This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
josrime
Explorer
‎2022-11-18 03:46 PM
Jump to solution

Firewall Instances

Hi everybody!

Can a Check Point Appliance support virtualization of Firewall instances?

 

 

0 Kudos
2 Solutions

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-11-18 03:47 PM
Jump to solution

Yes we call it VSX and needs a specific license based on the number of Virtual Systems to be deployed.

Admin guide:

https://downloads.checkpoint.com/dc/download.htm?ID=103853

 

CCSM R77/R80/ELITE

View solution in original post

Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-11-18 04:50 PM
Jump to solution

One important thing to be aware of: VSX is VRFs (technically network namespaces). It doesn't run a bunch of firewall virtual machines. It's all one OS, one software version, one filesystem. When you upgrade, the whole box is upgraded at once. This is the same as Fortinet vdoms, Palo Alto vsys, and so on, but if you're coming from the virtualization world, it is emphatically not VMs.

This means that maintenance windows and outages affect every VS on the box or cluster. This isn't necessarily a problem, just something to include in your availability planning. If you don't, it's really easy to get yourself into a situation where you can't ever risk an outage for an upgrade.

If you want to implement VSX, ask around for issues people have hit and things they wish they had done if they could start over. My big one is interfaces. Only ever let VSX know about bonds. It cares a lot about the names of the interfaces it uses, which makes hardware swaps more complicated (the names don't always line up). By only letting VSX use bonds, you can change which physical interfaces are a part of the bond much more easily.

 

If you're talking about real VMs, you can run Check Point's software in a VM, for example on your ESXi farm. That has nothing to do with appliances.

View solution in original post

3 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-11-18 03:47 PM
Jump to solution

Yes we call it VSX and needs a specific license based on the number of Virtual Systems to be deployed.

Admin guide:

https://downloads.checkpoint.com/dc/download.htm?ID=103853

 

CCSM R77/R80/ELITE
the_rock
MVP Platinum
MVP Platinum
‎2022-11-18 03:48 PM
Jump to solution

Chris is right and for your reference below:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_VSX_AdminGuide/Topics-VSXG/Introdu...

Andy

Best,
Andy
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2022-11-18 04:50 PM
Jump to solution

One important thing to be aware of: VSX is VRFs (technically network namespaces). It doesn't run a bunch of firewall virtual machines. It's all one OS, one software version, one filesystem. When you upgrade, the whole box is upgraded at once. This is the same as Fortinet vdoms, Palo Alto vsys, and so on, but if you're coming from the virtualization world, it is emphatically not VMs.

This means that maintenance windows and outages affect every VS on the box or cluster. This isn't necessarily a problem, just something to include in your availability planning. If you don't, it's really easy to get yourself into a situation where you can't ever risk an outage for an upgrade.

If you want to implement VSX, ask around for issues people have hit and things they wish they had done if they could start over. My big one is interfaces. Only ever let VSX know about bonds. It cares a lot about the names of the interfaces it uses, which makes hardware swaps more complicated (the names don't always line up). By only letting VSX use bonds, you can change which physical interfaces are a part of the bond much more easily.

 

If you're talking about real VMs, you can run Check Point's software in a VM, for example on your ESXi farm. That has nothing to do with appliances.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events