Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Participant

License Guide Enquiry

Jump to solution

Hi, 

I was confusing on the license on the checkpoint. I've a customer using CheckPoint 3200 (R77.30) with following license: 

> cplic print

# ID Expiration SKU
===+===========+============+====================
1 | ******** | 1Jul2020 | CPSB-AV-S2-1Y 
+-----------+------------+--------------------
|Covers: cpap-sg320x cpsb-fw cpsm-c-2 cpsb-vpn cpsb-npm cpsb-logs cpsb-ia cpsb-sslvpn-5 cpsb-adnc cpsb-ips-s1 cpsb-urlf cpsb-apcl-s1 cpsb-av cpsb-abot-s cpsb-aspm cpsb-ctnt

 

1./ CPSB-VPN is for S2S but not for remote access ? Or it just need Security Gateway Container license to make it a complete remote access solution ? 

https://sc1.checkpoint.com/uc/pdf/license/license_guide.pdf

2./ I believe the license above do not cover the remote access solution as per below. 

https://sc1.checkpoint.com/documents/R77/CP_R77_VPN_AdminGuide/html_frameset.htm?topic=documents/R77...

 

3./ How do I check the remote access license in SKU code or in "cplic print"? 

The CPSB-SSLVPN-5 is for MAB license ? I understand that MAB is based on concurrent session, does it mean if it is 100 concurrent users, the license will be reflected as CPSB-SSLVPN-100 ? 

 

4./ How it looks like in "cplic print" if it is "Full layer-3 VPN tunnel integrate with desktop firewall" ? And how do I know the license is for how many devices? 

 

5./ For the SecuRemote, it mentioned no need license but IPsec VPN Software Blade on the Security Gateway.

How do I verify whether the CP have IPsec VPN software Blade on the security gateway ? 

 

Anyone can enlighten me about the SKU code/"cplic print" relate with the license guide/sk67820 in checkpoint ? 

0 Kudos
1 Solution

Accepted Solutions
Highlighted
Advisor

cpsb-vpn is the license part for the IPSec VPN Blade as you identified

So as long as the Gateway has the IPSec VPN Blade enabled and configured for SecuRemote then you are good for that

 

cpsb-sslvpn-5 is indeed a 5 concurrent user license for Mobile Access Blade/SSL Network Extender and yes the 5 would be 100 if a 100 user license.

 

CPVP-VPS-1-NGX CPVP-VSC-5-NGX+5   Is what the license for the Endpoint Security VPN ie Fat IPsec VPN Client with Desktop Security ie Firewall. 

CPVP-VSC-5-NGX+5 is the client part and the numbers make the number of clients

CPVP-VPS-1-NGX is the license for the Policy Server that allows you to configure the Desktop Security and enable the Policy Server part on the Gateway

 

You will find hardly anyone that fully conversant with all of the licenses in terms of the strings and what is what as keeps changing.    

If really struggling then Account Services may well be able to help you or your Check Point SE, if they don't know can probably point you in the correct direction to someone who can.

View solution in original post

5 Replies
Highlighted
Advisor

cpsb-vpn is the license part for the IPSec VPN Blade as you identified

So as long as the Gateway has the IPSec VPN Blade enabled and configured for SecuRemote then you are good for that

 

cpsb-sslvpn-5 is indeed a 5 concurrent user license for Mobile Access Blade/SSL Network Extender and yes the 5 would be 100 if a 100 user license.

 

CPVP-VPS-1-NGX CPVP-VSC-5-NGX+5   Is what the license for the Endpoint Security VPN ie Fat IPsec VPN Client with Desktop Security ie Firewall. 

CPVP-VSC-5-NGX+5 is the client part and the numbers make the number of clients

CPVP-VPS-1-NGX is the license for the Policy Server that allows you to configure the Desktop Security and enable the Policy Server part on the Gateway

 

You will find hardly anyone that fully conversant with all of the licenses in terms of the strings and what is what as keeps changing.    

If really struggling then Account Services may well be able to help you or your Check Point SE, if they don't know can probably point you in the correct direction to someone who can.

View solution in original post

Highlighted
Participant

Thanks for the quick response.

1./ For the SecuRemote, what it meant by limited-function IPsec VPN client. 

Can a client using SecuRemote establish a VPN connection to the company and perform a remote desktop connection from remote location ? 


https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

2./ The latest version is E82.30, does it meant the checkpoint version must upgraded to the E82.30 ? or it meant the "Client" install the secuRemote version is E82.30 ? 

0 Kudos
Highlighted
Advisor

SecuRemote can build a VPN Connection however there is no Office Mode as part of this.    This being the Virtual Network Adaptor on the PC that gets an IP from the VPN Gateway.  This effectively means that the traffic leaves the client over the VPN with the IP address that assigned from Check Point and no need to perform NAT at the Gateway.

That is what is meant by the limited-function.

No reason why RDP wouldn't work providing the RDP solution handles either the IP Pool NAT or allows the connection from public ip. This is in terms of the config on the Server etc.

 

Check Point have moved to a monthly release of the client.    This is simply the client version of the software.     Gateway Details would be included in the Release Notes etc.

0 Kudos
Highlighted
Participant

Hi, 

For the CPSB-VPN, if customer using secuRemote, do the checkpoint 3200 have any limitation on the concurrent session ? 

Let's said if there is 100 secuRemote client, do CPSB-VPN able to accept 100 concurrent session ? 

 

0 Kudos
Highlighted
Advisor

There is no license limit to the number of sessions for SecuRemote.    So whether is a 3200 or a 16000 then as long as the box has resource it will take the SecuRemote connection and won't reject due to any license.

In terms of an actual number then depends upon what the 3200 is tasked with, ie blades, traffic throughput

You can use the Sizing Tool to get an idea as what your 3200 can handle based on traffic through the unit.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Is apparently only available to partners now however if you run the cpsizeme and provide the output to your Check Point partner then they can place the cpsizeme into the AST for you.