This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ivo_Marques
Contributor
‎2018-09-26 05:48 AM

MDS and VSX

Dear Mates,

We are starting a new MDS R80.10 with several VSX clusters and we also have two sites geographically distants, On R77.30 and below the logic was a DOMAIN for all the VSX Cluster and a Domain for each VS.

Someone suggest us to use the GLOBAL Domain to put the VSX Cluster. This is even possible? What are the advantages? Do anyone recommend it?

Regards,
Ivo

3 Replies
Maarten_Sjouw
Champion
Champion
‎2018-09-27 11:27 AM

No you can't use the global, why: you can't push any policy from global to the gateways.

The practice to use a separate domain for the physical cluster is that you cannot mess it up from any of the VS based domains.

We are an MSP that supply managed services to our customers, some of them use VSX and when they do and they are allowed to do management themselves you also need to allow them Write access to the domain containing the VSX boxes.

We have come to the following differentiation:

  • When the hardware is dedicated to a customer and all VS'es are managed from the same domain, put these boxes in the same domain. (we have a couple of these kind of customers)
  • When the hardware is dedicated to a customer and that customer wants to have multiple domains, we can set it up this way.
  • When we install a Shared environment with many different customers we put the VSX Boxes in a seperate domain with those VSX boxes in it only. (we have multiple clusters in 1 domain for this type of setup)
  • Last but not least, we also have situations where we need an additional FW but do not have the hardware within the contract to add another, we set the machine up as a VSX machine/cluster and use the ability within the Appliance license to add 1 VS. This way you have a Physical gateway and a VS on top of it. In a cluster you can even get the 2 boxes to run an instance each, so VS0 on FW1 and VS1 on FW2.

Hope this helps a bit?

Regards, Maarten
Ivo_Marques
Contributor
‎2018-10-22 01:34 AM
In response to Maarten_Sjouw

Thanks Marteen for your help and sorry for the late response.

We are on the same page - We are doing the VSX implementation in the same way but I didn't understand the last paragraph - somtimes you use the VS0 for a customer, that it?

Best regards,

Ivo

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-10-22 06:09 AM
In response to Ivo_Marques

When you need 2 firewalls for a customer and you cannot get the customer to pay for another you can use the same box with VSX and you use both VS0 and VS1.

All you need is sufficient interfaces. In one case I have a cluster running, where member 1 is handling traffic for VS0 and member 2 is handling all traffic for VS1.

Works all just fine.

Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events