This article presents the Frequently Asked Questions concerning the Software Blades supported on VSX.

 

IPS

• Should I enable IPS Software Blade on the VSX Gateway?
  

  IPS Software Blade should be enabled based on your needs.

  For more information, refer to IPS product page.

  
  
  
• How do I update the IPS Software Blade?
  

  The updates for IPS Software Blade are downloaded to the Security Management Server / Domain Management Server and then are transferred to the VSX Gateway during policy installation.

  IPS Software Blade update on the Security Management Server / Domain Management Server can always be performed manually, or can be scheduled in SmartDashboard.

  
  
  
• Are there special instructions for IPS Geo Protection?
  

  • In R80.10 and higher versions, IPS blade does not have to be enabled (Geo policy is installed as a part of the Access Policy). For R80.10 and higher VSX gateways, the activation mode of Geo policy assigned to VSX gateway (Context of VS0) has to be either in "Monitor Only" or "Active". This is required for the IPS Geo Protection updates to work on Virtual Systems (VS). 

  • In R77.30 and lower versions, for the IPS Geo Protection updates to work correctly,
    the following has be configured in the VSX Security Gateway object itself (context of VS0):

    1. IPS blade has to be enabled
    2. IPS profile has to be assigned, in which the "Action" of Geo Protection is set to either "Detect", or "Prevent"

 

Application Control and URL Filtering

• When I enable the Application Control / URL Filtering Software Blade in Virtual System object, should I also enable this blade in the VSX Gateway object?
  

  There is no need to enable these blades in the VSX Gateway object (context of VS0) when you enable these blades on some Virtual System(s).

  
  
  
• Should I configure proxy settings in VSX Gateway object when I enable the Application Control / URL Filtering Software Blade in Virtual System object?
  

  If your VSX Gateway is connected to the Internet via Proxy, then you should configure the relevant proxy settings in the VSX Gateway object.
  VSX Gateway fetches the update package from the cloud, and then all Virtual System get the update package from the shared directory in the context of VS0.

 

Anti-Bot and Anti-Virus

• When I enable the Anti-Bot / Anti-Virus Software Blade in Virtual System object, should I also enable this blade in the VSX Gateway object?
  

  Yes.
  Because contracts validation and initialization of default updates parameters are performed from the VSX Gateway itself (context of VS0).

  
  
  
• Should I configure proxy settings in VSX Gateway object when I enable the Anti-Bot / Anti-Virus Software Blade in Virtual System object?
  

  If your VSX Gateway is connected to the Internet via Proxy, then you should configure the relevant proxy settings in the VSX Gateway object.
  Each configured Virtual System will use its own proxy settings.

  
  
  
• Should I install Threat Prevention policy on all Virtual Systems and on the VSX Gateway?
  

  Threat Prevention policy must be installed on VSX Gateway / VSX Cluster
  and
  on the Virtual Systems, on which the Anti-Bot / Anti-Virus Software Blade is enabled.

  
  
  
• How do I update the Anti-Bot / Anti-Virus Software Blade?
  

  The VSX Gateway / VSX Cluster Member tries to get the Anti-Bot / Anti-Virus updated signatures using its proxy settings.

  • If it succeeds, then it the updated signatures will be transferred to the Virtual Systems.
  • If it fails, then each Virtual System will download the updated signatures package from the Internet using its own proxy settings.

  
  
  
• Do I need to configure DNS server on VSX Gateway for Anti-Bot / Anti-Virus Software Blade updates?
  

  Yes.

  Follow these guidelines:

  • Configure the DNS server(s) in the Operating System settings on VSX Gateway / each VSX Cluster in the context of VS0 (VSX machine itself).
    Note: All Virtual Systems will use the same DNS configuration (it can not be configured per Virtual System).
  • You must create an explicit security rule for each Virtual System that allows access from Virtual System to the configured DNS Server(s).
  • If your VSX Gateway is connected to the Internet via Proxy, then you should configure the relevant proxy settings in the VSX Gateway object. Each configured Virtual System will use its own proxy settings.

 

Threat Emulation

• When I enable the Threat Emulation Software Blade in Virtual System object, should I also enable this blade in the VSX Gateway object?
  

  No.
  The VSX Gateway is not involved in the Threat Emulation process.

  
  
  
• Should I configure proxy settings in VSX Gateway object when I enable the Threat Emulation Software Blade in Virtual System object?
  

  If your VSX Gateway is connected to the Internet via Proxy, then you should configure the relevant proxy settings in the VSX Gateway object.

  
  
  
• What are the limitations of Threat Emulation on VSX?
  

  The following are not supported:

  • Active/Standby Bridge Mode.
  • Virtual System Load Sharing clusters with more than two members is supported in VSX version R80.10 and higher.
  • Mail Transfer Agent (MTA) [resolved starting in R80.10].

 

Advanced Networking & Clustering

• What improvements were added to VSX in R80.20?
  

  • Significant boost to Virtual Systems performance, utilizing up to 32 CoreXL FW instances for each Virtual System.
  • SecureXL Penalty Box supports the contexts of each Virtual System. Refer to sk74520.

Related solutions:

• sk79700 - VSX supported features
• sk94508 - Recommended Internet Access Settings for Automatic Downloads

 

Related documentation:

• Release Notes (R75.40VS, R76, R77, R77.10, R77.20, R77.30, R80.10, R80.20, R80.30, R80.40)
• VSX Administration Guide (R75.40VS, R76, R77.X, R80.10, R80.20, R80.30, R80.40)

 

Product pages:

• VSX
• IPS
• Application Control
• URL Filtering
• Anti-Bot
• Anti-Virus
• Threat Emulation