cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

R80.20: vsx, vsx_provisioning_tool, anti-spoofing

Dear Check Mates,

Recently we started with the provisioning of virtual systems using the provisioning tool, because the Check Point API (version 1.3) does not support VSX/VSLS (yet). We have to provision 50+ virtual systems.

One of the features in R80.20 is Network defined by routes: it really works well (compared with the specific option). See screenshot.

Unfortunately, the Network defined by routes can't be configured using the vsx_provision_tool:

add interface vd <vd name>[name <physical or VLAN interface name>] [leads_to <Virtual Router|Virtual Switch>] [ip <ipv4 address>[/<ipv4 prefix>]] [netmask <IPv4 netmask>] [prefix <IPv4 prefix>]] [propagate <true|false>] [ip6 <ipv6 address>[/<ipv6 prefix>]] [netmask6 <IPv6 netmask>] [prefix6 <IPv6 prefix>]] [propagate6 <true|false>] [topology <external|internal_undefined|internal_this_network|internal_specific>] specific_group <group name>]] [mtu MTU]

We have to update the topology settings for 50+ virtual systems. A cumbersome task that can easily take two hours, which only is rewarding when you are paid per hour!

Hence: automation/orchestration becomes a manual tasks.

We would appreciate if Check Point can add the following features to its next release of R80:

  • Update the vsx_provisioning_tool (can be done rather quickly)
  • Full API support for VSX/VSLS; at the moment there are too many repetitive tasks that have to be done manually. In reality you don't want to use the vsx_provisioning_tool but tools like Ansible.

Many thanks.

Kind regards,

Kris

2 Replies
Admin
Admin

Re: R80.20: vsx, vsx_provisioning_tool, anti-spoofing

Gateway objects in general (including VSX) need better API support and I know it’s planned.

Updating vsx_provisioning_tool in the meantime seems reasonable but not sure if/when that’s planned.

Highlighted

Re: R80.20: vsx, vsx_provisioning_tool, anti-spoofing

But just to mention: 

VSX is using routing information for anti-spoofing anyway!

That's nothing new and available for a long time as routing is configured through management.

Just make sure the checkbox is active on the virtual system.

(On by default, but can be changed with parameter calc_topo_auto in provisioning tool)