
License Issues 1

Mar 13, 2002
1) How does licensing work in Checkpoint?
2) If I buy a 250-node Checkpoint license, what does it mean?
3) What happens if, with that license (250 nodes), I place 500 PCs behind the firewall? How do I know which among the 500 are protected and which are not?
4) Can I create a list of 200 IP addresses and force Checkpoint to take the 200 PCs listed as within its 250 nodes?


 
Licensing in Checkpoint is controlled by the firewall. Interfaces on the firewall are labelled as internal and external.
For any IP traffic it receives from an internal interface, it logs the originating IP address. When this number of IP addresses reaches 250, or the licence value (+ I think 10%), it starts writing to system log files. What then eventually happens is that the firewall spends all its processor time writing logs, so performance drops to almost 0.
IP addresses include any device with an IP address that will route any traffic via the firewall.
I don't know if it logs addresses from broadcasts.
 
Thanks for your info. I can see that the log file contains the IP addresses. When I was using the Management Clients remotely and tried to view the logs, there was a message now and then stating that the response was slow and asking whether I chose to abort or continue.

That is the problem. Someone in my office bought the Checkpoint with 250 nodes. We have one flat LAN. There are about 500 pcs behind the firewall.

1) I want to know what happens to those IP addresses that don't fit into the 250-nodes licensing.

2) Let's say, for simplicity's sake, I have a new PC. I put that PC behind the firewall. Next I create a rule in the firewall for this PC. Does that mean that, since the Checkpoint licensing has reached its limit, it would ignore this rule because this new PC is not part of the IP addresses it covers?

3) In that case, how do I create a fixed list of IP addresses and force Checkpoint to acknowledge that these are the IP addresses it should protect and cover under its licensing scheme, and ignore the rest? Basically it seems to me that for whatever IP packet gets routed to the firewall, the origin IP address would be taken as 1 license. How do I control this?

I know one of the ways I could get over this problem is by segmenting the network in such a way that the firewall would only see one segment, say segment A, with fewer than, say, 240 nodes. The rest of the PCs that I have should be in a different segment, say segment B, and no routing from segment B should be made to the firewall.

Please advise. Thanks.
 
Unfortunately, the firewall has ears.

1 & 2: the firewall will always apply the rules regardless of the number of nodes. It will just become so slow that it is unusable, due to the system log flood from the licence exceeded messages.

3. This may work, but you will have to ensure no traffic reaches the firewall. I can't guarantee this would work, but some precautions would be to make sure the firewall is at least on a switch and not on a hub, and, if you can, find a way to stop broadcasts from the subnet reaching the firewall.

There are ways to reset the table on the firewall, but they are cumbersome (I would need to look them up); if I remember, they take a few minutes.
 
I remember that to flush the table, we have to wipe the contents of certain files, which I can't remember. But even after we wipe the table, it builds up again and starts to hit the system slowness problem again.

1) Can we wipe the table and choose what IP addresses are listed there?

2) Can we disable the flooding messages from the firewall? Perhaps syslog.conf would be able to control this; however, it might as well disable other important messages from other systems within the firewall server.
 
Unfortunately, this is Checkpoint's method of controlling licences.
If you have 500 nodes, you need a 500-node licence,
unless you can subnet your network to restrict the visible nodes.

I am not willing to post methods of circumventing Checkpoint's licensing model, only to help try and create a network that conforms to your current licence.
 
Is there a way to check how many nodes the FW currently sees? I don't have 250 nodes per se, but I have users with multiple machines. So I need to see how many CP thinks I have.

Thanks AJ
SA
HS
 
To get a count, type:

fw tab -t host_table -s

The entry under # vals corresponds to the number of hosts it has counted.
You can see which IPs are currently being counted against your license by
issuing the following command:

fw lichosts

Rather than reboot the box, you may want to reset FireWall-1's count of IPs:
cpstop, remove the $FWDIR/database/fwd.h and $FWDIR/database/fwd.hosts files,
and cpstart FireWall-1.

You can reset the table with

fw tab -t host_table -x
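As an added example (not from the thread or from Check Point), the following shell snippet turns the count check above into something you can run on a schedule: it pulls the # vals column out of `fw tab -t host_table -s` output and compares it with the licensed node count, so you learn you are near the limit before the log flood slows the box down. The table layout (a header row containing `#VALS`, one data row for `host_table`) is an assumption about the command's output, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: compare the FireWall-1 host_table count with the licence.
# Constructed sample in the shape of 'fw tab -t host_table -s' output (assumed
# column names); on a real gateway, pipe the command's output into host_count.
SAMPLE_OUTPUT='HOST                  NAME                          ID #VALS #PEAK #SLINKS
localhost             host_table                   107   312   318     0'

LICENSE_NODES=250   # the 250-node licence discussed in the thread

# Read table output on stdin, print the #VALS value of the host_table row.
host_count() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "#VALS") col = i; next }
         col && $2 == "host_table" { print $col; exit }'
}

# check_license COUNT LIMIT: returns 0 while within the licence, 1 when over.
# The 90% warning band is a chosen threshold, not a Check Point value.
check_license() {
    count="$1"; limit="$2"
    warn=$(( limit * 9 / 10 ))
    if [ "$count" -gt "$limit" ]; then
        echo "OVER: $count hosts counted against a $limit-node licence"
        return 1
    elif [ "$count" -ge "$warn" ]; then
        echo "WARN: $count hosts, approaching the $limit-node licence"
    else
        echo "OK: $count hosts within the $limit-node licence"
    fi
    return 0
}

# Stand-alone run against the constructed sample (replace with the real command:
#   fw tab -t host_table -s | host_count).
n=$(printf '%s\n' "$SAMPLE_OUTPUT" | host_count)
check_license "$n" "$LICENSE_NODES"
```

Feed `fw lichosts` to the same kind of loop if you also want the counted addresses listed alongside the total.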
 