This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ashish_verma
Contributor
‎2020-03-09 04:59 AM
Jump to solution

Checkpoint SMS Migration from R77.30 to R80.30 licensing requirement.

Hello Team,

We are planning to migrated R77.30 SMS which is currently running on Smart-1 225 appliance to R80.30. Since, we are having only one physical device available we are planning to install R80.30 on a VM and migrate existing R77.30 database to it. Later on we will migrate the physical box.

My concern is, is it possible to do so? If yes, is there any difference in license for physical appliance and VM (Open server). Do we need any additional licensing for VM or same license will work?

Thanks for your help in advance.

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2020-03-31 06:28 AM
In response to epexspot
Jump to solution

If you have a Smart-1 and are looking to migrate into VMWare, the process is the following with your reseller:

1) Say that you want to "turn in" your Smart-1 and associated licensing.  What rate you will get for this will depend on various promotions that are in effect.

2) This will create some level of credit that can be used to offset the purchase of a new open server SMS license.  The cost drivers of this license will be:

    - How many gateways you need to manage with the new SMS

    - Whether you want to do more than one domain/CMA (a.k.a. Provider -1/MDMS)

   - Any special add-ons (separate correlation units, separate log servers, ability to manage an unlimited number of gateways, etc.)

3) So for example the lowest SMS license you could purchase is:

CPSM-NGSM5 - Next Generation Security Management Software for 5 gateways (SmartEvent & Compliance 1 year)

next up the chain is:

CPSM-NGSM10 - Next Generation Security Management Software for 10 gateways (SmartEvent & Compliance 1 year)

These both include the following management blades which should be all you need, it is rare to need any add-ons:

Including Blades: Network Policy Management, Endpoint Policy Management, Logging and Status, Monitoring, SmartWorkflow, SmartProvisioning, User Directory, Management Portal, SmartEvent for 1 year, Compliance for 1 year.

4) As far as VM resource provisioning, if you can swing it I'd recommend at least 8 cores and 16GB RAM (32GB of RAM if you have a large configuration or more than 10 gateways).  However the most important factor for virtualized SMS performance is disk I/O speed.  Having your SMS share a disk channel with 50 database VMs that are also pounding that same disk channel will lead to absolutely terrible SMS performance, no matter how many cores and how much RAM you allocate.  Talk to your VM guy, usually there is a choice of different physical disk paths for your new VM, you want to be on the one that is fastest and/or least loaded.  Trust me on this one.  There are a few extra optimization strategies here as well: sk104848: Best Practices - Performance Optimization of Security Management Server installed on VMwar....

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

View solution in original post

0 Kudos
8 Replies
_Val_
Admin
Admin
‎2020-03-09 05:23 AM
Jump to solution

It is technically possible to do. But as you have mentioned yourself, your license should be changed. This is not a technical, but a legal requirement. 

Using an appliance license on a virtual machine is a breach of EULA

0 Kudos
epexspot
Explorer
‎2020-03-31 01:04 AM
In response to _Val_
Jump to solution

I have the same issue... Can you tell me which license I need? Or how to find this out?
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-03-31 06:28 AM
In response to epexspot
Jump to solution

If you have a Smart-1 and are looking to migrate into VMWare, the process is the following with your reseller:

1) Say that you want to "turn in" your Smart-1 and associated licensing.  What rate you will get for this will depend on various promotions that are in effect.

2) This will create some level of credit that can be used to offset the purchase of a new open server SMS license.  The cost drivers of this license will be:

    - How many gateways you need to manage with the new SMS

    - Whether you want to do more than one domain/CMA (a.k.a. Provider -1/MDMS)

   - Any special add-ons (separate correlation units, separate log servers, ability to manage an unlimited number of gateways, etc.)

3) So for example the lowest SMS license you could purchase is:

CPSM-NGSM5 - Next Generation Security Management Software for 5 gateways (SmartEvent & Compliance 1 year)

next up the chain is:

CPSM-NGSM10 - Next Generation Security Management Software for 10 gateways (SmartEvent & Compliance 1 year)

These both include the following management blades which should be all you need, it is rare to need any add-ons:

Including Blades: Network Policy Management, Endpoint Policy Management, Logging and Status, Monitoring, SmartWorkflow, SmartProvisioning, User Directory, Management Portal, SmartEvent for 1 year, Compliance for 1 year.

4) As far as VM resource provisioning, if you can swing it I'd recommend at least 8 cores and 16GB RAM (32GB of RAM if you have a large configuration or more than 10 gateways).  However the most important factor for virtualized SMS performance is disk I/O speed.  Having your SMS share a disk channel with 50 database VMs that are also pounding that same disk channel will lead to absolutely terrible SMS performance, no matter how many cores and how much RAM you allocate.  Talk to your VM guy, usually there is a choice of different physical disk paths for your new VM, you want to be on the one that is fastest and/or least loaded.  Trust me on this one.  There are a few extra optimization strategies here as well: sk104848: Best Practices - Performance Optimization of Security Management Server installed on VMwar....

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-03-09 07:15 AM
Jump to solution

For a new installation, you have a PnP Evaluation license generated automatically - so there should be no issue with the VM as long as it is only using the PnP license for some days. 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
_Val_
Admin
Admin
‎2020-03-09 07:43 AM
In response to G_W_Albrecht
Jump to solution

Not exactly. After DB import, the old license will apply, and PnP will no longer be active

0 Kudos
ashish_verma
Contributor
‎2020-03-11 01:23 AM
In response to _Val_
Jump to solution

Hello @_Val_, thanks for your help. So VM option is not possible. As this is my first migration and I don't want to take any risk, could you please suggest the best way to migrate?

0 Kudos
_Val_
Admin
Admin
‎2020-03-11 01:33 AM
In response to ashish_verma
Jump to solution

I did not say that it would be impossible. 

You can always get an evaluation license during migration. Another option is to keep the same IP address of the new management server. As mentioned before, technically it will work. For legal purposes, you will have to purchase a new final license for your management, once migrated.

0 Kudos
Michael_Curtin1
Employee
Employee
‎2020-03-31 09:44 PM
Jump to solution

"Later on we will migrate the physical box."

If your going to import back into your existing Smart-1 525, it will be fine.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events