This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
smartfixes
Explorer
Wednesday

Policy error while adding VSX gateway to SmartConsole

Hi everyone, I am trying setup vsx gateway in a lab and while adding the vsx gateway i get this error:

Installing default Policy 'vsx_gw_VSX' on vsx_gw...

Layer : vsx_gw_VSX Network : There is only one interface defined for object gateway. At least one more interface must be configured for this object in order to use the Anti-Spoofing feature.
Policy verification failed.
Failed to install default policy vsx_gw_VSX on vsx_gw

Installing VSX default policy operation has finished with errors.
This could have happen due to time-out while installing security policy.
Check the modules to see if security policy is installed. if so discard
this error message.
If policy is not installed make sure that the failed Virtual System/Router
is accessible from the management server, and that you have a valid license.
Try to install security policy manually from the SmartDashboard.
If the problem persists contact Check Point Technical Support.

Operation has failed.

SIC trust established

I have multiple interface with IP configured on them

vsx mode enabled.

How can I fix this?

0 Kudos
17 Replies
Martijn
Advisor
Advisor
Thursday

Hi,

Are you trying to create a legacy VSX Gateway or a VSNext Gateway? Which version are you using.

Do not configure multiple IP-addressen on a gateway you are going to use as a Legacy VSX Gateway. IP-addresses are configured from SmartConsole. One IP for management is enough to connect to the SmartCenter.

Are Implied Rules disabled? If Implied Rules are disabled the first policy install will fail because control connections are lost.

Regards,
Martijn

 

 

0 Kudos
smartfixes
Explorer
Thursday
In response to Martijn

I am using R81.20. I have even tried it with just management interface. 

0 Kudos
AkosBakos
MVP Silver
MVP Silver
Thursday

Hi!

What is under the Topology section by the interfaces? (Internal, External, etc.)

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
smartfixes
Explorer
Thursday
In response to AkosBakos

It won't get to that point to check topology. Gives error while adding it the first time.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
Thursday
In response to smartfixes

To me, below pretty much explains why this fails. How many interfaces do you have configured? Appears its only one, in which case you can NOT use anti spoofing. More less, thats how it works even on regular gateways, say if you have one interface + sync.

error:

Layer : vsx_gw_VSX Network : There is only one interface defined for object gateway. At least one more interface must be configured for this object in order to use the Anti-Spoofing feature.
Policy verification failed.
Failed to install default policy vsx_gw_VSX on vsx_gw

Best,
Andy
0 Kudos
smartfixes
Explorer
yesterday
In response to the_rock

I have added 2 more interfaces apart from the management one. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
Saturday
In response to smartfixes

Are you able to paste the screenshot of the topology?

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday

Hey mate,

Were you able to sort this out?

Best,
Andy
0 Kudos
smartfixes
Explorer
yesterday
In response to the_rock

No still working 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to smartfixes

Did you open TAC case?

Best,
Andy
0 Kudos
smartfixes
Explorer
yesterday
In response to the_rock

No, as it is a test environment on VMWare. I have done same with physical equipment and didn't have any issues

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to smartfixes

Definitely sounds like vmware host settings. I had not dealt with vmware in some time, as we mostly use eve-ng for labs, but if you upload a screenshot of vm settings, I might be able to spot something that could be an issue. 

Best,
Andy
0 Kudos
smartfixes
Explorer
yesterday
In response to the_rock

Sorry it is eve-ng on esxi host. I have a lab in eve. Lab is very simple. I have one switch and local subnet where one management server is connected to the gateway and trying to add it as VSX gateway

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to smartfixes

Let me try this tomorrow morning and see what happens.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to smartfixes

Btw, quick question...Im trying to remember what options to select when going through first time wizard, as last time I just did vsnext option, not sure how you did it on your end? I want to make sure I did exactly the same as yourself.

Best,
Andy
0 Kudos
smartfixes
Explorer
yesterday
In response to the_rock

I have R81.20 and First time wizard I don't see any option to select vsx option. Once i have done the first time wizard, I go in clish and add set vxs on and then move to smart console and add VSX gateway option

0 Kudos
the_rock
MVP Platinum
MVP Platinum
yesterday
In response to smartfixes

Got it! Let me give it a try tomorrow in the lab and will let you know.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events