A Word about Licensing


The VPN features of FireWall-1 require licenses that enable VPN. In FireWall-1 4.1 and earlier, you also had to have the appropriate binaries. In NG, there is only one version of the binaries, and it supports encryption. With the release of NG AI R55, Check Point removed firewall-only licenses from its price list, so newly purchased licenses will be VPN enabled. Older licenses may need an upgrade (at extra cost) to support VPN functions.

To ensure that you have licenses capable of supporting the appropriate level of encryption, check Table 11.1 against your license string, which includes the product SKU as listed on Check Point's price lists. This will tell you what level of encryption you have purchased, if any.

Table 11.1. FireWall-1 NG SKUs and encryption strength

SKU      Encryption Strength
3DES     Strongest encryption available
DES      56-bit encryption and lower
FWZ1     48-bit encryption and lower
40bit    40-bit encryption only

VPN-1 Pro versus VPN-1 Net

Check Point has introduced a new type of VPN license in NG: VPN-1 Net. VPN-1 Pro is the more traditional license, which supports a custom security policy and can be licensed by the number of protected nodes. VPN-1 Net allows for relatively simple security and VPN policies that cannot be customized; it is licensed by the number of tunnels created, not by the number of hosts. A VPN-1 Net license is far less expensive than a comparable VPN-1 Pro license, though VPN-1 Net is less functional.

The vast majority of this chapter covers VPN-1 Pro, not VPN-1 Net.



Essential Check Point FireWall-1 NG
Essential Check Point FireWall-1 NG: An Installation, Configuration, and Troubleshooting Guide
ISBN: 0321180615
EAN: 2147483647
Year: 2004
Pages: 143
