Check Point VSX – Internal Communication Network

Virtualizing your firewalls can be very beneficial for several reasons, and with proper planning and guidance the transition from physical to virtual can be made with little impact.

Check Point describes its VSX Internal Communication Network as follows:

Internal Communication Network

The internal communication network is a virtual network that is required for ClusterXL environments, in addition to the synchronization network. The internal communication network is invisible to external networks and lets cluster members communicate and recognize the state of the environment.

VSX assigns an IP address to the internal communication network during the cluster creation process. This eliminates the need to manually assign an IP address to each cluster member:

IPv4 address: 192.168.196.0, netmask: 255.255.252.0 (A range of four class C networks).

IPv6 address and netmask: FD9A::1FFE:0:0:0/80

You can modify the default IP address using the Gateway Cluster Properties Cluster Members page of the VSX cluster object, but only before creating Virtual Systems. Once Virtual Systems have been created, the IP range of the internal communication network cannot be modified.

Note: To avoid overlapping IP addresses, before creating any Virtual Devices, make sure the default IP address range of the Internal Communication network is not used anywhere else in the external network.

Original Check Point Source

Considerations:

When choosing your IP space, it is important not only to avoid overlapping address space but also to validate that no NAT rules on any of your hosted firewalls (Virtual Systems) encompass this subnet. An indication that an overlap has occurred is seeing traffic from the internal communication network (192.168.196.0/22 by default) outside of the VSX host. The unwanted places where this network may appear include packet captures on other hosts and logs originating from neighboring firewalls.
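The two checks described above, written as an added Python example that is not part of the original post and not Check Point tooling: one function tests a candidate internal communication network for overlap against a set of named address objects (as referenced by NAT rules or routes on the Virtual Systems), and a second scans log lines from a neighboring firewall for addresses that fall inside that network. The address-object names, the NAT_RULE_NETWORKS values and the log lines are constructed for illustration; the only real values are the Check Point defaults quoted above.

```python
import ipaddress
import re

# Check Point defaults for the VSX internal communication network (quoted above).
DEFAULT_ICN_V4 = ipaddress.ip_network("192.168.196.0/22")
DEFAULT_ICN_V6 = ipaddress.ip_network("FD9A::1FFE:0:0:0/80")

# Constructed sample: address objects used by NAT rules or routes on the hosted
# Virtual Systems. Names and prefixes are hypothetical and exist only for this example.
NAT_RULE_NETWORKS = {
    "nat_corp_users": "192.168.0.0/16",   # hide-NAT for a large RFC 1918 block: swallows the ICN
    "nat_dmz": "10.20.0.0/24",            # no overlap
    "nat_guest": "192.168.200.0/24",      # adjacent to the /22 but outside it
    "nat_branch": "192.168.198.0/23",     # sits entirely inside the default ICN
    "nat_v6_lab": "fd9a::/64",            # IPv6 block that covers the default IPv6 ICN
}

# Constructed sample log lines in a hypothetical format (not real Check Point logs).
# They represent logs from a firewall that is NOT the VSX host.
SAMPLE_LOG = """\
2024-01-10 10:01:02 fw-dmz-01 accept src=10.20.0.15 dst=203.0.113.7 service=https
2024-01-10 10:01:03 fw-dmz-01 drop src=192.168.197.34 dst=10.20.0.15 service=ssh
2024-01-10 10:01:04 fw-dmz-01 accept src=172.16.5.9 dst=192.168.198.2 service=http
2024-01-10 10:01:05 fw-dmz-01 accept src=192.168.200.8 dst=203.0.113.7 service=dns
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_overlaps(candidate, named_networks):
    """Return the names of networks that overlap `candidate` in either direction.

    Networks of the other IP version are skipped rather than compared, because
    ipaddress refuses to compare IPv4 and IPv6 objects with each other.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    hits = []
    for name, cidr in named_networks.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == cand.version and net.overlaps(cand):
            hits.append(name)
    return hits


def leaked_icn_addresses(log_text, icn=DEFAULT_ICN_V4):
    """Return (line_number, address) pairs for every IPv4 address in `log_text`
    that falls inside `icn`. Any hit on a device other than the VSX host is the
    overlap symptom described in the post."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:  # e.g. "999.1.1.1" matches the regex but is not an address
                continue
            if addr in icn:
                hits.append((lineno, token))
    return hits


def icn_is_safe(candidate, named_networks, log_text):
    """True only if nothing overlaps the candidate and, for IPv4, none of its
    addresses show up in the neighbor's logs."""
    cand = ipaddress.ip_network(candidate, strict=False)
    if cand.version != 4:
        return not find_overlaps(candidate, named_networks)
    return (not find_overlaps(candidate, named_networks)
            and not leaked_icn_addresses(log_text, cand))


if __name__ == "__main__":
    for net in (DEFAULT_ICN_V4, DEFAULT_ICN_V6):
        print(f"{net}: overlaps {find_overlaps(str(net), NAT_RULE_NETWORKS)}")
    for lineno, addr in leaked_icn_addresses(SAMPLE_LOG):
        print(f"line {lineno}: {addr} is inside {DEFAULT_ICN_V4}")
```

Run the overlap check before any Virtual System is created, since that is the only point at which the range can still be changed through the cluster object; the log scan is the after-the-fact symptom check and is worth rerunning whenever a new NAT rule is added to a hosted Virtual System.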

If you discover later in your deployment that a NAT rule overlaps with your chosen internal communication network, there is still hope, despite the warning that this network cannot be modified once Virtual Systems exist.

Check Point has provided two SK articles that will get you where you need to be: the first is SK39984, and step-by-step instructions for changing the network are provided in SK99121.

I hope you find value in this post and I want to thank you for your time.

Have a Great Day!

Kevin Johnson


Author: capkj1

With over 10 years in Information Technology, and more specifically Information Security, I humbly submit my thoughts, observations and experiences for your review and discussion. My hope is to broaden your understanding of Information Security and deliver insightful material to assist you in your daily walk with Information Technology.
