
Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.


Hello Team,

We are planning to migrate an R77.30 SMS, which is currently running on a Smart-1 225 appliance, to R80.30. Since we have only one physical device available, we are planning to install R80.30 on a VM and migrate the existing R77.30 database to it. Later on we will migrate the physical box.

My concern is: is it possible to do so? If yes, is there any difference in licensing between a physical appliance and a VM (open server)? Do we need any additional licensing for the VM, or will the same license work?

Thanks for your help in advance.

Accepted Solutions

Re: Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.


If you have a Smart-1 and are looking to migrate into VMware, the process is the following with your reseller:

1) Say that you want to "turn in" your Smart-1 and associated licensing.  What rate you will get for this will depend on various promotions that are in effect.

2) This will create some level of credit that can be used to offset the purchase of a new open server SMS license.  The cost drivers of this license will be:

    - How many gateways you need to manage with the new SMS

    - Whether you want to do more than one domain/CMA (a.k.a. Provider-1/MDMS)

    - Any special add-ons (separate correlation units, separate log servers, ability to manage an unlimited number of gateways, etc.)

3) So for example the lowest SMS license you could purchase is:

CPSM-NGSM5 - Next Generation Security Management Software for 5 gateways (SmartEvent & Compliance 1 year)

next up the chain is:

CPSM-NGSM10 - Next Generation Security Management Software for 10 gateways (SmartEvent & Compliance 1 year)

These both include the following management blades, which should be all you need; it is rare to need any add-ons:

Including Blades: Network Policy Management, Endpoint Policy Management, Logging and Status, Monitoring, SmartWorkflow, SmartProvisioning, User Directory, Management Portal, SmartEvent for 1 year, Compliance for 1 year.

4) As far as VM resource provisioning, if you can swing it I'd recommend at least 8 cores and 16GB RAM (32GB of RAM if you have a large configuration or more than 10 gateways). However, the most important factor for virtualized SMS performance is disk I/O speed. Having your SMS share a disk channel with 50 database VMs that are also pounding that same disk channel will lead to absolutely terrible SMS performance, no matter how many cores and how much RAM you allocate. Talk to your VM guy; usually there is a choice of different physical disk paths for your new VM, and you want to be on the one that is fastest and/or least loaded. Trust me on this one. There are a few extra optimization strategies here as well: sk104848: Best Practices - Performance Optimization of Security Management Server installed on VMwar....

 

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com


8 Replies
Admin

Re: Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.


It is technically possible to do. But as you have mentioned yourself, your license should be changed. This is not a technical, but a legal requirement. 

Using an appliance license on a virtual machine is a breach of the EULA.

Ivory

Re: Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.

I have the same issue... Can you tell me which license I need? Or how to find this out?

Sapphire

Re: Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.


For a new installation, you have a PnP Evaluation license generated automatically - so there should be no issue with the VM as long as it is only using the PnP license for some days. 

Admin

Re: Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.


Not exactly. After DB import, the old license will apply, and PnP will no longer be active.


Re: Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.


Hello @_Val_, thanks for your help. So VM option is not possible. As this is my first migration and I don't want to take any risk, could you please suggest the best way to migrate?

Admin

Re: Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.


I did not say that it would be impossible. 

You can always get an evaluation license during migration. Another option is to keep the same IP address of the new management server. As mentioned before, technically it will work. For legal purposes, you will have to purchase a new final license for your management, once migrated.


Re: Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.

"Later on we will migrate the physical box."

If you're going to import back into your existing Smart-1 525, it will be fine.