This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
carl_t
Contributor
‎2025-02-28 07:38 AM
Jump to solution

What happens if licences expire on gateway

Hi All

If our licence expires on our gateway and we are running IPS/Antibot/AV etc, what will happen?

Will it continue to run for 14 days?

Does it just stop scanning for these blades?

Will it impact any traffic, i.e stop forwarding through the gateway?

Many thanks

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2025-03-01 07:28 AM
Jump to solution

Gateway Perpetual Blades (Firewall, IPSec VPN, Mobile Access, Identity Awareness, QoS, ClusterXL, Monitoring, DLP) have a license that never expires; the only way these features would stop working is if someone manually removed the license or it became corrupt.

All remaining blades are Subscription Blades that require a service contract present to operate.   Once these features have 30 days or less left on their contracts prior to expiration, you will receive a warning every time you try to install policy to the gateway. There is no way to shut up this warning without loading a new contract.

Traditionally, Subscription Blades have had a 30-day grace period where they will keep working after expiration.  However in the latest Jumbo HFAs the grace period was extended to 90 days.  To my knowledge here is what will happen to the various subscription blades when they finally go beyond the 90 day grace period:

IPS - Continues enforcing Core Activations & Inspection Settings, but only enforces the "out of the box" ThreatCloud Protections.  Any updated/new ones stop being enforced.

APCL - Only custom-created applications still work, no classification for any other applications (would assume they are classed as "unknown")

URLF - Only custom-created Applications/Sites still work (no categorizations for any other sites)

Content Awareness - Not sure, would assume only custom-created Data/File types would work

Anti-spam & Email Security (which no one uses) - Don't know

AV/ABOT- I would assume they stop working completely, as they are constantly dependent on the Check Point ThreatCloud to operate

Threat Emulation/Extraction & Zero Phishing - Don't know, would assume that minimally cloud-based emulation sandboxing would stop working

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

11 Replies
the_rock
Legend
Legend
‎2025-02-28 08:32 AM
Jump to solution

Traffic wont stop, but you wont be able to push policy and blades wont get any new updates.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-28 09:39 AM
Jump to solution

What you’re likely asking about is the “contract” which entitles use of annual blades.
There are specific SKs for:

In general, though:

  • You will see errors when pushing policy with expired contracts and/or licenses
  • Traffic will be passed if the access policy allows, but will not be inspected with the advanced blades that lack a current contract and is outside the grace period (if one exists). 
  • If the base Firewall license expires (most of these licenses are perpetual), then no traffic will pass as the gateway will be enforcing “defaultFilter” which is to deny all traffic.



0 Kudos
the_rock
Legend
Legend
‎2025-02-28 09:48 AM
In response to PhoneBoy
Jump to solution

I thought that traffic would NOT stop even if license expires. I recall couple times before it happened to the customer and everything sitll worked till they applied valid license the next day.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2025-03-01 07:28 AM
Jump to solution

Gateway Perpetual Blades (Firewall, IPSec VPN, Mobile Access, Identity Awareness, QoS, ClusterXL, Monitoring, DLP) have a license that never expires; the only way these features would stop working is if someone manually removed the license or it became corrupt.

All remaining blades are Subscription Blades that require a service contract present to operate.   Once these features have 30 days or less left on their contracts prior to expiration, you will receive a warning every time you try to install policy to the gateway. There is no way to shut up this warning without loading a new contract.

Traditionally, Subscription Blades have had a 30-day grace period where they will keep working after expiration.  However in the latest Jumbo HFAs the grace period was extended to 90 days.  To my knowledge here is what will happen to the various subscription blades when they finally go beyond the 90 day grace period:

IPS - Continues enforcing Core Activations & Inspection Settings, but only enforces the "out of the box" ThreatCloud Protections.  Any updated/new ones stop being enforced.

APCL - Only custom-created applications still work, no classification for any other applications (would assume they are classed as "unknown")

URLF - Only custom-created Applications/Sites still work (no categorizations for any other sites)

Content Awareness - Not sure, would assume only custom-created Data/File types would work

Anti-spam & Email Security (which no one uses) - Don't know

AV/ABOT- I would assume they stop working completely, as they are constantly dependent on the Check Point ThreatCloud to operate

Threat Emulation/Extraction & Zero Phishing - Don't know, would assume that minimally cloud-based emulation sandboxing would stop working

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
Timothy_Hall
Legend Legend
Legend
a week ago
Jump to solution

It appears the grace period for license expiration is in the process of being formally documented:

sk183922: [Under Construction] Grace Period for Check Point Software Blades

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
rroihans
Explorer
Monday
In response to Timothy_Hall
Jump to solution

404 not found

0 Kudos
the_rock
Legend
Legend
Tuesday
In response to rroihans
Jump to solution

Is that users get when they try to connect outbound?

Andy

0 Kudos
Tal_Paz-Fridman
Employee
Employee
Tuesday
In response to rroihans
Jump to solution

I can see it is still under construction and therefore marked as Internal.

 

0 Kudos
the_rock
Legend
Legend
Tuesday
In response to rroihans
Jump to solution

Geesh, sorry, you meant the sk...yes, I checked it, definitely not accessible yet.

Andy

0 Kudos
Timothy_Hall
Legend Legend
Legend
Tuesday
In response to Timothy_Hall
Jump to solution

Well, it did say "[Under Construction]", so while it was there at one point, it must be hidden now until it is completed.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
PhoneBoy
Admin
Admin
Tuesday
In response to Timothy_Hall
Jump to solution

You're correct 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events