Create a Post
Showing results for 
Search instead for 
Did you mean: 

R80.20: vsx, vsx_provisioning_tool, anti-spoofing

Dear Check Mates,

Recently we started with the provisioning of virtual systems using the provisioning tool, because the Check Point API (version 1.3) does not support VSX/VSLS (yet). We have to provision 50+ virtual systems.

One of the features in R80.20 is Network defined by routes: it really works well (compared with the specific option). See screenshot.

Unfortunately, the Network defined by routes can't be configured using the vsx_provision_tool:

add interface vd <vd name>[name <physical or VLAN interface name>] [leads_to <Virtual Router|Virtual Switch>] [ip <ipv4 address>[/<ipv4 prefix>]] [netmask <IPv4 netmask>] [prefix <IPv4 prefix>]] [propagate <true|false>] [ip6 <ipv6 address>[/<ipv6 prefix>]] [netmask6 <IPv6 netmask>] [prefix6 <IPv6 prefix>]] [propagate6 <true|false>] [topology <external|internal_undefined|internal_this_network|internal_specific>] specific_group <group name>]] [mtu MTU]

We have to update the topology settings for 50+ virtual systems. A cumbersome task that can easily take two hours, which only is rewarding when you are paid per hour!

Hence: automation/orchestration becomes a manual tasks.

We would appreciate if Check Point can add the following features to its next release of R80:

  • Update the vsx_provisioning_tool (can be done rather quickly)
  • Full API support for VSX/VSLS; at the moment there are too many repetitive tasks that have to be done manually. In reality you don't want to use the vsx_provisioning_tool but tools like Ansible.

Many thanks.

Kind regards,


5 Replies

Gateway objects in general (including VSX) need better API support and I know it’s planned.

Updating vsx_provisioning_tool in the meantime seems reasonable but not sure if/when that’s planned.


But just to mention: 

VSX is using routing information for anti-spoofing anyway!

That's nothing new and available for a long time as routing is configured through management.

Just make sure the checkbox is active on the virtual system.

(On by default, but can be changed with parameter calc_topo_auto in provisioning tool)


Jumping on to this thread.

How can I create an interface but ensure the anti-spoofing is set to detect and not prevent via the provisioning tool?

0 Kudos

R80.20 JHF T208

PRJ-32530, PMTR-74770

VSX: UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

R80.20 JHF T202

PRJ-21258, VSX-2520

VSX: Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool.

0 Kudos

I remember that! I was the one that raised it with TAC.

That said - my question related to just adding an interface and ensuring Anti-spoofing did not default to 'prevent'.  Is there a parameter for Anti-Spoofing that can set the mode to detect, rather then prevent?

0 Kudos