https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78607#M9477 <P>Hi ,</P> <P>&nbsp;</P> <P>Trying to create a Bridge Mode VS in a VSX HA Cluster. This Cluster contains other Layer 3 VS's. I have read the User Manual and bit confused what options I need to choose . I assume following are correct.</P> <P>&nbsp;</P> <P>VSX is running on R80.10 Take 203 Active/Standby</P> <P>1. Go to each Cluster member, cpconfig and&nbsp;&nbsp;Enable ClusterXL for Bridge Active/Standby, Reboot.</P> <P>2.&nbsp; Go to Smart Console, Cluster Object Properties, Other, VSX Bridge Configuration, Select "Check Point ClusterXL", install the VSX Policy</P> <P>3. Create a VS with Bridge Mode selected and configure 2 interfaces.</P> <P>Could you confirm above steps are correct ?</P> <P>&nbsp;</P> <P>Also which file contains the VSX Cluster specific configuration ( I mean file name in the VSX Member) ?&nbsp;</P> <P>Thanks for your help</P> <P>&nbsp;</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P> <P>&nbsp;</P> Tue, 17 Mar 2020 22:46:43 GMT AM_2019 2020-03-17T22:46:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78607#M9477 <P>Hi ,</P> <P>&nbsp;</P> <P>Trying to create a Bridge Mode VS in a VSX HA Cluster. This Cluster contains other Layer 3 VS's. I have read the User Manual and bit confused what options I need to choose . I assume following are correct.</P> <P>&nbsp;</P> <P>VSX is running on R80.10 Take 203 Active/Standby</P> <P>1. Go to each Cluster member, cpconfig and&nbsp;&nbsp;Enable ClusterXL for Bridge Active/Standby, Reboot.</P> <P>2.&nbsp; Go to Smart Console, Cluster Object Properties, Other, VSX Bridge Configuration, Select "Check Point ClusterXL", install the VSX Policy</P> <P>3. Create a VS with Bridge Mode selected and configure 2 interfaces.</P> <P>Could you confirm above steps are correct ?</P> <P>&nbsp;</P> <P>Also which file contains the VSX Cluster specific configuration ( I mean file name in the VSX Member) ?&nbsp;</P> <P>Thanks for your help</P> <P>&nbsp;</P> <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;</P> <P>&nbsp;</P> Tue, 17 Mar 2020 22:46:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78607#M9477 AM_2019 2020-03-17T22:46:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78608#M9478 Those steps look correct to me.<BR /><BR />As for the "VSX Cluster Specific Configuration" there isn't one specific file.<BR />All the necessarily details are pushed from the management.<BR />As long as that is appropriately backed up, you should be able to recover in case the gateway fails.<BR /> Tue, 17 Mar 2020 23:36:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78608#M9478 PhoneBoy 2020-03-17T23:36:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78618#M9479 <P>Suggest also reviewing&nbsp;<SPAN>sk121451 and the fwkern.conf parameters.</SPAN></P> Wed, 18 Mar 2020 02:16:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78618#M9479 Chris_Atkinson 2020-03-18T02:16:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78675#M9480 <P>Answering the last question in the post:<BR /><BR />There are several special provisioning files on each of VSX cluster members, called local.vs, local.vsall, local.vskeep.<BR /><BR />However, they are used and updated only in conjunction with management server operations. In a nutshell, if SIC is up and MDS/SMS available, VSX cluster members always contact management domain first to get most up to date provisioning info.<BR /><BR />For implementation part, I strongly suggest you following the admin manual for your VSX version.</P> Wed, 18 Mar 2020 11:29:36 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/78675#M9480 _Val_ 2020-03-18T11:29:36Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/91805#M9481 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp;, I have similar setup but I just wanted to know if my interface configuration is correct. My intention is to allow all VLANs to pass through the firewall, now my interface config is non-trunk physical port (the trunk is not checked) for both of physical interface participating in the bridge link. So far, all it passes it all and well but I am just wondering if this is correct or do I need to tag the VLANs? However, if I tag each VLANs, VSX will not accept it because I am currently in Active/Standby mode. Is this how CP behaves in VSX bridge mode? Thanks a lot.</P> Fri, 17 Jul 2020 18:03:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/91805#M9481 CyberBreaker 2020-07-17T18:03:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/91815#M9482 <P>If you are talking about bridge mode, you need to create all interfaces with VLANs. there is not trunk mode there</P> Fri, 17 Jul 2020 20:31:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-Bridge-Mode-VS/m-p/91815#M9482 _Val_ 2020-07-17T20:31:02Z