Table of Contents
How to verify the status of Application Control contracts in all your Security Gateways
Notifications about insufficient contract coverage
What happens when there is no Application Control contract
Licensing and Contracts
Make sure that each gateway has a Security Gateway license and an Application Control contract. For clusters, make sure you have a contract and license for each cluster member.
New installations and upgraded installations automatically receive a 30 day trial license and updates.
Contact your Check Point representative to get full licenses and contracts.
If you do not have a valid contract for a gateway, the Application Control blade is disabled. When contracts are about to expire or have already expired, you will see warnings.
Warnings appear in:
- The Message and Action item section of the Overview page of the Application Control tab.
- The Check Point User Center, when you log in to your account.
Application Control Software Blade
The Application Control Software Blade is a Service Blade that requires annual renewal to enforce application control policy and to allow download of application updates from the Check Point Application Control Update Service. These updates enable you to recognize the most recent high risk applications, bandwidth consuming applications and more.
The Application Control Software Blade verifies renewal information for every Security Gateway and disables Application Control functionality if the Application Control contract has expired.
How to verify the status of Application Control contracts on all your Security Gateways
Each Security Gateway must be covered by an Application Control contract in order to use the Application Control Software Blade. The contract covers both the applications that are provided out-of-the-box and the new applications downloaded from the Check Point Application Control Update Service; that is, it covers all applications of the Application Control Software Blade. Without a valid Application Control contract, the Security Gateway is not entitled to use any Application Control applications.
There are 7 types of Application Control Software Blade contracts:
- CPSB-APCL-XL: Covers ultra high-end appliances and software packages: 21400 appliance, 12600 appliance, Power-1 11000, IP 2400 and SG1201.
- CPSB-APCL-L: Covers high-end appliances and software packages: Power-1 5070, Power-1 9070, IP 1200 and SG801.
- CPSB-APCL-M: Covers most mid-sized appliances and software packages.
- CPSB-APCL-S: Covers 2200 appliance, 4200 appliance, 4400 appliance, 4600 appliance, UTM-1 130, UTM-1 270, UTM-1 570 and SG101.
- CPSB-APCL-L-HA: Covers high-end appliances and software packages: Power-1 5070, Power-1 9070, Power-1 11000, IP 1200, IP 2400, SG801 and SG1201. (HA: For High Availability)
- CPSB-APCL-M-HA: Covers most mid-sized appliances and software packages. (HA: For High Availability)
- CPSB-APCL-S-HA: Covers 2200 appliance, 4200 appliance, 4400 appliance, 4600 appliance, UTM-1 130, UTM-1 270, UTM-1 570 and SG101. (HA: For High Availability)
Contracts are always associated with licenses or containers. Each contract, including the Application Control Software Blade contract, must be attached to a Blade Container or, when using NGX licenses, to a valid gateway license.
When contracts are purchased, they appear in the relevant User Center account.
To verify if the Security Gateway has a valid Application Control contract:
- Go to the "My Products" page in the User Center.
- Look for the Security Gateway's Container in the Product column, e.g. CPSG-P407. (refer to sk44224: How to match the User Center Product/License to a specific Security gateway).
- Click the link to open the Product Information Page. When you click on a container, you will be able to see the contracts associated with it.
- In the Product Information tab, check if an Application Control blade is attached to the Container. The attached Application Control blade can be either a Built-in Blade or an Additional Blade.
Built-in Blades are purchased as part of a predefined Software Blades system. They are displayed with a lock.
Additional Blades are purchased on their own, not as part of a predefined Software Blades system. They are displayed without a lock.
- Look for the Support Renewal, to see if the Security Gateway is covered by the Application Control Service.
New installations and upgraded installations automatically receive a 30 day trial license and updates. Contact your Check Point representative to get additional evaluation licenses and contracts.
For more information, refer to sk44245: How to check if the security gateway is covered by an IPS or SmartDefense contract in User Center.
Notifications about insufficient contract coverage
- SmartUpdate: You can check the complete license and contract coverage status via SmartUpdate. For more information, refer to sk44175: IPS Software Blade contracts in R71.
- Application Control Overview page: (added in R75) The Overview page of the SmartDashboard Application Control tab includes the Messages and Action Items section. This section shows an alert when a gateway has invalid or insufficient Application Control contract coverage. A different warning appears when contracts are about to expire.
- Application Control System Logs: (added in R75) The System log query of the SmartView Tracker Application Control Blade sub-tree shows Application Control update-related logs. When a contract has expired or is about to expire, the log description carries additional information describing the contract status.
- Contract Expiration window: (added in R75) During policy installation, the Contract Expiration window shows alerts with contract statuses.
What happens when there is no Application Control contract
You must have an Application Control Software Blade contract to use the Application Control Software Blade functionality on a gateway. If a valid Application Control contract is not associated with a gateway, the blade will be disabled.
When this change in functionality occurs, customers will be notified by:
- A pop-up warning message that appears on the screen, during policy installation.
- An audit log that is sent periodically, notifying that the Application Control Blade is disabled.
Once you purchase a valid contract, the blade is enabled again.
Important: When the Application Control Blade is disabled due to an insufficient contract, the Application Control settings in SmartDashboard do not change. The blade will appear to be active in SmartDashboard; however, it will not be active on the gateway.
New Installation or Upgrade of R75
A new or upgraded R75 Security Gateway includes a special trial license. This license allows all Application Control functionality for 30 days, starting from the day on which the blade was enabled for the first time. The only licensing difference between an upgrade and a new installation is that a new installation is granted a Plug and Play license for 15 days, and the trial license takes effect only if a new license that does not contain the Application Control blade is deployed on the gateway.
After the trial license expires, the Application Control Blade is disabled.
When using Evaluation Contracts
The Application Control Software Blade can be evaluated for 30 days with an evaluation contract. Evaluation contracts are treated the same as "regular" contracts: they allow prospective customers to use full Application Control functionality on the gateway on which they are installed, for the duration of the 30 day evaluation contract. When the evaluation contract expires, the Application Control Blade is disabled.
The grace period is the period after the Application Control Blade license expires during which the blade remains active and no restrictions are applied; however, warnings are issued about the missing contracts. The grace period is granted only after a "regular" contract expires. It is set to 90 days, starting from the latest contract expiration date on that gateway. Grace periods are calculated per gateway, individually.
Important: Starting from R80.10, there is no grace period for APPI and URLF.
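The trial, evaluation and grace-period rules described above, modelled in Python as an added example (not Check Point code): the "about to expire" warning threshold is an assumption, since the article gives no number, and every contract passed in is assumed to be already attached to the gateway's container or license.

```python
from dataclasses import dataclass
from datetime import date, timedelta
TRIAL_DAYS = 30           # trial license: 30 days from the first enablement of the blade
GRACE_DAYS = 90           # grace period after a "regular" contract expires
NO_GRACE_FROM = (80, 10)  # starting R80.10 there is no grace period for APPI/URLF
EXPIRY_WARN_DAYS = 30     # assumed "about to expire" threshold; the page gives no number

@dataclass
class Contract:
    kind: str    # "regular", "evaluation" or "trial"
    start: date
    end: date    # last covered day

def trial_license(first_enabled: date) -> Contract:
    """Trial license of a new or upgraded gateway, counted from first enablement."""
    return Contract("trial", first_enabled, first_enabled + timedelta(days=TRIAL_DAYS))

def blade_status(contracts, version: tuple, today: date):
    """Classify one gateway as 'active', 'grace' or 'disabled', plus its warnings. version is
    (major, minor), e.g. (75, 0) for R75; contracts passed in are assumed attached to this gateway."""
    warnings = []
    valid = [c for c in contracts if c.start <= today <= c.end]
    if valid:
        days_left = (max(c.end for c in valid) - today).days
        if days_left <= EXPIRY_WARN_DAYS:
            warnings.append(f"contract expires in {days_left} days")
        return "active", warnings
    # Grace is granted only after a "regular" contract expires (an expired trial or
    # evaluation gets none), runs from the latest expiry date, and not from R80.10 on.
    expired_regular = [c for c in contracts if c.kind == "regular" and c.end < today]
    if expired_regular and version < NO_GRACE_FROM:
        grace_end = max(c.end for c in expired_regular) + timedelta(days=GRACE_DAYS)
        if today <= grace_end:
            warnings.append(f"contract expired; grace period ends {grace_end}")
            return "grace", warnings
    warnings.append("no valid Application Control contract: blade disabled on gateway")
    return "disabled", warnings

def sample_report() -> dict:
    """Constructed sample (not real data): four R75 gateways, each checked on its own,
    since the page says grace periods and status are calculated per gateway."""
    today = date(2013, 6, 1)
    gateways = {
        "gw-a": [Contract("regular", date(2012, 6, 1), date(2013, 6, 15))],     # expiring soon
        "gw-b": [Contract("regular", date(2012, 1, 1), date(2013, 4, 1))],      # in 90-day grace
        "gw-c": [Contract("evaluation", date(2013, 3, 1), date(2013, 3, 31))],  # expired, no grace
        "gw-d": [trial_license(date(2013, 5, 20))],                             # trial still running
    }
    return {name: blade_status(cs, (75, 0), today) for name, cs in gateways.items()}
```

Passing (80, 10) or later as the version makes gw-b come out as "disabled" instead of "grace", matching the R80.10 note above.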
- How is the contract information updated?
When you purchase a new Application Control Blade contract, the contract is added to your User Center account. In most cases, the contract is already associated with a container (e.g. a gateway). If this is not the case, you need to associate it manually (for more information, refer to sk44245: How to check if the security gateway is covered by an IPS or SmartDefense contract in User Center). On the Security Gateway, a task that runs every 2 hours updates the license and contract information from the User Center account to the Security Gateway. Since every contract is associated with a container (or gateway) license, the system must verify that all relevant gateways have valid licenses before updating the contract information. The automatic contract update task requires Internet connectivity from the Security Gateway machine.
- I have just manually installed a new gateway, or a new contract. When I install the policy, I still see a warning about a missing, or expired contract for that gateway. What is wrong?
The contract information is updated by the scheduled periodic update, which runs every 2 hours. The update process may take a few minutes to complete, so allow up to 10 minutes for the new contract information to be available in the system.
- What are the Application Control contract requirements in cluster environments?
Generally, all cluster members must run the exact same policy. Specifically, they must use the same Application Control policy. If one of the cluster members does not have a valid Application Control contract, Application Control is turned off on that member. Make sure all cluster members have valid Application Control contracts.
- How are the Application Control contracts managed in a Provider-1 environment?
Application Control contracts are managed per CMA. The MDS neither checks nor alerts on missing or expired Application Control contracts. All the Application Control contracts should be available on the CMA (or directly on the gateways), and all the notifications are provided through the CMAs.
- What should I do if my Security Gateway is not connected to the Internet?
If the Security Gateway is not connected to the Internet, it cannot be updated with new contracts. Its contract association status is determined by the last successful update. Updating contracts requires Internet connectivity.
- How can I configure the automatic update to work through a proxy?
The automatic update process is performed independently on the Security Gateway and on the Security Management Server. To allow connections through a proxy from the Security Gateway or the Security Management Server, open the object properties of the gateway or Security Management Server in SmartDashboard and go to 'Topology > Proxy'. In a Multi-Domain Security Management environment, configure a proxy in 'Policy > Global Properties > Proxy'. Currently, it is not possible to use authenticated proxies to perform Application Control updates.
Note: In VSX, where the blade is enabled on a certain VS, the VSX (VS0) MUST have connectivity to the Internet.