Hey bro, I wanted to thank you for the great contribution that you make. The truth is that 2 years ago, when I had to implement a VSX, there were no guides / tutorials like the ones you have shared, in the way you explain things, and that is just to give an example. At the same time I wanted to tell you that it would be great to have in some of your future videos a lab on how to detect latencies or overloads of the interfaces' bandwidth in Check Point firewalls, or another good lab could be implementing and troubleshooting a Check Point firewall in the cloud. Thanks again, your videos are of great value.
Thank you! I felt the same way when I started with Check Point almost 10 years ago: there was a lot of content for Cisco but more or less none for Check Point, and the content existing for Check Point was all written (like CPUG). Thankfully I work for a large company where there were some people that had worked with Check Point for a long period of time, and I also got the possibility to join some official courses. I am planning a lot of videos, but it will take some time to release them. In regards to VSX, the training lab is made to learn and is not a guide on how it should be installed if you are deploying a new cluster, so there are mistakes in it to make the lab more interesting in the future videos :) I will release a video with a full installation on a production VSX cluster within our environment, including how we normally specify the boxes and why. In regards to public cloud, it's nothing that I normally work with, as we have built our own "cloud" where we host customers. But I will think about it, if there is a possibility for creating some videos on it. I believe there are some labs for that on Check Point's website that I could do and record.
There are a few things about VSX you need to know if you are rebuilding due to failed hardware: 1) You only need an IP on your management interface, because everything else will be fetched from the management during vsx_util reconfigure. 2) You need to set up all bond interfaces as defined in the management "Physical Interfaces" section on the gateway object. 3) If you are using BOOTP / DHCP relay you will need to reconfigure this per VS. 4) If you are using dynamic routing you will need to reconfigure this per VS. 5) You must ensure ports 18191, 18210, 18211 and 18264 are open between gateway and management.
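The last point in the comment above (ports 18191, 18210, 18211 and 18264 between the gateway and the management) is the one most often missed on a rebuild, so here is a small reachability check for it. This is an added example, not code from the video or from Check Point: it only tests that a TCP connection to each port completes, which proves a path/firewall is not blocking it, not that SIC itself works. The management address 192.0.2.10 is a placeholder; run it from the rebuilt gateway towards the management and, because the comment says "between", also from the management towards the gateway's management IP. The `connect` parameter exists so the logic can be exercised offline with a fake dialer.

```python
"""Check TCP reachability of the VSX <-> management ports a rebuild needs.

Added example (not from the original page). The port list is the one
given in the comment above; everything else here is an assumption.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Ports the comment lists as required between a VSX gateway and its
# management server (all TCP). Other ports are not covered here.
VSX_MGMT_PORTS = (18191, 18210, 18211, 18264)


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timeout, unreachable: all count as "not open".
        return False


def check_ports(host: str,
                ports: Iterable[int] = VSX_MGMT_PORTS,
                connect: Callable[[str, int], bool] = tcp_connect) -> Dict[int, bool]:
    """Probe every port once; returns {port: reachable}."""
    return {port: connect(host, port) for port in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports from a check_ports() result that did not answer, sorted."""
    return sorted(port for port, ok in results.items() if not ok)


def report(host: str, results: Dict[int, bool]) -> str:
    """Human-readable summary used by the CLI entry point below."""
    lines = [f"{host}:{port} {'open' if ok else 'BLOCKED'}"
             for port, ok in sorted(results.items())]
    missing = blocked_ports(results)
    verdict = ("all required ports reachable" if not missing
               else f"fix the path for port(s) {missing} before vsx_util reconfigure")
    return "\n".join(lines + [verdict])


if __name__ == "__main__":
    # Placeholder management address (TEST-NET-1); pass the real one as argv[1].
    mgmt_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    print(report(mgmt_ip, check_ports(mgmt_ip)))
```

A positive result only means a SYN/SYN-ACK exchange completed; a middlebox that accepts the handshake and drops payload, or an expired SIC certificate, still needs to be diagnosed on the gateway side after this passes.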
vsx_util reconfigure is one of the prettiest things with VSX. There are some more things that need to be fixed as well, but it gets less the newer the software you are running (thinking of things like multi-queue). This will be a dedicated video, same as dynamic routing :)
Wowwww. Anonymous sir and Magnus sir, it's great that you guys have listed some things down. What else do we need to keep in mind, and what tools are available for troubleshooting VSX? Do we have any video or any specific link where I can go through it from scratch??
Thank you, just don't use lab1 as a reference for a live environment :D There are some changes in the later labs that I recommend having from the start in a prod environment.
Wonderful explanation, Magnus. I was waiting anxiously for the VSX videos from you. On another note, you mentioned that one cannot access the Gaia Portal when you turn on VSX mode for anything below R80.40. Does this mean R80.40 now supports access to the Gaia Portal in VSX mode?
The R80.40 release notes include the statement "Support for VSX upgrade with CPUSE in Gaia Portal." I'm not sure how many features are available within R80.40 as I don't have any production clusters running R80.40 for VSX. So that's something that will be interesting to see :)
@MagnusHolmberg-NetSec - I checked this on a new VSX cluster running R80.40 and can confirm that you can log in to the Gaia Portal. However, it only has the Overview and CPUSE tabs to download and upgrade, and nothing else. But still, this is a good start for VSX. Maybe in the future they will have more options.
Hi Magnus, when working with VMware Distributed Switches (vCenter needed), you can set a port group as a trunk interface and tag multiple VLANs through it, so if you later define an interface as a trunk interface in the VSX Cluster configuration wizard, you'll be able to add sub-interfaces for the VS and even for the cluster itself. I know you are working with VMware Workstation, I'm just throwing in my 2 cents here. Keep up the good work!
Yes, within standard VMware ESXi you are able to have trunk ports to VM boxes that run Check Point software, so there is no need to have a lot of interfaces. I don't think VSX is supported to run in VMware for production, but for lab and test it works really well.
Some troubleshooting will be included in the videos, but I'm not planning to make anything dedicated to troubleshooting. But I'm pretty sure we will have some issues during the labs that need to be fixed :D
Yes it is :) Honestly I don't prep very much when I do my videos, and I actually think it's better not to remove issues from the videos, because every one of us working in IT makes mistakes and something always doesn't go to plan. Google is your best friend :) You learn from your failures!
Hello Magnus, your content is awesome!! Are you planning to make a video about upgrading a VSX VSLS cluster from R80.30/R80.40 to R81.10 using the MVC method? What is your opinion about VSX gateways in production running R81.10 (now the recommended version?) BR Kostas
Thank you :) Yes, but I haven't had the time to fix any labs for it in the last few weeks. My personal recommendation as of Q1 2022 is to run R80.40 for VSX. Standard gateways are no problem to run on R81. For management servers I would aim for R81.10. Currently I only have one prod MDS running R81.10.
Your videos are very informative. I have a query, and this may be off topic: for doing SNMP configuration in VSX, do we have to do it for VS0 only, or do we need to configure it individually for the virtual system in question? Thanks..!!
By default it's for VS0. My recommendation is to do SNMP per VS, especially if you are going to do VSLS, because then you can poll the VS IP directly. If you do it for VS0 with VSLS, you need to figure out where each VS is located, as they can then move around based on load etc. The configuration itself is by default the same for all VSs (you need to use SNMPv3 for per-VS), then you specify which user can reach which VS ID. I will make a video about it :)