This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dayaana
Contributor
‎2025-03-28 02:34 AM

VSX gateway with two VS connecting to the internet through the same interface

Hello everyone! I am learning VSX and trying to make my first lab for it.

I want to try to implement the following configuration (I drew a picture for clarification):

A vsx gateway with physical interfaces eth0, eth1, eth2, eth3.
There are two virtual systems vs1 and vs2 on the gateway.
eth0 is the interface leading to the management server, which is not accessible to the virtual systems.
eth3 is the interface leading to the internet, accessible to both the vsx gateway and the virtual systems.
eth1 is the interface leading to LAN 1 via vs1.
eth2 is the interface leading to LAN 2 via vs2.
Virtual systems are not a cluster, as they lead to different local networks.

I tried to configure this several times, but I had problems.

The first problem. I have created windows machines in the lan1 and lan2 networks to check the functionality of the gateway. However, for some reason there is no ping from these win machines to the relevant vs.

The second problem, which causes the most questions. I don't know how to properly configure the interface leading to the Internet for use by both virtual systems. I've tried different methods, tried creating a virtual switch, tried without it. I even began to doubt whether such a configuration is workable.

Does anyone know if it is possible to work with such a scheme? If so, how to configure it correctly? I would be grateful for any help!

vsx.png

Labels
0 Kudos
6 Replies
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-03-28 03:00 AM

If you want two VSs to share an interface (be it physical or VLAN sub-interface) you must create a Virtual Switch.

  1. Create VSwitch
  2. Add shared interface to VSwitch
  3. On each VS, create an interface that leads to the VSwitch - each VS will have its own IP address configured on the shared subnet
  4. Install security policy to virtual systems (VSs must have a policy install after adding or changing any interface before it will work)
Dayaana
Contributor
‎2025-03-28 03:27 AM
In response to emmap

Thank you very much for your answer! I want to make sure that I understand correctly. Please tell me, should the interfaces leading to the VSwitch for each VS be in the same network as the address of the physical interface eth3?

For example, if in the settings of the VSX GW virtual machine, the address 10.10.10.130 is specified for eth3, I should make the interfaces for vs1 eth3.10 10.10.10.131 and for vs2 eth3.20 10.10.10.132, am I right?

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-03-28 08:21 AM
In response to Dayaana

eth3 would belong to the virtual switch, which doesn't have any IP addresses, so eth3 wouldn't have any address.

The other VSs would have warp interfaces to the switch. The warp interfaces have the addresses.

Dayaana
Contributor
‎2025-04-01 03:00 AM
In response to Bob_Zimmerman

Thank you very much! Can you please tell me if I can specify eth3 as a vlan trunk and assign it an address for the vsx gateway itself, not for any of the virtual systems, or will this be wrong?

0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-04-01 06:10 AM
In response to Dayaana

First, a warning: VSX cares very deeply about the names of the interfaces it uses. It's exceptionally hard to move things from one logical interface to another after creation. Instead of using eth3 directly, you should create a bond in VS 0, add eth3 to the bond, and make all your subsequent configuration reference the bond. This lets you change what physical interface backs the bond very easily (e.g, to move it from a 1g interface to a 10g interface). As long as you don't use LACP (802.3ad) for the bond mode, adjacent switches and routers don't have to care that you are using a bond.

There are a few rules for allocating interfaces on VSX:

  1. Warp interfaces (interfaces connecting one VS to another fully inside the VSX box) do not support VLAN tagging.
  2. Physical interfaces and tagged subinterfaces of those physical interfaces count as separate interfaces for the rest of this.
  3. An interface may only be assigned to one VS. Thus, to get two VSs to both have an address on a given VLAN, you need to assign the interface for that VLAN to a switch and add warp interfaces between the VSs and the switch.
  4. VS 0 can have a warp interface connecting it to another VS. It's extremely rare for this capability to be used, so support will likely be confused about it. It works, though.

If you want VS 0 and two non-0 VSs to all have interfaces to a given network, you build a switch VS, give the interface to that network (tagged or not) to the switch, then build warp interfaces between the switch VS and each other VS you want to have an interface on the network.

If you want VS 0 to have an address on one VLAN and two other VSs to have addresses on another VLAN on the same physical interface, that's easy. You just mark the interface as usable for VLAN trunking in the VSX cluster object, add an interface to VS 0 for the VLAN you want it to use, then add a switch VS and give it the VLAN you want the switch to use.

Dayaana
Contributor
‎2025-04-02 06:23 AM
In response to Bob_Zimmerman

Thank you very much for the explanation!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events