Sanjay_S
Advisor

Communication between VSX environments

Hi All,

We have a VSX environment where there are 2 environments. One is management (from where we log in to the firewalls: vsenv 0) and the other is production (no management; login with the help of the management VSX: vsenv 1).

Now we need to route traffic from vsenv 0 to vsenv 1, but as there is no interface we are not able to route the traffic.

May I know if there is any way we can get this working, as the LDAP authentication is not working: the traffic is generated by the source in vsenv 0 and the destination is behind vsenv 1.

Any quick help is much appreciated.

0 Kudos
11 Replies
Maarten_Sjouw
Champion

The only way I can think of that this could work is when you use a separate interface on VS0 in the same network as your VS1 connection to the AD.
You cannot use a vSwitch, as you cannot use that on VS0.
Regards, Maarten
0 Kudos
Jerry
Mentor

Reply is NO, there is no quick solution for it unfortunately; you need to get through this first, I guess:

https://community.checkpoint.com/t5/General-Topics/MDSM-with-VSX-Configuration-Guide-and-Architectur...
Jerry
0 Kudos
Wolfgang
Authority

You can create a new vSwitch and create new interfaces in vs0 and vs1 connected to this vSwitch.

Add the relevant routes to both vs0 and vs1 and rules for allowing the needed traffic.

0 Kudos
Maarten_Sjouw
Champion

I stand corrected: on VS0 you can use a vSwitch, so yes, this would be the simplest way to do this.
Regards, Maarten
0 Kudos
Sanjay_S
Advisor

Hi Maarten,

Will creating a vSwitch have any impact on the current production? If not, could you please share any SK or link that would help me gain knowledge on how to create a vSwitch.
0 Kudos
Maarten_Sjouw
Champion

See: https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_VSX_AdminGuide/html_frameset...

Yes, there will be an interruption. You will need to:
remove the interface from VS1;
create the switch;
add an interface to the switch on VS1 with the IP that you previously removed;
add a new interface to the switch on VS0 with a new IP in the same network.
Regards, Maarten
0 Kudos
Norbert_Bohusch
Advisor

There is an easier solution for your issue!

You can change how a virtual system tries to reach the LDAP server:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Sanjay_S
Advisor

Hi Norbert,
This seems to be a good one. But there is one more problem: we are actually enabling the Mobile Access blade in the environment. We have MDS, and the CMA IP of the VSX production (vsenv 1) is trying to access the RADIUS, which in turn reaches vsenv 0, and from there we again need to route the traffic to vsenv 1 for at least this access.
0 Kudos
Norbert_Bohusch
Advisor

Also RADIUS is possible as "private": https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

So this is not only relevant for LDAP :)

0 Kudos
Sanjay_S
Advisor

That's really a great one.
I will go through this and try to apply it. Will update you on the outcome.
Just one more question: this will not affect any production environment, right?
0 Kudos
Norbert_Bohusch
Advisor

It will affect only this one VS, and there only authentication traffic like LDAP/RADIUS and so on.
0 Kudos