Kakarot
Participant

Purpose of Checkpoint VSX technology

Hello All,

I am trying to understand the reason for using Checkpoint's VSX technology if you have already employed concepts such as Multi-Domain management and have gateways installed on an open server. Do you really need the VSX service or license? Will you not get the same functionality as VSX by implementing Multi-Domain and virtual gateways on an open server?


See the extract below from the link included in Checkpoint's community:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_NextGenSecurityGateway_Guide/Topic... 


Extract:

VSX

The Virtual System eXtension product runs several virtual firewalls on the same hardware. Each Virtual System works as a Security Gateway.

13 Replies
Kakarot
Participant

@the_rock ,

Thanks for replying Rock. I think I need some more clarity though. 

Alex-
Advisor

In a nutshell:

Multi-domain is management virtualisation. Each domain is independent of the others, so you can manage clients from the same multi-domain management server without mixing their data; each one has its own domain.

VSX is gateway virtualisation: you can use a dedicated appliance or server to run virtual firewalls which have their own IP space, and each can use a different set of blades. Unlike virtual machines, the OS and patches are common, since they run at the appliance/server level. So a single cluster could run, for example, 10 VSs, each of which does its own routing and has its own policy.

You can use VSX with a multi-domain manager or an SMS. With an MDS, you could have each VS, or multiple VSs, in a dedicated domain and some others in other ones. Without MDS, with an SMS, you have one base domain and all VSs share all objects but still have their own IP/blade configuration.

Please note this is really a basic explanation; the CCVS course, for instance, goes into much more detail on what VSX is.
Kakarot
Participant

@Alex- 

Much thanks for this. I believe I understand better now. Multi-domain is for management and VSX is for gateways. I guess where I am at now is: if I have a server and want to install several gateways on that server, do I need to use VSX technology to accomplish this?

Also,

Thanks for the suggested training. I will add that to my list of training to complete after I sit the CCSE.

https://training-certifications.checkpoint.com/#/courses/VSX%20Specialist%20R81.1%20(CCVS) 

the_rock
Legend

Personally, I would say no. If you are dealing with several gateways, regular mgmt is 100% fine. P-1 (MDS) and VSX are way more relevant for large-scale deployments where you wish to separate policies/objects. It's sort of like VDOMs with Fortinet, if you are familiar with that.

Essentially, every virtual "entity" would have their own policy as @Alex- indicated.

Andy

Kakarot
Participant

@the_rock 

That is exactly what I was comparing the VSX and multi-domain concept to: the Fortinet VDOMs. So I really don't need to implement VSX then. @Alex- you also agree here, right?

the_rock
Legend

Let's start with basics... how many locations? Gateways? Users? Approximate numbers would help.

Andy

Kakarot
Participant

@the_rock 

See below approximate figures.

Locations: 3

Gateways: 12

Users: no more than 1000

the_rock
Legend

Personally, I would not bother with VSX in that case. I have seen customers run way more than 12 gateways on a single mgmt server and there was never an issue. Just make sure management is powerful enough (as far as memory, CPU, space). I would say if it's a VM, I always recommend SSD storage, at least 12 or 16 GB of RAM and 8 cores, but you can always scale it.

Just my honest opinion.

Andy

Kakarot
Participant

@the_rock ,

Much thanks for this. Well appreciated. 

the_rock
Legend

Any time. Again, that's just my honest feedback, but you are certainly welcome to verify via an official TAC case or through your local Sales person.

Best regards and happy holidays

Andy

✌️

Bob_Zimmerman
Authority

I personally think "virtualization" is a deeply misleading term to use in marketing for VSX. It has nothing to do with VMs as most people think of them.

It's exactly like OpenBSD rdomains, Linux network namespaces (in fact, this is the exact technology which backs VSX), Arista/Cisco/Extreme/Juniper VRFs, Fortinet VDOMs, Palo Alto vsys, and so on. It gives you the ability to run multiple routing tables on a single physical firewall or cluster. As @Alex- mentioned, all VSs have the same view of the same OS and the same hardware. You can't patch or upgrade one VS at a time. Logs from all VSs go to the same volume on the drive.

There are four fundamental types of VS:

  • Layer 2 with no firewalling - virtual switch
  • Layer 2 with firewalling - bridge mode VS
  • Layer 3 with no firewalling - virtual router
  • Layer 3 with firewalling - normal VS

Switches do not consume a license slot. The other three types all consume license slots.

All firewall licenses come with the ability to run one VS. This is so you can separate to-traffic routing (i.e., traffic to the firewall to manage it) from through-traffic routing (i.e., routing for traffic the firewall handles but doesn't terminate).

the_rock
Legend

All excellent and valid points @Bob_Zimmerman 👍
