dsmith

I have a Checkpoint FW-1 license for the 100 address Gateway product. We need to re-use the firewall elsewhere which means I have to change the outside interface to which the licence is tied.

How to I go about getting the licence moved for the new outside interface IP address ?

Product is: CPFW-FIG-100-V41 (Firewall Internet Gateway/100)
I have the Certificate Key but the support has expired and wont be renewed.

Thanks

Deano


[Edited by dsmith - 11/26/2002 4:44:44 PM]

Jeff Wiltshire

You'll need to register the product at
http://usercenter.checkpoint.com

Once you have added the Certificate Key the site will allow you to re-license the product to another external IP address.

The chances are, however that the vendor of the product has already registered the Cert Key and you'll need to request (via the web site) that they release the Key to your companies logon.

Alternatively contact the Vendor and get them to relicense the product for you and send you the new license information.


Jeff

dsmith

Ta Jeff.

Just need to get it transferred to me and I'm away.

Deano

rich101

Jeff,

I thought Checkpoint will only issue a license to the new IP address when it is under support.

rich

HHxx

Deano, don't think you can generate a new key on the Usercenter as it was most likely generated using the old version Licensing center.

But hey, give it a go anyway

H

Jeff Wiltshire

Checkpoint will allow a new license key to be generated even if the product isn't under support. You can't get the updates however.

This will work under the usercenter because it will be migrated once the user has requested the key under the new system.


Jeff

shunty

Jeff - on the same subject, but different area, do you know if you can register & use 2 IP's on 1 licensed version of FW1 NG ?? 2 seperate networks, with a 2 meg pipe on each but use 1 firewall & share the rule base (not ideal I know).
cheers

shunty

dsmith

Transferred, IP address changed, license received and "Putlic"'d successfully

Thanks
Deano

Jeff Wiltshire

Shunty

You can't license 2 external IP address (there are versions of FW-1 that run virtual firewalls which may be able to do this VSX?).

However you may not need too. You only need to use the external address on one circuit to license the product. You then can set the rulebase to allow/disallow/NAT for each of the external interfaces. The only problem while arise if you have a license for a limited number of Hosts because FW-1 will see the 2nd circuit as part of your internal network.

There could be a number of other issues as well to do with the security of the rulebase.

You might be better off look at the amplifynet.com product that we're discuss on the other thread.


Jeff

shunty

Jeff, would it be possible to have a quick chat with you regarding this (puts Jeff right on the spot), as we have a situation houston
2 offices have moved to 1 location in Spain & ordered 2 seperate lines, there is however only 1 firewall on the new site (although there are 2 physical networks) which gets it's policy pushed from UK & our security manager left @ short notice & I'm no expert on FW1 NG. We would need to run 2 public IP's through 1 gateway/router & 1 firewall.

shunty

shunty

ps - if you can help me out on this Jeff, I will send you some nice trial software out, you will be impressed I promise

shunty

dsmith

The issue with IPs & FW-1 is purely a licensing one.

Some versions (liek the one I have) limit the IP addresses it will talk to "except" out of the single nominated outside interface. If you have the 2 lines for resilience then Jeff's box sounds ideal.

If you just need to get it to work there are other ways you can do it - dpends entirely on what traffic flows you need to arrange over which line and in which direction they are.

For example My firewall has 2 indpendant WAN routers on its outside - One Dial, one fixed WAN link (we're migrating a particular site). I'm happily arranging some traffic to use the Dial, some to use the fixed link - dpending on whether the far end allows the DIAL attached subnet or WAN attached subnet to connect - all with a single firewall with a single "outside" interface.

A bit of NAT/routing on the routers and Bob's you uncle.

Deano

Of course if the routers are provided by an unhelpful service provider who wont bugger about for you - then you could be stuffed - fortunately I am both service provider and customer in this instance.

shunty

Deano - thanks for the reply, very useful info.
The routers at the other end are managed as you say by the service provider, unfortunatly we have NO router/switch/firewall people within the company at the mo. Apart from my firewall knowledge (raptor, ISA & some earlier versions of FW1), but not enough I feel to risk me configuring it wrongly. My router/switch knowledge is roughly the same, some cli stuff(basic) & basic vlan as well.

I will pick both yours & Jeffs brains a bit more tomorrow if that is ok ? I am in Manchester unfortunatly till about 2 pm, so I will come back to you both later on.
thanks very much

shunty

Jeff Wiltshire

Shunty

YHM


Jeff

shunty

Jeff, thanks for the advice over the phone mate, you are indeed a star.
I will come back to you asap.

cheers

shunty

shunty

Jeff - YHM back.

shunty

Jeff Wiltshire

Shunty

And again....glad I could help on the phone.


Jeff