
R75.40VS Introduction

2010 Check Point Software Technologies Ltd. | [Restricted] ONLY for designated groups and individuals
Agenda

VSX introduction: What is VSX and why should I consider it?
VSX Virtual Devices: How to integrate a VSX infrastructure into my enterprise network?
VSX Clustering: Is my VSX infrastructure robust, scalable and fast?
VSX Management: Is management of a VSX infrastructure complex?
Giza vs R67: What's new in Giza
VSX Giza: What is a User Space VSX?

Why Virtualization?

Hardware Cost Savings

Simplified Security Management

Better availability and scalability

Simplified Security Provisioning

VSX (Virtual System Extension)

What is VSX

A VSX Gateway runs several separate firewalls (Virtual Systems), each protecting a different network (customer).

A VSX Gateway virtualizes physical network components (firewalls, routers, switches and cables) into one physical gateway.

What do we Virtualize?

Networking (IP, routing table, IP stack)
INSPECT filter (and tables)
Kernel tables
Configuration (global) parameters
Policy (rules, anti-spoofing, etc.)
SIC entities
File handling
CP Registry
And more

Virtual Routing and Firewalling

VSX establishes a Virtual Network Environment that consists of multiple virtual devices, each the counterpart of a physical device:

Virtual device                        | Physical equivalent
--------------------------------------+--------------------------------
Virtual System (VS)                   | Firewall module
Virtual System in Bridge Mode         | Firewall module in bridge mode
Virtual Router (VR)                   | IP router
Virtual Switch (V-SW)                 | Switch
Virtual Cable (warp link)             | Network cable

Virtual Devices

Virtual System (VS)

Virtualizes Check Point's Firewall.

Each Virtual System is a unique routing and security domain.

Each Virtual System has its own separate FW properties.

VSX virtual devices: Firewall objects

Virtual System (VS)

Each VS functions as a stand-alone, independent FW gateway with its own:

Layer 3: interfaces list, IP addresses, routing table, ARP table, dynamic routing configuration
Layer 2
State table
Security & VPN policies
VPN parameters
SecureXL configuration
ClusterXL configuration
Logging configuration
SSL VPN
Authentication (client & session)
Etc.

[Figure: two Virtual System boxes side by side, each carrying the full list above, illustrating that none of this state is shared between VSs.]

Layer 2 Virtual Devices

Virtual System in Bridge Mode (VSB)

Firewall capabilities of a Virtual System, except NAT and VPN.

Easier configuration of Virtual Systems.

Does not segment an existing network (it is inserted transparently at Layer 2).

Anti-spoofing must be defined manually, since a bridge-mode VS cannot derive the protected networks from interface addresses.

Layer 2 Virtual Devices

Virtual Switch (VSW)

Layer 2 connectivity between Virtual Systems, and to a shared interface.

Maintains a forwarding table with a list of MAC addresses and their associated ports.

Simplifies configuration of connected Virtual Systems.

Virtual Devices

Virtual Router (VR)

An independent routing domain within a VSX Gateway.

Designed to route traffic between the interfaces connected to it.

Protects itself from traffic directed to it or originating from it.

All other packets are forwarded according to its routing table entries.

warp Interfaces

Regular interfaces:
Physical interfaces
Virtual interfaces (VLANs)

The VSX Gateway introduces a new type of interface: warp links, which connect components of the VSX gateway to each other.

[Figure: a VS with eth1 (physical interface), a wrp interface (warp link), and eth0.101 / eth0.100 VLAN interfaces on top of eth0 (VLAN trunk interface).]

Example: Physical Network Layout

[Figure: physical network layout with separate firewalls behind the Internet link.]
Example: VSX Deployment

[Figure: the same layout with one VSX Gateway between the Internet and the switch, the separate firewalls replaced by Virtual Systems (VS) inside the VSX.]
Clustering: Virtual System Load Sharing (VSLS)

Distributes VS instances between different VSX gateways.

Sync improvements:
New state: Backup
Sync only between Active and Standby (unicast sync)

VS distribution is performed automatically or manually (vsx_util redistribute_vsls).

[Figure: VSX cluster members with VS instances spread across them, joined by the SYNC network.]

VSX management

3-tier management architecture: SMART consoles, a management server (either SmartCenter or Provider-1), and the VSX Gateways.

CLI management (run on the management server): vsx_util

# vsx_util vsls
# vsx_util redistribute_vsls
# vsx_util reconfigure
# vsx_util add_member

VSX management
Provider-1 focus

Main CMA manages the VSX infrastructure.

Target CMAs manage one or more Virtual Devices:
Multiple concurrent administrators
Granular permissions
Separate object databases

VSX - What's New in R75.40VS

1. VSX merged into maintrain
2. Supports most Software Blades
3. Runs on Gaia
4. VS infrastructure segregation
5. User mode FW (FWK)
6. High performance and capacity (64-bit and CoreXL)
7. Jumbo Frames support
8. Dynamic routing (routed)
9. Source-based routing
10. SNMP per VS
11. Improved CPU and memory monitoring (per VS)
12. Conversion between Security Gateway and VSX Gateway
13. Optimal Service Upgrade (OSU): zero-downtime upgrade
VSX merge to maintrain

[Figure: release trains by code name.]
Maintrain versions: Florence, Flint, Foxx, Flow, Fiber, Giza
VSX versions (separate train until merged at Giza): Ecuador, El-Salvador

Software Blades

R75.40VS supports the Software Blade Architecture on every Virtual System.

Supported Software Blades include Firewall, VPN, Intrusion Prevention (IPS), Identity Awareness, Application Control, URL Filtering, *Anti-virus and Anti-bot.

Administrators have the flexibility to configure any Software Blades with any security policy on any Virtual System.

* Anti-virus and Anti-bot will be added in the near future.

Virtualization and segregation

Area                                   | R67                                                                                                   | R75.40VS
---------------------------------------+-------------------------------------------------------------------------------------------------------+----------------------------------------------------------------
Resilience                             | A kernel panic affects all VSs and takes minutes to recover.                                          | An FWK process dying affects one VS and takes seconds to recover.
Segregation                            | All memory shared between VSs and instances; a bug in one VS can cause memory corruption in another.  | Separate address space for each FWK; excellent segregation.
CPU monitoring per VS                  | Resource Control; not completely accurate (due to wasted lock time) and not standard.                 | Standard OS tools (top).
RAM monitoring per VS                  | Currently no method; would require a lot of code changes.                                             | Standard OS tools (ps).
RAM limiting per VS                    | Not possible; would require exact accounting of consumption per VS.                                   | Can be easily done.
Changing CP global kernel parameters   | Not possible today on a per-VS basis; global parameters are shared by all VSs.                        | Can be easily done, per VS.
VSX (R67) architecture

[Figure: in user mode (UM), the daemons fwd, cpd and cplogd plus one vpnd per VS; in kernel mode (KM), a single virtualized fw kernel, VPN kernel and PPack over the NICs. Ioctls (e.g. policy install) go from cpd to the fw kernel; traps (e.g. logs) go from the fw kernel to cplogd.]

1. All kernel code had virtualization inside: tables per VS, parameters per VS or global.
2. Most of the UM processes were virtualized (fwd/cpd/cplogd).
3. Some ran per VS (vpnd).
R75.40VS architecture

[Figure: per VS, a user-mode (UM) set of cpd, fwd, vpnd and fwk processes; in kernel mode (KM), a firewall dispatcher and a virtualized PPack over the NICs. Ioctls (e.g. policy install) go from cpd to fwk; traps (e.g. logs) go from fwk to fwd.]

1. fwk is the fw kernel code compiled into a shared library (DLL).
2. PPK (PPack) remains virtualized in the kernel.
3. Infrastructure (I/S) to simulate traps and ioctls over TCP between fwd/cpd and fwk: fwasync_rpc.
CoreXL per VS - 1

You can use CoreXL to increase the performance of the VSX Gateway, and you can assign each firewall instance to a specific CPU core with the fw ctl affinity command.

You can configure multiple instances for each of the Virtual Systems.

Each firewall instance that you create uses additional system memory. The downside: a Virtual System with five instances uses approximately the same amount of memory as five separate Virtual Systems, so size the instance count per VS against the gateway's RAM.

CoreXL per VS - 2

Firewall instances are configured differently on the VSX Gateway (VS0) and on the Virtual Systems:

VSX Gateway (VS0): use the CLI to configure the number of instances.
Other Virtual Systems: use SmartDashboard to configure the number of instances.

Jumbo Frames Support

VSX in R75.40VS supports Jumbo Frames, with an MTU of up to 9,000 bytes, on the virtual devices:
1. Virtual System
2. Virtual Switch
3. Virtual Router
4. Virtual System in Bridge Mode

The MTU can be configured on Bond interfaces, on Warp interfaces and on VLAN interfaces.

SNMP per VS

There are two modes of SNMP monitoring that you can use with VSX:
Default mode: only monitors VS0
VS mode: supports SNMP monitoring per VS

Per-VS monitoring covers, among other things:
Interface state and statistics
Policy name
Policy date

Memory Resource Control overview

Memory Resource Control (fw vsx mstat) gives the user overview information about:

Memory consumption of the system

Memory consumption per virtual device

VSX Memory Resource Control Examples

Output in bytes, for VS 2 to 7, sorted by column 3 (memory consumption):

fw vsx mstat unit B -vs 2-7 sort 3

VSX Memory Status
=================
Memory Total: 1045659648 Bytes
Memory Free: 242528256 Bytes
Swap Total: 2146787328 Bytes
Swap Free: 2146607104 Bytes
Swap-in rate: 0 Bytes
VSID | Memory Consumption
======+====================
3 | 45741252 Bytes
2 | 44537028 Bytes
6 | 44360900 Bytes

Detailed per-VS breakdown (private clean/dirty pages, dispatcher tables, SecureXL):

fw vsx mstat debug

VSX Memory Status
=================
Memory Total: 1021152.00 KB
Memory Free: 235680.00 KB
Swap Total: 2096472.00 KB
Swap Free: 2096296.00 KB
Swap-in rate: 0.47 KB
VSID | Private_Clean | Private_Dirty | DispatcherGConn | DispatcherHTab | SecureXL
======+====================+====================+====================+====================+====================
0 | 13336.00 KB | 121856.00 KB | 0.00 KB | 0.00 KB | 2850.00 KB
1 | 968.00 KB | 39724.00 KB | 0.00 KB | 0.00 KB | 2833.54 KB
2 | 968.00 KB | 39692.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
3 | 776.00 KB | 41060.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
4 | 968.00 KB | 39512.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
5 | 776.00 KB | 39600.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
6 | 976.00 KB | 39512.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
7 | 784.00 KB | 39516.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
8 | 3008.00 KB | 88592.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
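As an added example that is not from the slide deck or from Check Point, the following Python script parses the two output layouts shown above (the "Name: value unit" header lines and the VSID table), converts every value to KB, and flags a Virtual System whose footprint is far above its peers or a gateway running short of free memory. The sample text is constructed from the figures on this slide; the outlier factor of 2x the median and the 10% free-memory floor are assumed thresholds for illustration, not Check Point defaults.

```python
"""Parse and sanity-check 'fw vsx mstat' output (added example, not Check Point code).

Relies only on the layout visible on the slide: 'Name: value unit' header
lines followed by a '|'-separated table whose first column is VSID.
"""
import re
import statistics

# Constructed sample: the 'fw vsx mstat debug' table from the slide.
SAMPLE_DEBUG = """\
VSX Memory Status
=================
Memory Total: 1021152.00 KB
Memory Free: 235680.00 KB
Swap Total: 2096472.00 KB
Swap Free: 2096296.00 KB
Swap-in rate: 0.47 KB
VSID | Private_Clean | Private_Dirty | DispatcherGConn | DispatcherHTab | SecureXL
======+====================+====================+====================+====================+====================
0 | 13336.00 KB | 121856.00 KB | 0.00 KB | 0.00 KB | 2850.00 KB
1 | 968.00 KB | 39724.00 KB | 0.00 KB | 0.00 KB | 2833.54 KB
2 | 968.00 KB | 39692.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
3 | 776.00 KB | 41060.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
4 | 968.00 KB | 39512.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
5 | 776.00 KB | 39600.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
6 | 976.00 KB | 39512.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
7 | 784.00 KB | 39516.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
8 | 3008.00 KB | 88592.00 KB | 0.00 KB | 0.00 KB | 2833.19 KB
"""

# Constructed sample: the byte-unit, sorted output from the slide.
SAMPLE_BYTES = """\
VSX Memory Status
=================
Memory Total: 1045659648 Bytes
Memory Free: 242528256 Bytes
Swap Total: 2146787328 Bytes
Swap Free: 2146607104 Bytes
Swap-in rate: 0 Bytes
VSID | Memory Consumption
======+====================
3 | 45741252 Bytes
2 | 44537028 Bytes
6 | 44360900 Bytes
"""

_UNIT_TO_KB = {"B": 1 / 1024, "BYTES": 1 / 1024, "KB": 1.0, "MB": 1024.0, "GB": 1024.0 ** 2}
_VALUE_RE = re.compile(r"^\s*([0-9]+(?:\.[0-9]+)?)\s*([A-Za-z]+)\s*$")


def _to_kb(field):
    """Convert a 'number unit' cell (e.g. '2833.19 KB', '45741252 Bytes') to KB."""
    m = _VALUE_RE.match(field)
    if not m:
        raise ValueError(f"unexpected value field: {field!r}")
    return float(m.group(1)) * _UNIT_TO_KB[m.group(2).upper()]


def parse_mstat(text):
    """Return (header, rows): header maps 'Memory Total' etc. to KB;
    rows maps VSID (int) to {column name: KB}."""
    header, rows, columns = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) <= set("=+"):
            continue                                  # title underline / table separator
        if "|" in line:
            cells = [c.strip() for c in line.split("|")]
            if cells[0].upper() == "VSID":
                columns = cells[1:]                   # table header row
                continue
            if columns is None:
                raise ValueError("table row seen before the VSID header row")
            rows[int(cells[0])] = dict(zip(columns, map(_to_kb, cells[1:])))
        elif ":" in line:
            name, _, value = line.partition(":")
            header[name.strip()] = _to_kb(value)
    return header, rows


def per_vs_total_kb(rows):
    """Sum every memory column reported for each VS."""
    return {vsid: sum(cols.values()) for vsid, cols in rows.items()}


def outlier_vsids(rows, factor=2.0):
    """VSIDs whose total exceeds `factor` x the median of the other VSs.
    VS0 (the VSX gateway's own context) is left out of the baseline: it holds
    shared infrastructure and is always the largest."""
    totals = {v: t for v, t in per_vs_total_kb(rows).items() if v != 0}
    if len(totals) < 2:
        return []
    baseline = statistics.median(totals.values())
    return sorted(v for v, t in totals.items() if t > factor * baseline)


def free_memory_ratio(header):
    return header["Memory Free"] / header["Memory Total"]


def report(text, factor=2.0, min_free=0.10):
    """One-shot health summary suitable for a monitoring check."""
    header, rows = parse_mstat(text)
    ratio = free_memory_ratio(header)
    return {"free_ratio": ratio, "low_memory": ratio < min_free,
            "swap_in_kb": header.get("Swap-in rate", 0.0),
            "outliers": outlier_vsids(rows, factor)}


if __name__ == "__main__":
    print(report(SAMPLE_DEBUG))   # VS 8 stands out at roughly twice its peers
    print(report(SAMPLE_BYTES))
```

On the slide's own debug figures VS 8 comes out at about 94 MB against a median of about 43 MB for VS 1 to 7, so it is the one VS the check reports; VS0 is excluded from the baseline on purpose, since comparing tenant VSs against the gateway context would hide a real outlier.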

VSX Gateway Conversion

SmartDashboard wizard to convert Gaia Security Gateways to VSX Gateways.

VSX Gateway implicit Conversion

There is no need to switch the gateway to VSX mode explicitly; this is done automatically in the following scenarios:

Creating a new VSX: during the first-time wizard the gateway is set to VSX mode if needed.

Recovery of an existing VSX configuration: during the vsx_util reconfigure process the gateway is set to VSX mode.

Optimal Service Upgrade

OSU provides a solution for upgrading a VSX cluster to R75.40VS without losing connectivity.

Two cluster members are used to maintain connectivity while you upgrade all the other VSX cluster members.

VSX CLISH commands

Several new commands were introduced in R75.40VS, such as switching the VS context, assigning resources and access rights to specific VSs, and more:

>set virtual-system <vsid>

>add rba role adminRole virtual-system-access 1

All commands related to interface or route configuration are disabled in CLISH, along with everything else controlled from SmartDashboard, so that the management server stays the single source of truth for the VS configuration.

Technology

User mode Firewall
FW-1 code is compiled into a shared library (libfwk.so).
A new process called fwk is created per VS; it essentially functions as the firewall for that VS.
A light-weight driver in the kernel dispatches packets to the relevant VS and executes the Drop/Accept decision made by the firewall.
ZeroCopy (ZeCo) mechanism: infrastructure for fast read/write access to packets from user mode, implemented in the Linux kernel.
Ioctls & traps: instead of a system call to the kernel driver, a localhost connection is opened to the fwk process, which executes the ioctl/trap request.

CP user mode daemons
Major CP daemons (CPD, FWD, VPND and others) run as separate processes per VS instead of a single virtualized instance.
This provides better segregation, easier coding, and resource monitoring and control per VS.
In addition, the Registry, $CPDIR and $FWDIR are per VS.

User Space FW advantages

Speeding up development

Each process handles a specific VS, making the code for the most part identical to the non-VSX codebase.
Moving changes to maintrain will be faster, and code conflicts will be minimal.
The CPU time and memory of each process can be monitored and controlled.
Enhanced capacity: each VS has a separate virtual address space, meaning it can use 2-3 GB of memory.

User Space FW advantages

Better Security

Better segregation of VSs: each VS's state is encapsulated in a separate process with its own address space, without access to the other VSs.

Enhanced performance: packets belonging to several VSs can be processed in parallel.

Thank you!