What happens when a license expires?

Taekyoon-kim · ‎2019-06-17

Hi ..!

I just..

If the licenses for each device expire, can I use the features I used before?

And what features are available and what are not? I wonder.

1. Smart-1

2. Collector

3. TE

Thank you for taking the time to ask.

_Val_ · ‎2019-06-19

On management and log servers, if a license expire, you wound be able to use any of the admin tools. However, management licenses are usually permanent.

On gateways, if a license expire, gateway will carry on the last installed policy. You will not be able to change it and to use any service based on subscription. Yet, gateway licenses are also usually permanent.

For any of subscriptions, when expire, the feature / service in question will be unavailable for you.

Maarten_Sjouw · ‎2019-06-19

Sorry Valeri, but regarding the gateway you are wrong, you can still update the policy and you will not have any subscriptions that will work anymore but FW and VPN and even Identity Awareness will keep on working as usual.
What you will not have is:
support from Check Point
the ability to make IP changes to the license when the counter expires
the upgrade ability using CPUSE, so no version updates nor Jumbo's

Regards, Maarten

Lari_Luoma · ‎2019-06-19

Well... If a gateway license is expired and you try to push policy, you will get an error message that the license is expired (or that there is no license). I think this is the same thing as not having able to change the security policy. I have experienced this several times, lately about a week ago.

Maarten_Sjouw · ‎2019-06-19

if there is no license correct, but all normal gateway / vpn licenses do not expire, you only do or do not pay for maintenance and support.
The latter cannot prevent you from updating your policy, eval's however do expire.
I have never not been able to install a policy due to a license that was no longer in maintenance.
That you get a message for all expired subscriptions that are expired and it will tell you the functionality will be disabled, indeed I will not debate that.

Regards, Maarten

_Val_ · ‎2019-06-20

@Maarten_Sjouw,

let's be precise here. The topic starter did not specify, WHICH license expires, exactly. My answer assumes at some part, he has had a temporal GW license with an expiration date: an evaluation one, plug and play, EA, etc.

Your answer assumes support contracts expire, but GW license is permanent. I did mention this in the answer as well.

That said, we are both correct, and since the original question is vague, either case can be relevant.

Maarten_Sjouw · ‎2019-06-20

@_Val_ You are correct.
It is indeed very unclear but still a lot of people do not understand the expiration of licenses for normal management and gateway licenses.
A normal license itself does not expire and will keep on working.
All that expires is:
the subscriptions (the extra features),
the right to upgrade/update,
the right to support,
the right to access more than the public knowledge base articles,
the possibility to get the IP counter reset.

Regards, Maarten

Firewallteam_DE · ‎2019-10-14

Hello Gentlemen

I have following situation: VSX cluster, original license ordered mistakenly without VS coverage, yet there is need to build VSs.

So far EVAL cpsg-vsx-25s was attached until VS package license will be procured.

String:

# cplic print
Host Expiration Features
<IP> 19Oct2019 cpsg-vsx-25s cpsb-swb CK-XXXXXXXXXXXX
<IP> never cpap-sg1540x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips cpsb-urlf cpsb-apcl cpsb-av cpsb-abot-l cpsb-aspm cpsb-ctnt CK-XXXXXXXXXXXXXXXX

Q1: Original license should be enough to carry 2 virtual systems - vs 0 is one of them, vs 1 is virtual switch (this should not drain license count) and vs 2 which is firewall device - any VS fw beyond this needs coverage by virtual system license, right?

Q2: Assuming there are multiple VS built and cpsg-vsx-25s expires - what would be the effect here? could running virtual systems somehow influence production traffic? If so, to what extend? Or will this only prohibit us from creating more virtual systems?

I would like to understand risks in Virtual System case.

Cheers, Tomas

Maarten_Sjouw · ‎2019-10-14

A1: When you apply a VSX license ALL but VS0 Virtual Firewalls will be counted in the license. So when you install a VS10 license you cannot add 11 Virtual FW's, only 10 VFW's (plus VS0).
A2: Been there done that, the effect is that you cannot install any policy except the VS0 policy. All traffic will be handled untill you reboot the box, as then it will also fail when the license is expired.

Regards, Maarten

Firewallteam_DE · ‎2019-10-18

Hi Marteen,

Thank you for your reaction. I can clearly understand A2, but heres the situation regarding A1:

Imagine there is no cpsg-vsx-25s license, but only cpap-sg1540x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips cpsb-urlf cpsb-apcl cpsb-av cpsb-abot-l cpsb-aspm cpsb-ctnt

-As this wasn't thought to be VSX when ordered, it is now, therefore will the upper mentioned license (no explicit VS coverage there) be able to cover first virtual system in a row - that is VS:2 (ommiting vs0 and vs1 as virtual switch) ?

Maarten_Sjouw · ‎2019-10-18

As the VSX add on license is nowadays presented as a blade on top of your normal license this would show in the end as a cpsb-vs25.
That said, every normal gateway license has a built-in allowance for a vs0/vs1 setup.

Regards, Maarten

Are you a member of CheckMates?

What happens when a license expires?