13. Check Point Getting Started R80.20. Licensing
Greetings friends! And we have finally reached the last, final Check Point Getting Started lesson. Today we will talk about a very important topic - Licensing. I hasten to warn that this lesson is not an exhaustive guide to choosing equipment or licenses. This is just a summary of the key points that any Check Point administrator should know. If you are really puzzled by the choice of a license or device, it is better to turn to professionals, i.e. to us :). There are a lot of pitfalls that are very hard to cover within the course, and they cannot all be remembered at once anyway.
The lesson will be completely theoretical, so you can turn off your lab servers and relax. At the end of the article you will find a video lesson where I talk in more detail.
Let's start by describing the licensing features of security gateways. This applies to both hardware appliances and virtual machines. Suppose you decide to buy a gateway. It is impossible to buy just a piece of hardware or a virtual machine without "subscriptions"! There are three subscription options:
Now, the first interesting feature! You can buy a device or virtual machine only with an NGTP or NGTX subscription. But when you renew the subscription, you can already choose the NGFW package if you do not need the AV, AB, URL, AS, TE and TX blades. That is a point to keep in mind. The subscriptions themselves can be purchased for a period of one, two or three years.
I can predict your first question! "What happens if the subscription is not renewed?" I specifically highlighted in green those blades that will ALWAYS work, WITHOUT renewal. These are the so-called perpetual blades. The remaining blades, which require constant updating, will simply stop working. Well, except that IPS will still work with the key signatures (but there are very few of them). This is true for both hardware appliances and virtual machines, i.e. vSec.
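Since the subscription blades stop working silently once the term lapses, it is worth checking expiry dates on the management server rather than waiting for them to disappear. The script below is an added example (not from the original lesson): it parses `cplic print`-style output and lists the subscription blades from this lesson that have expired or will expire within a given number of days. The column layout, the `never` marker for perpetual licenses and the feature strings (`CPSB-AV`, `CPSB-ABOT`, ...) are assumptions built into a constructed sample; compare them with the real output on your own server before relying on the script.

```python
"""Added example: flag Check Point subscription blades that are lapsing.
Assumes `cplic print` output in the layout of SAMPLE below (a constructed
sample, not a real gateway) with 'never' marking perpetual licenses."""
import re
from datetime import date, datetime

# Constructed sample in the assumed `cplic print` layout: Host, Expiration, Features.
SAMPLE = """\
Host             Expiration  Features
10.1.1.10        never       CPSG-C-2-U CPSB-FW CPSB-VPN CPSB-IPS CK-AAAAAAAAAAAA
10.1.1.10        15Mar2020   CPSB-AV CPSB-ABOT CPSB-URLF CPSB-ASPM CPSB-TE CPSB-TEX CK-BBBBBBBBBBBB
10.1.1.20        01Jan2019   CPSB-AV CPSB-ABOT CK-CCCCCCCCCCCC
"""

# The six blades the lesson names as subscription-only (AV, AB, URL, AS, TE, TX);
# the feature strings are assumed, not copied from the lesson.
SUBSCRIPTION_BLADES = {"CPSB-AV", "CPSB-ABOT", "CPSB-URLF",
                       "CPSB-ASPM", "CPSB-TE", "CPSB-TEX"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def parse_cplic(text):
    """Yield (host, expiry date or None if perpetual, feature list) per license line."""
    for line in text.splitlines()[1:]:          # skip the header row
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, exp, feats = m.groups()
        expiry = None if exp == "never" else datetime.strptime(exp, "%d%b%Y").date()
        yield host, expiry, feats.split()

def expiring_blades(text, today, within_days=30):
    """Return {host: {blade: days_left}} for subscription blades expired or
    expiring within `within_days`. Negative days_left means already lapsed."""
    result = {}
    for host, expiry, feats in parse_cplic(text):
        if expiry is None:
            continue                            # perpetual blades never lapse
        days_left = (expiry - today).days
        if days_left > within_days:
            continue
        for feat in feats:
            if feat in SUBSCRIPTION_BLADES:
                result.setdefault(host, {})[feat] = days_left
    return result

if __name__ == "__main__":
    for host, blades in expiring_blades(SAMPLE, date.today()).items():
        for blade, days in sorted(blades.items()):
            state = "EXPIRED" if days < 0 else f"expires in {days} days"
            print(f"{host}: {blade} {state}")
```

On a real server, replace SAMPLE with the captured output of `cplic print` (for example read from a file) and run it from a cron job so a lapsing AV or Anti-Bot blade shows up before users notice.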
As a separate item, I highlighted three blades that are not included in any package: DLP, MAB and Capsule.
Also remember that if you are buying a cluster solution, you select the model with the HA suffix (i.e. High Availability) as the second device. There is an example for the 5400 gateway in the picture. That is it for gateways. Now the management server.
Management Server Licensing
As we already said in the first lessons, there are two scenarios for implementing Check Point: Standalone (when both the gateway and management are on the same device) and Distributed (when the management server is moved to a separate device). However, the options do not end there. Let's look at three typical management server deployment scenarios:
- Buying a dedicated NGSM. The most popular option. Choose either a Smart-1 hardware appliance or a virtual machine. Of course, you choose based on how many gateways you will administer: 5, 10, 25, etc. By deploying this device, you can use the 4 key blades of the management server: NPM (i.e. policy management), Logging and Status (i.e. logging), Smart Event (SIEM from Check Point, which gives us all the reporting) and Compliance (an assessment of the quality of the settings, either against some regulatory requirement such as PCI DSS, or simply against Best Practice). Note right away that the NPM and LS blades are permanent blades, i.e. they will work without renewing the subscription, but the Smart Event and Compliance blades are included only for the first year! After that they need to be renewed for some money. This is an important point, do not forget it. And if you can still live without the Compliance blade,
- Buying a dedicated Event Management server in addition to an existing NGSM management server. Why is this needed? The fact is that the logging functionality, and especially Smart Event, "eats up" a very decent amount of system resources. And if there are a lot of logs, this can lead to "slowdowns" on the management server. Therefore, this functionality is often moved to a separate device, a Smart-1 hardware appliance or, again, a virtual machine. Large deployments with a large number of logs almost always require a dedicated server for Smart Event. It can also take over the logs. Thus, your management server will only perform management functions. This greatly improves system stability and responsiveness. As you can see, when you purchase a dedicated Smart Event server, you get these two blades for continuous use, even without renewal. Over a horizon of 3-4 years it will be even more economical,
- A dedicated Log management server, which comes in addition to the NGSM and Smart Event servers. I think this one is self-explanatory. With a VERY large number of logs, we can move the logging function to a separate server. A dedicated Log server also has a permanent license and does not require renewal.
Here you will find additional information about license management and Check Point technical support: