License limit 1

[acle]

Hi,
we want to implement a FW1 enterprise module on a Secure Platform machine with 3 interfaces.
1 interface connect to the LAN
1 interface connect to an internal router that connect with the head office.
1 interface connect to internet
In the LAN we have about 150 ip address, just 30 persons need to use Internet with authentication on the firewall.
The smart center is in the head office.
Question:
We would like to know wich kind of license we have to buy?
Several persons say that Checkpoint cound just the session that connect to Internet so a 50 user license would be OK,
other says that we need a 150 user license because CP count all the IP address except for the external interfcace?
Someone knows exactly wich kind of version must we buy?
Many thanks!

 

[ChrisAC]

The firewall will count any addresses it sees on the internal network, or at least that's how I understand it to work but I believe that maybe changing. Your best bet will be to ask your Checkpoint reseller who should be better able to advise you on what licence you will need.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[acle]

Finally I found someone that explain me how does it work!
Checkpoint consider a user a session that pass through the FW. 50 user means 50 concurrent session.
This is an official document

http://www.microsoft.com/windowsxp/downloads/tools/rdclientdl.mspx

CIAO!!

 

[ChrisAC]

Microsoft RDP client? What's that got to do with Firewall-1?

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[ChrisAC]

Okay, I've got the info from checkpoint now. If you have 150 internal clients then you need a licence to cover all 150 IP addresses.

From the knowledgebase:

Counting IP addresses for licensing purposes

Solution ID: 55.0.2070856.2577027
Creation Date: 03/10/2000
Revised Date: 01/09/2004

Licensing for both Check Point Firewall-1 and VPN-1 is based on the total number of internal nodes protected. For licensing purposes, a node is any IP address protected by any FireWall-1/VPN-1 interface, excluding the external interface. Protected nodes include all network devices with IP addresses, such as workstations, routers, hubs, printers, etc.

FireWall-1 and VPN-1 gateways track the cumulative number of nodes (IP addresses) on all internal interfaces beginning from initial installation. There is no expiration of IP addresses from this count. A multi-user workstation is counted as a single node. For a multi-homed workstation, the number of nodes is equal to the number of workstation interfaces.

The internal interfaces of the FireWall are also counted in this total.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[acle]

Chris,
from what I know this method is changed since 8 months.
This is the Checkpoint link that explain the concept of user. In effect the old system counted everything including printers and so on. The new system count just the real session that are passing through the FW.

Andy

http://pricelist.checkpoint.com/sections/descriptions.asp

 

[ChrisAC]

That's what I thought also but this document was updated on the 1st September this year. I also wanted to confirm this as we have some firewalls on the new licence scheme but they are adding ALL internal addresses to the host count for the licence.

To be honest, Checkpoint licensing has always been a pain in the @ss!!

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[ChrisAC]

This quote ..

"The IP address is counted even if it is blocked due to a specific rule configuration."

.. would confirm what we are seeing. Any machine that sends out a broadcast to the network is added to the host count as the broadcast is dropped by the firewall. If the firewall sees that address then it counts it!

You can test this for yourself using 'fw lichosts' to see what addresses have been added.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************