Kris_Pellens
Collaborator

R80.20: vsx, vsx_provisioning_tool, anti-spoofing

Dear Check Mates,

Recently we started with the provisioning of virtual systems using the provisioning tool, because the Check Point API (version 1.3) does not support VSX/VSLS (yet). We have to provision 50+ virtual systems.

One of the features in R80.20 is Network defined by routes: it really works well (compared with the specific option). See screenshot.

Unfortunately, the Network defined by routes can't be configured using the vsx_provisioning_tool:

add interface vd <vd name>[name <physical or VLAN interface name>] [leads_to <Virtual Router|Virtual Switch>] [ip <ipv4 address>[/<ipv4 prefix>]] [netmask <IPv4 netmask>] [prefix <IPv4 prefix>]] [propagate <true|false>] [ip6 <ipv6 address>[/<ipv6 prefix>]] [netmask6 <IPv6 netmask>] [prefix6 <IPv6 prefix>]] [propagate6 <true|false>] [topology <external|internal_undefined|internal_this_network|internal_specific>] specific_group <group name>]] [mtu MTU]

We have to update the topology settings for 50+ virtual systems. A cumbersome task that can easily take two hours, which is only rewarding when you are paid per hour!

Hence: automation/orchestration becomes a manual task.

We would appreciate it if Check Point can add the following features to its next release of R80:

  • Update the vsx_provisioning_tool (can be done rather quickly)
  • Full API support for VSX/VSLS; at the moment there are too many repetitive tasks that have to be done manually. In reality you don't want to use the vsx_provisioning_tool but tools like Ansible.

Many thanks.

Kind regards,

Kris

PhoneBoy
Admin

Gateway objects in general (including VSX) need better API support and I know it’s planned.

Updating vsx_provisioning_tool in the meantime seems reasonable but not sure if/when that’s planned.

Norbert_Bohusch
Advisor

But just to mention: 

VSX is using routing information for anti-spoofing anyway!

That's nothing new and available for a long time as routing is configured through management.

Just make sure the checkbox is active on the virtual system.

(On by default, but can be changed with parameter calc_topo_auto in provisioning tool)

genisis__
Leader

Jumping on to this thread.

How can I create an interface but ensure the anti-spoofing is set to detect and not prevent via the provisioning tool?

Chris_Atkinson
Employee

R80.20 JHF T208

PRJ-32530, PMTR-74770

VSX: UPDATE: It is now possible to define interface topology as "defined by routes" using the VSX provisioning tool.

R80.20 JHF T202

PRJ-21258, VSX-2520

VSX: Allow the addition of routes with specific group of type "Group with Exclusion" when using VSX Provisioning tool.

CCSM R77/R80/ELITE
genisis__
Leader

I remember that! I was the one that raised it with TAC.

That said - my question related to just adding an interface and ensuring Anti-spoofing did not default to 'prevent'. Is there a parameter for Anti-Spoofing that can set the mode to detect, rather than prevent?

DZ_KB
Collaborator

Hi @Chris_Atkinson ,

In the VSX R81.10 admin guide there is no option to configure an interface with topology "defined by routes" with the vsx provisioning tool. This is strange, because it's written that it is now available since R81.10 Take 38

PRJ-32534,
PMTR-74770

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.10/R81.10/Take_38.htm

Thank you in advance for your lights

Chris_Atkinson
Employee

Does it not work for you, or is it simply missing from the documentation? What do you see in the output of the following?

[Expert@hostname:0]# vsx_provisioning_tool -h | grep defined_by_routes

CCSM R77/R80/ELITE
DZ_KB
Collaborator

I find it with "vsx_provisioning_tool -h".

So it's only missing in the documentation.

 

K_R_V
Collaborator

THX !

topology defined_by_routes did the job !

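Added example, not part of the thread or Check Point's own tooling: a small shell generator for the repetitive 50+ virtual system case discussed above. It emits `add interface` lines using only the keywords quoted in the posts (including `topology defined_by_routes`) and rejects malformed rows; the inventory format, the VS and interface names, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Keywords (add interface, vd, name, ip,
# topology) are the ones quoted in the posts; the inventory is constructed.

# Pass the tool's help text in, e.g. "$(vsx_provisioning_tool -h)".
supports_defined_by_routes() {
    case "$1" in *defined_by_routes*) return 0 ;; *) return 1 ;; esac
}

# Topology values that need no specific_group argument.
valid_topology() {
    case "$1" in external|internal_undefined|internal_this_network) return 0 ;; esac
    [ "$1" = defined_by_routes ]
}

# Accept only dotted-quad IPv4 with a /0-/32 prefix.
valid_cidr() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1                      # no "/prefix" part
    case "$addr" in *[!0-9.]*|*.) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs      # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read "<vd> <interface> <ip/prefix> <topology>" rows on stdin, print one
# command per valid row, report bad rows on stderr and return non-zero.
build_batch() {
    rc=0
    while read -r vd ifname cidr topo; do
        case "$vd" in ''|'#'*) continue ;; esac          # skip blanks, comments
        if valid_cidr "$cidr" && valid_topology "$topo"; then
            printf 'add interface vd %s name %s ip %s topology %s\n' "$vd" "$ifname" "$cidr" "$topo"
        else
            printf 'rejected: %s %s %s %s\n' "$vd" "$ifname" "$cidr" "$topo" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed inventory; the second row has an invalid octet and is rejected.
build_batch <<'EOF' || echo "some rows were rejected" >&2
VS_Customer01 eth1.101 10.1.101.1/24 defined_by_routes
VS_Customer02 eth1.102 10.1.102.300/24 defined_by_routes
EOF
```

On a real management server, gate the batch on `supports_defined_by_routes "$(vsx_provisioning_tool -h)"`, which is the same check suggested in the thread.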
