Re: VSX VS0 Interfaces

Dor_Marcovitch · ‎2018-06-13

hey

is it possible that VS0 will have multiple interfaces (LAN and WAN)?
is it possible to route traffic through VS0?
has anyone deployed VSX on remote datacenter which VS0 has interface has interface to the itnernet

Kaspars_Zibarts · ‎2018-06-13

Never done it that way but I assume so - it's just a regular firewall in that sense. (traffic/interfaces)

We always had another VS in front of VS0 for traffic coming from internet. I guess you are worried if VSX goes down then you won't be able to reach VS0? Out of band option?

Dor_Marcovitch · ‎2018-06-13

exactly.

Kaspars Zibarts wrote:
I guess you are worried if VSX goes down then you won't be able to reach VS0? Out of band option?

i don't have spare interfaces on the VSX , currently bond1 is my dedicated management interface.

what should be the proccess of moving the ip from bond1 to bond1.10 and adding another interface to vs0 bond1.20 ?

thanks

Kaspars_Zibarts · ‎2018-06-13

In all honesty I don't see it as a big problem having VS0 exposed to internet directly - as long as you have good rulebase and password policy in place

It will be as good as having another firewall in front of it. Minus DDOS - you would be exposed unless you have some external device to protect you from floods.

Vladimir · ‎2018-06-13

Kaspars,

How do you access a VS0 policy post-installation?

I recall being presented with default VSX policy configuration options when converting gateways or clusters to VSX, but cannot figure out where it is hiding once you are operating the unit or cluster.

Kaspars_Zibarts · ‎2018-06-13

Hi Vlad! I'm not entirely sure if I understand your question. VS0 (VSX cluster object) policy is accessible just like any other, from appropriate CMA (in case you use MDM).

I might have misunderstood you

Vladimir · ‎2018-06-13

We may be speaking of different things, but just in case we are not, please verify this:

During initial VSX configuration you have an opportunity to define this policy:

Looking under the VSX Cluster object, you do not see the VS0 (at least I do not see it in the R77.30 demo mode and VSX is not available as an object in R80.10 demo):

So I m not sure how you could specify it as an installation target for the dedicated policy or rules in the common one.

Kaspars_Zibarts · ‎2018-06-13

VSX cluster object is your VS0

Kaspars_Zibarts · ‎2018-06-13

Here's view from command line

and install targets

Vladimir · ‎2018-06-14

That's what I thought, but the initial policy created during installation/conversion is not visible as a stand-alone name policy package.

So you are able to create an additional policy and use cluster object as a target, but where is the policy that was originally created?

If you are to create a new VSX object and look at it via CLI in the context of VS0, what policy will be shown?

Could it be opened and edited?

Kaspars_Zibarts · ‎2018-06-15

If you refer to this one (had to create a test VM just for you as our VSXes were created million years ago..)

and here's the policy it created "testvsx_VSX"

Vladimir · ‎2018-06-15

Thanks! Exactly what i was looking for.

It's just happen to be missing from the Demo Mode in R77.30 and there are no VSX objects in R80.10 Demo, hence the confusion.

Appreciate you going an extra mile to clear the fog

Are you a member of CheckMates?

VSX VS0 Interfaces