Adam276
Collaborator

Local gateway license generation in usercenter

I am hoping someone can help clarify some licensing questions that I have.  I am used to central managed licenses with open platform so I understand licensing with that scenario but not with appliances or local (non-central licensing).  I want to better understand this before generating the license.

I am now replacing a gateway appliance (going to a 6400 series) at another site that also has a separate management. I looked at the existing licensing for this group of firewalls/management in Usercenter and the old gateway license has the Module IP and Management IP as the gateway's IP (external IP). So these systems appear to have all of their licenses generated as local licenses (not central licensing). For consistency I want to keep that going for these systems.

The new product (6400) in license center has not been licensed yet as it has 'Not licensed yet' for last license date.   When attempting to generate a license in Usercenter for that gateway appliance as a local license,  it is asking for both an "IP Address" and a "Management IP".

Going by the existing license that I looked at in Usercenter, it would appear that I set both to the gateway external IP. It just seems confusing that it asks for a management IP for a local (not central) license.

1. Is this correct?
2. If that is correct then under what situation would a local license have a management IP set to something different?

After figuring that out, from my understanding, once the appliance is put in place and has internet, it can pull the license directly from Usercenter through the license menu in the GAIA web interface, so there is no need to manually apply it. The first time wizard is already done, as well as the Gaia CLI config/interfaces, etc.

3. Is this also correct?
4. If so then nothing needs to be done specifically in Smartconsole to import that license?  I am used to central licenses where everything goes through Smartconsole/smartupdate for open platform and central licenses.

15 Replies
_Val_
Admin

I suspect you did not consult the Licensing Guide yet: https://support.checkpoint.com/results/sk/sk11054

There is a video there that should answer all your questions. 

In short, yes, with a local license, your Management IP and GW IP are different. With central licensing, all GWs are licensed with the Management Server IP only.

Adam276
Collaborator

Thanks,  I did watch that but the existing license for the old hardware, that I viewed in Usercenter, goes against that.  It shows both the Module IP and management IP as the gateway's IP address.  Does that mean that web form is asking for the management IP and requires that but after generation, the license will actually have the gateway IP for the 'Management IP' when viewed from Usercenter's license page for the product?

 

the_rock
MVP Diamond

I'm no licensing expert by any means, but here is what I do for all my labs:

-for mgmt, I just assign mgmt IP for the license, paste that in expert mode

-for gateway, I do same thing, just remove module part from local license when you get the string output

-if standalone, I paste both mgmt and gateway parts. You can also do this in web UI as well, mind cplic put part, just copy and paste string that starts with IP address onwards

That's it.

Hope it helps.

Best,
Andy
"Have a great day and if its not, change it"
the_rock
MVP Diamond

@Adam276 If you are allowed to, we can do remote later, in about an hour, around 12 pm est. Just message me directly and I can send you the link, so can demonstrate what I was referring to.

Best,
Andy
"Have a great day and if its not, change it"
JozkoMrkvicka
Authority

I do exactly the same. I use the local IP assigned to management interface on the gateway itself (show management interface) for IP during license creation.

Never used real management (MDS or SMS) IP while generating license for gateway.

I also don't know which IP I am supposed to use during creation of a license for a gateway in case an MDS is used as management. Should it be the MDS IP or the Domain IP from which the gateway is managed?

Kind regards,
Jozko Mrkvicka
Adam276
Collaborator

I contacted the vendor and they said the same thing. They manage a lot of customers and they mentioned that Check Point changed their interface recently in Usercenter for generating local licenses and now have a spot for the management IP. They said it used to only have a gateway IP when licensing. They said going forward they will start putting the management IP in the form for reference in the future for local gateway license generation, but they said they don't plan to put the management portion of that license on the management, as they have never installed the management portion of a local license for a gateway license into management for any of their customers and it has worked just fine without it. I assume that is one less step they have to do. They only install the gateway portion of the license. Management of course has its own dedicated license.

As I mentioned though, I think tying a portion of the gateway product license for a local license to the gateway and the management IP address would cause more chaos when it comes to moving a management to a different IP address. If that management part of the local gateway product license was ever required, you would then have to regenerate/license all of your gateways again when the management IP changes. I thought a side benefit of local licensing was that the gateway license was tied to the gateways only and not the management. If part of the gateway product license for local licensing requires the management IP though, that seems like it would require relicensing all gateways if the management was moved to another IP/site. While this shouldn't happen often, it would complicate it for a customer when it does happen.

I will do what Checkpoint is requesting and generate it with the gateway IP and the management IP and put the gateway portion on the gateway and the management portion on the management just to make sure I am following best practice.  I do have to say though,  I am surprised this turned out to be so confusing.

the_rock
MVP Diamond

If I were you, if any doubt, definitely call Account services, I always found them to be EXCELLENT explaining things and helping with any doubts you may have.

Best,
Andy
"Have a great day and if its not, change it"
Adam276
Collaborator

I already did that and stated above what they said previously. They mentioned it likely doesn't matter if the gateway IP address was used for the 'Management IP' for a gateway product license generation (local license) if the dedicated management license already has SKUs for the features that were needed. The gateway-only portion of it would still work. They did mention that if you use the gateway IP for the 'Management IP' for a local license, that management part of the gateway product license would be invalid since it doesn't contain the IP of the management. It would appear that isn't really needed in most cases. I assume there are some situations where it might matter (like if you don't have a SKU already on management allowing management to manage gateways with advanced networking, etc).

Now maybe in the future it will matter for all I know.  I hope it doesn't though.  I don't want gateway products to also depend on the IP of the management in that gateway product license as it is just another complication if for any reason in the future that the management IP changes.

Obviously there are companies/people that are not even using the management part of the gateway product license (or generating it with gateway IP instead of management IP) and things are working at least for now based on all the feedback that I have seen.

I was mainly confused why the current gateways were even working in management since the gateway product licenses were generated in Usercenter with the gateway external IP for the gateway and management part.

I certainly don't claim that I fully understand it all.  I could certainly be missing something or edge cases, etc.  This is the information that I have on it though so far with all the feedback I have received on it.

the_rock
MVP Diamond

Sounds good!

Best,
Andy
"Have a great day and if its not, change it"
Adam276
Collaborator

I called support and they basically said that we don't need the management portion of the license that is generated with the license if we already have a separate management license that allows managing a certain number of gateways.  That would explain why it didn't matter that the management IP was set to the gateway external IP in the licensing form for each gateway at this site.

2 licenses are created when you generate/license a gateway (one for gateway and one for management).  He did confirm that the usercenter view does show that the other appliance was generated with the gateway external IP for both the 'IP Address' and 'Management IP' in the web form since management part of the license shows the gateway IP address.  That cluster is working just fine like that.  A very big third party vendor in Tel Aviv did the previous installation before so I would hope they wouldn't generate the license in a way that would break something before.  I assume they had their reasons for doing it that way.

Since we have a separate management license that allows a certain number of gateways to be managed, it doesn't need the management part of the gateway generated license. It sounds like the only need for the management part of the license is if we didn't have a separate management for each gateway. Using the gateway IP for the 'Management IP' would just allow that gateway to host its own management on the same system?

Since the management part of the license has the external IP of the gateway for all existing clusters, that license shouldn't be useful for my purpose unless management accepts the gateway external IP for the 'management ip' part of the license and that part does still need to be on the management.  So I am still not 100% sure how it works or if I am missing something.

An example of another 6400 license in Usercenter that is already installed and working fine with management.

Management IP: (set to gateway external IP)
CPVP-SNX-100-NGX CPVP-SNX-100-NGX CPSB-SWB CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M

Module IP: (set to gateway external IP)
CPAP-SG640X CPSB-FW CPSG-C-2-U CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-SSLVPN-200 CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS CPSB-APCL CPSB-CTN

I was hoping to understand the details of how this works without assumptions.

the_rock
MVP Diamond

Personally, I just do what I mentioned before and it works.

Best,
Andy
"Have a great day and if its not, change it"
Adam276
Collaborator

I corrected the first sentence which was reversed.

_Val_
Admin

Regardless of other comments in this thread, please always follow the licensing guide.

As the licensing guide clearly suggests, for the local license mode, you should use your management server IP for the management part, and your local GW IP for the module part.

Deviating from this practice may cause unexpected issues. For example, to manage a cluster or to control QoS policy, the CPSB-ADNC-M license should be applied to your management server. You probably already have it if your management is controlling more than a single cluster.

However, it is prudent to follow the guide, just in case. If licensed with the GW IP address, that SKU will be absolutely useless. 

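A small check of the rule _Val_ states above (management part bound to the management server IP, module part bound to the gateway IP), applied to the license lines the_rock describes pasting into `cplic put`; this is an added example, not code from the thread or from Check Point. The license-file line format, the IPs, the signatures and the management-SKU set (only CPSB-ADNC-M, the one SKU the thread names) are assumptions.

```python
# Added sanity check (not from the thread or Check Point). Assumed line
# format of a User Center license file, "cplic put" prefix optional:
#   cplic put <host-ip> <expiration> <signature> <SKU ...>
import re

MGMT_IP = "10.0.0.10"        # internal management server IP (constructed)
GATEWAY_IP = "203.0.113.5"   # gateway external IP (constructed)
# Assumed: SKUs that belong on the management server. Only the SKU the
# thread names is listed; extend it from the Licensing Guide.
MGMT_SKUS = {"CPSB-ADNC-M"}

# Constructed license file: the management part was generated with the
# gateway IP, which is the mistake discussed in the thread.
LICENSE_FILE = """\
cplic put 203.0.113.5 never 00000001-aaaaaaaa-bbbbbbbb-cccccccc CPVP-SNX-100-NGX CPSB-SWB CPSB-ADNC-M
cplic put 203.0.113.5 never 00000002-dddddddd-eeeeeeee-ffffffff CPAP-SG640X CPSB-FW CPSB-VPN CPSB-ADNC
"""

LINE_RE = re.compile(r"^(?:cplic\s+put\s+)?(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_license_file(text):
    """Return one dict per license line: host, expiration, signature, skus."""
    parts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised license line: " + line)
        parts.append({"host": m[1], "expiration": m[2],
                      "signature": m[3], "skus": m[4].split()})
    return parts


def is_management_part(part):
    return any(sku in MGMT_SKUS for sku in part["skus"])


def check_placement(parts, mgmt_ip, gateway_ip):
    """For each part return (target host, problems). A management part bound
    to any IP but the management server's installs but is useless there."""
    results = []
    for part in parts:
        target = "management" if is_management_part(part) else "gateway"
        expected = mgmt_ip if target == "management" else gateway_ip
        problems = []
        if part["host"] != expected:
            problems.append(f"{target} part bound to {part['host']}, "
                            f"expected {expected}")
        results.append((target, problems))
    return results
```

Run `check_placement(parse_license_file(LICENSE_FILE), MGMT_IP, GATEWAY_IP)` on a downloaded license file before installing either part; a non-empty problem list for the management part means the file should be regenerated with the management server IP.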
Adam276
Collaborator

Thanks. Yea, I assume the CPSB-ADNC-M license is likely already present from another license (maybe the main management), which is why it seems to work without it. Maybe the vendor knows this and generates the gateway license "Management IP" with the gateway IP in case the firewall becomes a standalone firewall/management. That is the only thing I can think of anyway.

By following the guidelines though, if the management part of the generated gateway product is ever required, then I assume that would mean if the management IP ever changes (moved to another IP or subnet), all of those locally generated licenses (the management part of them) would then be invalidated. I assume that would require then going back and regenerating every gateway license so that the management IP part of the local gateway license has the correct management IP. That sounds very cumbersome. Again... it likely doesn't matter if there is a dedicated management license with the SKUs needed, but the result would be the same as generating the management IP for a gateway product as the gateway external IP when you have a management server managing them... it would be invalid for the management server.

Looking from the outside of all of this,  I would have expected a local generated license to not have any reference the management IP at all.  I am sure there are reasons it works the way it does internally though.

I guess I now need to decide if I want to keep doing it the way the vendor did it or if I want to change and do it the right way (use the management IP for the management IP when generating the local license).

The only other question, to verify what I think is right, is whether that should be the internal IP of the management (I would assume so) or the external NATed management IP. Since the management portion of the license of a remote gateway doesn't get referenced to contact the management, I would assume I would use the internal IP... the same as I would do for a central license.

TurgutKaplanogl

Hello,

This is a known behavior. When you generate the gateway license using local licensing, you are required to enter the Management Server IP address and then assign the license that corresponds to the Management Server IP to the Management Server. This license is specifically required for controlling features such as VPN, Office Mode, Capsule Workspace and Endpoint Security VPN.

Even if you had generated the license using central licensing instead of local licensing, you would still need to apply the license string that belongs to the Management Server on the Management Server itself. This is a known behavior and for partial confirmation, you can review the sections related to the Management Server in the SK document referenced below.

https://support.checkpoint.com/results/sk/sk67820

Thank you

