Check Point VPN-1/FireWall-1

Basic License Features of Next Generation AI


AERAsec Network Services and Security GmbH


This page is about the basic license features of Check Point FireWall-1/VPN-1.

Usually, people have a string describing the license, but not everybody knows exactly what this license string means. A look at the file $CPDIR/conf/cp.macro doesn't always help, because that file only maps the license string to the license features.
Further information about these extended license features can be found here.
This text covers Check Point Next Generation with Application Intelligence R55, but also earlier versions.

Please note that not all listed license features are available today!

 

General overview

When obtaining a license, you will get a Certificate Key (CK), which isn't really a license. By entering this CK in your account at Check Point's Usercenter, you will get the "real license" to be imported at the SmartCenter (or at the Firewall, when still using local licensing).

The CK is generated once you have placed your order for the license(s) you need. In general, an order key has different parts, e.g. P-CPXP-SC3-250-NG. Let's divide this key into five different parts:

  1. P
    Type of key
  2. CPXP
    Product Category
  3. SC3
    Product Description
  4. 250
    Number of protected IPs or users, number of routers, gateways, etc.
  5. NG
    Version of the software

 

1. Type of key

There are only two possibilities here. P means Product, which is a new license for the software. If you have a Software Subscription (strongly recommended), it is renewed every year; the order key then starts with M-SS, which means Maintenance - Software Subscription.

 

2. Product Category

Here you find a large collection of categories. Today there are fewer categories, but this page should also help you with older licenses.

CKPT
Check Point Enterprise based Software Subscription

CPAD
Active Defense, license for SmartDefense

CPFW
FireWall, Class of licenses for FireWall-1 without encryption.

CPGX
FireWall-1 GX, needed for securing GPRS.

CPIN
Reporting Center, now called SmartCenter Gateway, needed when using tools for e.g. extracting information from logs with the Reporting Module.

CPIS
Check Point InterSpect, appliance for securing the internal network

CPMI
Meta IP, license for the DHCP suite MetaIP.

CPMP
Management Product, necessary for e.g. SmartCenter.

CPPR
PRovider-1, licenses which are specific for Provider-1, the management tool for Managed Service Providers.

CPSB
Safe@ Box, license for a Safe@ Appliance from Check Point.

CPSM
Site Manager, like Provider-1, but with the option of managing small sites also.

CPTC
Traffic Control, part of FloodGate-1 for QoS (Quality of Service).

CPTS
Check Point Training Service for attending a training at an ATC (Authorized Training Center)

CPUA
UserAuthority, the system for reduced SignOn by Check Point.

CPVE
VPN-1 Edge, license for a centrally managed Check Point Appliance

CPVH
Very High performance acceleration for 3DES, license for Accelerator Cards.

CPVP
VPN Product for licensing a VPN-1, with Encryption.

CPWS
Check Point Web Security with the Connectra Web Security Gateway appliances

CPXM
EXtranet-Manager, necessary for configuration of an Extranet with VPN-1 Pro.

CPXP
EXpress Product, Basic license for Check Point Express for SmartCenter and a Gateway.

CSP
Check Point Support Program, necessary for opening troubleshooting Tickets at Check Point.

ST
Licenses for obtaining maintenance for Safe@Office appliances.

 

3. Product Description

AM
Account Management, now called SmartDirectory for authenticating users by LDAP.

BAC
When having a license for VPN-1, this enables the encryption and decryption in hardware, e.g. VPN-1 Accelerator Card III.

CC
ConnectControl, License for Load Balancing of servers behind a gateway, requires at least a license for FireWall-1

CLM
Customer Log Module, SmartCenter for logging and not for pushing rules to the Firewalls.

CM
VPN-1 Certificate Manager, used in earlier versions for an easy to handle Certificate Authority.

CMA
Customer Management Add on, a "virtual" SmartCenter for managing the objects and rulesets of customers in Check Point Provider-1

CPLS
Check Point Load Sharing, needed for Load Sharing in ClusterXL, included in CXL-HA.

CRA
Check Point Connectra, licenses concerning these appliances, for HA see HCRA.

