Here is a logics exercise. Read the following quote from the Check Point licensing instruction:
"Starting from the 4800 model and above, each appliance running R75.40VS, R76 includes a total of 2 Virtual Systems (all SW Blades available on the GW are automatically supported on the free VS)"
Now, tell me, how many Virtual Systems can one run on a cluster of middle and high end appliances with the default, non VSX, licensing, according to Check Point?
Two, right?
Wrong. You can easily test it by yourself. Convert your physical cluster of R75.40VS or R76 to a VSX cluster. Once done, you will have your firewall converted to a Virtual System. That is VS number one. Now, try to add another VS. No, you cannot.
Why? Because there is only a single VS licensed, according to vsx stat:
Number of Virtual Systems allowed by license: 1
But where is the second one we should have? Where is our freebee FW?
Well, it was all just an illusion, according to
a very recent Check Point SecureKnowledge case number 93415. Here is the quote from it (original orthography used): "
the answer is that it comes with an initial gateway +1. so in the bottom line initial 2 vs license only covers VS0 and VS1."
Let me translate this for you from Checkpoint-ish. In plain English, that means you only have one VS licensed (VS1). VS0 is representing your physical cluster environment. After conversion to VSX it cannot route traffic anymore.
I wonder, how many customers have already misunderstood the quoted price list statement? R75.40VS is out for a year, and this confusion must be one year old. Then again, the
mentioned SecureKnowledge case is only about two weeks old.
21.08.2013 - Update:
Peter Sandkuill, Check Point SE manager network security for Europe, was kind to reply to this article. I am quoting his email:
"In the latest versions, starting R75.40vs, we consider VS0 to be the first virtual system. We can debate whether you want to use that exclusively for management (as a best practice) or deploy it as a full-fledged VS that runs just like other VS’s and happens to also accept management traffic as one of its interfaces is the management interface. If you convert a gateway all regular gateway interfaces become a member of VS0. This will route traffic just fine. Only if you decide to remove all interfaces and leave only a single one for management would it no longer route, as you would expect.
Especially when designing virtualization in smaller environments this is a compromise I have seen customers willing to make.
For the licensing part, VS0 is the licensed system. You get VS1 for free. Also note that when adding an additional VS package you lose that free VS. In example in a (to VSX) converted gateway you could have 2 * VS. VS0 and VS1. Adding a VS-10 package will give you a grand total of 11 * VS. VS0 and 10 additional ones."
