
Fun With Check Point Licensing

Perhaps one of the more challenging aspects of FireWall-1 is licensing the product. Even those who have been selling and supporting FireWall-1 for a number of years tend to get tripped up by Check Point’s licensing from time to time. This article, derived from Essential Check Point Firewall-1: An Installation, Configuration, and Troubleshooting Guide (Addison-Wesley, 2001 ISBN: 0201699508), sets you straight on licensing requirements.

The major components that require licensing are the following:

  • Firewall module

  • Management console

  • Management Graphical User Interface (GUI) applications

A firewall module enforces your security policy and sends log information to a management console; it is what is typically referred to as "the firewall." The management console is responsible for storing, compiling, and pushing security policies out to the firewall modules; it also receives logging information from the firewall modules and processes alerts. The Management GUI applications let you view, edit, and install security policies, view logs, and see the status of all installed firewall modules. The Management GUIs communicate with the management console, which does all of the actual work.

With some exceptions, which I will note in the following sections, each of these components may exist on a separate system. You can even mix and match the platforms on which each component runs. For example, you can have the firewall on a Nokia platform, the management console on Solaris, and the Management GUIs on Windows.

Note that in a High-Availability configuration, all firewalls must be on the same platform. The same is true for High-Availability management consoles in FireWall-1 NG.

Node-Limited Firewall Licenses

Node-limited firewall licenses restrict the number of IP addresses that may sit behind the firewall. FireWall-1 listens for any IP-based traffic on all interfaces except those deemed external. How you tell FireWall-1 which interface(s) are external depends on the version. In FireWall-1 4.1 and earlier, where only a single physical interface can be external, that interface's name is listed in the file $FWDIR/conf/external.if on the firewall module. In FireWall-1 NG and later, this information is defined on the management console, on the Topology tab of the firewall's workstation object, and multiple interfaces can be marked external there. However, a node-limited license does not allow you to route traffic to these interfaces.

Whenever FireWall-1 hears hosts talking to each other with an address on a non-external interface, it records the IP addresses. Once it has heard n IPs (plus a 10-percent fudge factor), connections from the n+1th host onward generate e-mails to root and messages to syslog or the Windows event viewer. When the license is exceeded by a large number of hosts on a busy network, FireWall-1 spends its time logging and mailing out notices about the exceeded license. In many cases this makes the firewall process traffic very slowly, if at all.

So what are the implications of how FireWall-1 enforces a node-limited license? Anything behind your firewall with an IP address will eventually be counted. This includes non-computer devices such as printers, coffee makers, and so on: anything with an IP address that talks on your LAN will be heard eventually. Machines with multiple IP addresses will most likely be counted more than once. Peripherals that do not use TCP/IP should not be counted, and neither should machines that only use AppleTalk, IPX, NetBEUI, and so on; because FireWall-1 only looks for IP traffic, it should safely ignore them.
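As an added illustration, not code from the book or from Check Point, the following Python models the counting behaviour the two preceding paragraphs describe: interfaces named in external.if are excluded, only IP traffic is counted, each distinct address is one node (so a dual-homed machine counts twice), and every connection from a host beyond the n-plus-10-percent threshold produces another alert. The one-name-per-line format of external.if, the floor(1.1 n) threshold and the per-connection alert cadence are assumptions, and the traffic fed through it is constructed.

```python
#!/usr/bin/env python3
"""Model of how a node-limited FireWall-1 license counts hosts, as the
article describes it. Constructed illustration, not Check Point code: the
real counter's rounding and alert cadence are assumptions marked below."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# One observed packet: (ingress interface, protocol family, source address).
# Non-IP families (IPX, AppleTalk, NetBEUI) carry no IP source address.
Packet = Tuple[str, str, Optional[str]]


def parse_external_if(text: str) -> Set[str]:
    """Read interface names from $FWDIR/conf/external.if (4.1 and earlier).
    Assumption: one interface name per line, blank lines ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


@dataclass
class NodeLicenseCounter:
    licensed_nodes: int
    external_ifaces: Set[str]
    seen: Set[str] = field(default_factory=set)        # distinct internal IPs heard
    over_limit: Set[str] = field(default_factory=set)  # IPs beyond the threshold
    alerts: List[str] = field(default_factory=list)    # stands in for mail/syslog

    @property
    def threshold(self) -> int:
        # Assumption: "n plus a 10-percent fudge factor" modelled as floor(1.1 n).
        return int(self.licensed_nodes * 1.1)

    def observe(self, pkt: Packet) -> bool:
        """Account for one packet; return True if it triggered a license alert."""
        iface, family, src = pkt
        if iface in self.external_ifaces:
            return False            # only non-external interfaces are watched
        if family != "ip" or src is None:
            return False            # non-IP protocols are never counted
        if src not in self.seen:
            self.seen.add(src)
            if len(self.seen) > self.threshold:
                self.over_limit.add(src)
        if src in self.over_limit:
            # Every connection from an over-limit host logs again, which is
            # why a badly oversubscribed firewall bogs down in its own alerts.
            self.alerts.append(f"node limit exceeded: {src} heard, "
                               f"{len(self.seen)} hosts counted against "
                               f"{self.licensed_nodes} licensed")
            return True
        return False


def simulate(licensed_nodes: int = 25) -> Tuple[int, int, int]:
    """Run constructed traffic through the counter.
    Returns (distinct hosts counted, over-limit hosts, alerts generated)."""
    external = parse_external_if("eth0\n")   # constructed external.if content
    counter = NodeLicenseCounter(licensed_nodes, external)
    traffic: List[Packet] = []
    # 26 ordinary workstations on the inside interface, two packets each.
    for i in range(1, 27):
        traffic += [("eth1", "ip", f"10.1.0.{i}")] * 2
    # A printer counts like anything else with an IP address.
    traffic.append(("eth1", "ip", "10.1.0.200"))
    # A dual-homed server is heard on two addresses and counted twice.
    traffic += [("eth1", "ip", "10.1.0.250"), ("eth2", "ip", "10.2.0.250")]
    # IPX-only and AppleTalk-only nodes are ignored.
    traffic += [("eth1", "ipx", None), ("eth1", "appletalk", None)]
    # Internet hosts arriving on the external interface are ignored too.
    traffic += [("eth0", "ip", "203.0.113.7")] * 5
    # The over-limit server keeps talking, and every connection alerts again.
    traffic += [("eth1", "ip", "10.1.0.250")] * 3
    for pkt in traffic:
        counter.observe(pkt)
    return len(counter.seen), len(counter.over_limit), len(counter.alerts)


if __name__ == "__main__":
    hosts, over, alerts = simulate()
    print(f"hosts counted={hosts} over-limit={over} alerts={alerts}")
```

With a 25-node license the threshold is 27, so the 26 workstations and the printer fit, the dual-homed server's two addresses push the count to 29, and the five packets it then sends each generate an alert; this is the feedback loop that lets a modest overrun on a busy LAN drag the firewall down.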

There are plenty of ways to deliberately mislead or fool the license. For example, machines can be hidden behind a choke router, a switch, a proxy server, or another FireWall-1 box. However, Section 2.5 of the January 2000 End User License Agreement for Check Point FireWall-1 clearly states that this is not permitted:

The Product is licensed to You based on the applicable Licensed Configuration purchased. The License permits the use of the Product in accordance with the designated number of IP addresses. It is a violation of this End User License Agreement to create, set-up, or design any hardware, software, or system which alters the number of readable IP addresses presented to the Product with the intent, or resulting effect, of circumventing the Licensed Configuration.

In any case, these sorts of licenses are only appropriate for use where you can guarantee the number of hosts behind a single gateway. More importantly, in FireWall-1 4.1 and earlier, these licenses should only be used where an external network can only be reached through a single interface. If it can be reached through more than one interface or you have no way to control the number of hosts behind the firewall, this type of license should not be used.
