The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

FireWall-1 FAQ: Anatomy Of A FireWall-1 License

Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.


I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.


If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)


As of FireWall-1 4.1, license strings look like the following:

    Expiration Date:    21Dec1999 
    Host ID:            a.b.c.d 
    Features:           CPFW-EVAL-1-3DES-module-v41 
    License String:     aDxbb4F5j-d6tK6Mf3X-xSg4UvWZ6-owNuuj5fu (Validation code: XyZwa)
  • Expiration Date is either Never or, if an evaluation license, the expiration date of the license.
  • HostID is an IP address but on some legacy licenses, it will be the output of the "hostid" command. Some legacy evaliation licenses used 'eval' also.
  • Features correspond to the product SKUs the license is for.
  • License String is case-sensitive!

The command "cplic put" installs a VPN-1/FireWall-1 license locally on a host.

Syntax:

    cplic put [module IP] [License string]

Example:

    cplic put eval 2f540abb-d3bcb001-7e54513e-kfyigpwn CPSUITE-EVAL-3DES-NG Ck-0123456789ab

Produces output similar to the following:

    Host expiration features
    Eval 1.1.1.1   21dec2000 CPSUITE-EVAL-3DES-NG ck0123456789ab
    License file updated

License strings generally contain one or more product SKUs (corresponds to products and options purchased) as well as your certificate key. They also contain an expiration date. "Never" is used for permanent licenses, otherwise it is an evaluation license. This particular license is an evaluation license that expires on December 21, 2000.

After installing a license, it is best to do the following:

  1. Stop the VPN/FireWall Module (cpstop).
  2. Start the VPN/FireWall Module (cpstart).

Determine the current licenses with the cplic print -k command

Note: The "cplic put" command (located in the $CPDIR/bin directory, which is equivalent to /opt/CPshared/5.0/bin on Solaris, "C:\PROGRAM FILES\CHECKPOINT\CPSHARED\NG\BIN" on Windows NT, and /opt/Cpshared/5.0/bin on Linux) is used to install one or more Local licenses. This command installs a license on a local machine. This command cannot be performed remotely. Multiple licenses can be installed using a multi-license file received from the User Center. Use this command to install the following:

  1. NG local license for a FireWall-1 module on a firewall module
  2. NG local license for a FireWall-1 module on a management module

The license installation will fail if:

  • IP address of the module does not correspond to the IP address in the license
  • License is already installed on the machine
  • License is not valid

Local licenses can also be installed with the cpconfig configuration tool.

After installing a license, it is recommended to go through the following:

  1. Confirm that the appropriate license is being used by printing the licenses using the "cplic print" command (located in the $CPDIR directory).
  2. It is recommended that the licenses are retrieved to the SmartUpdate License Repository using the "cprlic get" (located in the $FWDIR directory) command or via the SmartUpdate GUI.

C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.