The IPS Software Blade is a Service Blade that requires annual renewal to enforce IPS protections and download protection updates from the Check Point IPS Update Service. The IPS updates are required to protect against the most recent vulnerabilities and exploits.
The IPS Software Blade verifies renewal information for every Security Gateway and reduces IPS functionality if the IPS contract is expired.
This document explains:
- How to view the status of IPS contracts on all your gateways
- What the notifications about missing or expiring contracts mean
- How the enforcement mechanism detects invalid or missing contracts
Each Security Gateway must be covered by an IPS contract in order to use IPS Protections. The contract covers both the Protections provided "out-of-the-box" and new Protections downloaded from the Check Point IPS Update Service. The IPS contract covers all protections of the IPS Software Blade.
Without a valid IPS contract, the gateway is not entitled to use any IPS protections.
There are 8 types of IPS Software Blade contracts:
- CPSB-IPS-XL-# of years: This contract covers high end appliances and software packages.
- CPSB-IPS-L-# of years: This contract covers large-sized appliances and software packages.
- CPSB-IPS-M-# of years: This contract covers mid-sized appliances and software packages.
- CPSB-IPS-S-# of years: This contract covers small appliances and software packages.
- CPSB-IPS-XL-# of years-HA: This contract covers select appliances and software packages. (HA: For High Availability)
- CPSB-IPS-L-# of years-HA: This contract covers large-sized appliances and software packages. (HA: For High Availability)
- CPSB-IPS-M-# of years-HA: This contract covers mid-sized appliances and software packages. (HA: For High Availability)
- CPSB-IPS-S-# of years-HA: This contract covers small appliances and software packages. (HA: For High Availability)
Note: IPS High Availability contracts are not available for some products, such as Power-1 and IP series appliances; therefore, refer to the online Price List for assistance with determining the appropriate contract for your product.
Contracts are always associated with licenses or containers. Each contract, including the IPS Software Blade, must be attached to a Blade Container or, when using NGX licenses, to a valid gateway license.
This document discusses Software Blades and containers, but the same information is also true for NGX licenses.
When contracts are purchased, they appear in the relevant User Center account.
When you click on a container, you can see the contracts associated with it.
For further information on managing IPS contracts in the User Center, refer to sk44245.
Notifications about insufficient contract coverage
The best way to view the complete license and contract coverage status is through SmartUpdate.
When you launch SmartUpdate, a list of all expired and about-to-expire licenses and contracts is shown.
Also, all expired contracts will be shown in red in the Licenses and Contracts view of SmartUpdate.
There are additional notifications so you can understand the contract coverage status easily. The additional notifications are:
- IPS Overview page
The Overview page of the SmartConsole IPS tab includes the Messages and Action Items section. This section shows an alert when a gateway has invalid or insufficient IPS contract coverage. A different warning appears when contracts are about to expire.
- During policy installation process
During policy installation, the Contract Expiration window shows alerts with contract statuses.
"On June 11 2010, IPS protection set will be limited to protections installed before Mar 21, 2007"
An alternative error message is: "The policy includes changes to services that have an expired contract or a contract that is about to expire. Services with expired contracts have limited functionality."
The contract description remains "Not associated with a contract".
What happens when there is no IPS contract
You must have an IPS Software Blade contract to use the full IPS Software Blade functionality on a gateway. If a valid IPS contract is not associated with a gateway:
Protections will be limited to only those protections that were available as of March 2009 (the same protection set that existed when R70 was released). All protections produced after March 2009 will be disabled.
When this change in functionality occurs, customers will be notified by:
- A pop-up warning message will appear on the screen during policy installation.
- An audit log will be sent after policy installation notifying that some IPS protections were disabled.
Once you purchase a valid contract, all previously disabled protections begin working again.
When protections are disabled as a result of a contract issue, the protection's settings in SmartConsole will not change. The protection will appear to be active in SmartConsole; however it will not be active on the gateway.
You can download IPS updates even when some gateways have contract issues.
You must enter User Center credentials so that the contract data can be automatically updated from the Security Management server. You can enter User Center credentials from the Online Updates section of the IPS tab.
Examples of several possible scenarios
- New installation of R71 and higher
A new management server includes a special trial license. This license allows all gateway functionality for 15 days. This lets all gateways managed by this Security Management server use all IPS protections.
After the trial license expires, a grace period starts (see the IPS Software Blade Grace Period scenario below), in which the protections still work, but warnings are issued regarding the missing/expired contracts. When the grace period is over, protections newer than March 2007 (the release date of NGX R65) are turned off on all gateways without a valid contract, as described above.
- Evaluation contracts
The IPS Software Blade can be evaluated for a specified period of time with an Evaluation contract. Evaluation contracts are treated the same as "regular" contracts, and they allow prospective customers to use all IPS protections on the gateway on which they are installed for the duration of the 30 day evaluation contract. When the grace period is over, protections newer than March 2007 (for clean installation) or March 2009 (for upgrade) are turned off as described above.
- IPS Software Blade Grace Period
A grace period is the period after the IPS blade license expires in which the protections are still active and no restrictions are applied, but warnings are issued regarding the missing contracts. The grace period is set to 60 days starting from the latest contract expiration date on that gateway. Grace periods are calculated per gateway individually.
- Q. How is the contract information updated?
A. When you purchase a new IPS blade contract, the contract is added to your User Center account. In most cases, the contract is already associated with a container (a gateway). If this is not the case, you need to associate it manually (see sk44245 for further information on this stage).
On the Security Management server, a task runs every 6 hours (by default) that updates the license and contract information from the User Center account into the Security Management server. It is also possible to update the information manually from the SmartUpdate application (go to Licenses & Contracts -> Update Contracts -> From User Center). Since every contract is associated with a container (or gateway) license, make sure all relevant gateways also have valid licenses before updating the contract information. The automatic contract update task requires Internet connectivity from the Security Management server box. If the Security Management server does not have Internet connectivity, see the instructions below.
- Q. I have just manually installed a new gateway or a new contract. I install the policy but still see a warning about a missing or expired contract for that gateway.
A. The contract information is updated at several points in time: during the periodic scheduled update (by default every 6 hours) and when updating the User Center credentials in SmartConsole. The update process may take a few minutes to complete, so allow up to 10 minutes for the contract information to be reflected in the system.
- Q. What are the IPS contract requirements in cluster environments?
A. Generally, all cluster members must run the exact same policy. Specifically, they must use the same IPS policy. If one of the cluster members does not have a valid IPS contract, IPS is turned off on the ENTIRE CLUSTER in order to avoid certain connectivity problems. Make sure all cluster members have valid IPS contracts.
- Q. How are the IPS contracts managed in Multi-Domain Management environment?
A. IPS contracts are managed per CMA. The MDS neither checks nor alerts on missing or expired IPS contracts. All the IPS contracts should be available on the CMA (or directly on the gateways), and all the notifications are provided through the CMAs.
- Q. What should I do if my Security Management server is not connected to the Internet?
A. If the Security Management server does not have Internet connectivity, there are 2 alternatives for updating the IPS contracts:
  - If the SmartConsole client has Internet connectivity, use the SmartUpdate application to perform an online contract update (go to Licenses & Contracts -> Update Contracts -> From User Center).
  - If the SmartConsole clients also do not have Internet connectivity, you can still update the contracts as follows:
    - From a machine connected to the Internet, log in to UserCenter.checkpoint.com, go to the products page, and choose the containers to which the contracts are associated.
    - From the menu on the right, click "Save file". The file produced contains the updated license for this container. Save it locally.
    - Copy the file to the machine running the SmartConsole.
    - From the SmartUpdate application, choose Licenses & Contracts -> Update Contracts -> From File, and then choose the file you just copied.
  You should perform this routine manually every time you renew a contract or add a new gateway to the Security Management server/CMA.
- Q. How can I configure the automatic contracts update to work through a proxy?
A. The automatic update process is performed on the Security Management server box. To allow proxied connections from the Security Management server, in SmartConsole go to Global Properties -> Proxy and configure the proxy settings.
Refer to sk89920 - How to enable Proxy Server credentials in SmartConsole for supporting IPS and Application Control scheduled updates.
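To make the enforcement rules from the Grace Period scenario and the cluster FAQ above concrete, here is an added example that models them per gateway; it is illustrative code written for this article, not Check Point's implementation. The gateway names, contract dates and protection list are constructed, and it assumes a gateway with no contract at all goes straight to the limited state and that a member still inside its grace period counts as covered for the cluster rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

GRACE_DAYS = 60                    # grace period stated in the article, counted per gateway
CUTOFF_CLEAN = date(2007, 3, 1)    # clean install: protections newer than March 2007 are turned off
CUTOFF_UPGRADE = date(2009, 3, 1)  # upgrade: protections newer than March 2009 are turned off


@dataclass
class Gateway:
    name: str
    contract_expiry: Optional[date]  # None = no IPS contract attached to this container
    upgraded: bool = False           # selects which protection cutoff applies when limited


def ips_state(gw: Gateway, today: date) -> str:
    """'full' = contract valid, 'grace' = expired but still enforcing with warnings,
    'limited' = grace period over, protections newer than the cutoff are disabled."""
    if gw.contract_expiry is None:
        return "limited"  # assumption: nothing to count a grace period from
    if today <= gw.contract_expiry:
        return "full"
    if today <= gw.contract_expiry + timedelta(days=GRACE_DAYS):
        return "grace"
    return "limited"


def enforced_protections(gw: Gateway, today: date,
                         protections: List[Tuple[str, date]]) -> List[str]:
    """Names of protections the gateway actually enforces. SmartConsole keeps showing
    all of them as active; only the gateway-side enforcement shrinks."""
    if ips_state(gw, today) != "limited":
        return [name for name, _ in protections]
    cutoff = CUTOFF_UPGRADE if gw.upgraded else CUTOFF_CLEAN
    return [name for name, released in protections if released <= cutoff]


def cluster_ips_enabled(members: List[Gateway], today: date) -> bool:
    """Cluster rule from the FAQ: one member without a valid contract turns IPS off
    for the whole cluster (assumption: a member in its grace period still counts)."""
    return all(ips_state(m, today) != "limited" for m in members)


# Constructed sample data: report date and a small protection set with release dates.
TODAY = date(2010, 6, 1)
SAMPLE_PROTECTIONS = [
    ("Legacy-2006-Protection", date(2006, 11, 2)),
    ("Mid-2008-Protection", date(2008, 7, 15)),
    ("Recent-2010-Protection", date(2010, 4, 20)),
]
```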