CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

  #101 (permalink)  
Old 2009-08-28
Junior Member
 
Join Date: 2009-04-24
Posts: 22
Rep Power: 0
PeterGV has an average reputation (10+)
Default Re: R70 multi-core license part II

Quote:
Originally Posted by northlandboy View Post
...
It's so easy to have redundant disks, and saves so much time when one fails.

I'm less concerned with alternate street power than I am with the power supply itself failing. Again, I've replaced a lot of these on Nokia boxes.
...
(sorry to be "late to the party"... but I figured I'd provide a comment from the perspective of a new SPLAT user)

I'm new to SPLAT, having just moved from a Nokia box. We're a small shop, and I'm a very part-time, reluctant, manager of our firewall.

I config'ed what I figured would be a reasonably reliable Dell server box, with RAIDed disks and dual power supplies (yes, the power supplies are fed by dual UPS units, each of which is fed by a dedicated circuit... but no, not with separate street power feeds or unique transformers; there's only so much you can control). I didn't even pay attention to the number of physical CPUs or cores. But, it happens to be a quad-core machine.

After running my new R70.1 SPLAT-based system for a couple of months, I just noticed the "license violation" message for the first time the other day.

I was floored.

So... now I'm basically hosed for choosing what is a relatively basic Dell server box. My choices are:

a) Remain out of license compliance until this is enforced

b) Pay some relatively large chunk of money (amount currently unknown) to upgrade to the quad CPU support.

Either way... not good.

To give you an idea: We're protecting less than 100 hosts behind this firewall, and we have less than 15 VPN users.

Checkpoint licensing has always been confusing... but I've always been able to follow it before. Increasingly frequently, I'm just regularly finding myself confused, baffled and frustrated.

Peter
Reply With Quote
  #102 (permalink)  
Old 2009-09-10
Junior Member
 
Join Date: 2009-09-09
Posts: 4
Rep Power: 0
adam65535 has an average reputation (10+)
Default Re: R70 multi-core license part II

Quote:
Originally Posted by cciesec2006 View Post
The bottom line to this issue is that you, the customer, will have to pay for multi-core license, either NOW
or LATER. Just make sure that you take this into consideration for your IT budget. What Checkpoint is doing is
so outrageous that it is nothing but highway robbery.

Food for thought: Since R65 will be End of Support in March 2011, I strongly suggest that everyone looks for
alternative firewall solutions besides Checkpoint so that Checkpoint will NOT hold you hostage.
I will probably be one that holds on until March 2011 in hopes that Check Point realizes that they are chasing away their customers, so that the next major version might have a better licensing model. The ironic part is that one of the reasons I switched from Symantec Enterprise Firewall to Check Point NGX was because Symantec was pushing their hardware platform too hard. Now here I am with the same thing happening. Heck. If I could just drop support until 2011 I could buy just about any other firewall solution at that time.

As others have mentioned, the most obvious reason for the appliance push is their support costs would fall *dramatically* if they were in control of the hardware (i.e. they make even more money). Don't downplay that. I am sure that is a very big factor in the appliance push. For all the reasons that have been discussed though... There are customers who know the downsides to appliances and want to avoid them for long term cost and flexibility reasons.

If Check Point were to come up with a very simple licensing scheme (don't nickel and dime us either) I think they overall would make more money even though they would make less per customer. They have made headway with their license complexity but it is still far too complex and pricey IMHO.

You buy a firewall. Oh you want to monitor the firewall properly? You need an extra license for that. You notice that traffic throttling is needed? You need another license for that. Oh you want to manage the 3 firewalls you have centrally? You need another license for that. You want to do some history reporting on the activity? You need another license for that. You want to actually use the smart defense capability that is already in your firewall? You need a license for that. You say you might need Office Mode? You need a license for that too. Do you want to use SSL VPN? You need another license for that. Oh... don't forget the mobile clients. You need another license for that too. Oh you bought another firewall? Don't forget that you need another management license to actually manage that from the same management station as your other 3. Oh I know you bought a smart defense license but you say you want to use Web Intelligence only on your web servers instead of all traffic? You need another license (per web/mail/etc server) for that too. Didn't you read the documents on this stuff? Do you want to be able to use your domain for authentication? You didn't tell me that! Yea.. you need another license for that. Don't forget clustering! You don't need a license... oh wait... yea you do! Oh anti-virus too? Guess what... Congratulations... it's another license for you! Hmm... you say you didn't order a single CPU server??!?! Shame on you for not picking up an old out of date server on eBay to get around the multi-core license. Man... you don't read all the documentation on products do you? Oh yea... you know that CoreXL doesn't work with clustering, or QoS right? So you can't really use all those cores to their full potential that you just were forced to pay extra for. Don't worry though, you won't have to pay extra for more interfaces. That great *feature* is in our Rxx product coming soon. Oh you want to use the routing protocols or advanced routing? More licensing for you! How many systems do you need to protect? ....

