FW-1 Encryption Module

[hotrod_952@hotmail.com]

I tried to setup a VPN Remote user. Whenever the secure client tries to connect, they receive a gateway communication error. Also, I notice that the Smart Tracker shows, "No license for VPN" for packet. Does this mean that they customer needs to upgrade their license to VPN-1?

[MrSnakey]

Quote:

Originally Posted by hotrod_952@hotmail.com

I tried to setup a VPN Remote user. Whenever the secure client tries to connect, they receive a gateway communication error. Also, I notice that the Smart Tracker shows, "No license for VPN" for packet. Does this mean that they customer needs to upgrade their license to VPN-1?

Yes. Have them contact a competent Check Point reseller with their license ready.

[Thorpuse]

Wow... they either have an extremely old license (pre-2001, when VPN became a standard offering) or an extremely new one (R70, when we went Back to the Future about VPN and other features....).

[hotrod_952@hotmail.com]

I can no longer connect the Dashboard with the external IP address. Any reasoning this is occurring?

[MrSnakey]

Quote:

Originally Posted by hotrod_952@hotmail.com

I can no longer connect the Dashboard with the external IP address. Any reasoning this is occurring?

Are you connecting from a different IP address? The Management Server component has what's called a 'GUI Client' list configured with the 'cpconfig' command that lists the IP addresses that the SmartDashboard is allowed to connect from.

If you are not connecting from an IP that's not on that list, then being denied is normal behavior.

You might want to check the logs too, and the out put of 'cplic print' just incase the customer has been running off of 30 day evals for the last some many years.

[hotrod_952@hotmail.com]

cplic print shows they have the external IP license with cpfw-enc-u-mgmt-ng which allows you to upgrade to the VPN-1 module.

[Thorpuse]

Please provide a sanitised complete output of the cplic print command. Those licenses are very old, I think you're missing some.

Is it just me, or does anyone else find it extremely ironic that R70 goes back to the model of having to get a separate license for encryption? And that in both cases, CP claimed it was done to simplify the license system and provide better value? Hmmmm....

[chillyjim]

The "VPN" part is at customer request.

I want the equivalent of the old "Enterprise Encryption Center" license (All the features that were available in one SKU).

[Thorpuse]

Quote:

Originally Posted by chillyjim

The "VPN" part is at customer request.

I want the equivalent of the old "Enterprise Encryption Center" license (All the features that were available in one SKU).

Seems ironic that "customers" are requesting this, when years ago "customers" were responsible for getting FW-1 and VPN-1 consolidated into a single product. And that consolidation was universally accepted and appreciated too!

All features in one license! It still exists.... sadly, it only works for 30 days.... I agree with the sentiment though - bundling only gets you so far.

[Yasushi Kono]

Hi to all,

before making thoughts about if the correct licensing is being installed or not, you should first of all check, if the license is bound to the system. For that, you should type the following command on the securiy gateway (not "cplic print"):

cpstat polsrv -f default


There, you can see how many clients are licensed and how many of them are connected.

Kind regards,
Yasushi

[Izzio]

...ehm it looks like as our SC license is a little bit oversized ;-)

cpstat polsrv -f default

Status Full Description: Policy Server is up
Licensed users: 4294967294
Connected users: 39

[Thorpuse]

LOL! Wow... at $50 a license....