
This chapter is from the book

Getting Licenses

Each product you purchase will be given a certificate key. This certificate key, once registered at https://usercenter.checkpoint.com/home/index.jsp, can be used to obtain your permanent license key for your product. The actual process, if everything goes well, is very straightforward. Not only will you be given the license information on a Web page, you will also be sent an e-mail with the same information. Save this e-mail and print the license page. You will need this information when installing the product. You will also need the certificate key when you upgrade at a later date because the same certificate key will be used for the updated product as well (provided you purchase a software subscription, which should be activated at the same time the product is licensed).

There are two ways to license a FireWall-1 installation: on a hostid or an IP address. The hostid is an ID number based on information burned onto the motherboard.

Hostid-based licensing can only occur on SPARC Solaris or HP-UX because these hardware types actually support this type of license. On AIX, you can use a hostid-based license, but the hostid of an AIX box is actually based on an IP address, so there is no point. Windows NT and Nokia do not allow hostid-based licenses and can only be licensed by IP addresses.

IP-address-based licenses require that the IP address noted in the license be associated with an interface that is active when FireWall-1's kernel-loadable module loads at boot time. On a Solaris platform, the licensed IP address must be associated with the physical interface (that is, it cannot be an interface alias).

It is relatively easy to get evaluation licenses to do the testing and even the initial deployment of your firewall. Your Check Point reseller can obtain an evaluation license for you. Also, with each "eval pack" (which contains a CD and some documentation), you get a certificate key that can be used to generate two 30-day evaluation licenses.

In some cases, it has taken many months to get the correct permanent licenses, especially when upgrading from one version of FireWall-1 to the next, so do not be surprised if this happens to you. Unfortunately, there is no magic to this process. Making sure you have copies of your certificate keys and software subscription IDs helps tremendously, but does not guarantee success in obtaining a permanent license quickly. If you find you must run a production firewall on an evaluation license, make sure that you request new evaluation licenses at least a week before you actually need them. It may take at least that long to hunt down another license that you can use. The same is true with an upgrade of permanent licenses: Request the upgrade at least a week (or more) before you actually need it.

There are actually two kinds of evaluation licenses: those that are tied to an IP address/hostid and those that are not (which are sometimes called floating evals). Licenses of the latter type will display the word eval where an IP address or hostid would be. Check Point no longer offers floating evaluation licenses. However, these licenses are still used within Check Point and occasionally make their way into the outside world. These licenses are only good for a limited period of time. They usually have a start date of some sort: if the system date is set earlier than this start date, the license is invalid. As such, you cannot backdate your system to use one of these licenses indefinitely.

During the FireWall-1 3.0 time frame, Check Point changed over to a system where evaluation licenses were tied to a specific IP or hostid, which is still in use today. The dirty little secret about these licenses is that they are actually permanent licenses that have an expiration date. It appears that you can backdate the system to use these licenses. However, I am quite certain that this is against Check Point's Licensing Agreement.
