Software Blades updates on VSX - FAQ

Support Center > Search Results > SecureKnowledge Details

Software Blades updates on VSX - FAQ

Technical Level

Solution ID	sk106496
Technical Level
Product	VSX, Quantum Appliances, Quantum Security Gateways, Quantum Scalable Chassis
Version	R75.40VS (EOL), R76 (EOL), R76SP (EOL), R76SP.10 (EOL), R76SP.10_VSLS (EOL), R76SP.20 (EOL), R76SP.30 (EOL), R76SP.40 (EOL), R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL), R80.10 (EOL), R80.20, R80.30, R80.40, R81
OS	Gaia
Platform / Model	2000, 3000, 4000, 5000, 12000, 13000, 15000, 21000, 23000, Power-1 (EOL), VSX-1 (EOL), UTM-1 (EOL), IP1280 (EOL), IP2450 (EOL), 41000, 61000
Date Created	06-Jul-2015
Last Modified	11-Jun-2021

Solution

This article presents the Frequently Asked Questions concerning the Software Blades supported on VSX.

Click Here to Show Entire FAQ

IPS

Click Here to Show This Section

Should I enable IPS Software Blade on the VSX Gateway?

IPS Software Blade should be enabled based on your needs. The IPS blade does not need to be enabled on VS0.
For more information, refer to IPS product page.
How do I update the IPS Software Blade?

The updates for IPS Software Blade are downloaded to the Security Management Server / Domain Management Server and then are transferred to the VSX Gateway during policy installation. (The IPS update is fetched from the Security Management and pushed to the VSX (VS0).)

In SmartConsole, go to 'Security Policies tab > Threat Prevention Policy > Updates' (similar to the description in sk120255). Make sure that proxy setting are defined on the Security Management.
IPS Software Blade update on the Security Management Server / Domain Management Server can always be performed manually, or can be scheduled in SmartDashboard.
Are there special instructions for IPS Geo Protection?
- In R80.10 and higher versions, IPS blade does not have to be enabled (Geo policy is installed as a part of the Access Policy). For R80.10 and higher VSX gateways, the activation mode of Geo policy assigned to VSX gateway (Context of VS0) has to be either in "Monitor Only" or "Active". This is required for the IPS Geo Protection updates to work on Virtual Systems (VS).
- In R77.30 and lower versions, for the IPS Geo Protection updates to work correctly,
  the following has be configured in the VSX Security Gateway object itself (context of VS0):
  1. IPS blade has to be enabled
  2. IPS profile has to be assigned, in which the "Action" of Geo Protection is set to either "Detect", or "Prevent"

Application Control and URL Filtering

Click Here to Show This Section

When I enable the Application Control / URL Filtering Software Blade in Virtual System object, should I also enable this blade in the VSX Gateway object?

There is no need to enable these blades in the VSX Gateway object (context of VS0) when you enable these blades on some Virtual System(s).
Should I configure proxy settings in VSX Gateway object when I enable the Application Control / URL Filtering Software Blade in Virtual System object?

If your VSX Gateway is connected to the Internet via Proxy, then you should configure the relevant proxy settings in the VSX Gateway object.
VSX Gateway fetches the update package from the cloud, and then all Virtual System get the update package from the shared directory in the context of VS0.

Anti-Bot and Anti-Virus

Click Here to Show This Section

When I enable the Anti-Bot / Anti-Virus Software Blade in Virtual System object, should I also enable this blade in the VSX Gateway object?

Yes.
Because contracts validation and initialization of default updates parameters are performed from the VSX Gateway itself (context of VS0).
Should I configure proxy settings in VSX Gateway object when I enable the Anti-Bot / Anti-Virus Software Blade in Virtual System object?

If your VSX Gateway is connected to the Internet via Proxy, then you should configure the relevant proxy settings in the VSX Gateway object.
Each configured Virtual System will use its own proxy settings.
Should I install Threat Prevention policy on all Virtual Systems and on the VSX Gateway?

Threat Prevention policy must be installed on VSX Gateway / VSX Cluster
and
on the Virtual Systems, on which the Anti-Bot / Anti-Virus Software Blade is enabled.
How do I update the Anti-Bot / Anti-Virus Software Blade?
The VSX Gateway / VSX Cluster Member tries to get the Anti-Bot / Anti-Virus updated signatures using its proxy settings.
- If it succeeds, then it the updated signatures will be transferred to the Virtual Systems.
- If it fails, then each Virtual System will download the updated signatures package from the Internet using its own proxy settings.
Do I need to configure DNS server on VSX Gateway for Anti-Bot / Anti-Virus Software Blade updates?
Yes.

Follow these guidelines:
- Configure the DNS server(s) in the Operating System settings on VSX Gateway / each VSX Cluster in the context of VS0 (VSX machine itself).
  Note: All Virtual Systems will use the same DNS configuration (it can not be configured per Virtual System).
- You must create an explicit security rule for each Virtual System that allows access from Virtual System to the configured DNS Server(s).
- If your VSX Gateway is connected to the Internet via Proxy, then you should configure the relevant proxy settings in the VSX Gateway object. Each configured Virtual System will use its own proxy settings.

Threat Emulation

Click Here to Show This Section

When I enable the Threat Emulation Software Blade in Virtual System object, should I also enable this blade in the VSX Gateway object?

No.
The VSX Gateway is not involved in the Threat Emulation process.
Should I configure proxy settings in VSX Gateway object when I enable the Threat Emulation Software Blade in Virtual System object?

If your VSX Gateway is connected to the Internet via Proxy, then you should configure the relevant proxy settings in the VSX Gateway object.
What are the limitations of Threat Emulation on VSX?
The following are not supported:
- Virtual System Load Sharing clusters with more than two members is supported in VSX version R80.10 and higher.
- Mail Transfer Agent (MTA) [resolved starting in R80.10].

Advanced Networking & Clustering

Click Here to Show This Section

What improvements were added to VSX in R80.20?
- Significant boost to Virtual Systems performance, utilizing up to 32 CoreXL FW instances for each Virtual System.
- SecureXL Penalty Box supports the contexts of each Virtual System. Refer to sk74520.

General

Click Here to Show This Section

Are Updatable Oblects supported on VSX?

Updatable objects are supported on VSX. Each VS configured with Updatable Objects must have connectivity to updates.checkpoint.com and dl3.checkpoint.com in order to be able to download the package of Updatable Objects.

Related solutions:

Related documentation:

Release Notes (R75.40VS, R76, R77, R77.10, R77.20, R77.30, R80.10, R80.20, R80.30, R80.40, R81)
VSX Administration Guide (R75.40VS, R76, R77.X, R80.10, R80.20, R80.30, R80.40, R81)

Product pages:

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating