Sunday, January 25, 2015

VSX provisioning tool

VSX is great, especially in combination with MDSM. Managing your virtual FWs directly from SmartDashboard is very handy.

The only caveat is that SmartDashboard does not allow bulk changes on virtual systems.

Imagine you have 100 static routes to add. Doing it in the GUI, one by one, is a bit of a pain. What if there was an instrument that would allow the same, but faster and in one shot?

Since this year, the solution does exist. It is called the VSX provisioning tool. It is essentially an additional CPMI client that allows changing, adding and removing interfaces, static routes and Virtual Systems with VSX.

It needs to be placed on a Linux/Windows machine which has CP software installed (management or module), or even on a Windows machine with Check Point SmartConsole. It connects to the management server in the same way as SmartDashboard, over the same TCP port, and using the same username/pwd and permissions.

It replicates the logic of everything SmartDashboard does when you edit/add/del a VS object. This logic is quite complex, which unfortunately means that you cannot, even if you try really hard, accomplish the same thing with DBEdit.

Nowadays, if you are migrating from a physical environment, Check Point or not, there is an easy and effective way to build up your VSX system.

The tool is available for Linux, SPLAT/Gaia and Windows. Both the tool and its documentation are accessible through SK100645 at the Check Point support portal.

I thank David Bar and Maor Elharar for their hard work to build the tool and assistance in correcting my mistakes in this post.


  1. Valeri,

    The VSX Provisioning tool is not a DBEdit CLI script. It has nothing to do with DBEdit (and that's a good thing... :-), apart from the fact that they are both CPMI clients.

    Also, this is a good place to mention that the tool is capable of almost everything SmartDashboard can do in terms of VSX provisioning, including adding new VSs, etc. This can be a very useful building block to anyone who wants to create a cloud orchestration I/S, where VSX is part of the solution.

    1. David, thanks for this correction. Could you please provide me more details?

    2. David, thanks again, the post is now corrected.

  2. Great tool. I would like to see the ability though to use the show command without needing to obtain a lock on the database for write access. Maybe it's there and I missed it. The use case would simply be if I want to show a VS without having the current admin with the write lock log out of the management station.

    1. You can achieve that by just looking into the VSX provisioning script. You do not even have to have a CPMI client.

    2. Can you elaborate further on how this is done?

    3. Chad, what info are you looking for? If for information on particular VS config, go to VSX machine and look for NCS scripts. To make it easy, you can run "fw vsx showncs " command.

      Mind you need to understand a lot about VSX internal structure to read it, as it uses internal "funny IP" addressing to build interfaces.

      Alternatively, you can look into NCS files on the management (Main CMA for that matter), but that requires even more understanding. If you ever come to my VSX course, we discuss it there.

    4. Thanks. Very helpful. I tested the show vsx showncs and see what you mean. That gives me all of the information I would need.

      To further clarify my original statement. As you probably already know, when you run the vsx_provisioning_tool to show an existing vs, it will output the vs in the same format that the tool would read in to create it. But the tool will only run if you can obtain a write lock on the database. So even if you just want to output a vs in vsx_provisioning_tool format by using the show command, the tool needs to have write access.

      But, it would be simple enough though to script the showncs output into vsx tool format also.

      Do you have a link to your available classes?

      Thanks again!

    5. Chad, my classes are in Europe :-) Will it work for you?

    6. Chad, if I ever run a course in the US, I will post it in the blog. It's a promise.

    7. Chad,
      If I remember correctly, if logging in using a read-only user, then the write lock will not be obtained.
