CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1, 2005-08-12
BarryStiefel (Administrator)

Anatomy of a VPN-1/FireWall-1 4.1 license



When you get your permanent or temporary license from Check Point or your vendor, it will look something like this:
    Expiration Date: 21Dec1999
    Host ID: a.b.c.d
    Features: CPFW-EVAL-1-3DES-module-v41
    License String: aDxbb4F5j-d6tK6Mf3X-xSg4UvWZ6-owNuuj5fu (Validation code: XyZwa)
A typical license has three parts to it: Host ID, Features, and License String. The Host ID can be one of three things:
  • The 'hostid' of the machine (Unix machines only)
  • An IP address associated with the machine itself (all platforms)
  • The word 'eval' (which means the license is valid on any host)

The feature string corresponds to the designation on the price list (a.k.a. Product SKU). Note that a single license string might contain multiple SKUs.

The license string is case sensitive! A validation code is included, which you can use when entering the license in the NT GUI.

The "feature" designations below are used internally. You can do an "fw printlic -p" to print out the list of features in a somewhat more familiar way.
    Expiration Date: 28-May-98
    Host ID: a.b.c.d
    Features: pfmx des skip activemod controlx routers des skip motif embedded
    License String: 3504abcd-ef123456-7890abcd
Or you might see it as:
fw putlic a.b.c.d 3504abcd-ef123456-7890abcd pfmx des skip activemod controlx routers des skip motif embedded
The feature string will vary depending on which product(s) you have purchased. An evaluation license will typically allow you to utilize all features for a specific timeframe. The license string portion (the 24-digit hex number) is an encrypted version of your features, hostid, and license expiration date. If your license string begins with 7fff, it is a permanent license (e.g. expiration date of 'Never'). If it does not, then you have an evaluation license.

So What Do The Features Mean?



While not a complete list, here is a list of features you are likely to see and what they refer to. Depending on what you bought, you may get one or more license strings with a combination of these features:


| Feature | Version | Description |
|---|---|---|
| pfm | Any | Packet Filtering Module (e.g. a FireWall) + highav. Can be listed as pfmN, where N is the number of hosts the module is licensed to protect. |
| pfmx | 3.x + | pfm + encryption |
| control | Any | Management Console |
| controlx | 3.x + | control + encryption |
| activemod | 3.x + | Connect Control Module. Also shown as 'connect'. Must purchase separately. |
| routers | 3.x + | Router Control Module (e.g. can install ACLs on an unlimited number of Routers). Also shown as 'rcc' or 'routerN' (where 'N' is the number of routers you can control). Must purchase separately. |
| oseN, osmN | 4.x | Open Security Manager (previously Router Control). ose is for FireWall-1 Management Consoles (i.e. like routers above), osm is for Open Security Manager on NT. oseu, osmu, and routers for an unlimited number of routers. Must purchase separately. |
| des skip | 3.x | Adds DES and SKIP encryption capabilities to 3.x. Included with an encryption license. |
| vpndes | 4.x | Adds all encryption schemes 56-bit and lower. |
| vpnstrong | 4.x | vpndes + "Strong" encryption (i.e. above 56-bit). |
| embedded | 3.x + | Allows security policies to be installed on routers capable of stateful inspection. |
| highav | 3.x + | Allows for state sharing between firewalls. Listed separately with stdlight and stdmed licenses. |
| stdlightN, stdmedN | Any | Single Gateway Products (e.g. FireWall-1/N). Licensed to protect N hosts (not N concurrent connections). In FireWall-1 2.x, stdlight was a 50-user license, stdmedium was a 250-user license. |
| encryption | Any | Encryption module. Includes 'ca' license (for management console). Must purchase separately. |
| motif | 3.x + | License necessary to run Motif GUI on a Unix system. This license was free in version 4.0 and prior, though it must be purchased for FireWall-1 4.0. Not necessary for Windows 95 GUI. |
| pfi | Any | Inspection Module (Does packet filtering only, no auth gateways). Can be listed as pfiN, where N is the number of hosts the module is licensed to protect. |
| srX | 4.x | License for a specific number of SecuRemote Clients. srX can be any of: srulight (50 users), srlight (100 users), srmedium (500 users), srlarge (1000 users), srsuper (5000 users), srunlimit (unlimited). Comes with an encryption license, but must be requested from Check Point. |
| ram1 | 4.x | Account Management Client GUI to manage an unlimited number of users via LDAP. am1 for up to 250 users. |







-- PhoneBoy - 02 Jan 2004
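
For auditing a set of old license records, the layout described in the post can be checked mechanically. The following is an added example, not part of the original post or any Check Point tool: it parses the 3.x-style "fw putlic" line, classifies the Host ID, applies the post's 7fff rule, and looks up feature names from the table. The function names, the sample IP address, and treating any non-IP, non-'eval' Host ID as a Unix hostid are assumptions.

```python
import ipaddress
import re

# Feature names from the table above (descriptions abbreviated).
FEATURES = {
    "pfm": "Packet Filtering Module", "pfmx": "pfm + encryption",
    "pfi": "Inspection Module", "control": "Management Console",
    "controlx": "control + encryption", "activemod": "Connect Control Module",
    "routers": "Router Control Module (unlimited routers)",
    "des": "DES encryption (3.x)", "skip": "SKIP encryption (3.x)",
    "vpndes": "encryption, 56-bit and lower", "vpnstrong": "vpndes + strong encryption",
    "embedded": "policies on stateful-inspection routers",
    "highav": "state sharing between firewalls",
    "encryption": "Encryption module", "motif": "Motif GUI on Unix",
}
# Names the post says can carry a count N; 'u' (unlimited) is given only for ose/osm.
COUNTED_RE = re.compile(r"^(pfm|pfi|router|ose|osm|stdlight|stdmed)(\d+|u)$")
# 3.x-style string as shown in the post: 24 hex digits in three groups of eight.
LICENSE_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{8}){2}$")

def classify_host(host_id):
    if host_id == "eval":
        return "eval"
    try:
        ipaddress.IPv4Address(host_id)
        return "ip"
    except ValueError:
        return "hostid"  # assumption: anything else is a Unix hostid

def describe(feature):
    if feature in FEATURES:
        return feature, FEATURES[feature]
    m = COUNTED_RE.match(feature)
    if m and (m.group(2) != "u" or m.group(1) in ("ose", "osm")):
        limit = "unlimited" if m.group(2) == "u" else m.group(2)
        return feature, f"{m.group(1)} license, limit {limit}"
    return feature, "unknown feature"

def parse_putlic(line):
    parts = line.split()
    if parts[:2] != ["fw", "putlic"] or len(parts) < 5:
        raise ValueError("expected: fw putlic <host id> <license string> <features>")
    host_id, lic, feats = parts[2], parts[3], parts[4:]
    if not LICENSE_RE.match(lic):
        raise ValueError(f"not a 24-hex-digit license string: {lic!r}")
    return {
        "host_kind": classify_host(host_id),
        "permanent": lic.startswith("7fff"),  # rule stated in the post
        "features": [describe(f) for f in dict.fromkeys(feats)],  # de-duplicated
    }

# Constructed sample: the post's example string with a documentation IP as host ID.
SAMPLE = "fw putlic 192.0.2.10 3504abcd-ef123456-7890abcd pfmx des skip routers des skip motif"
```

Calling parse_putlic(SAMPLE) reports an IP-bound evaluation license; names that are not in the table come back as "unknown feature" rather than being dropped.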