CXL-HA
Cluster XL, earlier license for ClusterXL with Load Sharing and High Availability.

CXLS
ClusterXL, license for additional Load Sharing, not High Availability only.

DBVR
Policy Versioning, License for revision control of policies.

DHCP
MetaIP DHCP Server, programmable DHCP-Server

DNS
MetaIP DNS, commercial Nameserver for MetaIP, BIND compatible, needs a license for MetaIP Manager.

DOCS
Printed version of the documentation for Check Point products.

ECM
Enterprise Traffic Management Console, additional Management Module for FloodGate-1.

EMC
Enterprise Management Console, Management of an unlimited number of Gateways.

EMI
Extranet Management Interface, necessary for configuring the Extranet Feature

ENC
Encryption Module, additional license for upgrading a FireWall-1 to VPN-1.

ENT
Enterprise Coverage for Software Subscription, since the Software Subscription has changed starting with April 2004.

EPC
Enterprise Center, combination of a SmartCenter with a FireWall-1 (without encryption) for an unlimited number of protected hosts.

ESC
Enterprise Security Center, Enterprise Management Console for an unlimited number of Enforcement Points.

ESO
Additional license for enlarging the number of managed SmallOffice devices, additional to VSO.

ETC
Enterprise Traffic Control, unlimited version of FloodGate-1 (ETM and FGM), identical with ETF.

ETF
FloodGate-1 Enterprise Center, SmartCenter and Gateway for an unlimited number of IP addresses.

ETM
Enterprise Traffic Management Console, Management Module for FloodGate-1. Compared to ECM, the Gateways can be administered remotely.

EVAL
License for Evaluation, mostly valid for 30 days. All features free for testing.

FGG
FloodGate-1 Internet Gateway, for 25 to 250 internal IP addresses.

FGM
FloodGate-1 Module for 25 to unlimited number of internal IP addresses, SmartCenter is needed for administration.

FIG
Firewall Internet Gateway, Single Gateway combining a Management Module and a Gateway without encryption. Management and Enforcement Point have to reside on the same system.

FM
Firewall Module, protecting 25 to unlimited internal IP addresses, needs a Management Module for administration.

FSO
License for Small Office, e.g. Nokia IP120 or IP130. Protection of up to 100 users.

FSS
FireWall-1 SecureServer, Module to protect a single system without IP forwarding enabled, no encryption, SmartCenter for administration needed.

GMC
Management of an unlimited number of GX-Gateways.

GME
Management of an unlimited number of GX-Gateways, protecting an unlimited number of IP addresses.

GX
License for Evaluation of Firewalls with GPRS.

HA
High Availability, License for a further Firewall Module in ClusterXL.

HA-MGMT
High Availability Management.

HCRA
Check Point Connectra, licenses concerning the high availability of these appliances.

HFM
Combination of two Firewalls without encryption for HA solutions, number of protected IP addresses between 25 and unlimited. For High Availability, the license for ClusterXL or an OPSEC product is needed. Needs a SmartCenter for management.

HVG
SVN Packet with two Firewalls with encryption (VPN-1 Pro) including FloodGate-1. Number of protected IP addresses between 25 and unlimited. For High Availability, the license for ClusterXL or an OPSEC product is needed. Needs a SmartCenter for management.

HVM
Package with two Firewalls with encryption (VPN-1 Pro), number of protected IP addresses between 25 and unlimited. For High Availability, the license for ClusterXL or an OPSEC product is needed. Needs a SmartCenter for management.

HVPG
Additional Firewalls with encryption (VPN-1 Pro) including FloodGate-1 for use in a Cluster. Number of protected IP addresses between 25 and unlimited. Needs a SmartCenter for management and, if wanted, ClusterXL for Load Sharing.

HVPX
Additional Gateway for configuring High Availability with Check Point Express.

HVSX
High availability for Virtual System Extension, needs VSX.

HWIT
Web Intelligence, licenses needed for making this feature highly available.

INSP
Check Point InterSpect, licensed concerning the appliances and their licenses.

