
VSX Architecture and Concepts
Check Point VSX Administration Guide NGX R67 | 17
Check Point recommends that remote management connections use a dedicated management interface
(DMI) that connects directly to a router or switch that leads to the external network or the Internet. The
following diagram illustrates this scenario.
Figure 2-4 Typical VSX deployment with DMI remote management
You can choose to use a non-dedicated management interface by connecting a Virtual Router or Virtual
Switch to the management interface. This, however, is not recommended.
When management traffic passes through a Virtual Router or Switch, you must ensure that the associated
Warp Link IP address originates from the remote network. Furthermore, if the remote management
connection arrives via the Internet, you must assign a routable, public IP address.
Management Interface
A VSX deployment can be managed using one of the following interface schemes:
• Dedicated Management Interface (DMI): Uses a separate interface that is restricted to management
  traffic, such as provisioning, logging and monitoring
• Non-Dedicated Management Interface: Uses a shared internal or external interface that also carries
  routine user traffic
Dedicated Management Interface (DMI)
Check Point recommends that you use a DMI for management for the following reasons:
• Segregation of management traffic from routine "production" traffic enhances performance, especially for
  end users
• Enables several advanced VSX features
Non-Dedicated Management Interface
VSX supports non-DMI deployments primarily to provide backward compatibility with legacy deployments.
When configuring a non-DMI deployment, you can define remote management connections only via a
Virtual Switch or Virtual Router. Remote management connections via a Virtual System are not supported.
Check Point does not recommend using non-DMI for the following reasons: