Bruno_Petronio
Contributor

VSX and VS in different domains ?

Hello All,

I've read somewhere that it would be possible to have a VSX Gateway inside a specific Domain (MDM environment) and create VS from that VSX Gateway in different Domains.

Is this something feasible?

Inside the domain where I want to create the VS, I can see the VSX Gateways that reside in different domains, so I would guess it's possible.

[Image: VS_creating_diff_Domain.png]

Is this something that someone has already tried?

I would be grateful for pros/cons.

Thanks in advance!

Bruno Petrónio

13 Replies
genisis__
Leader

If the VSX is managed from an MDS setup then, as far as I'm aware, the VSX appliances should be managed via the main domain; in this way they can then be seen by customer domains.

Bruno_Petronio
Contributor

Main Domain implies that only one Domain could have the VSX Gateway?

If I need 2 VSX Gateways (not a cluster), is it possible/does it make sense to have them in different domains?

Bob_Zimmerman
Authority

The short explanation is this is how VSX and Provider-1 are meant to be used together in a managed service provider context. You, the service provider, own the MDS and the VSX chassis. You then provision a Customer Management Add-on for the customer, and a VS (or several) to go with it.

Bruno_Petronio
Contributor

Thanks for clarifying that.

We are not running different customers, but have business-related needs and we are running VSX for the virtualization fun/benefits 🙂

Having said that, it makes sense to have the VSXs together in one domain and all VSs spread across different Domains, right?

No pros to having VSX and VSs per Domain, I would say.

Norbert_Bohusch
Advisor

As already stated, one reason was separation in a provider/customer scenario.

But it was also a best practice to have a separate domain for the VSX gateways, as changes to a VS also locked the domain of the VSX gateway (before R80), and so you separated it.

Vincent_Bacher
Advisor

We have many VSX and their VS separated in different CMAs. I don't really see a disadvantage of doing that if there is a need to do so.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Bruno_Petronio
Contributor

You mean many VSX in one domain (called main domain), and their VS inside several other domains?

Vladimir
Champion

I wrote something on this subject some time ago for R77.30:

https://community.checkpoint.com/t5/General-Topics/MDSM-with-VSX-Configuration-Guide-and-Architectur...

Perhaps you'd find it useful.

Vincent_Bacher
Advisor

Yes, we have several VSX in one domain and their VS inside several other domains. We really have some VSX in a domain called main but several others in different domains.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
genisis__
Leader

I believe VSX clusters in the main domain can be shared with other CMAs. VSX clusters controlled by a customer CMA are only usable within that domain and not visible to other customer domains.

If you decided to implement a global-level VPN, then having a mixed installation may not work (never done this, but thought it's worth considering if you ever intended to use this feature in MDS).

Cristian_F_CCSM
Contributor

Hello, how can we verify that a domain is the "main"?

Also, can the "virtual switch" be shared with two or more CMAs?

Thanks

genisis__
Leader

I'm not sure what you mean by "main". I would translate that to "the DMS that should have the VSX appliances and the virtual switches". However, it all depends on your setup.

In general I would say the first DMS created is where the VSX appliance should be managed. The virtual switches would be created here and would then be available for other DMS's to use.

Now keep in mind the DMS that controls the _VSX policy would generally be where you manage your VSX platform from.

HOST POLICY DATE
localhost POLICY_VSX 1Apr2023 22:39:44 : [>bond1] [<bond1] [>bond2] [<bond2]

Additionally you could have other VSX appliances controlled from Customer DMS, but they would be totally isolated to that customer.

Cristian_F_CCSM
Contributor

Hello, OK, thanks a lot. Your explanation is clear.
