IPS core protections are installed via the access policy. However, even though you don't need a threat prevention and/or IPS license, you need to activate the IPS blade, correct?
The trial license got installed automatically by the system in the background. I didn't do anything.
I tried again with IPS blade disabled and I don't get any IPS CORE PROTECTION ALERT.
So I will enable the IPS blade again and I will see what happens when the license expires. If I knew how, I would actually remove the trial license now to see what happens.
Let us know the outcome.
My conclusion is:
1) without the IPS blade on, I don't get the IPS Core protection. I don't get for example portscan alerts. And the portscan alerts actually come with the IPS blade tag.
2) I need the threat prevention layer activated in the policy assigned to the gateway, because otherwise the IPS process is off.
3) The system automatically installs a trial IPS license.
The IPS core protections work with all that, but what will happen when the trial license expires?
Following https://community.checkpoint.com/t5/General-Topics/Delete-trial-license/td-p/56751
I have tried to remove the trial license using both cplic eval_disable and $CPDIR/bin/cpprod_util CPPROD_SetPnPDisable 1 but the license is still installed according to the output of cplic print -x.
To remove trial, you have to do this, it's called plug and play and it's below.
Andy
$CPDIR/conf/cp.pnp
https://community.checkpoint.com/t5/General-Topics/Delete-trial-license/td-p/56751
And is my expectation correct? Will IPS core protections (with just the FW license) keep working after removing the trial license? 🙂
I'm fairly sure yes. It did for me back in R81 base.
Andy
Excellent. Thanks Andy.
And were you aware of the trial license then and you just let it expire or something like that?
No worries mate, glad we can help. Yes, I deleted that license with the command I gave in the last post.
Andy
I have deleted $CPDIR/conf/cp.pnp and rebooted and IPS Core protections still work, I can see alerts.
I can see that the trial license is not installed but I am getting this error. I guess the IPS process is still trying to get the trial license.
cplic print -x
GetLicFromFile: Failed to open file: /opt/CPshrd-R80.40/conf/cp.pnp
pnp_blades_iterate: Failed to find a match to PNP_BLADE_IPS-V1 in PnP file: /opt/CPshrd-R80.40/conf/cp.pnp
Host Expiration Signature Features
ip never jjjj CPSG-C-4-U CPSB-FW CPSB-ADNC CK-D188343B5EF5
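A way to read that output without the PnP noise, as an added example that is not part of the thread or Check Point's own tooling: it skips the cp.pnp error lines and reports, per license row, whether an IPS blade SKU is present. It assumes rows follow the "Host Expiration Signature Features" layout shown above and that an IPS blade SKU starts with CPSB-IPS; the function names and the second sample row are constructed.

```shell
#!/usr/bin/env bash
# Added example: summarise `cplic print -x` style output.
# Assumption: each license row is "Host Expiration Signature Features...",
# as in the header quoted in the thread; every other line is skipped.

# license_summary: reads cplic output on stdin, prints one line per license:
#   <host> expires=<expiration> ips=<yes|no> features=<comma list>
license_summary() {
    awk '
        # Skip the PnP error noise and the column header.
        /^(GetLicFromFile|pnp_blades_iterate):/ { next }
        $1 == "Host" && $2 == "Expiration"      { next }
        NF < 4                                  { next }
        {
            ips = "no"; feats = ""
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^CK-/) continue        # certificate key, not a blade
                if ($i ~ /^CPSB-IPS/) ips = "yes" # assumed IPS SKU prefix
                feats = feats (feats == "" ? "" : ",") $i
            }
            printf "%s expires=%s ips=%s features=%s\n", $1, $2, ips, feats
        }'
}

# has_ips_license: exit status 0 if any row carries an IPS blade SKU.
has_ips_license() {
    license_summary | grep -q ' ips=yes '
}

# Sample 1: the output quoted in the thread, unchanged.
thread_output='GetLicFromFile: Failed to open file: /opt/CPshrd-R80.40/conf/cp.pnp
pnp_blades_iterate: Failed to find a match to PNP_BLADE_IPS-V1 in PnP file: /opt/CPshrd-R80.40/conf/cp.pnp
Host Expiration Signature Features
ip never jjjj CPSG-C-4-U CPSB-FW CPSB-ADNC CK-D188343B5EF5'

# Sample 2: constructed row with placeholder values, for contrast.
constructed_output='Host Expiration Signature Features
192.0.2.10 EXPIRY-PLACEHOLDER xxxx CPSB-FW CPSB-IPS CK-PLACEHOLDER'

printf '%s\n' "$thread_output" | license_summary
printf '%s\n' "$constructed_output" | license_summary
```

On a gateway the same functions can be fed live with `cplic print -x 2>&1 | license_summary`.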
After removing cp.pnp, SmartConsole doesn't look pretty. The gateway is red because the contract has expired.
See screenshot attached.
Is there any way to tweak SmartConsole gateway checks/status behavior? I would like the gateway not to go red because of the IPS license that is not required to run the IPS core protections.
That's easy to fix. Apply eval license, wait 10-15 mins, if status goes to yellow, follow what I did below.
Andy
https://community.checkpoint.com/t5/Management/License-warning-messages/m-p/169625#M33614
If I apply eval license the gateway status will go green but only until the eval license expires again, no? So then I will be in the same position with the IPS core protections working but with the gateway status in SmartConsole in red due to the eval license expiration, no?
Believe you are correct here.
Most likely this would require a code fix, which likely won't occur on an EOL version.
That sounds right, but again, as Phoneboy said, it would not be fixed on unsupported code. I would upgrade to R81.20 if you can.
Absolutely, we are upgrading to R81.20 very soon.
One question: I am curious, if you don't need the IPS blade for IPS core protections, how are these alerts tagged in R81.20?
For example, do you filter port scan alerts/logs with blade:Firewall or blade:ips?
I expect that these alerts will be full firewall blade in R81.20, so blade:Firewall.
That's right.
I have tested R81.20 and it is the same. Very confusing.
It is true that you don't need to install the threat prevention policy.
But you need the IPS BLADE enabled and you need to configure the IPS core protections in the threat prevention policy configuration side.
Now I know how it works, but I guess that a lot of people will waste time figuring it out. Very confusing.
100% you need ips core protections, right.