This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carl_t
Contributor
3 weeks ago
Jump to solution

What happens if licences expire on gateway

Hi All

If our licence expires on our gateway and we are running IPS/Antibot/AV etc, what will happen?

Will it continue to run for 14 days?

Does it just stop scanning for these blades?

Will it impact any traffic, i.e stop forwarding through the gateway?

Many thanks

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
2 weeks ago
Jump to solution

Gateway Perpetual Blades (Firewall, IPSec VPN, Mobile Access, Identity Awareness, QoS, ClusterXL, Monitoring, DLP) have a license that never expires; the only way these features would stop working is if someone manually removed the license or it became corrupt.

All remaining blades are Subscription Blades that require a service contract present to operate.   Once these features have 30 days or less left on their contracts prior to expiration, you will receive a warning every time you try to install policy to the gateway. There is no way to shut up this warning without loading a new contract.

Traditionally, Subscription Blades have had a 30-day grace period where they will keep working after expiration.  However in the latest Jumbo HFAs the grace period was extended to 90 days.  To my knowledge here is what will happen to the various subscription blades when they finally go beyond the 90 day grace period:

IPS - Continues enforcing Core Activations & Inspection Settings, but only enforces the "out of the box" ThreatCloud Protections.  Any updated/new ones stop being enforced.

APCL - Only custom-created applications still work, no classification for any other applications (would assume they are classed as "unknown")

URLF - Only custom-created Applications/Sites still work (no categorizations for any other sites)

Content Awareness - Not sure, would assume only custom-created Data/File types would work

Anti-spam & Email Security (which no one uses) - Don't know

AV/ABOT- I would assume they stop working completely, as they are constantly dependent on the Check Point ThreatCloud to operate

Threat Emulation/Extraction & Zero Phishing - Don't know, would assume that minimally cloud-based emulation sandboxing would stop working

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

View solution in original post

4 Replies
the_rock
Legend
Legend
3 weeks ago
Jump to solution

Traffic wont stop, but you wont be able to push policy and blades wont get any new updates.

Andy

0 Kudos
PhoneBoy
Admin
Admin
3 weeks ago
Jump to solution

What you’re likely asking about is the “contract” which entitles use of annual blades.
There are specific SKs for:

In general, though:

  • You will see errors when pushing policy with expired contracts and/or licenses
  • Traffic will be passed if the access policy allows, but will not be inspected with the advanced blades that lack a current contract and is outside the grace period (if one exists). 
  • If the base Firewall license expires (most of these licenses are perpetual), then no traffic will pass as the gateway will be enforcing “defaultFilter” which is to deny all traffic.



0 Kudos
the_rock
Legend
Legend
3 weeks ago
In response to PhoneBoy
Jump to solution

I thought that traffic would NOT stop even if license expires. I recall couple times before it happened to the customer and everything sitll worked till they applied valid license the next day.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
2 weeks ago
Jump to solution

Gateway Perpetual Blades (Firewall, IPSec VPN, Mobile Access, Identity Awareness, QoS, ClusterXL, Monitoring, DLP) have a license that never expires; the only way these features would stop working is if someone manually removed the license or it became corrupt.

All remaining blades are Subscription Blades that require a service contract present to operate.   Once these features have 30 days or less left on their contracts prior to expiration, you will receive a warning every time you try to install policy to the gateway. There is no way to shut up this warning without loading a new contract.

Traditionally, Subscription Blades have had a 30-day grace period where they will keep working after expiration.  However in the latest Jumbo HFAs the grace period was extended to 90 days.  To my knowledge here is what will happen to the various subscription blades when they finally go beyond the 90 day grace period:

IPS - Continues enforcing Core Activations & Inspection Settings, but only enforces the "out of the box" ThreatCloud Protections.  Any updated/new ones stop being enforced.

APCL - Only custom-created applications still work, no classification for any other applications (would assume they are classed as "unknown")

URLF - Only custom-created Applications/Sites still work (no categorizations for any other sites)

Content Awareness - Not sure, would assume only custom-created Data/File types would work

Anti-spam & Email Security (which no one uses) - Don't know

AV/ABOT- I would assume they stop working completely, as they are constantly dependent on the Check Point ThreatCloud to operate

Threat Emulation/Extraction & Zero Phishing - Don't know, would assume that minimally cloud-based emulation sandboxing would stop working

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events