Check Point R81.10 VSX Cluster Configuration – How to Tutorial

In this Tutorial will be installed Check Point VSX (Virtual System Extension) Cluster with two Security Gateways in ClusterXL High-Availability mode. On this VSX Cluster will be created two Firewall VS’s (Virtual System) VS_FW1 and VS_FW2.


Separate isolated Management Network will be used for the communication between Security Management Server and the Security Gateways. Both gateways are using one dedicated Ethernet interface in the Management Net.


Since we have an Ethernet interface connected to the External WAN network and shared by the VS_FW1 and VS_FW2 virtual systems, we need to provide Layer 2 connectivity between the virtual systems in our VSX Cluster. This will be provided by the VS_sw_wan virtual switch.


From the LAN side we have two different LAN Networks, each one connected to only one of the VS Firewall. Those LAN Networks are transferred through the same Ethernet interface which is configured as a VLAN-Trunk.


The purpose of this tutorial is to create and configure step-by-step an environment that is closer to more real-life use-cases by using more than one technology at the same time. In this Lab will be used more technologies all at once such as Check Point VSX, ClusterXL, Virtual Switch, Virtual System (virtual Firewall), vlan Trunk.


Both Security Gateways must have the same hardware specification.

CheckPoint – ClusterXL Requirements and Compatibility




1. Testlab Setup


SG Configuration:

Checkpoint SG:

Management Interface:

Sync Interface:

External Interface:

Internal Interface:







eth0 vlan trunk (v201,v202)





eth0 vlan trunk (v201,v202)

VS Configuration:

Virtual System:

External Interface:

External Interface IP:

Internal Interface:

Internal Interface IP:


virtual in VS_sw_wan





virtual in VS_sw_wan




2. Create VSX Cluster

a) New – VSX – Cluster

b) Create VSX Cluster “vsx_cluster1” with Cluster IP “” with ClusterXL Platform

c) Check if you have per Virtual System State Option enabled

sg1:0> cpconfig
This program will let you re-configure
your Check Point products configuration.

Configuration Options:
(1)  Licenses and contracts
(2)  SNMP Extension
(3)  PKCS#11 Token
(4)  Random Pool
(5)  Secure Internal Communication
(6)  Disable cluster membership for this gateway
(7)  Disable Check Point Per Virtual System State
(8)  Disable Check Point ClusterXL for Bridge Active/Standby
(9)  Check Point CoreXL
(10) Automatic start of Check Point Products

(11) Exit

Enter your choice (1-11) :

Option in cpconfig “Disable Check Point Per Virtual System State” means that the feature is in enabled state.

d) add VSX Cluster Members sg1, sg2 using SIC Activation Key configured by the Security Gateway Install

add next VSX Cluster Member

e) Configure Interfaces that will be used as VLAN Trunk – eth0

f) Configure Interface for the ClusterXL state synchronization – eth4

g) Virtual Network Device will be configured separately, with unchecked box click next

h) Configure management access for VSX Cluster. 


I will now enable ssh from any to cluster object because I am in Testlab. In the production environment I strictly recommend to harden the policy specific only for the services, source and destination objects which are needed. This wizard will use this Window Options to create basic VSX object policy. This policy could be updated later according to the specific needs.

i) Finish Cluster Creation

j) Install vsx_cluster1 policy

3. Create Virtual Switch

a) New – VSX – Virtual Switch

b) Configure Virtual Switch Name – “VS_sw_wan” and designated cluster on which should be created – “vsx_cluster1“.

c) add SG external interface which will be connected to the Virtual Switch “VS_sw_wan” – eth1

d) in case you need more interfaces, add the additional interfaces otherwise click next and finish

4. Create Virtual System Extension

a) new – VSX – Virtual System

b) Define the VSX object name – “VS_FW1” and designated cluster – “vsx_cluster1

c) Add WAN Interface.

add interfaces – Lead to Virtual Switch VS_sw_wan

WAN Interface

d) Add LAN1 Interface.

add interfaces – Regular

LAN1 Interface eth0, vlan 201, IP

Note: If you want to propagate routes to other VSX Systems, enable the option – “propagate route to adjacent Virtual Devices”, otherwise you will need to add routes manually.

e) Add default route

f) finish the Creation Wizard

f) Create New Firewall Policy for the new VSX VS_FW1 and Install the policy. I will use “Standard” for the testing purposes.

Security Policies – Manage Policies – Manage Policies and layers

Policies – Edit – Installation Targets – Specific Gateways – VS_FW1

g) Repeat the steps a) – f) for VS_FW2

5. Conclusion

The Checkpoint VSX Cluster “vsx_cluster1” is now fully functional and utilizing more features at once such as Virtual System, ClusterXL, Virtual Switch, Vlan Trunk. The environment is now ready for additional configuration.