| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Quote:
Here's what we have from our rep:

-----

<Customer>,

The following appliances are pre-bundled with Security Acceleration Licenses: IAS series, Power-1 series, and UTM-1 3070. This will give you the ability to use CoreXL (multicore acceleration) if you upgrade to R70 using your existing NGX licenses. The UTM-1 Series below the 3070 are single core systems and CoreXL licenses are not applicable.

I wanted to bring up the differentiation between R70 and our new Software Blade Architecture, as the two are not synonymous. R70 is our next major version release and Software Blade Architecture is a new product launch. They coincided at about the same time and there is much confusion on the difference between the two. When it comes to mapping out your upgrade path from NGX you essentially have two options:

1.) Upgrade to R70 using your existing NGX licenses - By doing so, you will gain the advantage of a.) multicore acceleration, b.) an enhanced/updated IPS engine for systems utilizing SmartDefense services, and c.) overall code enhancements. This upgrade path is covered under your annual support contract.
2.) Functionality upgrade to R70 Software Blade Architecture - This will place you on our network security architecture to take full advantage of all the new feature/functionality associated with this new product launch detailed at the following URL: https://www.checkpoint.com/products/...ure/index.html. This option does require an incremental charge above your annual support cost.

The core differences in feature/functionality between the two options are as follows: In option #1, the IPS capabilities will not contain full features of the new R70 IPS engine which includes the heuristics engine, and some of the advanced reporting, and monitoring features. New functionality cannot be added to the system without upgrading to R70 Software Blade Architecture, for example - DLP, NAC, and Provisioning blades.

The Software Blade Architecture also allows you granular control over assignment of specific blades to cores, this goes beyond the additional threading of process on multiple CPUs.

We can provide pricing on what it would cost to change your licensing to Software Blade Architecture from NGX Licensing if this is something you desire to do, of course you can continue to use your existing licenses minus the functions listed above.

Best regards,
<Check Point Rep>

---------

So, it would appear that upgrading to R70 doesn't force us to go with the multicore licenses, but upgrading to the Software Blade Architecture would require the multicore licenses. Has anyone else heard anything similar to this? My understanding up until this point was that R70 and Software Blades were inseparable. This also doesn't address the information that some of us have found that says that any "change" to the system would require new licensing under the multi-core licensing terms.

curiouser and curiouser...

__________________
- boldin
CCSA/CCSE NGX R65 Source Fire Certified Professional Security+ QualysGuard Certified Specialist A+ |
| |||
| Here's my take on all this:
1. As part of a software subscription/support agreement, Check Point allows people to upgrade to the new version. An R65 license can be used *as-is* on R70 for just this reason. From a customer point of view, you should have roughly the same functionality in R70 as you had in R65.
2. Software blades also came out with R70 and provide additional features above and beyond what you had in R65. If you want that extra functionality, you pay the upgrade price (varies, contact your Check Point rep).
3. Multi-core is something independent of both R70 and Software Blades. From whenever multi-core licensing went into effect, ANY license or hardware change requires you to come into compliance with the current multi-core licensing rules.
Does that make sense? |
| |||
| This is the part we're unhappy about - we believed that as long as we paid our support (or actually even if we didn't) we could replace our open server enforcement modules with newer hardware, without paying any extra for it. This was a key point in our choice of CP on SPLAT. |
| |||
| Quote:
Item 3 to me is wrong, because the license containers in Software Blades are directly linked to cores. The previous pricelist had multicore as an optional extra - therefore multicore licensing is an integral part of the Software blades licensing system - you cannot avoid having to make a choice about the number of cores on an OpenServer system. |
| |||
| Quote:
1. We are using only SecPlat OS, no place for IPSO at all.
2. Could you compare an existing system, an HP DL360 R4 (remote access - iLO board, all have RAID 0, 4-core CPU, 4 GB RAM, redundant power..... -- IT IS one OPEN Server), with an IP295 - single CPU (at 600 MHz ???)
3. We have to have spare HW, just a customer request (we have one HP server as spare). Do we need to buy an additional 1 Smart-1 and one IP295? We have already paid about 16.000€ for software LICs in 2002. Why should our customer pay 3x 5000$ one time and an additional 20% of 3x5000$ every year for subscription?

Subscription only software:
Before MultiCore - about 3000 € (one-time investment 16.000€ SW LICs)
After MultiCore - about 5000 € (additional one-time investment about 10.000 € - U4 LICs)

Simple explanation: Due to technology progress, all well-known CPU vendors have stopped producing single-core CPUs >> All Open Source Server vendors cannot produce a server with only a single-core CPU >> That is why you should pay (one time) the SW vendor CheckPoint 5000$ more for every new or old FW, plus about 1000$ per year for subscription!!!

We are still waiting for the CP sales rep's best calculation - but it will be too hard for CP to explain why our customer should pay twice now... to protect 120 internal hosts/users.

