FireWall-1 FAQ: How licensing is enforced on node-limited licenses
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
FireWall-1 listens for any IP-based traffic on all interfaces but ones deemed “external.” In the NG release, external interfaces are defined in the firewall’s workstation object, topology frame. Multiple external interfaces can be defined in NG, but FireWall-1 will not allow traffic to be routed between the external interfaces. In 4.1 and earlier releases, it is defined by the contents of the external.if file. Only a single external interface is permitted in 4.1 and earlier releases.
Anytime FireWall-1 hears hosts talking to each other with IP on non-external interfaces, it notes the IP addresses of the machines (In $FWDIR/database/fwd.h and $FWDIR/database/fwd.hosts). Once FireWall-1 has heard ‘n’ IP’s (plus a 10% fudge factor), connections from the ‘n+1’ hosts will generate emails to root and messages to syslog or the event viewer. When the license is exceeded by a large number of hosts on a busy network, FireWall-1 will consume itself with logging and mailing out messages about exceeding your license. In many cases, this will cause the firewall to process traffic very slowly, if at all.
So what are the implications of this? Anything behind your firewall with an IP address will eventually be found out about. This includes non-computer things like printers, coffee makers, etc. Anything with an IP address that talks on your LAN will be heard. Eventually. Also, machines with multiple IP addresses will most likely be counted more than once. Things that don’t talk TCP/IP should not be counted at all. Machines talking only AppleTalk, IPX, NetBEUI, etc, should not be counted. Since FireWall-1 only looks for IP traffic, it should safely ignore these machines.
There are plenty ways to “fake out” the license. For example, hide machines behind a choke router, a switch, a proxy server, or another FireWall-1 box. However, section 2.5 of the January 2000 End-User License Agreement clearly states this not permitted (similar verbage exists in more recent versions of the End-User License Agreement):
The Product is licensed to You based on the applicable Licensed Configuration purchased. The License permits the use of the Product in accordance with the designated number of IP addresses[…]. It is a violation of this End User License Agreement to create, set-up, or design any hardware, software, or system which alters the number of readable IP addresses presented to the Product with the intent, or resulting effect, of circumventing the Licensed Configuration.
