewalling - normal VS

Switches do not consume a license slot. The other three types all consume license slots.

All firewall licenses come with the ability to run one VS. This is so you can separate to-traffic routing (i.e, traffic to the firewall to manage it) from through-traffic routing (i.e, routing for traffic the firewall handles but doesn't terminate).

Re: Purpose of Checkpoint VSX technology

the_rock — Wed, 20 Dec 2023 20:25:38 GMT

All excellent and valid points @Bob_Zimmerman 👍