Troubleshooting guide
Chapter 11 Troubleshooting Licensing Check Point Licensing Policy
Advanced Technical Reference Guide 4.1 • July 2000 118
Troubleshooting Licensing
For the latest information about operational aspects of Check Point product licensing, see the
Check Point License center http://license.checkpoint.com/
Check Point Licensing Policy
VPN-1/FireWall-1 Licensing
Licensing for Check Point VPN-1/FireWall-1 is based on the total number of internal nodes protected. For
licensing purposes, a node is any IP address protected by any VPN-1/FireWall-1 interface, excluding the
external interface. Protected nodes include all network devices with IP addresses, such as workstations, routers,
hubs, printers, etc.
FireWall-1 and VPN-1 gateways track the cumulative number of nodes (IP addresses) on all internal interfaces
beginning from initial installation. There is no expiration of IP addresses from this count. A multi-user
workstation is counted as a single node. For a multi-homed workstation, the number of nodes is equal to the
number of workstation interfaces.
When the FireWall-1 or VPN-1 gateway encounters an IP address that exceeds the license limit, messages will
be sent to the console of the VPN-1/FireWall-1 module, and the VPN-1/FireWall-1 administrator will be alerted
via email that the license has been violated and should be upgraded immediately.
Licensing based on the number of protected nodes is the most straightforward approach and ensures that all
internal users/hosts have secure Internet connectivity. There is never a concern about exceeding a vendor-
imposed limit on the number of concurrent sessions.
Licensing Example 1: Single VPN/-1FireWall-1 Gateway
The figure below shows a simple network configuration with VPN-1/FireWall-1 providing Internet security.
For this network, the organization would require a FireWall-1 or VPN-1 product license that supports “n”
nodes.
Node n Node 2 Node 1
External Network
FW-1
VPN-1
Figure 1. Single VPN-1/FireWall-1 Gateway Licensing requirements