VSX inter communication network funny IP

[ba3113]

If we deploy Cluster XL on security gateway we need to assign physical and virtual IP address to make it working.
If we deploy VSX and configure the virtual system we do not need to assign physical IP address its automatically assign address from inter communication network (192.168.192.0/23) which can be change to any network but has to be /24.
The question I got here are following
Can inter communication network and virtual IP be different network ?
Is inter communication network and virtual ip needs to be within same subnet ?
How virtual IP stick on cluster if inter communication network different than VIP ?


Thanks for your help

[mcnallym]

If we deploy Cluster XL on security gateway we need to assign physical and virtual IP address to make it working.
If we deploy VSX and configure the virtual system we do not need to assign physical IP address its automatically assign address from inter communication network (192.168.192.0/23) which can be change to any network but has to be /24.
The question I got here are following
Can inter communication network and virtual IP be different network ? YES, the Virtual IP should be a real IP on the Network that the interface is connected too.
Is inter communication network and virtual ip needs to be within same subnet e ? NO and shouldn't be
How virtual IP stick on cluster if inter communication network different than VIP ? NOT SURE, it just works for me. VSX is not the same as physical hardware. Sorry cannot answer tact more then that. I presume is something to do with the way that VSX communicates on the vs0 rather then the actual virtual systems themselves however.


Thanks for your help

Answered as best I can along the questions

[ba3113]

Thanks for your reply.

VS0 means you are talking about the VSX Gateway Cluster not the virtual system ?

[varera]

"funny IP network" addresses are to perform provisioning and to maintain clusterXL parameters locally on each physical device in the cluster. In fact, your VIP addresses SHOULD be different from that network.

More, make sure "funny IP network" is not used in any other part of your network. that segment should not be routed in your network at all.

[ba3113]

Thank you

Can VSX Gateway(VS0) pass any traffic ? How we can use VS0 to treat as virtual system ? Is it possible ?

[varera]

Thank you

Can VSX Gateway(VS0) pass any traffic ? How we can use VS0 to treat as virtual system ? Is it possible ?

Yes you can, you just don't want to. VS0 is used for provisioning of other VSs and for handling MGMT to VS communications for the whole system. With actual production traffic running through it, you need to be very careful not to install security policy that would affect other VSs. Also in MDSM environment VS0 belongs to so called Main Domain while other Virtual Systems are managed by other security doman servers, called Target domains. Main Domain server MGMT DB should not be locked, otherwise provisioning from target domain fails.

Bottom line - don't use it for production traffic, ever.

[ba3113]

It means if we need to build internet facing VS then we need to have two VS connected to internet world one is VS0 which is going to share all UTM's update , DNS , etc to other VS and another VS going to be your Virtual System which will host internet world.Based on SK its not advisable to have direct internet connection to each VS as VS0 shared all updates to other VS.

[varera]

It means if we need to build internet facing VS then we need to have two VS connected to internet world one is VS0 which is going to share all UTM's update , DNS , etc to other VS and another VS going to be your Virtual System which will host internet world.Based on SK its not advisable to have direct internet connection to each VS as VS0 shared all updates to other VS.

It is only a question of internal routing. VS0 does not have to be directly connected to the internet.