Sorry for the chatter but this is really getting to me. Licensing per CPU would be understandable but per core is just wrong since CPUs nowadays come with multi-core as standard. Regardless if other companies are trying to do the same in other areas it is still wrong IMHO.
Reply With Quote
  #103 (permalink)  
Old 2009-09-10
Senior Member
 
Join Date: 2005-08-14
Location: Gig Harbor, WA, USA
Posts: 809
Rep Power: 5
PhoneBoy has an average reputation (10+)
Default Re: R70 multi-core license part II

The right people are hearing the message and taking action. I'll let you know when I have something more to share about this.
Reply With Quote
  #104 (permalink)  
Old 2009-09-10
Senior Member
 
Join Date: 2006-03-08
Location: New Zealand
Posts: 468
Rep Power: 5
rubber_chicken has an average reputation (10+)
Default Re: R70 multi-core license part II

Great to hear it. I would have been disappointed if the hottest thread here didn’t at least prompt a review.

Waiting patiently,

Rubber….
Reply With Quote
  #105 (permalink)  
Old 2009-09-14
Senior Member
 
Join Date: 2007-06-04
Posts: 1,560
Rep Power: 5
mcnallym has an average reputation (10+)
Default Re: R70 multi-core license part II

Update from Check Point received this morning:

Check Point adds more flexibility to its license scheme on multi-core systems. Customers can now choose the amount of cores they want to use.
In response to feedback received from customers and partners, and in a continued effort to provide more value using multi-core technologies, Check Point Security Gateway software licensing on multi-core open hardware systems is now based on the amount of cores requested by the user. This is according to the license installed rather than the physical amount of cores available on the system. This change applies to products listed on the NGX and Software Blades price list.

With this new adjustment, customers are able to use a subset of the physical cores available on multi-core systems by using a license for a partial amount of these cores. For example, a customer with less than 50 users, having a dual-core system, may install a single core Security Gateway package to use a single core. Later on as the customers’ security performance needs grow, they can use the additional core.

Note: With the R70 and R70.1 latest software releases, the user can use the instructions referenced in SecureKnowledge solution SK36750 to specify to the operating system how many cores should be used; otherwise the user will receive a warning indicating the following: a License violation has occurred: The current machine has M CPU cores and the installed license is valid for up to N CPU cores. In future releases, the system will automatically use the number of cores as stated in the license.

This notification will be announced to partners on September 14th and the Check Point Price List will be updated on September 16th.




Seems that they have gone for letting you license the number of cores that you want to use, i.e. if you only need a single core then you can license for 1, if you need 2 you can license for 2, etc.
Reply With Quote
  #106 (permalink)  
Old 2009-09-15
Senior Member
 
Join Date: 2006-03-08
Location: New Zealand
Posts: 468
Rep Power: 5
rubber_chicken has an average reputation (10+)
Default Re: R70 multi-core license part II

I can live with that. I would have thought it would have been cleaner to do it via physical socket because the multicore environment is going to be a moving target for a while (4 cores, 4 cores with hyperthreading, 6 cores, 6 cores with hyperthreading, 8 cores and so on), but I'm not going to complain.

A single core will do me nicely for now.
Reply With Quote
  #107 (permalink)  
Old 2009-09-15
Senior Member
 
Join Date: 2005-08-14
Location: Gig Harbor, WA, USA
Posts: 809
Rep Power: 5
PhoneBoy has an average reputation (10+)
Default Re: R70 multi-core license part II

Quote:
Originally Posted by mcnallym View Post
Seems that they have gone for letting you license the number of cores that you want to use, i.e. if you only need a single core then you can license for 1, if you need 2 you can license for 2, etc.
That is my understanding as well. Hopefully, this will solve the issue for most people.

