Check Point VSX - Training Lab 3 | Creating VS with vsx_provisioning_tool

Captions
Hi and welcome to the channel. My name is Magnus, and today we're going to use the vsx_provisioning_tool to create VS2. We actually created VS1 within the GUI, so we will use the vsx_provisioning_tool to show what type of configuration was made, and then we will use the vsx_provisioning_tool to create VS2 as well. So then you have seen it both in the GUI and in the vsx_provisioning_tool, so that's great; then you can pick which one you want to use in your own production.

To use this tool we need to go into the MDS and we need to be in expert mode. Normally I always do an mdsstat so I see that all the management stations and so on are up. vsx_provisioning_tool is installed on all the management stations running R80, so we can use this from scratch without installing anything different. To use it we type vsx_provisioning and then just Tab, and it will write out provisioning_tool. The next step is to do -s, I think it stands for server, and then we will select which one we actually have this VS in today, and that will be in 601, so that's this one, so copy paste. Then we will do -u, or user, and admin, and then we would do -o, and I think that's for... let's see, I think that's for like output, like commands. I'm not 100% sure; I'm actually checking the guide. So here you have the vsx_provisioning_tool, it's within the documentation, and you can see here: -u is user, -s is server and -o is for commands. Then you can check what sort of commands you can actually run, and well, that didn't say a lot. "vsx_provisioning_tool CLI commands", ah, never mind. We will do "show virtual device name VS01", because this is called VS01, and then just Enter and it will prompt you for the password. You can put it in the string here, to prompt for your password or to write in your password directly, but I don't want to put it on the screen here, so just hit Enter, and hopefully this should work.

So this is actually printing out what we have on this virtual device. You see here "show virtual system VS01", and then it's "add virtual device name VS01 vsx", and this is referring to the VSX cluster; you see here the VSX cluster name, and then main IP and this IP. If you don't specify this part it will select the first interface that you actually put in, so in this case the main IP would have been this one if you didn't specify the main IP. Then it has added interfaces, so you see here "add interface virtual device VS01 name eth3 ip" and then the IP address. And here you see something else: this is the virtual switch, so you have "add interface virtual device VS01 leads_to" and then this is the name of the virtual switch, then "ip", and this is not included in the command; you see that it's in a bracket, so it's not actually listed in the commands. And here we have a route.

So how do we actually do this for our own? All right, so I have prepared this one, so I hope you can see here. We will make a file. "transaction begin" is just to highlight what actually happens. The first thing that we will change is the VS name, and then we will have VS2, so just Ctrl+F and then replace vs01 with vs02 (we did do lowercase ones), replace all. Then we will have the VSX cluster name, and here we have VSX01. We need to select the main IP, and I was thinking this type of address but .112, so 192.168.1... 112. Then we need to have an interface, and that will be eth4, and we will take this one, and what was it there, it was a /24.

/24, so we will copy paste them from this one. So this is the virtual switch name, so copy, that's the virtual switch name, and we will use the same IP address, because we wanted to show you that it's actually possible to have overlapping IP addresses within a VSX system. And we need to have a default route, so that's .2, and we don't have a special next hop, so that one we can remove, so delete. Then just copy, and let's create a file, I guess. So let's see where we are: we are in admin, we can do vi and then vs02 and just copy paste all this, Escape and then :wq (write, quit). Now we have a file.

So let's go into CMA number two, this one, so mdsenv and then this one, copy paste. Now we will create this virtual switch... this virtual system, yeah, this firewall. You see here I don't have any, and it's important also that you don't have SmartConsole open to that specific domain, because it needs to lock it while it creates the virtual system. Then we will do vsx_provisioning_tool, then -s, and we need to take the specific domain, and then -u for username, admin, and in this case we will point to the file, so -f, and then we have this file, so copy paste. Now we should just do Enter and it will prompt us for the password, and this should create the stuff. Ah, I didn't get "transaction begin" in, I guess, so let's do vi again. Yeah, so insert "transaction begin" and then Escape, :wq, Page Up or arrow up. So let's see if it's creating it, I hope so; I'm expecting it to create it, if not we need to troubleshoot some. But you see here it's adding a name... didn't we do "name ip"? Let's check the file again. "leads_to", isn't that the same? So if we do like this, and I will do mds here as well, do like this, and we do quit, and we have here "add interface vd"... let's do like this and this, and then expert, vi vs02. So what is the wrong name here? Ah, do you see the issue? "add interface": we need to put "virtual device", we need to select where it's pointing, so "vd VS02 name eth4". That looks better, right?

So, Escape, :wq, and let's do like this. Come on, let's make it work. That one, so it's something fail-safe within it. I don't know if this is good or bad for the video, to actually include errors, but well, you get some troubleshooting, and this is just, well, I'm bad at writing things. So now it's pushing the configuration towards the VSX system itself, so it's actually creating the virtual system, and after that it will actually create the routes; it will create the virtual system before it actually adds the routes. So you see here it's pushing the configuration to VSX01, so that's great, successfully updated, nice, and now it's actually adding the route, so let's see if that's working as well. Nice, so you see here "topology has changed, please reinstall the security policy", and we see that everything was committed. You see here "committed lines one to five", that's these ones, and then "committed lines six to eight", that's these ones. So if you write it correctly it should work; if you put incorrect numbers, it doesn't work.

So you see here now the virtual system is actually created, and it's within 602, so let's go into this one, 602, connect to domain, and let's see if we can log into it and actually reach the internet. Then we have actually created a virtual system from vsx_provisioning_tool, with some errors, but well. So here, standard, let's see if we have the virtual device here, virtual system. You see here VS02, and it's the main IP that I talked about, topology, we have eth4, we have the leads_to virtual switch, and we have the default route. So just imagine this: if you have 100 interfaces or 100 routes, then it's a lot more efficient than to do it in the GUI. So let's do like this, let's change the cleanup rule to ping, to... no, allow internet like we did on the other one. So we have "your network", net 10.10.10.0/24, and do like this, publish, and now we will install the policy, and hopefully this works.

So it's looking promising at least, and don't do any rules... but well, this is still a training, this is still a lab, so the point is to do some failures and do some troubleshooting and actually find out why. All right, so let's do like this, let's jump into the VSX itself. As we're running HA, both of the VSs will be on the same member. So expert. If I do cphaprob stat I don't see any difference here, but if I do vsx stat -v then I now see two, so I have the virtual switch, then I have VS01 and VS02. If I want to go into the specific VS then I just do vsenv 2, or actually 3, because this is number three, and then I'm able to hopefully ping Google, and I am, nice.

So let's go back to the MDS itself and actually check what we did. So within the file itself this is what we ended up with: we have the "transaction begin", and we have the "add virtual device name" and then VS02, vsx; this is not referring to anything, this is referring to that you will specify the VSX cluster, so this is the VSX cluster. So we will do like this, I will just update like this, so this is what we did do, that's correct, right? Interface name, yeah. So here is the show command; I should do domain, domain IP, username, all right, like that. So here's the guide for actually how to do it, and there are more VSX tool references in the provisioning guide; you can check that out. But this is some basics about how to actually create the virtual system. We actually did some interfaces, both the normal interface and also something that leads to a virtual switch, and we did do some default route. We didn't add any specific route to a next hop IP address, but you get the point; you can add hundreds if you want. The only difference is that it would take a longer time to actually provision it, but doing it this way is a lot faster than to do it in the GUI. Because remember, there is no "add interfaces" etc. if you're going on the VSX system itself, because the transaction that we did do, or the configuration that we would do, we did do that on the MDS, we didn't do that on the VSX. So the MDS has the configuration and then it pushes it to the VSX cluster. So the MDS is the most important one, or the management station is the most important one, when it comes to VSX. VSX is just, let's say, dumb, so it needs its management server to actually be able to do changing of routings, of interfaces, etc. etc. It doesn't need its management station to work; it will still push traffic even if the management station is down, same as any other Check Point gateway, but you're not able to do any changes on a VSX system without the management station.

And just to prove a point, vsx_provisioning_tool has been around for years, and this is a reference guide from R76 and higher. I don't think that the commands have changed, but maybe you should check the reference guide for a later version. But still, in this one it has more explanation on how to actually use it, what you can do and what you can add, like MTU: if you don't want to have the 1500 as default you can change it. You can change the instances, that means the performance on the box, meaning you can do it then instead of changing it after. I normally change this after, because, well, I don't know, but I normally do that after anyway. And it has some examples of scripts, so if we scroll down here you can see more; so here's some script example on what you can do. And yes, that's a reminder: currently, as of R81, there is no API for provisioning the virtual systems. There is an API for configuring and provisioning the VSX clusters and changing the members, but there is no API as of R81 to actually fix the virtual systems and add interfaces. So if you want to do it script-wise, if you do want to do it in another way than the GUI, you need to use vsx_provisioning_tool. So if you're going to work with VSX, make sure to actually learn and use vsx_provisioning_tool; it will help you a lot. So I think that's it for this video.

I hope you did learn something, and I... you realized that I was in the way for some of the commands, but I think you did get it anyway. Make sure to actually lab this in your own environment so you can actually try this, and I hope to see you in the next one. Take care, bye.
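The transaction file the video builds by hand, as an added shell example (not code from the video or from Check Point): it generates the file for one Virtual System from a constructed interface list and checks it for the "add interface" line with no "vd" that caused the error in the video, before the file is handed to vsx_provisioning_tool -f. The VS/VSX/switch names, IPs and interface list are constructed, and the keyword grammar is assumed from the tool's documentation; verify it against the guide for your release.

```shell
#!/bin/sh
# Added example, not code from the video or from Check Point: build the
# vsx_provisioning_tool transaction file from a constructed interface list,
# then sanity-check it before passing it with -f.
# Keywords (transaction begin/end, add vd, add interface vd ... name|leads_to,
# add route vd ... destination default next_hop) are assumed to match the tool's
# documented grammar; verify against the guide for your release.

# Constructed sample, one interface per line: "<iface>|<ip/mask>" for a physical
# interface, "vsw:<virtual switch>|<ip/mask>" for a link to a Virtual Switch.
SAMPLE_IFS='eth4|192.168.1.112/24
vsw:VSW01|10.10.10.1/24'

# gen_vs_file <vs name> <vsx cluster> <main ip> <default next hop> <iface list>
# Prints the transaction to stdout; redirect it to the file given to -f.
gen_vs_file() {
    vs=$1 vsx=$2 main_ip=$3 gw=$4 ifs=$5
    echo "transaction begin"
    echo "add vd name $vs vsx $vsx main_ip $main_ip"
    echo "$ifs" | while IFS='|' read -r target ip; do
        case $target in
            vsw:*) echo "add interface vd $vs leads_to ${target#vsw:} ip $ip" ;;
            *)     echo "add interface vd $vs name $target ip $ip" ;;
        esac
    done
    echo "add route vd $vs destination default next_hop $gw"
    echo "transaction end"
}

# check_vs_file <file>: returns 0 if the file starts with "transaction begin",
# ends with "transaction end", and every add interface / add route line names
# the vd it belongs to (a missing "vd VS02" is exactly the error hit in the video).
check_vs_file() {
    f=$1
    head -n 1 "$f" | grep -q '^transaction begin$' || return 1
    tail -n 1 "$f" | grep -q '^transaction end$' || return 1
    ! grep -E '^add (interface|route) ' "$f" | grep -Ev '^add (interface|route) vd ' >/dev/null
}

# Usage on the MDS/CMA: generate, check, then hand the file to the tool.
# gen_vs_file VS02 VSX01 192.168.1.112 192.168.1.2 "$SAMPLE_IFS" > vs02.txt
# check_vs_file vs02.txt && vsx_provisioning_tool -s <domain ip> -u admin -f vs02.txt
```

The check is deliberately simple and only catches the file-shape mistakes shown in the video; the tool itself still validates names and addresses when it applies the transaction.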
Info
Channel: Magnus Holmberg
Views: 1,227
Keywords: ccsa, ccse, checkpoint, check point, cyber security, network, security, firewall, checkpoint training, r80, r80.40, checkpoint firewall, checkpoint firewall training videos, #compliance, r81, ccsa training, r80.10, r80.20, r80.30, check point vsx, network design
Id: ZqYrHXF_IK4
Length: 20min 31sec (1231 seconds)
Published: Mon Mar 29 2021