Troubleshooting guide
Chapter 11: Troubleshooting Licensing
Resolving Common Licensing Problems
Advanced Technical Reference Guide 4.1 • June 2000
Type      Expiration  Ver  Features
Eval      15Jul96     4.x  pfm control routers
807dafa7  Never       4.x  pfm control routers encryption [Invalid]
807dafa8  Never       4.x  pfm control routers encryption
807dafa7  Never       3.x  pfm control routers encryption
807dafa7  Never       4.x  pfm control routers encryption
The FireWall in question contains four licenses. The first is an evaluation license, which is valid for all
computers, but only until July 15th, 1996. The second is an invalid license, probably because of typos in the
license string. The third is a permanent license for hostid 807dafa8, which is perfectly valid but irrelevant
because the hostid is 807dafa7. The fourth license is also valid, but allows us to run FireWall-1 v. 3.x only,
and not VPN-1/FireWall-1 4.x. Only the last license (which never expires, is valid, is for the correct
hostid, and has the correct version) is actually used.
When verifying licenses on the firewall, it is important to remember that even if a license is displayed as valid,
it may still be irrelevant because of either date or hostid. If several relevant licenses are installed, their features
are “OR”ed together.
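The relevance rules above can be replayed over the sample listing. This is an added example, not Check Point code and not part of the original guide. It assumes the whitespace-separated column layout shown on this page, that "Eval" in the first column matches any host, that an evaluation license is usable through its expiration date, and that versions are compared by major number; the function names are hypothetical.

```python
from datetime import date, datetime

# Constructed sample: the listing from this page, in the same column order.
LISTING = """\
Type Expiration Ver Features
Eval 15Jul96 4.x pfm control routers
807dafa7 Never 4.x pfm control routers encryption [Invalid]
807dafa8 Never 4.x pfm control routers encryption
807dafa7 Never 3.x pfm control routers encryption
807dafa7 Never 4.x pfm control routers encryption
"""

def parse_listing(text):
    """Turn each row after the header into a dict (assumed layout)."""
    licenses = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 3:
            continue
        expires = None  # None stands for "Never"
        if fields[1] != "Never":
            expires = datetime.strptime(fields[1], "%d%b%y").date()
        licenses.append({
            "host": fields[0], "expires": expires,
            "major": fields[2].split(".")[0],
            "features": {f for f in fields[3:] if f != "[Invalid]"},
            "invalid": "[Invalid]" in fields})
    return licenses

def relevance(lic, hostid, major, today):
    """Return None if the license is used, else the reason it is ignored."""
    if lic["invalid"]:
        return "invalid"
    if lic["expires"] is not None and today > lic["expires"]:
        return "expired"
    if lic["host"] != "Eval" and lic["host"].lower() != hostid.lower():
        return "wrong hostid"
    if lic["major"] != major:
        return "wrong version"
    return None

def effective_features(text, hostid, major, today):
    """OR together the features of every relevant license."""
    result = set()
    for lic in parse_listing(text):
        if relevance(lic, hostid, major, today) is None:
            result |= lic["features"]
    return result

if __name__ == "__main__":
    print(sorted(effective_features(LISTING, "807dafa7", "4", date(2000, 6, 1))))
```

With the constructed date of 1 June 2000 only the last row contributes features. Before 15 July 1996 the evaluation row would also count, and its features would be ORed in.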
To check whether a certain license feature exists in your license (whether explicitly, or included in a combined
license feature), use the command fw checklic <feature>.
Both the fw printlic and the fw checklic commands allow you to use a "-k" switch in order to
perform the check upon the license embedded in the kernel module rather than upon the one in
$FWDIR/conf/fw.LICENSE (%systemroot%\fw\conf\fw.LICENSE on NT).
See the SecureKnowledge Solution (Solution ID: 3.0.698740.2304823) in the Check Point Technical Services
site.
Licensing synchronized VPN/FireWall modules
Two synchronized VPN/FireWall modules need to have two 'pfm' or 'pfi' licenses. If these modules are limited
modules (25, 50, 100, or 250 hosts), you also need the highav feature in the license. It is recommended to also
have a management station with the control feature, which is able to control both modules. It can be on the
same machine as the two modules, or on a third machine.
Two machines, both with 'stdlight25' licenses (i.e. two FIG-xxx products), may also be synchronized,
though this is far less convenient. A connect control module, however, is not needed for this feature.
Licensing non IP hosts
You have to buy a license based on the number of internal network computers that run TCP/IP only, rather than
including the non-TCP/IP ones.
The structure of the license as maintained on the system
The internal structure of the license maintained in the system cannot be seen. It is described here for a better
understanding of the way the license is enforced.
Host id or ip address | Expiration | Features | Signature
There can be up to 32 licenses on one machine.
The signature is built by an algorithm that uses the “host id” or “ip address”, “expiration” and
“features” values. The putlic command installs the license. The generated structure is the following:
Host id/ip address | K1-k2-k3 (license string) | The features