
R75.40VS Introduction

2010 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and
Agenda

VSX introduction: What is VSX and why should I consider it?
VSX Virtual Devices: How to integrate a VSX infrastructure into my enterprise network?
VSX Clustering: Is my VSX infrastructure robust, scalable and fast?
VSX Management: Is management of a VSX infrastructure complex?
Giza vs R67 VSX: What's new in Giza?
Giza: What is a User Space VSX?

Why Virtualization?

Hardware Cost Savings

Simplified Security Management

Better availability and scalability

Simplified Security Provisioning

VSX Virtual System Extension

What is VSX?
A VSX is a Gateway running several separate firewalls, each protecting a different network (customer).
A VSX is a Gateway with the ability to virtualize physical network components into one physical gateway.

What do we Virtualize?

Networking (IP, routing table, IP stack)
INSPECT filter (and tables)
Kernel tables
Configuration (global) parameters
Policy (rules, anti-spoofing, etc.)
SIC entities
File handling
CP Registry
And more

Virtual Routing and Firewalling

VSX establishes a Virtual Network Environment consisting of multiple virtual devices. Each virtual device corresponds to a physical network component:

Virtual System (VS)                   Firewall Module
Virtual System in Bridge Mode         Firewall Module in Bridge Mode
Virtual Router (VR)                   IP Router
Virtual Switch (V-SW)                 Switch
Virtual Cable (warp link)             Network Cable

Virtual Devices

Virtual System (VS)

Virtualizing Check Point's Firewall.
Each Virtual System is a unique routing and security domain.
Each Virtual System has its own separate FW properties.

VSX virtual devices: Firewall objects

Virtual System (VS)

Each VS functions as a stand-alone, independent FW gateway.

[Diagram: two Virtual Systems, VS1 and VS2, each with its own interfaces list, IP addresses, routing table, ARP table, dynamic routing configuration, state table, security & VPN policies, configuration parameters, logging configuration, etc. VS1 is shown with FW Layer 3, SecureXL, VPN Layer 2, ClusterXL and SSL VPN; VS2 is shown with AUTH (client & session).]
Layer 2 Virtual Devices

Virtual System in Bridge Mode (VSB)

Firewall capabilities of a Virtual System, except NAT & VPN.
Easier configuration of Virtual Systems.
Does not segment an existing network.
Needs anti-spoofing to be manually defined.

Layer 2 Virtual Devices

Virtual Switch (VSW)

L-2 connectivity between Virtual Systems, and to a shared interface.
Maintains a forwarding table with a list of MAC addresses and their associated ports.
Simplifies configuration of connected Virtual Systems.

Virtual Devices

Virtual Router (VR)

Independent routing domains within a VSX Gateway.
Designed to route traffic between interfaces connected to it.
Protects itself from traffic directed to or originating from it.
All other packets are forwarded according to the route table entries.

warp Interfaces

Regular interfaces:
- Physical interfaces
- Virtual interfaces - VLANs
VSX Gateway introduces a new type of interface: warp links, which interface between components of the VSX gateway.

[Diagram: Eth1 (physical interface), a Wrp interface, and the VLAN sub-interfaces Eth0.100 and Eth0.101 on Eth0 (VLAN trunk interface)]


Example: Physical Network Layout

[Diagram: physical network layout with an Internet uplink]

Example: VSX Deployment

[Diagram: VSX deployment: Internet uplink, VSX gateway and switch]

Clustering
Virtual System Load Sharing

Distributes VS instances between different VSX gateways.
Sync improvements:
- New state: Backup
- Sync only between active & standby (unicast sync)
VS distribution: performed automatically or manually (vsx_util redistribute_vsls).

[Diagram: VSX cluster members connected by a SYNC network]

VSX management

3-tier management architecture with either SmartCenter or Provider-1.

CLI management: vsx_util
# vsx_util vsls
# vsx_util redistribute_vsls
# vsx_util reconfigure
# vsx_util add_member

[Diagram: SmartConsoles -> Provider-1 or SmartCenter (Mgmt) -> VSX Gateways]

VSX management
Provider-1 focus

Main CMA manages the VSX infrastructure.
Target CMAs manage one or more Virtual Devices.
Multiple concurrent administrators.
Granular permissions.
Separate object databases.

VSX - What's New in R75.40VS

1. VSX merged to maintrain
2. Supports most software blades
3. Runs on Gaia
4. VS infrastructure segregation
5. User mode FW (FWK)
6. High performance and capacity (64-bit & CoreXL)
7. Support for Jumbo Frames
8. Dynamic routing (routed)
9. Source-based routing
10. SNMP per VS
11. Improved CPU and memory monitoring (per VS)
12. Conversion between GW and VS
13. OSU zero-downtime upgrade
VSX merge to maintrain

[Diagram: release timeline. Maintrain versions: Florence, Flint, Foxx, Flow, Fiber, Giza. VSX versions: Ecuador, El-Salvador, Grenada.]

Software Blades

R75.40VS supports the Software Blade Architecture on every Virtual System.
Supported Software Blades include Firewall, VPN, Intrusion Prevention (IPS), Identity Awareness, Application Control, URL Filtering, *Anti-virus and Anti-bot.
Administrators have the flexibility to configure any Software Blades with any security policy on any Virtual System.
* Anti-virus and Anti-bot will be added in the near future.

Virtualization and segregation

                     R67                                          R75.40VS
Resilience           Kernel panic affects all VSs, and takes      An FWK dying affects one VS, and takes
                     minutes to recover.                          seconds to recover.
Segregation          All memory shared between VSs and            Separate address spaces for each FWK.
                     instances. A bug in one VS can cause a       Excellent segregation.
                     memory corruption in another VS.
CPU monitoring       Resource Control. Not completely accurate    Standard OS tools (top).
per VS               (due to wasted lock time), and not
                     standard.
RAM monitoring       Currently no method. Will require a lot      Standard OS tools (ps).
per VS               of code changes.
RAM limiting         Not possible. Will require exact             Can be easily done.
per VS               accounting of consumption per VS.
Changing of CP       Not possible today on a VSX (R67).           Can be easily done, per VS.

VSX (R67) architecture

[Diagram: R67 architecture. User mode (UM): the daemons fwd, cpd, cplogd and vpnd (vpnd per VS). Kernel mode (KM): FW kernel virtualized, VPN kernel virtualized, Ppack virtualized, NICs. Ioctls (e.g. policy install) go from cpd to the fw kernel; traps (e.g. logs) go from the fw kernel to cplogd.]

1. All kernel code had virtualization inside: tables per VS, parameters per VS or global.
2. Most of the UM processes were virtualized (fwd/cpd/cplogd).
3. Some were per VS (vpnd).
R75.40 VSX architecture

[Diagram: R75.40VS architecture. User mode (UM): each VS has its own cpd, fwd, vpnd and fwk processes. Kernel mode (KM): firewall dispatcher, Ppack virtualized, NICs. Ioctls (e.g. policy install) go from cpd to fwk; traps (e.g. logs) go from fwk to fwd.]

1. fwk is the FW's kernel code compiled to a DLL.
2. PPK remains virtualized.
3. An infrastructure (I/S) simulates traps and ioctls over TCP between fwd/cpd and fwk - fwasync_rpc.
CoreXL per VS - 1

You can use CoreXL to increase the performance of the VSX Gateway. You can also assign each instance to a specific CPU core using the fw ctl affinity command.
You can configure multiple instances for each of the Virtual Systems.
Each firewall instance that you create uses additional system memory.
Downside: a Virtual System with five instances would use approximately the same amount of memory as five separate Virtual Systems.

CoreXL per VS - 2

Firewall instances are configured differently on the VSX Gateway (VS0) and on Virtual Systems.
VSX Gateway - use the CLI to configure the number of instances.
Other Virtual Systems - use SmartDashboard to configure the number of instances.

Jumbo Frames Support

VSX in R75.40VS supports Jumbo Frames, up to 9,000 MTU, on virtual devices:
1. Virtual System
2. Virtual Switch
3. Virtual Router
4. Virtual System in Bridge Mode

Configuring the MTU on Bond interfaces
Configuring the MTU on Warp interfaces
Configuring the MTU on VLAN interfaces

SNMP per VS

There are two modes of SNMP monitoring that you can use with VSX:
Default mode - only monitors VS0
VS mode - supports SNMP monitoring per VS

Per-VS monitoring covers items such as:
- Interface state and statistics
- Policy name
- Policy date

Memory Resource control overview

Memory Resource control (fw vsx mstat) gives the user overview information about:
Memory consumption of the system
Memory consumption per virtual device

VSX Memory Resource Control Examples

fw vsx mstat unit B -vs 2-7 sort 3
VSX Memory Status
=================
Memory Total: 1045659648 Bytes
Memory Free: 242528256 Bytes
Swap Total: 2146787328 Bytes
Swap Free: 2146607104 Bytes
Swap-in rate: 0 Bytes
VSID | Memory Consumption
======+====================
3 | 45741252 Bytes
2 | 44537028 Bytes
6 | 44360900 Bytes

fw vsx mstat debug
VSX Memory Status
=================
Memory Total: 1021152.00 KB
Memory Free: 235680.00 KB
Swap Total: 2096472.00 KB
Swap Free: 2096296.00 KB
Swap-in rate: 0.47 KB
VSID | Private_Clean | Private_Dirty | DispatcherGConn | DispatcherHTab | SecureXL
======+====================+====================+====================+====================+====================
0 | 13336.00 KB | 121856.00 KB | 0.00 KB | 0.00 KB | 2850.00 KB
1 | 968.00 KB | 39724.00 KB | 0.00 KB | 0.00 KB | 2833.54 KB
2 | 968.00 KB | 39692.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
3 | 776.00 KB | 41060.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
4 | 968.00 KB | 39512.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
5 | 776.00 KB | 39600.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
6 | 976.00 KB | 39512.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
7 | 784.00 KB | 39516.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
8 | 3008.00 KB | 88592.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
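As an added example (not part of the Check Point deck), here is a Python parser for the fw vsx mstat output layouts shown above, both the default Bytes layout and the debug-mode KB layout, with a check that flags Virtual Systems whose memory consumption is far above the others and a check for swap-in activity. The embedded sample follows the debug-mode layout but its numbers are constructed, and the 2x-median threshold is an assumption, not a Check Point recommendation.

```python
"""Added example: parse `fw vsx mstat` output and flag memory-hungry Virtual Systems."""
import re
from statistics import median
# Unit multipliers for what the command prints (Bytes by default, KB in debug mode).
_UNITS = {"B": 1, "BYTES": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_VALUE_RE = re.compile(r"^([0-9]+(?:\.[0-9]+)?)\s*([A-Za-z]+)$")

# Constructed sample in the debug-mode layout from the slide; the numbers are made up.
SAMPLE = """VSX Memory Status
=================
Memory Total: 1021152.00 KB
Swap-in rate: 0.47 KB
VSID | Private_Clean | Private_Dirty | SecureXL
======+====================+====================+====================
0 | 13336.00 KB | 121856.00 KB | 2850.00 KB
1 | 968.00 KB | 39724.00 KB | 2833.54 KB
2 | 968.00 KB | 39692.00 KB | 2833.19 KB
3 | 3008.00 KB | 88592.00 KB | 2833.19 KB
4 | 968.00 KB | 39512.00 KB | 2833.19 KB
"""

def to_bytes(field):
    """Convert a cell such as '45741252 Bytes' or '2833.19 KB' to a byte count."""
    m = _VALUE_RE.match(field.strip())
    if not m:
        raise ValueError(f"unparseable value: {field!r}")
    return float(m.group(1)) * _UNITS[m.group(2).upper()]

def parse_mstat(text):
    """Return {'system': {name: bytes}, 'vs': {vsid: {column: bytes}}}."""
    system, columns, vs = {}, [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) <= set("=+ "):
            continue  # title underline or table separator row
        if "|" in line:
            cells = [c.strip() for c in line.split("|")]
            if cells[0].upper() == "VSID":
                columns = cells[1:]  # the header row names the memory columns
            else:
                vs[int(cells[0])] = dict(zip(columns, map(to_bytes, cells[1:])))
        elif ":" in line:
            key, value = line.split(":", 1)
            system[key.strip()] = to_bytes(value)
    return {"system": system, "vs": vs}

def heavy_vs(parsed, factor=2.0):
    """VSIDs whose summed columns exceed factor x the median VS total.
    VS0 (the gateway context) usually sits above the median; hits on other VSIDs matter."""
    totals = {v: sum(c.values()) for v, c in parsed["vs"].items()}
    baseline = median(totals.values())
    return sorted(v for v, t in totals.items() if t > factor * baseline)

def swapping(parsed):
    """True when a non-zero swap-in rate shows VS memory is being paged out."""
    return parsed["system"].get("Swap-in rate", 0) > 0
```

Feed it the real command output captured from the gateway (for example via cron) and alert on any VSID other than 0 returned by heavy_vs, or on swapping being true.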

VSX Gateway Conversion

SmartDashboard wizard to convert Gaia Security Gateways to VSX Gateways.

VSX Gateway implicit Conversion

There's no need to switch the gateway to VSX mode explicitly; this is done automatically in the following scenarios:
Creating a new VSX - during the first-time wizard we set the gateway to VSX mode if needed.
Recovery of an existing VSX configuration - during the vsx_util reconfigure process we set the gateway to VSX mode.

Optimal Service Upgrade

OSU provides a solution for upgrading a VSX to R75.40VS without losing connectivity.
Two cluster members are used to maintain connectivity, while you upgrade all the other VSX cluster members.

VSX CLISH commands

Several new commands were introduced in R75.40VS, such as switching context, assigning resources to specific VSs, and more:

>set virtual-system <vsid>
>add rba role adminRole virtual-system-access 1

All commands related to interface or route configuration are disabled in CLISH, along with everything else controlled from SmartDashboard.
Technology

User mode Firewall
FW-1 code is compiled into a DLL (libfwk.so).
A new process called fwk was created per VS; it essentially functions as the firewall.
A light-weight driver exists in the kernel which dispatches packets to the relevant VS and executes the Drop/Accept decision that was made by the firewall.
ZeroCopy (ZeCo) mechanism: I/S for fast read/write access to packets from user mode. Implemented in the Linux kernel.
Ioctl & Traps - instead of a system call to the kernel driver, a localhost connection is opened to the fwk process, which will execute the ioctl/trap request.

CP user mode Daemons
Major CP daemons run per VS and are not virtualized: CPD, FWD, VPND and others.
This provides better segregation, easier coding, and resource monitoring and controlling.
In addition, the Registry, $CPDIR and $FWDIR are per VS.

User Space FW advantages

Speeding up development

Each process handles a specific VS, making the code for the most part identical to the non-VSX codebase.
Slides to maintrain will be faster; code conflicts will be minimal.
The CPU time and memory of each process can be monitored and controlled.
Enhanced capacity: each VS has a separate virtual address space, meaning it can use 2-3GB of memory.

User Space FW advantages

Better Security

Better segregation of VSes. Each VS state is encapsulated in a separate process with its own address space, without access to the other VSes.
Enhanced performance: packets belonging to several VSes can be processed in parallel.

Thank you !
