Check Point's Virtual System Security Solution, otherwise known as VSX.

net-harry inside VSX Friday
3

Management interface on virtual systems

Hi,
We have just enabled SNMP access to virtual systems on VSX hosts using direct SNMP access:
set snmp mode vs
set snmp vs-direct-access on
We have confirmed that this is working with both SNMP v2 and v3 using the internal interface of the virtual systems that is used for data traffic.
We are now planning to create a separate management interface for each VS, so that the SNMP traffic is separated and routed correctly. Would you recommend using the same VLAN for this interface as the management interface of the VSX hosts, or do you see any advantage in using a separate monitoring VLAN on the virtual systems?
Thanks for your help!
Harry
Ricki_S inside VSX 2 weeks ago
2

Create 2 or more vsx Gateway

Hello Check Mates,
Can I create 2 or more VSX gateways from one gateway? Can I create 2 or more VSX gateways from a cluster gateway? If yes, how can I create them? Is there a SIC process?
Thanks and Regards,
Ricki
Harald_Hansen inside VSX 2 weeks ago
3

CPinfo for Virtual System

TAC sometimes asks for CPinfo for certain Virtual Systems, though CPinfo since R80 does not support any -vs flags. When asking for guidance I usually get a non-answer, so we end up using vsenv <vsid> and running cpinfo again.
Is this the correct way of doing it? Why so cumbersome?
We often have to send cpinfo files for multiple virtual systems; having one command collecting data for all of these would reduce both time and file size significantly.
Maik inside VSX 3 weeks ago
8 1

Different DNS server per VS

Hello guys,
I'm pretty new when it comes to VSX deployments and the related VS configuration. I have a quite basic setup with one VSX cluster consisting of two physical devices. On top of the VSX cluster we have two VSs running (VS #1 and #2). Each VS has two dedicated interfaces. So currently there is no virtual switch or router in place, as there was no need for VS-to-VS communication or shared interfaces.
Now to my issue:
Basically I just want each VS to use a different DNS server, as by default the DNS config (as well as some other GAiA parameters) is synced from VS0. The issue is that once a change in clish of VS2 is made (regarding DNS), this is also synced to all the other VSs (including VS0). So basically I assume that there is no way to have different DNS server entries for each VS...? I found an SK that mentions this problem and offers a solution, but this is only related to the Remote Access VPN blade and can't be used by any other feature. Without the possibility of configuring one or multiple different DNS servers for each VS I do not see a way to get any updates or the proxy feature working, as the gateway itself needs to send DNS queries here.
It is also not wanted to have a shared DNS in this environment, as each VS should work completely independently from the other. So even if I adjust the routing so that VS2 can reach the DNS of VS0, that is not a solution.
I read the VSX admin guide and could not find any word regarding this issue, so it could be the case that I overlooked something. Hopefully someone can point me in the right direction. 🙂
Regards,
Maik
Kaland inside VSX 3 weeks ago
10 3

Jumbo on Check Point R80.30 with Gaia 3.10 Take 273 or Take300

Hi,
Has anyone tried installing Jumbo Take_50 or Take_76 on Open Server with R80.30 3.10 kernel running VSX? The Take does not show up in CPUSE at all. The CPUSE Agent is at the required build 1786. Maybe we have overlooked something, but I can't seem to find any answer to this.
Hope someone can help. We're moving from project into production soon, and I want to make sure that we have patched for potential bugs that may appear when load is put on the cluster.
Best regards
Bjørn Andre Kaland
Enyi_Ajoku inside VSX 3 weeks ago
4

Clish/Expert Access with TACACS

Hi,
I've got TACACS+ set up (VSX Cluster). I can use my AD credentials to log in to SmartDashboard, but I can't do the same for CLI or Expert on my gateways.
I believe I need to do some configuration on the CLI, but I can't find the appropriate SK to get this done.
Would appreciate some direction/help. I tried creating a User/RBA, but it requires setting up a password on the gateway, which defeats the purpose of syncing with AD and the TACACS server.
Thank You
Sanjay_S inside VSX 4 weeks ago
3


Hi All,
We have set up a new VPN from Check Point R80.10 to AWS. We are getting the below message in Tracker, though the packet is accepted.
Firewall - Protocol violation detected with protocol:(IKE-UDP), matched protocol sig_id:(4), violation sig_id:(13). (500)
I have created a new UDP IKE service with Protocol Signature enabled and allowed access to the peer, but still the same. May I know what could be the reason?
Thanks in advance.
Sanjay_S inside VSX 2019-11-08
4

VPN Stability Issue

Hi All,
We have a VPN tunnel between R80.10 and R65 Check Point devices. The VPN is not stable. We ran the debug during the issue and found that the R65 device is deleting the negotiation for Phase 1 the first few times, and then it accepts and creates the SA.
NegotiationTable::NegotiationUpdated: Updating indices for:
NegotiationTable::DeleteNegotiation: Invoked for:
The debug logs from R80.10 say the below:
NegotiationTable::MatchPeerMethodsIDs: No match found.
NegotiationTable::MatchPeerP1Neg: No match found.
However, after a few negotiations it comes up automatically. Are there any known limitations in R65?
Thanks in advance.
Firewallteam_DE inside VSX 2019-11-06
4

What "set vsx on/off" actually does under the hood?