INSP
License for an Internal Security Gateway (InterSpect). License depends on the Hardware and Type of InterSpect.

INT-SPEC
Old name for License of an Internal Security Gateway (InterSpect). License depends on the Hardware and Type of InterSpect.

IP
Client licenses for MetaIP, licensing depends on the number of IP addresses. Needs the MetaIP Manager and MetaIP DHCP server.

IPV6
License for the use of NG under IP version 6, not yet available for all platforms.

MDS
Multi Domain Server for Check Point Provider-1, divided into Manager (additional M), Container (additional C) and the combination of these two.

MEDIA
CD with the software, mostly includes a Certificate Key for an Evaluation license.

MEP
License for configuring Multiple Entry Points, included in VPN-1 Pro

MGM-HA
High Availability for the Management. This license is necessary besides two licenses for SmartCenter or SmartCenter Pro.

MLM
Multi Domain Log Module, available for additional central logging in Check Point Provider-1

MOTIF-GUI
Separate license for running the GUI under Sun Solaris.

MPU
Multiple CPU, License for Gateways with more than 1 CPU, licensing depends on number of Gateways.

MSM
MetaIP Manager Service, Management of MetaIP DNS and DHCP Services for the licensed number of IP addresses.

NSC
Network Security Center, License for administration of an unlimited number of routers with the GUI.

NIC
Network Interface, part number of additional interfaces for Check Point InterSpect.

OSE
Open Security Extension, License for managing Access Control Lists (ACLs) for Routers directly with the GUI, available for one or an unlimited number of Routers.

PPK
Performance Pack for Linux, Sun Solaris and SecurePlatform, activates SecureXL and can handle more than one CPU.

PRO
Additional license for Check Point Provider-1 as a Management Add-On.

PS
Power Supply, part number for additional and redundant power supplies for appliances from Check Point.

PTR
Number of partners when configuring the Extranet Feature.

QOS
Quality of Service by FloodGate-1, add on for Check Point Express.

RM (since NG FP3 also SSV or SVR)
Reporting Module to generate reports from the logs, licenses depend on the number of Management Modules.

RTM
Real Time Monitoring of the Gateway. License is included in FloodGate-1 and SVN bundles.

S8
License for VPN-1 Edge Appliance S8 for 8 internal users.

SC1
License for managing one Gateway with a SmartCenter, relevant for Check Point Express.

SC3
License for managing three Gateways with a SmartCenter, relevant for Check Point Express.

SC5
License for managing a maximum of five Gateways with a SmartCenter, relevant for Check Point Express.

SCP
Older license for SmartCenter Pro, Management Module including SmartUpdate, SmartMap, Management HA, and SmartDirectory.

SCPRO
Current license for SmartCenter Pro, Management Module including SmartUpdate, SmartMap, Management HA, SmartDirectory, and Smart LSM, which is the Large Scale Manager for managing many Check Point Appliances like e.g. VPN-1 Edge.

SCT
SmartCenter, Management Module for an unlimited number of Enforcement Points

SEP
Single Entry Point, early license for High Availability, included in ClusterXL.

SMC
SmartCenter, Management Module for a Firewall with 250 or unlimited internal IP addresses.

SMDF
see SMRD, SmartDefense.

SMP
Security Management Portal for managing many S-boxes (e.g. Safe@Office)

SMRD
SmartDefense, follow-up to CPMAD, giving more security on the Network Layer and Application Layer deploying Application Intelligence (since NG R54).

SSV
SmartView Gateway, License for the use of a tool to generate reports for one Gateway, consists of SmartView Reporter and SmartView Monitor.

STC
When having a license for VPN-1, this enables the encryption and decryption in hardware, e.g. SecureXL Turbocard.

SU
Security Updates, necessary for Software Subscription for SmartDefense.

SUP
SmartUpdate, (ex Secure Update). License for a central Product Management for a SmartCenter, available for one or 20 Management Modules and included in SmartCenter Pro.

SVR
SmartView unlimited Gateways, License for the use of a tool to generate reports of an unlimited number of Gateways and protected IP addresses, consists of SmartView Reporter and SmartView Monitor.

