This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bruno_Petronio
Contributor
‎2021-03-09 06:29 AM

VSX and VS in different domains ?

Hello All,

 

I've read somewhere, that would be possible to have a VSX Gateway inside a specific Domain (MDM environment) and create VS from that VSX Gateway in different Domains.

 

Is this something feasible ?

Inside the domain where i want to create the VS, i can see the VSX Gateways that reside in different domains, so i would guess its possible.

VS_creating_diff_Domain.png

Is this something that someone already tried ?

Pros/Cons would be grateful.

 

Thanks in advance !

Bruno Petrónio

0 Kudos
13 Replies
genisis__
Mentor Mentor
Mentor
‎2021-03-09 08:09 AM

If the VSX is managed from a MDS setup then far as I'm aware the VSX appliances should be managed via the main domain, in this way this can then be seen by customer domains.

Bruno_Petronio
Contributor
‎2021-03-09 03:12 PM
In response to genisis__

Main Domain, implies that only one Domain could have the VSX Gateway ?

If i need 2 VSX Gateway (not cluster), is it possible/make sense to have it in different domains ?

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-03-09 11:08 AM

The short explanation is this is how VSX and Provider-1 are meant to be used together in a managed service provider context. You, the service provider, own the MDS and the VSX chassis. You then provision a Customer Management Add-on for the customer, and a VS (or several) to go with it.

Bruno_Petronio
Contributor
‎2021-03-09 03:18 PM
In response to Bob_Zimmerman

Thanks for clarifying that.

We are not running different customers, but have business related needs and we are running VSX for the virtualization fun/benefits 🙂

Saying that, make sense to have VSXs together in one domain and all VSs spread by different Domains, right ?

No Pros having VSX and VSs per Domain, i would say. 

0 Kudos
Norbert_Bohusch
Advisor
‎2021-03-09 11:13 AM

As stated already one reason was separation in provider/customer scenario.

But this was also a best practice to have a separate domain for the VSX gateways, as changes to a VS also locked the domain of VSX gateway (before R80) and so you separated it.

Vincent_Bacher
Advisor
Advisor
‎2021-03-09 11:46 AM

We have many VSX and their vs separated in different CMA. I don't really see a disadvantage of doing that if there is a need to do so. 

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Bruno_Petronio
Contributor
‎2021-03-09 03:03 PM
In response to Vincent_Bacher

You mean, many VSX in one domain (called main domain), and their VS inside the several other domains ?

0 Kudos
Vladimir
Champion
Champion
‎2021-03-09 05:15 PM
In response to Bruno_Petronio

I've written something on this subject some time ago for R77.30

https://community.checkpoint.com/t5/General-Topics/MDSM-with-VSX-Configuration-Guide-and-Architectur...

Perhaps you'd find it useful.

Vincent_Bacher
Advisor
Advisor
‎2021-03-10 06:46 AM
In response to Bruno_Petronio

Yes, we have several VSX one domain and their VS inside several other domains. We really have some vsx in a domain called main but several others in different domains.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
genisis__
Mentor Mentor
Mentor
‎2021-03-10 06:54 AM
In response to Vincent_Bacher

I believe VSX clusters in the main domain can be shared with other CMAs.  VSX Clusters controlled by a customer CMA, are only usable within that domain and not visible to other customer domains.

If you decided to implement a global level VPN then having a mixed installation may not work (Never done this but thought its worth considering if you ever intended to use this feature in MDS).

Cristian_F_CCSM
Contributor
Contributor
‎2023-06-23 01:40 AM
In response to genisis__

Hello, how we can verify that a domain is the "main"?

Also the "virtual switch" can be shared with two or more CMA?

 

Thanks

0 Kudos
genisis__
Mentor Mentor
Mentor
‎2023-06-23 01:53 AM
In response to Cristian_F_CCSM

I'm not sure what you mean by "main".  I would translate that to "the DMS that should have the VSX appliances and the virtual switches".  However all depends on your setup.

In general I would say the first DMS created is where the VSX appliance should be managed.  The virtual switches would be created here and would then be available for other DMS's to use.

Now keep in mind the DMS that controls the _VSX policy would generally be where you manage you VSX platform from.

HOST POLICY DATE
localhost POLICY_VSX 1Apr2023 22:39:44 : [>bond1] [<bond1] [>bond2] [<bond2]

Additionally you could have other VSX appliances controlled from Customer DMS, but they would be totally isolated to that customer.

Cristian_F_CCSM
Contributor
Contributor
‎2023-06-23 02:12 AM
In response to genisis__

Hello, OK, thanks a lot. Your explanation is clear.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events