R75.40VS and R76 Security Gateway Mode to VSX Mode Conversion Process - Known Limitations
For R77 and above, see sk106029.
This article explains how to configure a Security Gateway before you convert it to a VSX Gateway. The conversion wizard automatically checks some of the features, but not all of them. We recommend that you read this article thoroughly and verify that you can convert the Security Gateway to VSX.
- The Security Gateway must use the Gaia operating system.
- Install a policy on the Security Gateway before you start the conversion process.
- PerformancePack (SecureXL) must be installed.
- Make sure that these settings are selected in SmartDashboard - 'Global Properties' - 'Firewall Implied Rules' page:
  - 'Accept SmartUpdate connections'
  - 'Accept Control connections'
- The name of each cluster interface must be the same as the name of the related member interface and must have a cluster IP address configured.
- VSX cluster supports only one Sync interface with no cluster IP address.
- The IP addresses of the Management interfaces of the cluster and of the cluster members must belong to the same subnet.
- No dynamic routes are configured.
- 61000 Security System does not support conversion.
Unsupported Software Blades:
- Management Blades are not supported
- Data Loss Prevention
- FireWall-1 GX
- UserAuthority Server
- User Authority Web Access
- Legacy URL Filtering
- Legacy Anti-Virus
- Mobile Access *
- QoS Blade *
* Mobile Access and QoS Software Blades are partially supported. For more details on how to use them, see the R75.40VS VSX Administration Guide.
Other Unsupported Functionalities:
- Cluster in Load Sharing mode
- ISP Redundancy
- Cooperative Enforcement ("Authorize clients using Endpoint Security Server")
- Policy based routes
- Dynamic routes
- DAIP (if a single Gateway)
- Connect Control
- ClusterXL Multicast
- TCP 'Out of State' exceptions
- 'Malicious IPs' IPS protection is not enforced
Unsupported Interface Types:
- VPN tunnel interfaces
- PPPoE interfaces
- PPTP interfaces
- IPv6 interfaces
- Interface aliases
- Bridge interfaces
- Q: Why did the conversion process fail because of "cpstop"?
A: The SecureXL driver was not installed on the Security Gateway.
- Q: After I clicked "Finish", the "Removed Used object" window opened. What should I do?
A: Click 'Yes' in all the windows that open.
- Q: While using the conversion wizard, I got a "no connectivity with (IP address)" error message.
A: Install a policy on the Security Gateway or cluster before you convert to VSX.
- Q: I am converting to VSX using "shared interface" mode. After the conversion finishes, this message appears: "Failed to establish trust with VSW". What should I do?
A: From SmartDashboard, double-click the Virtual Switch object that belongs to the new VSX Gateway. Click "OK".
- Q: I am converting to VSX using "shared interface" mode. At the end of the conversion wizard, this message appears: "Failed to create shared interface (virtual switch) for SPLAT". What should I do?
A: The Wrp driver may be missing after the upgrade. For more information, see sk79940 (Converting Security Gateway mode to VSX mode might fail after upgrading to R75.40VS on Gaia OS).
Related Solution: sk79940 (Converting Security Gateway mode to VSX mode might fail after upgrading to R75.40VS on Gaia OS)