Kris Pellens

R80.20: vsx, vsx_provisioning_tool, anti-spoofing

Discussion created by Kris Pellens on Oct 27, 2018
Latest reply on Oct 28, 2018 by Norbert Bohusch

Dear Check Mates,


Recently we started with the provisioning of virtual systems using the provisioning tool, because the Check Point API (version 1.3) does not support VSX/VSLS (yet). We have to provision 50+ virtual systems.


One of the features in R80.20 is Network defined by routes: it really works well (compared with the specific option). See screenshot.



Unfortunately, the Network defined by routes can't be configured using the vsx_provision_tool:


add interface vd <vd name>[name <physical or VLAN interface name>] [leads_to <Virtual Router|Virtual Switch>] [ip <ipv4 address>[/<ipv4 prefix>]] [netmask <IPv4 netmask>] [prefix <IPv4 prefix>]] [propagate <true|false>] [ip6 <ipv6 address>[/<ipv6 prefix>]] [netmask6 <IPv6 netmask>] [prefix6 <IPv6 prefix>]] [propagate6 <true|false>] [topology <external|internal_undefined|internal_this_network|internal_specific>] specific_group <group name>]] [mtu MTU]


We have to update the topology settings for 50+ virtual systems. A cumbersome task that can easily take two hours, which only is rewarding when you are paid per hour!


Hence: automation/orchestration becomes a manual tasks.


We would appreciate if Check Point can add the following features to its next release of R80:

  • Update the vsx_provisioning_tool (can be done rather quickly)
  • Full API support for VSX/VSLS; at the moment there are too many repetitive tasks that have to be done manually. In reality you don't want to use the vsx_provisioning_tool but tools like Ansible.


Many thanks.


Kind regards,