This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ihenock1011
Collaborator
‎2024-04-23 06:57 AM
Jump to solution

License Renewal

Hi Mates,

We have a Check Point 7K Security Gateway with a Smart Management Server (SMS) running R81.10. IPS, App Control, and URL Filtering blades are activated. We'd like to understand how license expiration for these blades will affect the Security Gateway's operation.

Specifically, will the Security Gateway continue normal operation after the blade licenses expire?

For example, if a rule currently blocks access to facebook.com, will this rule stop working after the App Control or URL Filtering blade license expires, allowing access to Facebook?

Thanks,

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2024-04-23 08:04 AM
Jump to solution

When we are talking about AC/URLF, it is not a license but a subscription contract. 

You are supposed to have a valid contract in place, but in case it expires and is not renewed in time, you will see policy installation warnings, see positions 8 to 13 from this SK.

After a short grace period, the blade will be disabled, and you will not be able to use it unless the contract is renewed, and the new contract file is applied to the GW.

Specifically, sk56300 says the following:

What happens when there is no Application Control contract

You must have an Application Control Software Blade contract to use the Application Control Software Blade functionality on a gateway. If a valid Application Control contract is not associated with a gateway, the blade will be disabled.

When this change in functionality occurs, customers will be notified by:

  • A pop-up warning message that appears on the screen, during policy installation.
  • An audit log that is sent periodically, notifying that the Application Control Blade is disabled.

Once you purchase a valid contract, the blade is enabled again.

Important: When an Application Control Blade is disabled due to insufficient contract, all Application Control settings in SmartDashboard do not change. The blade will appear to be active in SmartDashboard; however it will not be active on the gateway.



In lamen terms, AC/URLF rules will not be matched. Would it be AV or IPS, your GW could use the last downloaded data without the possibility of getting the latest updates, but in the case of AC/URLF, gateways are using Threat Cloud in real-time to get the latest categorization for specific URLs and applications, with only limited cache possibilities. 

 

View solution in original post

6 Replies
the_rock
Legend
Legend
‎2024-04-23 07:02 AM
Jump to solution

Here is my understanding, but someone can correct me if Im wrong...so if license expires, rule wont stop working, BUT, updates will, meaning you wont get any new ips/urlf database updated, plus you wont be able to install any new policy to the firewalls either.

Andy

References:

https://community.checkpoint.com/t5/General-Topics/What-happens-when-a-license-expires/td-p/56011

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Installation_and_Upgrade_Guide/Top....

0 Kudos
G_W_Albrecht
Legend
Legend
‎2024-04-23 07:39 AM
Jump to solution

See sk44175: You have a 90 days grace period after blade license expires during which all will work as if licensed !

CCSE CCTE CCSM SMB Specialist
_Val_
Admin
Admin
‎2024-04-23 08:04 AM
Jump to solution

When we are talking about AC/URLF, it is not a license but a subscription contract. 

You are supposed to have a valid contract in place, but in case it expires and is not renewed in time, you will see policy installation warnings, see positions 8 to 13 from this SK.

After a short grace period, the blade will be disabled, and you will not be able to use it unless the contract is renewed, and the new contract file is applied to the GW.

Specifically, sk56300 says the following:

What happens when there is no Application Control contract

You must have an Application Control Software Blade contract to use the Application Control Software Blade functionality on a gateway. If a valid Application Control contract is not associated with a gateway, the blade will be disabled.

When this change in functionality occurs, customers will be notified by:

  • A pop-up warning message that appears on the screen, during policy installation.
  • An audit log that is sent periodically, notifying that the Application Control Blade is disabled.

Once you purchase a valid contract, the blade is enabled again.

Important: When an Application Control Blade is disabled due to insufficient contract, all Application Control settings in SmartDashboard do not change. The blade will appear to be active in SmartDashboard; however it will not be active on the gateway.



In lamen terms, AC/URLF rules will not be matched. Would it be AV or IPS, your GW could use the last downloaded data without the possibility of getting the latest updates, but in the case of AC/URLF, gateways are using Threat Cloud in real-time to get the latest categorization for specific URLs and applications, with only limited cache possibilities. 

 

CheckPointerXL
Advisor
‎2024-04-23 11:39 AM
Jump to solution

Most important cleanup rule will be matched after grace period ends... if cleanup is Drop, you will face a little problem..

the_rock
Legend
Legend
‎2024-04-23 12:20 PM
In response to CheckPointerXL
Jump to solution

100%...

0 Kudos
the_rock
Legend
Legend
‎2024-04-23 12:21 PM
Jump to solution

Just as temporary solution, apply an eval license, thats what most people do anyway.

Best,

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events