This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kris_Pellens
Collaborator
‎2018-10-27 02:26 AM
Jump to solution

R80.20: vsx, vsx_provisioning_tool, anti-spoofing

Dear Check Mates,

Recently we started with the provisioning of virtual systems using the provisioning tool, because the Check Point API (version 1.3) does not support VSX/VSLS (yet). We have to provision 50+ virtual systems.

One of the features in R80.20 is Network defined by routes: it really works well (compared with the specific option). See screenshot.

Unfortunately, the Network defined by routes can't be configured using the vsx_provision_tool:

add interface vd <vd name>[name <physical or VLAN interface name>] [leads_to <Virtual Router|Virtual Switch>] [ip <ipv4 address>[/<ipv4 prefix>]] [netmask <IPv4 netmask>] [prefix <IPv4 prefix>]] [propagate <true|false>] [ip6 <ipv6 address>[/<ipv6 prefix>]] [netmask6 <IPv6 netmask>] [prefix6 <IPv6 prefix>]] [propagate6 <true|false>] [topology <external|internal_undefined|internal_this_network|internal_specific>] specific_group <group name>]] [mtu MTU]

We have to update the topology settings for 50+ virtual systems. A cumbersome task that can easily take two hours, which only is rewarding when you are paid per hour!

Hence: automation/orchestration becomes a manual tasks.

We would appreciate if Check Point can add the following features to its next release of R80:

  • Update the vsx_provisioning_tool (can be done rather quickly)
  • Full API support for VSX/VSLS; at the moment there are too many repetitive tasks that have to be done manually. In reality you don't want to use the vsx_provisioning_tool but tools like Ansible.

Many thanks.

Kind regards,

Kris

1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-10-18 05:12 PM
In response to DZ_KB
Jump to solution

Does it not work for you or is it simply missing from the documentation, what do you see in the output of the following?

[Expert@hostname:0]# vsx_provisioning_tool -h | grep defined_by_routes

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
(1)
9 Replies
PhoneBoy
Admin
Admin
‎2018-10-27 07:24 AM
Jump to solution

Gateway objects in general (including VSX) need better API support and I know it’s planned.

Updating vsx_provisioning_tool in the meantime seems reasonable but not sure if/when that’s planned.

Norbert_Bohusch
Advisor
‎2018-10-28 06:13 AM
Jump to solution

But just to mention: 

VSX is using routing information for anti-spoofing anyway!

That's nothing new and available for a long time as routing is configured through management.

Just make sure the checkbox is active on the virtual system.

(On by default, but can be changed with parameter calc_topo_auto in provisioning tool)

genisis__
MVP Silver
MVP Silver
‎2022-05-13 10:57 AM
In response to Norbert_Bohusch
Jump to solution

Jumping on to this thread.

How can I create an interface but ensure the anti-spoofing is set to detect and not prevent via the provisioning tool?

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-05-14 02:49 AM
Jump to solution

R80.20 JHF T208

PRJ-32530, PMTR-74770

VSX: UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

R80.20 JHF T202

PRJ-21258, VSX-2520

VSX: Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool.

CCSM R77/R80/ELITE
0 Kudos
genisis__
MVP Silver
MVP Silver
‎2022-05-14 03:08 AM
In response to Chris_Atkinson
Jump to solution

I remember that! I was the one that raised it with TAC.

That said - my question related to just adding an interface and ensuring Anti-spoofing did not default to 'prevent'.  Is there a parameter for Anti-Spoofing that can set the mode to detect, rather then prevent?

0 Kudos
DZ_KB
Collaborator
‎2023-10-18 10:25 AM
In response to Chris_Atkinson
Jump to solution

Hi @Chris_Atkinson ,

in the VSX r81.10 admin guide there is no option to configure an interface with topology "defined by routes" with vsx provisonning tool. This is strange because it's written that is now available since r81.10 take 38 

PRJ-32534,
PMTR-74770

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10/R81.10/Take_38.htm

thank you in advance for your lights

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-10-18 05:12 PM
In response to DZ_KB
Jump to solution

Does it not work for you or is it simply missing from the documentation, what do you see in the output of the following?

[Expert@hostname:0]# vsx_provisioning_tool -h | grep defined_by_routes

CCSM R77/R80/ELITE
0 Kudos
(1)
DZ_KB
Collaborator
‎2023-10-18 11:23 PM
In response to Chris_Atkinson
Jump to solution

I find it with "vsx_provisioning_tool -h".

So it's only missed in the documentation.

 

0 Kudos
K_R_V
Collaborator
‎2023-11-09 04:13 AM
In response to DZ_KB
Jump to solution

THX !

topology defined_by_routes did the job !

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events