Check Point

    Check Point VSX: multi-tenant firewalls without the headache

    TechLeague Editorial · 8 min read

    VSX runs many logical firewalls on one cluster. Used poorly, it creates state explosion; used well, it collapses a rack.

    Building blocks

    • Virtual System (VS) = full firewall instance.
    • Virtual Switch and Virtual Router connect VSes.

    Traffic flow

    • Packets cross between VSes via VS Links; treat them like wires.
    • Each VS has its own policy and routing.

    Sizing

    • Size each VS on concurrent connections, throughput and policy.
    • CoreXL split per VS matters.

    Operations

    • vsx stat and fw -vs for per-VS state.
    • Backups by VS, not just by cluster.

    Pitfalls

    • Don't share interfaces across VSes carelessly.
    • Document the topology; no one remembers it later.
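
One way to make the documented topology checkable, as an added example that is not part of the original article or any Check Point tooling: a small lint over a topology record that flags interfaces attached to more than one VS and VS Links that point at an undocumented Virtual Switch or Virtual Router. The record format, the "connectors" key and all VS, interface and switch names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample topology (hypothetical names, not taken from a real gateway).
TOPOLOGY = {
    "virtual_systems": {
        "VS1-tenantA": {"interfaces": ["eth1.100", "eth2.10"]},
        "VS2-tenantB": {"interfaces": ["eth1.200", "eth2.10"]},  # eth2.10 reused
        "VS3-tenantC": {"interfaces": ["eth1.300"]},
    },
    # Documented Virtual Switches and Virtual Routers.
    "connectors": {"VSW-internet": "switch", "VR-core": "router"},
    # VS Links, one (virtual system, connector) pair per "wire".
    "links": [
        ("VS1-tenantA", "VSW-internet"),
        ("VS2-tenantB", "VSW-internet"),
        ("VS3-tenantC", "VSW-dmz"),  # connector missing from the record
    ],
}

def lint_topology(topo):
    """Return (kind, subject, related) findings for the record."""
    findings = []
    owners = defaultdict(list)
    for vs, cfg in topo["virtual_systems"].items():
        for ifname in cfg["interfaces"]:
            owners[ifname].append(vs)
    # An interface listed directly on several VSes bypasses the Virtual Switch.
    for ifname, vses in sorted(owners.items()):
        if len(vses) > 1:
            findings.append(("shared-interface", ifname, tuple(sorted(vses))))
    # Every VS Link must join a documented VS to a documented connector.
    for vs, connector in topo["links"]:
        if vs not in topo["virtual_systems"]:
            findings.append(("unknown-vs", vs, (connector,)))
        if connector not in topo["connectors"]:
            findings.append(("unknown-connector", connector, (vs,)))
    return findings

def wired_together(topo):
    """Map each connector to the VSes linked to it, where two or more share it."""
    peers = defaultdict(set)
    for vs, connector in topo["links"]:
        peers[connector].add(vs)
    return {c: sorted(v) for c, v in peers.items() if len(v) > 1}

if __name__ == "__main__":
    for kind, subject, related in lint_topology(TOPOLOGY):
        print(f"{kind:18} {subject:14} {', '.join(related)}")
    print(wired_together(TOPOLOGY))
```

The output of wired_together is the list to review for tenant isolation: any two VSes on the same connector have a path between them that only their policies and routing control.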

    Train multi-tenant firewall design in a TechLeague tournament.