Check Point VSX Cluster

Check Point VSLS (Virtual System Load Sharing) is a feature within the VSX environment that allows load balancing of virtual systems (VSs) across multiple physical security gateways in a clustered configuration. In a VSLS cluster, each VS can be assigned to run on a specific gateway, allowing the distribution of traffic load across all available devices, rather than having all VSs active on a single gateway.


Installing MDS

MDS (Multi-Domain Security Management) is a centralized management solution designed for large-scale environments that require the management of multiple independent security domains. MDS allows administrators to manage multiple Check Point Security Management Servers (referred to as Domains or CMAs—Customer Management Add-ons) from a single, unified platform.

To deploy an MDS, select Multi-Domain Server during the initial configuration



Access it from SmartConsole, where we will see the default Global Domain. Let's create a new Main Domain


Then connect to the domain


Adding VSX Cluster

Before adding the Check Point gateways to the cluster, first enable “Per Virtual System State” on both nodes


Next, select New » VSX » Cluster, and give it a name and a Virtual Management IP Address


Then add the members


Next, select the Sync Interface and give it a private, non-routable IP address


Then select the desired policy rules to be enabled and hit Finish



And now we have the VSX Cluster up and running with 2 members


Creating Site A Domain

Now that we have the cluster running on the Main Domain, let's create a new Domain for Site A


Here we create a new VS using the VSX Cluster created on the Main Domain


Give it IP addresses and a default gateway


And after a while the VS will be up and running


Creating Site B Domain

Pretty much repeat the process for the Site B Domain



And on the MDS Gateways & Servers, we can see all the nodes we have configured


Load Sharing

At this point, if we run “cphaprob stat” on either VSX member, we can see that only one node is active for both VSs


To enable VS Load Sharing, go to MDS Expert Mode and change context to the Main Domain with the “mdsenv” command


Then run “vsx_util convert_cluster” and select “Distribute All Virtual Systems”


After that, the VSs are running on each member with a 50% load distribution


Additionally, we can run “vsx_util vsls” to change the load sharing configuration, or just to view the current one


If we shut down Node 1, Node 2 takes over and handles 100% of the load


This post is licensed under CC BY 4.0 by the author.