Last edited by serlud; 2009-08-13 at 23:17. |
| |||
| Quote:
My point about multi-core licenses being separate from R70 means it is still an issue if you stick on R65 and change hardware or otherwise need to relicense. I realize that number of cores is part of R70 licensing. |
| ||||
| Quote:
The argument of single-core systems not being available goes out the window as soon as you say we want to compare the appliance's performance to a quad-core system. |
| |||
| And *here* is where CP misses the point. The reason for the system requested is not for the performance, but for the hardware-level redundancy and standardised hardware setups. If you want RAID/Dual redundant Power etc, you have no choice but to buy a system at this level. Not only that, but you're buying a piece of hardware that you expect to last 4-5 years - so you standardise and buy it with components that will still be able to be run and used in that time. The 4 cores is just a consequence of the class of server you need to buy to get all the other bits. |
| |||
| You are indeed correct, guess my calculator use needs some help |
| |||
| The pricing model was based on the assumption that higher-end systems imply a higher-end usage. Clearly, that is not true in your case and that puts you in the position of having to explain to whomever holds the purse strings why your firewall suddenly costs more than it did last year. Hate to say it, but work the issue through your reseller. If enough people make an issue about it, I'm sure the pricing model can somehow be adjusted. |
| |||
| Quote:
Kudos to everyone here, I think this debate is the sort that will bring actual change. |
| |||
| Quote:
A jumpstart setup was done in a few minutes, don't wait for Nokia HW replacement. With the update to R65 I switched to an OpenServer platform and splat because of ILO and other HW features. Today I don't feel a DL380 is enterprise, it is a piece of standard datacenter hardware. |
| |||
| I can't promise changes will occur, of course, but at least there is better understanding. In the event some policy change DOES occur, I'll let you know. |
| |||
| Perhaps I can put this new multi-core license requirement and general Check Point costs in perspective:

Last year my Check Point support contract cost me about $23,000 for three firewalls with SmartDefense and Web Intelligence on Dell 2950's. On my desk is a quote for three Cisco ASA 5510's with 512 MB of RAM and IPS for all three (AIP-SSM-10). The first year cost for purchasing three new firewalls and all support is $15,700.

Over the next three years, assuming these costs remain static and that I do not have to buy multi-core licenses, I could have three 4-year old Check Point firewalls that cost my company $69,000 in Check Point support. Over the next three years, I could instead have NINE ASA 5510's: 3ea. 1-year old, 3ea. 2-years old and 3ea. 3-years old and it will have cost me $47,100 + $2,565 total for support for boxes more than one year old.

Or $69,000 for Check Point and $50,000 for Cisco but I'll have six more Cisco firewalls I can deploy as internal firewalls or at remote offices and I can install brand new hardware in the most critical points every year.

Do the math.

Ray

PS: I started with Check Point last century, originally purchasing it as Sun Solstice, which I think was FW-1 v2.1 or so. I have a CCSE-NGAI, which I paid for myself. How can I ask my company, particularly in these times, to stay with Check Point? No auditor or forensics team would ever say we erred by purchasing Cisco firewalls over Check Point. |
| |||
| The ASA series is nice, but our 5520s seem to be slower than molasses these days. There are few connections going through them, but site-to-site tunnels seem particularly slow. Another note, if your data center is doing the hot aisle-cold aisle thing, watch how you rack the ASA. Other than a 5580, all the units suck cold air from the _back_ and blow hot air out the _front_. |
| |||
| As Phoneboy said you can use this for better pricing but consider this:
The ASA 5510 is rated at 300 Mbps
The UTM-1 130 is rated at 400 Mbps
So to match up your quote, 3xUTM-1/136 at list with premium support is 16,848 (this includes IPS/AV/ASyp/ASpam for a year). Annual support thereafter $9,948 (though I think this may be high) and that gets you the TS package, not just the IPS.

The 5510 is a great price point, but it is a SMB firewall, not a large-enterprise FW. A side-effect of decoupling the SW from the HW is that most people ended up getting very pricey licenses that they didn't need (sounds like you have VPG-U's). The multi-core/blade pricing is an attempt (admittedly not as successful as it could have been) to correct this.

Now don't get me wrong, I think you have a very valid point, and that Check Point has shot itself in the foot more than once on the price/support/product thing, but you do have to be very careful comparing VPN-1 on open server to an appliance based FW or you end up comparing apples and oranges when you really need a pineapple. |
| |||
| Hi Jim, Agreed, however we have a small pineapple. :-) Although we have about 1,000 employees in 45 locations, all have Internet access and a lot of our services are Internet-based, we don't need a lot of bandwidth. The use of caching proxy servers means we have only 10 M/bps of Internet access and we're consistently around 6 M/bps. The caching proxy also dramatically reduces the number of discrete connections. The proxy logs are around 700 MB each day, so yes, we do know the Internet is heavily in use. :-) We do have a number of DMZ interfaces in use because we bring in all partner connection private lines through them. Five NICs on the UTM-1/136 is not adequate. We're currently using most of the ten we now have installed. We also have RAID 1 and dual power supplies on the 2950's. Yes, we do have unlimited licenses because FW-1 was licensed by IP's protected and we were above 500. Our oldest license is a CPFW-FM-U that we use on an internal firewall, so you know we've been around awhile. :-) Ray |