https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259196#M43825 <P>You could perhaps cobble something together, but like Val, I would prefer to expand the management network and configure a clean setup instead of living with some makeshift crutches.</P> Tue, 07 Oct 2025 08:53:46 GMT Vincent_Bacher 2025-10-07T08:53:46Z https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259193#M43822 <P>Hi,</P><P>we have a setup of<BR />- 1 Management-Server<BR />- 2 Node HA-Cluster<BR />- Management-Network /29 size (don't ask...)<BR />1.1.1.1: Cluster IP<BR />1.1.1.2: Node 1<BR />1.1.1.3: Node 2<BR />1.1.1.4: Management-Server</P><P>Obviously this leaves two IP addresses unused within the subnet. I have added a drawing to show the setup.</P><P>Now the situation is:<BR />We need to add a 2-Node VSX-Cluster, which will be managed by the existing Management-Server. Since there is only two IP addresses left in the /29, we have patched an additional NIC and gave the Management-Server an additional IP address (2.2.2.6/28), in order to manage the VSX-Cluster via this additional network.</P><P>My question:<BR />IMHO there are two options to go proceed:</P><OL><LI><P>Go with the setup described above. This is also shown in the drawing (blue color is "new"). Has anybody done this setup and are there any caviats? As far as I remember, Check Point recommends having a single Management-network that contains all CP appliances.</P></LI><LI><P>Resize the existing /29 to a /28, which could be done with little effort, since the second half of the future /28 only containts idrac-Cards, which could be migrated easily into a new IP space.</P></LI></OL><P>Thank you very much in advance, appreciate your help!</P> Tue, 07 Oct 2025 08:19:27 GMT https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259193#M43822 Robert135242 2025-10-07T08:19:27Z https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259194#M43823 <P>The main issue that I see with the proposed setup is that you might cut off the VSX cluster from MGMT if the wrong policy is installed on the HA cluster, routing from Net 1 to Net 2.</P> <P>I would indeed recommend extending the MGMT subnet to accommodate the new VSX cluster management IPs as an alternative.</P> <P>&nbsp;</P> Tue, 07 Oct 2025 08:42:18 GMT https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259194#M43823 _Val_ 2025-10-07T08:42:18Z https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259195#M43824 <P>But the VSX Cluster is directly connected to the network (2.2.2.0/28) where also the management-server is directly connected. So in theory, this should not be a routing/policy issue?</P> Tue, 07 Oct 2025 08:50:33 GMT https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259195#M43824 Robert135242 2025-10-07T08:50:33Z https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259196#M43825 <P>You could perhaps cobble something together, but like Val, I would prefer to expand the management network and configure a clean setup instead of living with some makeshift crutches.</P> Tue, 07 Oct 2025 08:53:46 GMT https://community.checkpoint.com/t5/General-Topics/Management-Server-Addition-NIC-or-VSX-Cluster/m-p/259196#M43825 Vincent_Bacher 2025-10-07T08:53:46Z