The VPN features of FireWall-1 require licenses that enable VPN. In FireWall-1 4.1 and earlier, you also had to have the appropriate binaries. In NG, there is only one version of the binaries, which all support encryption. With the release of NG AI R55, Check Point removed fire-wall only licenses from their price list, thus newly purchased licenses will be VPN enabled. Older licenses may need an upgrade (at extra cost) to support VPN functions.
To ensure that you have licenses capable of supporting the appropriate level of encryption, check Table 11.1 against your license string, which includes the product SKU as listed on Check Point's price lists. This will tell you what level of encryption you have purchased, if any.
SKU | Encryption Strength |
---|---|
3DES | Strongest encryption available |
DES | 56-bit encryption and lower |
FWZ1 | 48-bit encryption and lower |
40bit | 40-bit encryption only |
Check Point has introduced a new type of VPN license in NG: VPN-1 Net. VPN-1 Pro is the more traditional license, which supports a custom security policy and can be licensed by the number of protected nodes. VPN-1 Net allows for relatively simple security and VPN policies that cannot be customized; it is licensed by the number of tunnels created, not by the number of hosts. A VPN-1 Net license is far less expensive than a comparable VPN-1 Pro license, though the VPN-1 Net is less functional.
The vast majority of this chapter covers VPN-1 Pro, not VPN-1 Net.