Hello Guys
I am having trouble finding out what turning VSX mode on/off does to a firewall cluster. I have 2 members fully configured in cluster VSLS mode, running CoreXL, with a few virtual systems on it, soon in production. In many guides there is a suggestion to turn off VSX mode before applying some commands which otherwise cannot be accepted. I only understand that VSX mode is "interface and routes configuration protection". But is there anything beyond human-factor protection in the CLI?
Subsequently, I have this problem: automatic affinity on one cluster member is working fine, and it doesn't on another:
A:
eth1-01 : 8
eth1-02 : 8
eth1-03 : 0
eth1-04 : 8
eth2-01 : 0
eth2-04 : 8
eth2-05 : 0
eth2-08 : 8
eth3-01 : 0
eth3-02 : 0
B:
eth1-01 : 0
eth1-02 : 0
eth1-03 : 0
eth1-04 : 0
eth2-01 : 0
eth2-04 : 0
eth2-05 : 0
eth2-08 : 0
eth3-01 : 0
eth3-02 : 0
Some CP article suggests checking "fw ctl multik get_mode" to see if the dynamic dispatcher is on, but this command cannot be run in VSX mode:
Option not supported in VSX mode.
Edit: (there are 2 cores for vs:0 in my setup) after restarting and re-entering default affinity mode (automatic), all interfaces are assigned core 0 (I expected even distribution between cores 0 and 8). There is no traffic passing the interfaces yet.
Thank you
Tomas
Sanjay_S inside VSX 2019-11-06
2

Can we install VSX in VMWare ESXi

We are planning to install a VSX environment in VMware ESXi. Is it possible to do? We are not getting proper documentation for it. Could someone help me with it?
Thank you.
Christian_Koehl inside VSX 2019-11-04
11

Remove interface from VSX systems.

Dear CheckMates,
I have a VSX Cluster with VSLS running with some bond interfaces in version R80.20. A couple of VLANs were added to bond1, and in each of my VS systems one of these bond1 VLAN interfaces is used.
Now, bond1 needs to be removed.
Therefore, I have deleted the bond1 VLAN interface in every VS and installed the policy within that VS. A "show configuration" still shows the configuration for all the bond1 VLAN interfaces. "vsx_util show_interfaces" didn't show them.
How do I remove the configuration for the bond1 interface completely?
Best regards,
Christian
jbfixurpc_cew inside VSX 2019-10-27
4

VSX Clustering R80.20 DNS resolving error msg

Greetings!
I am seeing constant Alert error messages in our logs with reason: Firewall - Domain resolving error. Check DNS configuration on the gateway (0).
Here are the statistics: R80.20, running on VSX, JHF Take 103 applied. Initially I thought the issue was being caused by the fact that in VSX the DNS servers for each context are the same (SK152873 - a large oversight if you ask me, but) so with some redesign I was able to find 3 common DNS targets that would work in this scenario. Once that was applied, I am still seeing tons of these alert errors.
From the CLI I am able to confirm that all of the VSX contexts resolve DNS using dig/nslookup etc., so I am not sure why I would be seeing this behavior.
Antonio_M inside VSX 2019-10-23
2

Route-based VPN on virtual Systems

Hi,
Can we create route-based VPNs on virtual systems? If so, should the configuration be done under the tenant VSX?
Regards.
Enyi_Ajoku inside VSX 2019-10-16
4

BGP in VSX in Active/Established State

Hello,
I have 3 virtual systems in a cluster of two 15400s running R80.30; I also have VSLS enabled. I have iBGP running between VS5 and VS6, as well as iBGP between VS6 and VS7. I recently noticed that the peer in VS5 shows an established state and VS6 shows an active state. I can confirm that the networks are fine, as I can ping both interfaces whether I have the VSs in the same gateway or split between gateways.
After some troubleshooting, I noticed that when I do a cpstop and cpstart, VS6 becomes established. I also noticed that it's only established for about 24 hours before it goes back to the active state.
Has anyone come across this?
Thank You
CPRQ inside VSX 2019-10-14
2

Double VLAN IP addresses

We are on R80.20 on the VSX platform.
When we add a new VLAN with a specific IP 10.x.x.x, it also automatically assigns a new IP 192.168.x.x to the same VLAN, as shown below.
What is the purpose of those 192.168.x.x IPs?
Also, when the firewall tries to resolve DNS, why does it use those 192.168.x.x addresses as the source IP and not the real IP (10.x.x.x) assigned to the VLAN?
How can the firewall use its real IP 10.x.x.x as the source IP to resolve DNS?
> show interface bond0.300 ipv4-address
> show interface bond0.301 ipv4-address
> show interface bond0.302 ipv4-address
interface bond0.300 state on
set interface bond0.300 mtu 1500
set interface bond0.300 ipv4-address mask-length 28
set interface bond0.301 state on
set interface bond0.301 mtu 1500
set interface bond0.301 ipv4-address mask-length 28
set interface bond0.302 state on
set interface bond0.302 mtu 1500
set interface bond0.302 ipv4-address mask-length 28