Patrick134041
Explorer

What happens when Support Contract Expires?

Hi All,

 

What will happen after the support contract for both the Security Gateway and the Management Server expires?
I understand that the Firewall and SMS blades show “Never”, but if I do not renew the support contract, can the gateway and management still be upgraded?
For example, can I upgrade from R81.20 to R82 without an active support subscription?

 

Thanks.

0 Kudos
2 Solutions

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP

You won't be able to download the necessary files or complete the process via CPUSE, no.

CCSM R77/R80/ELITE


10 Replies
Patrick134041
Explorer

Hi 

Do you know if there is any official documentation that states this behavior?
For example, a document that explicitly says OS upgrades (via CPUSE) require a valid Software Subscription or Support contract?
Thank you.

0 Kudos
Vincent_Bacher

Hi,
don't know about an official document. But.

When trying to download and install upgrade packages via CPUSE: it will not show or download new releases or jumbo HFAs. (I haven't tried it, but the statement should be correct.)

However, an offline upgrade is still technically possible.
If your User Center account still has download entitlement through other devices with valid subscription, you can manually download the upgrade packages (e.g. R82), upload them to the appliance, and install them via CPUSE offline mode. The appliance itself does not block the upgrade based on its own contract status.

Whether this places you in a licensing or support grey area — or even outside what is officially permitted — I can’t say. My explanation was purely from a technical perspective.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Chris_Atkinson
MVP Platinum CHKP
0 Kudos
the_rock
MVP Platinum

What @Chris_Atkinson sent is official documentation.

Best,
Andy
0 Kudos
Hugo_vd_Kooij
MVP Gold

From a legal point of view you are not allowed to upgrade/update.

In my experience you can do it manually but if it breaks you are allowed to keep all the pieces but don't expect Check Point to put it back together again.

 

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
_Val_
Admin

Without a software subscription, you lose access to the upgrade binaries and images and will not be able to upgrade. 

0 Kudos
the_rock
MVP Platinum

For context, though I'm sure @Don_Paterson will find some flaws in this AI answer (rightfully so), there are some good points in there.

***********************

TL;DR


What actually happens when the support contract expires?

Security Gateway

  • Firewall / IPsec VPN / Mobile Access / Content Awareness: These are generally perpetual; traffic continues to pass according to the last installed policy. If the base firewall license itself were to expire (rare—typically only evals do), the gateway loads defaultFilter and blocks all traffic. [community....kpoint.com], [community....kpoint.com]
  • Subscription blades (IPS, App Control, URL Filtering, Threat Prevention):
    • You’ll see warnings on policy install, and the blades will run under a grace period (in R81+ with current Jumbos, most are 90 days). After the grace ends, enforcement is disabled (rules remain in the policy but stop matching). [community....kpoint.com], [support.ch...kpoint.com]
    • For IPS, contract expiry reduces/halts protections; IPS explicitly requires a valid contract for protections. [support.ch...kpoint.com]
    • For App Control / URL Filtering, a valid contract is required; when the contract is missing, the blade is disabled (even though it appears enabled in SmartConsole). [support.ch...kpoint.com]

Management Server

  • The Security Management license is typically perpetual. Without subscription, you lose access to updates and TAC, but management itself continues. If you were on an evaluation management license and it expired, SmartConsole/API logins fail. [community....kpoint.com]

Can you upgrade from R81.20 → R82 without an active support subscription?

Functionally:

  • CPUSE/Central Deployment will not show or download R82 images or Jumbos when your account lacks entitlement; that blocks the standard online upgrade path. [community....kpoint.com], [support.ch...kpoint.com]
  • Offline upgrade: If you can legally obtain the R82 package (e.g., another device in your UC account still has a valid subscription and you download the image manually), you can upload/install offline; the gateway/management won’t block the upgrade solely because the contract file is missing. [community....kpoint.com]

Compliance & support considerations:

  • Check Point’s Contract Verification docs explicitly say the absence of a contract file does not prevent an upgrade, but you may be in violation of licensing and won’t be entitled to support/upgrades. [sc1.checkpoint.com]
  • Access to software downloads on Support Center typically requires a valid software subscription or support plan; without it, you’ll see “Not entitled to download this file.” [support.ch...kpoint.com]
  • R82 is the recommended release today, with its own supported upgrade paths and recommended Jumbo Take—but you need Support Center access to get those bits. [support.ch...kpoint.com], [sc1.checkpoint.com]

Practical next steps (safe & legal)

  1. Verify your current entitlements and blade status
    • On management/gateways: cplic print -x (shows license/contract status) and review contract warnings during policy install. [community....kpoint.com]
  2. Decide how you’ll obtain R82 packages
    • If you renew at least the Software Subscription (part of Check Point support programs), you’ll regain major upgrades & hotfix access and TAC help. [checkpoint.com], [checkpoint.com]
    • If you can’t renew immediately, and another UC container in your org still has entitlement, you can download R82 there and perform an offline upgrade; be aware this can leave you unsupported until you renew. [community....kpoint.com]
  3. If contracts lapse, mitigate risk
    • Disable unused subscription blades so policy won’t rely on them after grace expires (especially App Control / URL Filtering). [support.ch...kpoint.com]
    • Keep the gateway on a stable take and avoid major changes until you’re back under contract

*********************

 

 

Best,
Andy
0 Kudos
Don_Paterson
MVP Gold

The answers are:

Technically, Yes and Yes, but it's against the EULA, and the upgrade packages could be blocked from download.

Don't go there.

 

Now, on to the AI ...stuff....  🙃

Flaws:

What a lot of noise.

TL;DR... Noisy mess.

defaultFilter - No - wrong - InitialPolicy is what is applied when a licence expires on an SG and it is rebooted (or cpstop ; cpstart). Get out of jail - 30 day eval license, but this is adding to the excessive noise now.

What a lot of noise.

  • Check Point’s Contract Verification docs explicitly say the absence of a contract file does not prevent an upgrade, but you may be in violation of licensing and won’t be entitled to support/upgrades. [sc1.checkpoint.com]

Valid, but R81 reference. Meaning that is valid for customers upgrading to R81.

What a lot of noise.

What a lot of noise.

What a lot of noise.

 

Added value:

Customers can be asked to cover the period that the support contract was expired. Meaning that the gap between the Support contract expiry date and the renewal date will be added to the quote for renewal. It's all in the fine print.

0 Kudos
the_rock
MVP Platinum

Maybe not the best comparison, but it's like in the old days when people would get mad if something with a computer would not work...well, computers only know 0 and 1, that's it lol

Kind of like AI, it only gives what it can find online...hopefully LLM will make it better, let's see 🙂

Best,
Andy
0 Kudos
