Tuesday, August 20, 2013

How to read some of Check Price licensing instructions (not a happy post)

Here is a logics exercise. Read the following quote from the Check Point licensing instruction:

"Starting from the 4800 model and above, each appliance running R75.40VS, R76 includes a total of 2 Virtual Systems (all SW Blades available on the GW are automatically supported on the free VS)"

Now, tell me, how many Virtual Systems can one run on a cluster of middle and high end appliances with the default, non VSX, licensing, according to Check Point?

Two, right?

Wrong. You can easily test it by yourself. Convert your physical cluster of R75.40VS or R76 to a VSX cluster. Once done, you will have your firewall converted to a Virtual System. That is VS number one. Now, try to add another VS. No, you cannot.

Why? Because there is only a single VS licensed, according to vsx stat:

Number of Virtual Systems allowed by license:     1

But where is the second one we should have? Where is our freebee FW?

Well, it was all just an illusion, according to a very recent Check Point SecureKnowledge case number 93415. Here is the quote from it (original orthography used): "the answer is that it comes with an initial gateway +1. so in the bottom line initial 2 vs license only covers VS0 and VS1."

Let me translate this for you from Checkpoint-ish. In plain English, that means you only have one VS licensed (VS1). VS0 is representing your physical cluster environment. After conversion to VSX it cannot route traffic anymore.

I wonder, how many customers have already misunderstood the quoted price list statement? R75.40VS is out for a year, and this confusion must be one year old. Then again, the mentioned SecureKnowledge case is only about two weeks old.

21.08.2013 - Update:

Peter Sandkuill, Check Point SE manager network security for Europe, was kind to reply to  this article. I am quoting his email:

"In the latest versions, starting R75.40vs, we consider VS0 to be the first virtual system. We can debate whether you want to use that exclusively for management (as a best practice) or deploy it as a full-fledged VS that runs just like other VS’s and happens to also accept management traffic as one of its interfaces is the management interface. If you convert a gateway all regular gateway interfaces become a member of VS0. This will route traffic just fine. Only if you decide to remove all interfaces and leave only a single one for management would it no longer route, as you would expect.
Especially when designing virtualization in smaller environments this is a compromise I have seen customers willing to make.

For the licensing part, VS0 is the licensed system. You get VS1 for free. Also note that when adding an additional VS package you lose that free VS. In example in a (to VSX) converted gateway you could have 2 * VS. VS0 and VS1. Adding a VS-10 package will give you a grand total of 11 * VS. VS0 and 10 additional ones."


  1. Thanks for the timely post Valeri. I was just getting ready to pitch VSX for our next hardware refresh. I'll keep this in mind when getting my quotes.

    1. No prob. I expect some more customers be a bit upset about misreading this.

  2. I was expecting this since its similar with Cisco ASA as well with two contexts... :)

  3. Hi Valeri

    No problem here. Peter is right.
    We are using R75.40VS on all our appliances (6 in total) and converted all to VSX.
    for example, we have 5 VSX licenses and we can provision 6 VSX's, VS0-VS5 - a total of 6 VSX.

    We have been using VSX R65 since and upgraded beginning of the year and R75.40VS is a major improvement apart from some failover bugs. We just can't wait for R77.


    1. Alex, a couple of notes.

      1. Running VS0 as a routed FW is not the best practice because it is non-DMI VSX deployment. One wrong policy pushed to it, and you are not having a cluster anymore.

      2. What kind of license are you using to have 5 VSs licensed? The new SB licenses only have VS-3, VS-10, VS-25 and VS-50 as options

  4. This is unrelated to this licensing topic. I would like to get your input on the following -
    I am working on a new Checkpoint 61000 installation. We have 10 VS that we need to migrate to this platform. We have a pair of 61K for redundancy. Can we have 5 VS active (and 5 standby) on one 61K and the other 5 active (plus 5 standby of the active ones) on the other 61K? On the same lines, we also have a pair of Smart-1 150 for the management of these VS. Can we have 5 VS managed by one Smart-1 box while the other 5 VS managed by the other Smart-1? Thank you!

    1. I suspect the first answer is no. Although it is possible to use VSLS config for most of appliances, I am not sure about 61K. If two chassies can for ClusterXL, then yes. If only VRRP is an option, than no.

      For the second question, you can manage different Virtual Systems from different security domains. So if your Smart-1 150 boxes are part of the same MDM, you can set some domains on one and other on the second.

      Hope this helps. When you know for sure about 61K, please let me know. The best is to send these questions to your local Check Point SE.

    2. Thanks Valeri. I will definitely post it after I figured out the 61K answer. Meanwhile do you know of any documentation that explains the configuration of setting up 2 domains on each of the Smart-1 boxes that are in an HA setup? I have to discontinue the current provider-1 R65 with all 10 VS in one CMA. I was planning to use the migration scripts of R75 on R65 first and then import those configs into R75 Smart-1. After the import, can I reconfigure the old setup (all 10 VS in 1 CMA) to 5 of the VS in one domain and the other 5 VS in another domain? Also how can I make this into an HA config? ie, if one of the Smart-1 boxes die, then the other should be able to manage all 10 VS, ie, both domains. Is that possible? Do you see any issue? Thanks much!

    3. Well, you already have some experience managing Provider-1, I guess.

      You need two domains, with two CMA in each. Set up active CMAs on different HW. If one of the boxes fails, you still have HA CMA to use.

  5. This comment has been removed by the author.

  6. When migrating from Checkpoint R65 to R77, which additional license is required?