13. Check Point Getting Started R80.20. Licensing


Hello friends! We have finally reached the last lesson of Check Point Getting Started. Today we will talk about a very important topic: licensing. I should warn you right away that this lesson is not an exhaustive guide to choosing hardware or licenses. It is just a summary of the key points that every Check Point administrator should know. If you are really puzzling over the choice of a license or an appliance, it is better to turn to professionals, i.e. to us :). There are many pitfalls that are very hard to cover within a course, and impossible to memorize all at once.
This lesson is entirely theoretical, so you can switch off your lab servers and relax. At the end of the article you will find a video tutorial in which I explain everything in more detail.

Gateway Licensing

Let's start with the licensing features of security gateways. This applies both to hardware appliances and to virtual machines. Suppose you decide to buy a gateway. You cannot buy just the appliance or the virtual machine without a "subscription"! There are three subscription options:

[Figure: the three subscription packages (NGFW, NGTP, NGTX) and the blades each one includes; blades that keep working permanently are highlighted in green]

And here is the first interesting feature. A new appliance or virtual machine can only be bought with an NGTP or NGTX subscription. When you renew, however, you can switch to the NGFW package if you do not need the AV, AB, URL, AS, TE and TX blades (Anti-Virus, Anti-Bot, URL Filtering, Anti-Spam, Threat Emulation and Threat Extraction). Keep that in mind. Subscriptions themselves are sold for a term of one, two or three years.

I can guess your first question: "What happens if the subscription is not renewed?" In the picture I deliberately highlighted in green the blades that will ALWAYS work, WITHOUT any renewal. These are the so-called perpetual blades. The remaining blades, which depend on constant updates, simply stop working. The one exception is IPS, which keeps a small set of key signatures (but there are very few of them). This is true for both hardware appliances and virtual machines, i.e. vSEC.

Separately, I have singled out three blades that are not included in any package: DLP, MAB (Mobile Access) and Capsule.

Also remember that if you buy a cluster solution, choose the model with the HA suffix (High Availability) as the second device. The picture shows an example for the 5400 gateway. That covers gateways; now let's look at the management server.

Management Server Licensing

As we said in the first lessons, there are two Check Point deployment scenarios: Standalone (gateway and management on the same device) and Distributed (the management server on a separate device). But the options do not end there. Let's look at three typical management server deployment scenarios:

[Figure: the three management server deployment scenarios and the blades included in each]

  1. Buying a dedicated NGSM. The most popular option. You choose either a Smart-1 appliance or a virtual machine, sized by how many gateways you will manage: 5, 10, 25 and so on. With this device you get the four key management server blades: NPM (Network Policy Management, i.e. policy management), Logging and Status (logging), SmartEvent (Check Point's SIEM, which gives us all the reporting) and Compliance (an assessment of configuration quality, either against regulatory requirements such as PCI DSS or simply against best practice). Note right away that NPM and LS are permanent blades, i.e. they work without subscription renewal, whereas SmartEvent and Compliance are included only for the first year! After that they have to be renewed for additional money. This is an important point; don't forget it. You can still live without the Compliance blade, but absolutely everyone needs SmartEvent.
  2. Buying a dedicated Event Management server IN ADDITION to the existing NGSM management server. Why is this needed? The logging functionality, and especially SmartEvent, consumes a very significant amount of system resources. If there are a lot of logs, this can make the management server sluggish. So it is common practice to move this functionality to a separate device, again either a Smart-1 appliance or a virtual machine. Large deployments with a high log volume almost always require a dedicated SmartEvent server; it can also receive the logs. Your management server then performs only management functions, which greatly improves the stability and responsiveness of the system. As you can see in the picture, when you buy a dedicated SmartEvent server you get both of its blades (logging and SmartEvent) permanently, without renewal. Over a horizon of 3-4 years this works out cheaper than buying SmartEvent renewals for a regular NGSM server every year.
  3. A dedicated log management server, in addition to the NGSM and SmartEvent servers. The idea, I think, is clear: with a VERY large number of logs, the logging function can be moved to its own server. A dedicated Log server also has a permanent license and does not require renewal.

Video tutorial

Here you will find more information about license management and Check Point technical support:



Source: habr.com
