Technical data
VSX Architecture and Concepts
Check Point VSX Administration Guide NGX R67 | 19
A typical bridge mode scenario incorporates an 802.1q compatible VLAN switch on either side of the VSX
gateway. The Virtual System interfaces do not require IP addresses, and the Virtual System remains
transparent to the existing IP network.
Figure 2-5 Virtual System in the Bridge Mode
A Virtual System in the bridge mode:
• Has the same security capabilities as a Virtual System, except for VPN and NAT
• Simplifies virtual network management
• Does not segment an existing virtual network
• Requires manual topology configuration in order to enforce anti-spoofing
Virtual Routers
A Virtual Router is an independent routing domain within a VSX gateway that performs the functionality of
physical routers. Virtual Routers are useful for connecting multiple Virtual Systems to a shared interface,
such as the interface leading to the Internet, and for routing traffic from one Virtual System to another.
Virtual Routers support dynamic routing.
Virtual Routers route the following types of traffic:
• Packets arriving at the VSX gateway through a shared interface, which are routed to the designated
  Virtual System based on the source or destination IP address.
• Traffic arriving from Virtual Systems directed to a shared interface or to other Virtual Systems.
• Traffic to and from shared network resources such as a DMZ.
As with physical routers, each Virtual Router maintains a routing table with a list of route entries describing
known networks and directions on how to reach them. Depending on the deployment requirements, multiple
Virtual Routers can be configured.
To protect themselves, Virtual Routers inspect all traffic destined to, or emanating from, themselves (for
example, an ICMP ping to the Virtual Router IP address) based on the security policy. Traffic that is not
destined to, or emanating from, the Virtual Router is not inspected by the Virtual Router policy and is
forwarded to its destination.
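
The following Python sketch is an added example, not Check Point code or configuration. It models the behavior described above: a Virtual Router applies its policy only to traffic addressed to or from itself, and routes everything else without inspection. The class name, addresses, next-hop labels and policy function are constructed for illustration, and the model assumes destination-based longest-prefix routing only.

```python
import ipaddress

class VirtualRouterModel:
    """Conceptual model only; all names and values are constructed."""

    def __init__(self, own_addresses, routes, policy):
        self.own = {ipaddress.ip_address(a) for a in own_addresses}
        # (network, next_hop) route entries; next_hop is a free-form label.
        self.routes = [(ipaddress.ip_network(n), hop) for n, hop in routes]
        # policy(src, dst, service) -> bool, consulted for local traffic only.
        self.policy = policy

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def handle(self, src, dst, service):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.own or dst in self.own:
            # Traffic to or from the router itself is inspected by its policy.
            return "accept-local" if self.policy(src, dst, service) else "drop"
        # Transit traffic is routed; the router policy is never consulted.
        hop = self.lookup(dst)
        return f"forward:{hop}" if hop else "no-route"

def mgmt_icmp_only(src, dst, service):
    """Constructed policy: only ICMP from 10.1.0.0/16 may reach the router."""
    return service == "icmp" and src in ipaddress.ip_network("10.1.0.0/16")

def demo():
    vr = VirtualRouterModel(
        own_addresses=["192.0.2.1"],
        routes=[("10.1.0.0/16", "VS1"), ("10.2.0.0/16", "VS2"),
                ("0.0.0.0/0", "external")],
        policy=mgmt_icmp_only,
    )
    return [
        vr.handle("10.1.0.5", "192.0.2.1", "icmp"),     # local, allowed
        vr.handle("203.0.113.9", "192.0.2.1", "icmp"),  # local, denied
        vr.handle("203.0.113.9", "10.2.3.4", "telnet"), # transit, not inspected
        vr.handle("10.1.0.5", "198.51.100.7", "http"),  # transit, default route
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In this model the third flow is forwarded even though the router policy would deny it, because the policy is evaluated only for traffic to or from the router's own address.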