Worth pointing out that this came about, in part, as a result of feedback received on CPUG. I can't promise this will happen every time, of course, but Check Point is listening.
Reply With Quote
  #108 (permalink)  
Old 2009-09-15
Senior Member
 
Join Date: 2006-12-04
Posts: 460
Rep Power: 4
serlud has an average reputation (10+)
Default Re: R70 multi-core license part II

Quote:
Originally Posted by PhoneBoy View Post
Worth pointing out that this came about, in part, as a result of feedback received on CPUG. I can't promise this will happen every time, of course, but Check Point is listening.
PhoneBoy,

thanks a lot for your support with this issue.
Reply With Quote
  #109 (permalink)  
Old 2009-09-15
Senior Member
 
Join Date: 2007-07-16
Posts: 1,922
Rep Power: 5
Thorpuse has an average reputation (10+)
Default Re: R70 multi-core license part II

I'm glad to hear this - it's a good step forward. However there is still the problem about binding users and cores together, which is going to cause significant upgrade grief for those of us who are upgrading pre-multicore Software licenses, and now have no choice but to buy a 4 or 8 core container due to our user requirements, NOT our performance requirements. My rough calculation on this is that it will add at least $USD3K per upgraded gateway for the 4 core unlimited. Still, it's a start to making this better - it's good to know that CP will listen and react when confronted with rational debate.
Reply With Quote
  #110 (permalink)  
Old 2009-09-15
Senior Member
 
Join Date: 2005-08-14
Location: Gig Harbor, WA, USA
Posts: 809
Rep Power: 5
PhoneBoy has an average reputation (10+)
Default Re: R70 multi-core license part II

It sounds like you can request fewer cores now, though I will admit to being ignorant about how that might work. Hopefully your local Check Point rep knows a bit more about this.
Reply With Quote
  #111 (permalink)  
Old 2009-09-15
Senior Member
 
Join Date: 2007-07-16
Posts: 1,922
Rep Power: 5
Thorpuse has an average reputation (10+)
Default Re: R70 multi-core license part II

Rumour has it that there's a SG203U in the new bundling. Assuming this is priced sensibly, that probably provides a reasonable trade-up path.
Reply With Quote
  #112 (permalink)  
Old 2009-09-15
Member
 
Join Date: 2007-07-12
Posts: 54
Rep Power: 4
marklar has an average reputation (10+)
Default Re: R70 multi-core license part II

Quote:
Originally Posted by Thorpuse View Post
Rumour has it that there's a SG203U in the new bundling. Assuming this is priced sensibly, that probably provides a reasonable trade-up path.
This seems like a sensible upgrade for those of us with 3+ year old hardware that isn't running anywhere near capacity but needs a refresh.

Please make it so Check Point!

m.
Reply With Quote
  #113 (permalink)  
Old 2009-09-15
Senior Member
 
Join Date: 2005-08-29
Location: Upstate NY
Posts: 2,481
Rep Power: 7
chillyjim has an average reputation (10+)
Default Re: R70 multi-core license part II

Quote:
Originally Posted by Thorpuse View Post
Rumour has it that there's a SG203U in the new bundling. Assuming this is priced sensibly, that probably provides a reasonable trade-up path.
Give us 'till tomorrow and (hopefully) PhoneBoy and I will have it figured out.
Reply With Quote
  #114 (permalink)  
Old 2009-09-15
Senior Member
 
Join Date: 2006-12-04
Posts: 460
Rep Power: 4
serlud has an average reputation (10+)
Default Re: R70 multi-core license part II

To add more flexibility to its license scheme on multi-core systems, it would be great to have not only SG203U (price 14.000$), but also (just without VPN and IPS):

existing SG401U - $12,500

SG201U - for $10.000 ($12,500 SG401 - $2,500 MC-2 Multi Core Lic for 2 Core)
will work on open source Server up to 400Mb/s FW Throughput

SG101U - for $7,500 ($12,500 SG401 - $5,000 MC-4 Multi Core Lic for 4 Core)
will work on open source Server up to 200Mb/s FW Throughput

We have about 80% of 250 FWs (without needs for VPN, IPS) as internal enterprise FWs with unlim. users, and we are planning to expand this area.
Reply With Quote
  #115 (permalink)  
Old 2009-09-16
Administrator
 
Join Date: 2005-08-11
Location: San Francisco, CA
Posts: 981
Rep Power: 10
BarryStiefel has disabled reputation
Default Re: R70 multi-core license part II

Quote:
Originally Posted by PhoneBoy View Post
That is my understanding as well. Hopefully, this will solve the issue for most people.

Worth pointing out that this came about, in part, as a result of feedback received on CPUG. I can't promise this will happen every time, of course, but Check Point is listening.
Thanks for the feedback, Phoneboy.
__________________
Barry J. Stiefel ("Stee-ful")
B.S., MBA, CCSA/CCSE/CCSE+/CCSI
Resilience RCSE/RCSI, Fortinet FCSE
CISSP, MCSE, NSA ISM
President, CPUG, CPUG University, CPUG CON
Reply With Quote
  #116 (permalink)  
Old 2009-09-17
Junior Member
 
Join Date: 2006-05-16
Location: Poland, wielkopolska, Poznan
Posts: 24
Rep Power: 0
wowtek has an average reputation (10+)
Default Re: R70 multi-core license part II

Changes?
In the last e-news:

Quote:
Check Point adds more flexibility to its license scheme on multi-core systems. Customers can now choose the amount of cores they want to use.
In response to feedback received from customers and partners, and in a continued effort to provide more value using multi-core technologies, Check Point Security Gateway software licensing on multi-core open hardware systems is now based on the amount of cores requested by the user. This is according to the license installed rather than the physical amount of cores available on the system. This change applies to products listed on the NGX and Software Blades price list.
With this new adjustment, customers are able to use a subset of the physical cores available on multi-core systems by using a license for a partial amount of these cores. For example, a customer with less than 50 users, having a dual-core system, may install a single core Security Gateway package to use a single core. Later on as the customers' security performance needs grow, they can use the additional core.
Note: With the R70 and R70.1 latest software releases, the user can use the instructions referenced in SecureKnowledge solution SK36750 to specify to the operating system how many cores should be used; otherwise the user will receive a warning indicating the following: a License violation has occurred: The current machine has M CPU cores and the installed license is valid for up to N CPU cores. In future releases, the system will automatically use the number of cores as stated in the license

Reply With Quote
  #117 (permalink)  
Old 2009-09-17
Senior Member
 
Join Date: 2006-12-04
Posts: 460
Rep Power: 4
serlud has an average reputation (10+)
Default Re: R70 multi-core license part II

Do not forget to provide CP with feedback: cpp@us.checkpoint.com

Our feedback for this price update:

Hello support,

CP: Check Point adds more flexibility to its license scheme on multi-core systems. Customers can now choose the amount of cores they want to use.

Sorry, we could not find the announced flexibility; you still force a customer to pay for 2 core LICs and/or for the IPS/VPN Blade (SG203U), or for the 4 Core Lic SG401.

We just need a single core, unlimited user lics SG101U and also SG201U.

Please provide us with a new pricing update which includes SG101U and SG201U as soon as possible.

Again: do not force a customer to pay for something they do not need.

Last edited by serlud; 2009-09-17 at 02:07.
Reply With Quote
  #118 (permalink)  
Old 2009-09-17
Senior Member
 
Join Date: 2007-07-16
Posts: 1,922
Rep Power: 5
Thorpuse has an average reputation (10+)
Default Re: R70 multi-core license part II

Quote:
Originally Posted by serlud View Post
Do not forget to provide CP with feedback: cpp@us.checkpoint.com

Again: do not force a customer to pay for something they do not need.
Firstly, emailing Support about this is pretty much useless, as support does not set the sales and licensing agenda. Contact your sales or account rep if you have an issue with this.

Second, your argument about "do not force a customer to pay for something they do not need" is flawed. CP's comeback is going to say that the old pricelist made you buy all sorts of extra things in the UTM or Power lines, and in actual fact what's included in the bundle here is a much reduced feature set than the old pricelist. While I still believe on principle that a core-based licensing model is flawed, let's give them a little credit for doing a lot here to fix some of the inequities caused by trying to join cores and users inflexibly. If you do the math, in actual fact the SG203 is a better deal than the old pricelist offered, and at least provides a SKU that we can go to customers with that doesn't commit them to an unrealistic upgrade price. If you really want single core, then just keep your old NGX license - CP isn't going to retire these for some time still....

While your argument for a SG101U and 201U would be consistent, the added costs of a la carte blades on top of these would quickly make them unaffordable. Flexible yes, but no-one would do the sums and think this makes sense.
Reply With Quote
  #119 (permalink)  
Old 2009-09-17
Senior Member
 
Join Date: 2006-07-28
Location: New Zealand
Posts: 1,872
Rep Power: 6
northlandboy has an average reputation (10+)
Default Re: R70 multi-core license part II

Just wanted to say, as someone who participated in this thread, that I'm pleased that Check Point has made some changes to their licensing model.

I think that this change will provide suitable flexibility for customers like us.

It is good to see that constructive feedback can make a real difference.
Reply With Quote
  #120 (permalink)  
Old 2009-09-18
Senior Member
 
Join Date: 2007-06-04
Posts: 1,560
Rep Power: 5
mcnallym has an average reputation (10+)
Default Re: R70 multi-core license part II

It was quite strange: I was at the Check Point update at Twickenham yesterday and a loud cheer went up when they announced this.
Reply With Quote