Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
naren_nd
Explorer

Virtual FW on 15400 appliance_urgent help needed

Business asked me to implement a single virtual firewall on Checkpoint 15400 appliance as per the attached network topology. The idea is to achieve end-to-end secure connectivity for O365 applications. In future, there will be additional virtual firewalls on the existing VSX and another VSX gateway for achieving HA. But as of now, only one virtual firewall.

 

I have the following concerns and do not have clarity whether it can be done or not. Appreciate if someone can throw some light.

 

1> Can I connect two physical ports from the Nexus 9000 switch (ACI switch) to the VSX gateway in bond?

2> Can I configure virtual firewall’s external segment in layer 3 and the internal segment as layer-2? As per the network topology, the virtual firewall running at DC will be connected to HQ over the point-to-point layer-2 link.

3> Does virtual firewall support IP sec VPN over Layer 2 point-to-point link (DC to HQ)?

4> Does virtual FW support dynamic routing if IP Sec VPN configured? What are the pros and cons?

5> your views and best practice around FW participating in the end-to-end BGP routing? Is any performance impact if BGP runs on Virtual FW?

6> While creating a virtual system on single VSX member, should I create virtual switch or router because the virtual firewall will be using a BGP routing protocol

7> Does Checkpoint FW support VPC between Nexus 9k switches and virtual FW to form Link Aggregation?

8> Do FW shape the traffic when it passes the traffic from its 10 Gbps interface to 1 Gbps layer 2 links?

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

In general you might want to contact someone in your local Check Point office to assist with your VSX design.
To address your specific questions:

1. Yes, bonds are supported.

2. You can configure a specific VS as Layer 2, others as Layer 3.

3. Our VPN support assumes Layer 3, but you can probably encapsulate Layer 2 in some sort of Layer 3 protocol.

4. Yes, virtual systems support dynamic routing protocols irrespective of whether VPN is used. It's mostly a horses for courses discussion as to whether you want to/should run dynamic routing or not.

5. Performance while running dynamic routing in general isn't generally an issue.

6. Virtual switch/routers aren't necessarily required, but that depends a lot on your specific topology/redundancy requirements.

7. Seems like a repeat of #1.

8. Nothing above/beyond what a normal system does when passing traffic between different sized links. VSX does not do explicit QoS, but can tag certain packets. 

0 Kudos
Maarten_Sjouw
Champion
Champion

A few side remarks:
When starting with a single box running VSX, it is very hard to convert this into a cluster. Once you define it as a cluster it is easy enough to add more members though.
When running in cluster the VSLS mode allows you to share the load equally over the members, but Virtual routers are not supported in this mode.
Virtual switches are only needed when you need to connect more than 1 VS to a specific VLAN/network.
Regards, Maarten
0 Kudos
naren_nd
Explorer

many thanks for advising to create a cluster from the beginning and add a member as I go. So initially it would have one member but as the customer purchase additional VSX gateway, I can easily add another member.
0 Kudos
Maarten_Sjouw
Champion
Champion

There is one problem though, you cannot create a single node VSX Cluster, you need to either have a second Check Point box or install a VM and add it as the second cluster member, after which you can shut it down. From that point on you have a limb cluster which works just fine but during installs you need to disable the "Install on all members or do not install at all" option under advanced in the policy install window.
Regards, Maarten
0 Kudos
naren_nd
Explorer

Many thanks for the clarification and throwing some lights
0 Kudos
Chris_Atkinson
Employee Employee
Employee

Regarding (4) please note route-based VPNs (VTIs) are not supported with VSX.

Whilst dynamic routing can be used on the system, you'll need to leverage domain based VPNs.

Regards,

Chris

 

 

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events