Thursday, June 25, 2015

Curious story of VSX Management bundle

Once upon a time there was something called VSX Management Bundle for multi-domain management servers.

Licenses with SKUs like CPPR-VSX-CMA-CX allowed people to manage X Virtual Systems on any kind of Provider-1. The beauty of these licenses was their flexibility. They only defined how many VSs one could manage. They did not limit you to a particular number of Management Security Domains (CMAs in old terms) and/or number of security gateways per domain, as long as you only managed Virtual Systems and not physical firewalls.

Even more interesting, this bundle was able to extend the original number of CMAs in the container with Provider-1 NGX licenses.

Let me be more specific. Say you have an MDS with a container for 10 CMAs. Normally, with physical GWs, you would not be able to run more than 10 CMAs. But after adding CPPR-VSX-CMA-C25 licenses to the MDS, one could spin up up to 25 CMAs for VSX management. It was also possible to manage multiple VSs from the same CMA. The only thing that mattered was the total number of managed Virtual Systems and nothing else.

This is all history now. If you look into the Software Blades price list, there is still something there called VSX Domain Blade: CPSB-DMNVSX. It allows you to run a CMA that can manage a single Virtual System.

At first glance, this sounds quite similar to the old NGX bundle model. Now you just need to purchase a bunch of VSX blades to run as many VSs as you want.

Well, not exactly. The main limitation of the new VSX blade is that it allows your Domain Management Server to manage just a single Virtual System. Just one. And it is not additive. You cannot add two of those blades to the same CMA to manage a couple of VSs.

So if you want two or more VSs in the same domain, you have to jump to a 10-GW domain (CPSB-DMN1000). Why 10? Because Check Point counts physical nodes as GWs, so with 2 Virtual Systems in a cluster your count spikes to 4 GWs to manage.

CPSB-DMN1000 is 5 times more expensive than CPSB-DMNVSX.

I do miss the NGX VSX management bundle. It is a great blow that flexible and inexpensive bundles are no longer available.


  1. Hi Valeri,

    A couple of comments:
    The behavior with requirement for 4 gateways for 2 virtual systems is new to me. Back on R70/R71 I used a CPSB-DMN200 license for a CMA with two virtual systems. Has this changed without Check Point mentioning it? It has happened before which is quite frustrating.

    As I remember, you are able to stack CPSB-DMN200 licenses. This was at least done back in R71.x - are you able to confirm if this is the case in R77 as well? Buying 2 x CPSB-DMN200 is still almost twice as expensive as 2 x CPSB-DMNVSX, but cheaper than the CPSB-DMN1000 :-)


    1. Jonas, I am pretty sure now domain blades are not additive. That means you cannot combine DMN200 and DMN1000 and have 12 GWs in the domain. You have to jump to unlimited.

      As for the first one, that is what a CP licensing expert has told me. I did not check it myself, but that statement makes sense to me.

    2. I can confirm that domain blades are not additive - just found out the hard way for a domain with 3 gateways. Bugger - Now I need to trade in 2 x DMN200 to a DMN1000.

    3. Regular domain blades were never additive. Nevertheless, the VSX NGX bundle was additive. In brief, we are screwed now more than before.

  2. Hi Valeri
    I totally agree with you. When they created the limitation on the DMNVSX license, that it can only be used in a single CMA, they really "killed" all the flexibility that they had before. You cannot have one DMNVSX and one physical license in the same CMA. You have to go for 10 or unlimited. I also heard that it is not allowed to use DMN200 to manage two VS's, even if that works. I guess that this is something that was not supposed to be supported, so I guess it will disappear in a later version, so I don't dare to sell it.

    I think that Check Point will lose a lot of cases because of this. It is not cost effective to sell Check Point in cases where you would need two or three VS's in each CMA.

    Another showstopper is that it should also be allowed to move VS licenses between VSX clusters. If you decide to have two VSX clusters, with for example 10 VS's on each, and if you use all 10 on one cluster, but only two or three on the other, you will have to buy another 10, instead of just moving one of the licenses from the other cluster.

    I really hope that Check Point will do something about this, because I think we lose a lot of business because of it.

  3. It looks like they did this for legal reasons, from reading the VSX guide it states that in order for legal separation you need to use Provider-1.

    "Note - According to the Check Point EULA (End User License Agreement), a Security Gateway can only manage security policies for Virtual Systems belonging to a single legal entity. In order to manage Virtual Systems belonging to multiple legal entities, you need to deploy a Multi-Domain Security Management solution with a separate Domain Management Server for each legal entity. For more information regarding Licensing, refer to your Check Point Reseller."

    1. I am afraid you have misunderstood what this post is about. I have never mentioned hosting multiple or single legal entities. We are not talking about legal entities at all. We are talking about bundle licensing which is no longer working as before.