LostBoY
Advisor

Routing between 2 Virtual Systems

Hello,

In my VSX environment on R80.10 (CP 5900), Anti-Bot and Anti-Virus updates are going through the internet gateway connected to VS0. Now I want to divert this traffic so that the GW updates through another internet gateway which is reachable through VS1.

How can this be achieved?

Thanks.

0 Kudos
5 Replies
Maarten_Sjouw
Champion

The only way to achieve what you want is by setting the default gateway on VS0 to point towards VS1.
Regards, Maarten
0 Kudos
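Maarten's suggestion, written out as Gaia clish commands, is added here as an example and is not part of the thread or Check Point's own documentation. It assumes VS0 already has an interface (for example on a Virtual Switch shared with VS1) from which the VS1 address is reachable, and that VS1's own default route towards its internet gateway exists; the next-hop address 192.0.2.1 is a placeholder for that VS1 interface.

```clish
# Switch the clish session into the VS0 context (the VSX gateway itself)
set virtual-system 0

# Point VS0's default route at the VS1 interface it can reach.
# 192.0.2.1 is a placeholder; substitute the real VS1 interface address.
set static-route default nexthop gateway address 192.0.2.1 on

# Persist the change across reboots
save config

# Check that the default route now shows the VS1 next hop before relying on it
show route
```

Before committing to this, confirm from VS0 that the update servers (and DNS) still resolve and connect once the route is in place, since every other VS's updates, DNS lookups and AppCtrl/URL checks will now be hairpinned through VS1 and inspected there; if anything in the VS1 policy blocks that traffic, updates for all VSs stop at once.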
mdjmcnally
Advisor

Note that all connections to Check Point for a VSX box will originate out from VS0 for the box.

i.e. AppCtrl/URL checks as well.

So you end up looping round.

Seen it happen.

Made a request to access a site and it went through the VS.

VS0 then initiated a connection out to the Internet, which then went out via the VS to check whether the AppCtrl/URL was allowed.

Had numerous issues with the connectivity through the VS due to this, which remarkably went away once the VS0 had a direct Internet connection.

Just something to think about before starting to try to do this.

What is the actual requirement for having the updates go out via the VS, as it is no more or no less secure than VS0 doing this?

0 Kudos
LostBoY
Advisor

The issue is that there are 2 internet gateways, one through VS0 and the other through VS1. Now the requirement is to divert all updates from the VS0 internet gateway to VS1. If possible, can you share a link where Check Point recommends VS0 for all patch and signature updates?
0 Kudos
Maarten_Sjouw
Champion

This is not a routing issue: you want VS1 to be the VS that initiates all updates and checks, and this is not possible. Only VS0 will initiate all updates and checks into the cloud for all other VSs; this includes DNS requests.

This behaviour cannot be changed.

 

Regards, Maarten
mdjmcnally
Advisor

It isn't a recommendation. It is simply where the traffic originates from when doing a signature/patch update, in that it goes out from VS0.

Same as ALL DNS requests for the VSs on a VSX system originate from VS0. (There is a thread on here about it.)

Authentication requests from ALL VSs by default originate from VS0. You can select on the VSX Cluster to change that though, by moving from Shared to Private.

If you then route the traffic from VS0 out via VS1, then any lookups that the box has to do will be sent out from VS0 and then back into VS1, so you end up inspecting the lookups for the user connections on the same VS as the user connection is on; and then, if that needs to do a lookup to decide whether the lookup is allowed, you can see the issue.

It isn't a recommendation that the traffic goes from VS0; this is simply how VSX architecturally works.

Had a customer insist on doing this, whereby the traffic folded back into another VS running on the same VSX as the VS0 that originated the traffic, and performance issues occurred. The performance issues disappeared once the VS0 was given a connection that did not go out via another VS on the same hardware.

VS0 should not be thought of as an Internet gateway, as it should only be used for VSX management traffic, as a dedicated VS used JUST for management.

So basically it should have a connection to allow you to SSH/SNMP into it for troubleshooting and monitoring, along with a connection towards the Management Server (if not the same interface), along with an interface leading to the Internet so it doesn't go via another VS on the same hardware.

 

From the R80.30 VSX Admin Guide:

When you configure Virtual Systems to use the Application Control and URL Filtering, make sure that the VSX Gateway (VS0) can connect to the Internet. Updates are done only through this Virtual System.

 

You really don't need to be inspecting traffic twice on the same hardware.
