
Somewhat OT - Firewall Licencing

 
 
TheScullster
Guest
Posts: n/a

 
      02-29-2008, 10:26 AM
Hi all

We have been using a Checkpoint Firewall for a few years and the licencing
method is a pain.
Do all firewalls work in the same way?

Explanation:

Our firewall is licenced for 50 users.
However, instead of considering the number of concurrent users, it simply
stores all ip addresses that have used the device.
This means that:
a) the DHCP scope has to be real tight to avoid any overspill
b) when you want to retire one piece of kit and replace with another, you
can't afford the luxury of overlap and have to re-assign static ips on
change over

Maybe I'm just tight, but the current setup seems so inflexible.
I get the ISP emailing to say we are over our allocated licence level, but
if I get their tech department to check genuine on-going usage we are always
well below the 50 limit.

Phil


 
 
 
 
 
Newell White
Guest
Posts: n/a

 
      02-29-2008, 12:41 PM

"TheScullster" wrote:

> Hi all
>
> We have been using a Checkpoint Firewall for a few years and the licencing
> method is a pain.
> Do all firewalls work in the same way?
>

<snip>
>

No - time to find another supplier!
--
Newell White


 
Lanwench [MVP - Exchange]
Guest
Posts: n/a

 
      02-29-2008, 08:23 PM
TheScullster <(E-Mail Removed)> wrote:
> Hi all
>
> We have been using a Checkpoint Firewall for a few years and the
> licencing method is a pain.
> Do all firewalls work in the same way?
>
> Explanation:
>
> Our firewall is licenced for 50 users.
> However, instead of considering the number of concurrent users, it
> simply stores all ip addresses that have used the device.
> This means that:
> a) the DHCP scope has to be real tight to avoid any overspill
> b) when you want to retire one piece of kit and replace with another,
> you can't afford the luxury of overlap and have to re-assign static
> ips on change over
>
> Maybe I'm just tight, but the current setup seems so inflexible.
> I get the ISP emailing to say we are over our allocated licence
> level, but if I get their tech department to check genuine on-going
> usage we are always well below the 50 limit.
>
> Phil


I use Sonicwalls, and although the concurrent usage tracking is sometimes a
little flaky? (licenses aren't always released when you wish) it doesn't
work as your Checkpoint does. Look at the Sonicwall PRO 2040 - at 50
users, you really should be getting an unlimited node device. Just make sure
you keep your maintenance/support contract paid up annually.


 
 
beoweolf
Guest
Posts: n/a

 
      03-03-2008, 02:27 AM
Checkpoint, like many other software subscription services, does keep an
account of numbers of subscribers. As the administrator, it is your job to
increase (or decrease) license counts to match your user community.

Just because the "current" users actively logged on is below the 50
threshold, it is more or less irrelevant, what is at issue is the total
number of potential nodes. I have used Checkpoint too, it is a PITA to have
to actually manually update the count, but that is how they encourage truth
from their subscribers. As mentioned, if you are unwilling to abide by the
license agreement, it may be time to find a lesser firewall solution
provider.

On a personal note: I don't think the alternatives are anywhere near as
flexible or as feature rich as Checkpoint. If you haven't assessed your
license needed since it was installed, several years ago, it may be time to
get those additional licenses. Think of it this way - it's no more or less
onerous than getting a volume license agreement from MS for servers, if your
connections are above the license you can use a management package that will
check for actual concurrent users on the system, but that is not what the
license is for...you are complaining about a technicality. Go to your
accounting dept., give them the facts and let them make the decision. It's a
pain, but it's more of a pain to be found in a non-compliant license state.
Remember, there are bounty hunters out there!
"TheScullster" <(E-Mail Removed)> wrote in message
news:-(E-Mail Removed)...
> Hi all
>
> We have been using a Checkpoint Firewall for a few years and the licencing
> method is a pain.
> Do all firewalls work in the same way?
>
> Explanation:
>
> Our firewall is licenced for 50 users.
> However, instead of considering the number of concurrent users, it simply
> stores all ip addresses that have used the device.
> This means that:
> a) the DHCP scope has to be real tight to avoid any overspill
> b) when you want to retire one piece of kit and replace with another, you
> can't afford the luxury of overlap and have to re-assign static ips on
> change over
>
> Maybe I'm just tight, but the current setup seems so inflexible.
> I get the ISP emailing to say we are over our allocated licence level, but
> if I get their tech department to check genuine on-going usage we are
> always well below the 50 limit.
>
> Phil
>


 
 
andyj0809@live.co.uk
Guest
Posts: n/a

 
      03-13-2008, 02:22 PM
On Mar 2, 7:27 pm, "beoweolf" <beowe...@pacbell.net> wrote:
> Checkpoint, like many other software subscription services, does keep an
> account of numbers of subscribers. As the administrator, it is your job to
> increase (or decrease) license counts to match your user community.
>
> Just because the "current" users actively logged on is below the 50
> threshold, it is more or less irrelevant, what is at issue is the total
> number of potential nodes. I have used Checkpoint too, it is a PITA to have
> to actually manually update the count, but that is how they encourage truth
> from their subscribers. As mentioned, if you are unwilling to abide by the
> license agreement, it may be time to find a lesser firewall solution
> provider.
>
> On a personal note: I don't think the alternatives are anywhere near as
> flexible or as feature rich as Checkpoint. If you haven't assessed your
> license needed since it was installed, several years ago, it may be time to
> get those additional licenses. Think of it this way - it's no more or less
> onerous than getting a volume license agreement from MS for servers, if your
> connections are above the license you can use a management package that will
> check for actual concurrent users on the system, but that is not what the
> license is for...you are complaining about a technicality. Go to your
> accounting dept., give them the facts and let them make the decision. It's a
> pain, but it's more of a pain to be found in a non-compliant license state.
> Remember, there are bounty hunters out there!
>
> "TheScullster" <p...@dropthespam.com> wrote in message
> news:-(E-Mail Removed)...
>
> > Hi all
> >
> > We have been using a Checkpoint Firewall for a few years and the licencing
> > method is a pain.
> > Do all firewalls work in the same way?
> >
> > Explanation:
> >
> > Our firewall is licenced for 50 users.
> > However, instead of considering the number of concurrent users, it simply
> > stores all ip addresses that have used the device.
> > This means that:
> > a) the DHCP scope has to be real tight to avoid any overspill
> > b) when you want to retire one piece of kit and replace with another, you
> > can't afford the luxury of overlap and have to re-assign static ips on
> > change over
> >
> > Maybe I'm just tight, but the current setup seems so inflexible.
> > I get the ISP emailing to say we are over our allocated licence level, but
> > if I get their tech department to check genuine on-going usage we are
> > always well below the 50 limit.
> >
> > Phil


I'd suggest migrating to a Juniper SSG solution. Fully integrated
high performance box with full user licensing as standard.
No separate hw and sw to support - makes life a breeze. I'd be happy
to send you a quote!
 