Licensing NG and NGX

[Testing-123]

Hello All,

Trying to understand checkpoint licensing a bit better having been confused reading the posts here and talks with my checkpoint licensor. I have searched all the posts in the licensing section but can't find the exact answers i'm after. Take the licenses below for example:

1)
VPN-1 Module for an unlimited number of IP addresses
CPVP-VFM-U-NG

2)
VPN-1 Power Gateway for Unlimited Users
CPPWR-VPG-U

3)
VPN-1, FireWall-1 and FloodGate-1 Gateway for 50 users
cpmp-vpg-50-ngx

1) is a NG license and the key word unlimited would imply you won't have any issues with being short on enforcement licensing. However, how does checkpoint enforce the "number of IP addresses" limit? Do you get a warning or certain functionality is disabled? Can you tell how much you've consumed on an enforcement module?

2) and 3) I've read that NGX has moved from licensing per ip address to per user? What's the difference and again how is this enforced and is there a way of checking how close you are to the limit?

I've been comfortable till now with management and module licensing as i've always been given unlimited licenses for both and i've just been careful with the features enabled on the license (i.e VPN, FloodFate-1 etc). It’s time to bang my head against the wall now :-)

Regards
Testing-123

[chillyjim]

Quote:

Originally Posted by Testing-123

Hello All,

Trying to understand checkpoint licensing a bit better having been confused [...]

Join the crowd :)

Quote:

1) is a NG license and the key word unlimited would imply you won't have any issues with being short on enforcement licensing. However, how does checkpoint enforce the "number of IP addresses" limit? Do you get a warning or certain functionality is disabled? Can you tell how much you've consumed on an enforcement module?

The gateway counts the number of IP addresses that attempt to pass it from an "Internal" interface.

When you exceed your license count, you will receive console errors and SmartView Monitor alerts

Additional connections should be dropped (YYMV on this one)

Quote:

2) and 3) I've read that NGX has moved from licensing per ip address to per user? What's the difference and again how is this enforced and is there a way of checking how close you are to the limit?

It has not in functionality, just how the EULA reads (This is not an official answer!!).

In the past, FW-1's license counted every connected device protected by the gateway, even devices that never connected to the Internet (e.g. printers). Now only connections that try to traverse it are counted.

For Messaging Security, users are counted but without an enforcement mechinisem other than IP address count.

[Testing-123]

Thanks chillyjim,

Seems a bit "crap" (don't want to use a conservative word to describe checkpoint licensing). So you have to be looking at console messages and smartview monitor to determine whether you're reaching a licenses limit? How do you capacity plan? Nightmare!

Testing-123

[MarioL]

The norm used to be count IP nodes. After the changes it became count IP nodes that will go out through the firewall.

Most customers end up having the "U" license anyway.

[Thorpuse]

Very true - the license count engine has always been a real PITA... Best way I've found of getting around it lately is the licensing for the UTM-1 devices, because they give you an Unlimited-node Gateway license plus hardware at a cheaper price than you can buy a software-only license (go figure....). You just have to ensure that the performance and interface metrics for these appliances fit your site, but if they do, then it's a good way to go.