eG Help

VSX (Virtual System Extension) is a security and VPN solution for large-scale environments based on the proven security of Check Point Security Gateway. VSX provides comprehensive protection for multiple networks or VLANs within complex infrastructures. It securely connects them to shared resources such as the Internet and/or a DMZ, and allows them to safely interact with each other. VSX is supported by IPS™ Services, which provide up-to-date preemptive security.

VSX incorporates the same patented Stateful Inspection and Software Blades technology used in the Check Point Security Gateway product line. Administrators manage VSX using a Security Management Server or a Multi-Domain Server, delivering a unified management architecture that supports enterprises and service providers.

A VSX Gateway contains a complete set of virtual devices that function as physical network components, such as Security Gateway, routers, switches, interfaces, and even network cables. Centrally managed, and incorporating key network resources internally, VSX lets businesses deploy comprehensive firewall and VPN functionality, while reducing hardware investment and improving efficiency.

Using the Check Point Smart-1 appliance, administrators may configure multiple virtual systems in their environment. Each Virtual System works as a Security Gateway, typically protecting a specified network. When packets arrive at the VSX Gateway, it sends traffic to the Virtual System protecting the destination network. The Virtual System inspects all traffic and allows or rejects it according to the rules defined in the security policy thus preventing unauthorized access to the network which in turn leads to the optimal network resource usage. On the other hand, improper policy configurations may result in fewer virtual systems which may hog the bandwidth and choke the network! To avoid such spurious situations, administrators should periodically monitor the efficiency of the policy configuration, figure out any impending discrepancies and fix them immediately! This is where the CpVsxTrafficTest test helps!

This test auto-discovers the virtual systems configured in the Check Point Smart-1 appliance and periodically monitors the amount of data and packets processed through each virtual system. In addition, this test also reports the CPU utilization and the active connections on each virtual system. In the process, this test helps administrators deduce the virtual system that is handling high volume of traffic and is hogging the bandwidth resources available to the network! This way, administrators can figure out if policy configurations are effective and if not, can initiate necessary action to fine tune them.

Measurement	Description	Measurement Unit	Interpretation
CPU_usage	Indicates the percentage of CPU utilized by this virtual system.	Percent	A value close to 100% is a cause of concern.
Active_connections	Indicates the number of connections that are currently active on this virtual system.	Number	An abnormally high value for this measure could indicate a probable virus attack or spam to a mail server in the network.
Peak_connections	Indicates the maximum number of connections to this virtual system.	Number
Data_processed	Indicates the amount of data processed by this virtual system during the last measurement period..	MB	Comparing the values of this measure across the virtual systems helps you in identifying the virtual system that is processing the maximum amount of data i.e., you can deduce the virtual system that has consumed the maximum bandwidth over the network. If there is a huge gap between the maximum and minimum bandwidth consumers, it could indicate that one/more virtual systems are hogging the bandwidth resources. You may then need to reconfigure/fine-tune the security policies and rules to minimize the bandwidth usage.
Accepted_data	Indicates the amount of data that was processed successfully by this virtual system during the last measurement period.	MB
Dropped_data	Indicates the amount of data that was dropped by this virtual system during the last measurement period.	MB	Ideally, the value of this measure should be zero. If there is a consistent increase in the value of this measure, then it clearly indicates that the virtual system is either processing a lot of malicious traffic or is under attack.
Rejected_data	Indicates the amount of data rejected by this virtual system during the last measurement period.	MB	A low value is desired for this measure.
Success_data_ratio	Indicates the percentage of data that was successfully processed by this virtual system during the last measurement period.	Percent	A high value is desired for this measure.
Packets_processed	Indicates the number of packets processed by this virtual system during the last measurement period.	Number	Comparing the values of this measure across the virtual systems helps you in identifying the virtual system that is processing the maximum amount of data i.e., you can deduce the virtual system that has consumed the maximum bandwidth over the network. If there is a huge gap between the maximum and minimum bandwidth consumers, it could indicate that one/more virtual systems are hogging the bandwidth resources. You may then need to reconfigure/fine-tune the security policies and rules to minimize the bandwidth usage.
Accepted_packets	Indicates the number of packets that were processed successfully by this virtual server during the last measurement period.	Number
Dropped_packets	Indicates the number of packets that were dropped by this virtual server during the last measurement period.	Number	Ideally, the value of this measure should be zero.
Rejected_packets	Indicates the number of packets that were rejected by this virtual server during the last measurement period.	Number
Success_packets_ratio	Indicates the percentage of packets that were successfully processed by this virtual system during the last measurement period.	Percent