Technical data

VSX Architecture and Concepts
Check Point VSX Administration Guide NGX R67 | 18
• Provisioning and logging may degrade user performance
• Does not support several new VSX features
• Non-DMI is irreversible - you cannot change a non-DMI gateway to DMI
Virtual Devices
This section describes virtual network components and their characteristics.
Virtual System
A Virtual System is a virtual security and routing domain that provides the functionality of a Security
Gateway with full firewall and VPN facilities. Multiple Virtual Systems can run concurrently on a single VSX
gateway.
Virtual System Autonomy
Each virtual system functions as a stand-alone, independent entity, much in the same way as each Security
Gateway is independent from other gateways. Each Virtual System maintains its own interfaces, IP
addresses, routing table, ARP table and dynamic routing configuration. In addition, each Virtual System
maintains its own:
• State Tables: Each Virtual System has its own kernel tables, which hold configuration and runtime
  data such as active connections and IPSec tunnel information.
• Security and VPN policies: Each Virtual System enforces its own security and VPN Policies (including
  INSPECT code). Policies are retrieved from the management server and stored separately on the local
  disk and in the kernel. In a Multi-Domain Security Management environment, each Domain database is
  maintained separately on the management server as well as on the VSX gateway.
• Configuration Parameters: Each Virtual System maintains its own configuration, such as IPS settings
  and TCP/UDP time-outs.
• Logging Configuration: Each Virtual System maintains its own logs and performs logging according to
  its own rules and configuration.
Virtual System in Bridge Mode
A Virtual System in bridge mode implements native layer-2 bridging instead of IP routing. This allows
network administrators to easily and transparently deploy a Virtual System in an existing network topology
without reconfiguring the existing IP routing scheme.