
13. Check Point Getting Started R80.20. Licensing



Greetings, friends! We have finally reached the last, final lesson of Check Point Getting Started. Today we will talk about a very important topic: Licensing. I should warn you right away that this lesson is not an exhaustive guide to choosing equipment or licenses. It is just a brief summary of the key points that any Check Point administrator should know. If you are genuinely puzzled by the choice of a license or device, it is better to turn to professionals, i.e. to us :). There are a lot of pitfalls that are very hard to cover within a course, and you will not be able to remember all of them right away anyway.

Our lesson will be entirely theoretical, so you can switch off your lab servers and relax. At the end of the article you will find a video lesson where I explain things in more detail.

Gateway licensing


Let's start with a description of the licensing features of security gateways. This applies both to hardware appliances and to virtual machines. Suppose you decide to buy a gateway. It is impossible to buy just a piece of hardware or a virtual machine without "subscriptions"! There are three subscription options (see the picture): NGFW, NGTP and NGTX.


And here is the first interesting feature! You can buy a device or a virtual machine only with an NGTP or NGTX subscription. But when you renew the subscription, you can already choose the NGFW package if you do not need the AV, AB, URL, AS, TE and TX blades. Keep this in mind. Subscriptions can be bought for one, two or three years.

I can predict your first question: "What happens if the subscription is not renewed?" In the picture I specifically highlighted in green the blades that will work ALWAYS, WITHOUT any renewal. These are the so-called perpetual blades. The other blades, which require constant updates, simply stop working. Well, except that IPS will keep working with its core signatures (but there are very few of them). This is true for both hardware appliances and virtual machines, i.e. vSec.

As a separate item, I singled out three blades that are not included in any package: DLP, MAB and Capsule.

Also remember that if you buy a cluster solution, choose a model with the HA suffix (i.e. High Availability) as the second device. The picture shows an example for the 5400 gateway. That covers the gateways; now the management server.

Management Server Licensing


As we already said in the first lessons, there are two Check Point deployment scenarios: Standalone (the gateway and the management are on one device) and Distributed (the management server is placed on a separate device). However, the options do not end there. Let's look at three typical deployment scenarios for the management server:



  1. Buying a dedicated NGSM. The most popular option. You choose either a Smart-1 appliance or a virtual machine, and of course you choose it based on how many gateways you are going to administer: 5, 10, 25, etc. By deploying this device you get 4 key management server blades: NPM (i.e. policy management), Logging and Status (i.e. logging), Smart Event (Check Point's SIEM, which gives us all the reporting) and Compliance (an assessment of the quality of your configuration, either against some regulatory requirements such as PCI DSS or simply against Best Practice). Note that the NPM and LS blades are permanent blades, i.e. they will work without renewing the subscription, but the Smart Event and Compliance blades are included only for the first year! After that they have to be renewed for a fee. This is an important point, do not forget it. And while you can still live without the Compliance blade, absolutely everyone needs Smart Event.
  2. Buying a dedicated Event Management server in addition to the existing NGSM management server. Why would you need it? The fact is that the logging functionality, and especially Smart Event, "eats up" a very considerable amount of system resources. And if there are a lot of logs, this can make the management server sluggish. Therefore it is common practice to move this functionality to a separate device, a Smart-1 appliance or, again, a virtual machine. Large deployments with a large number of logs almost always require a dedicated Smart Event server. It can also take over the logs. Thus your management server performs only management functions, which greatly improves the stability and responsiveness of the system. As you can see, when you buy a dedicated Smart Event server, you get these two blades for permanent use, even without renewal. Over a horizon of 3-4 years this turns out to be even more economical than buying Smart Event renewals for a regular NGSM server every year.
  3. A dedicated Log management server, in addition to the NGSM and Smart Event servers. The idea is clear: with a VERY large number of logs we can move the logging function to a separate server. The dedicated Log server also has a permanent license and does not require renewal.

Video lesson


Here you will find additional information about license management and Check Point technical support:

Source: https://habr.com/ru/post/452138/