SX
Virtual System Extension, second license for deployment of virtual machines to manage different rulesets on one system, important for securing VLANs and needed for setting up a Cluster.

SXL
SecureXL, License for a "tuned version" of FireWall-1 and VPN-1, respectively. This license enables the API which is used by the Performance Pack or Nortel ASF.

UAG/UAS
UserAuthority Server, License for the configuration of one Server for the UserAuthority.

UAU
UserAuthority Users, Licensing of authentication and authorization of users for UserAuthority.

VCT
Check Point Enterprise, unlimited number of users, includes SmartCenter and an unlimited Gateway (FireWall-1, VPN-1, FloodGate-1).

VEE
VPN Enterprise Center, combination of a SmartCenter with a Gateway (VPN-1 Pro) for an unlimited number of protected IP addresses.

VEPRO
Check Point Enterprise Pro, unlimited number of users, includes SmartCenter and an unlimited Gateway (FireWall-1, VPN-1, FloodGate-1), includes SmartUpdate, SmartMap, SmartDirectory, Smart LSM, Management High Availability, SmartView Tracker and SmartView Monitor.

VES
VPN-1 Enterprise Security Center, combination of VEE with ConnectControl for Load Balancing of servers.

VFE
VPN Enterprise Center with FloodGate-1, combination of a SmartCenter with a Gateway (VPN-1 Pro and FloodGate-1) for an unlimited number of protected IP addresses.

VFF
Combination of the modules of VPN-1 Pro with FloodGate-1

VFG
VPN Gateway with FloodGate-1, combination of a SmartCenter with a Gateway (VPN-1 Pro and FloodGate-1) for a limited number of protected IP addresses, Management has to reside on the Gateway.

VFM
VPN-1 Pro (VPN Firewall Module), needs like FM a SmartCenter, with Encryption.

VGS
VPN-1 Global Security Center, combination of VEE and administration of an unlimited number of Routers.

VIG
VPN Internet Gateway, Single Gateway as a combination of a Management Module and a Firewall (VPN-1 Pro) for a limited number of protected IP addresses, Management has to reside on the Gateway.

VMC
VPN-1 Mac Client, SecuRemote/SecureClient R56 for Macintosh OS X, needs a valid license for encryption, is licensed for the number of users and as SecuRemote also available for Mac OS8 and Mac OS9. 

VNT
VPN-1 Net, licensing the number of parallel VPN tunnels, basic Firewall only, needs a Management Module.

VPE
Visual Policy Editor, aka SmartMap. License for graphic view of the objects. Included in SmartCenter Pro.

VPG
VPN-1 Pro Gateway, needs a SmartCenter and is licensed per number of users.

VPS
Policy Server, necessary when using SecureClient, included in VSC, but here for an unlimited number of users.

VPX
Additional Enforcement Point for Check Point Express, limited number of users (25 - 500)

VSC
VPN-1 SecureClient, VPN Client like SecuRemote, but with a centrally managed Personal Firewall for the users, needs a Policy Server at the Gateway and is licensed per user.

VSO
License for the use of VPN-1 for Small Office solutions like e.g. Nokia IP120 or IP130. No User-Authentication and no synchronization of the State Tables possible, up to 100 users.

VSR
VPN-1 SecuRemote, VPN Client for encrypted connections to a VPN-1 Pro at the Gateway. License is free of charge.

VSS
VPN-1 SecureServer, Module to protect a single system without IP forwarding enabled, with encryption, SmartCenter for administration needed.

VSX
Virtual System Extension, Deployment of virtual machines to manage different rulesets on one system, important for securing VLANs.

WIT
Web Intelligence, special protection for web servers starting with version NG AI R55W.

X16
License for protecting 16 internal users with a VPN-1 Edge appliance.

X32
License for protecting 32 internal users with a VPN-1 Edge appliance.

XU
License for protecting an unlimited number of internal users with a VPN-1 Edge appliance.

 

4. Number of protected IPs or users, number of routers, gateways, etc.

Usually, a number is found here. If the number of protected users is unlimited, a U is shown.
Please be aware that Check Point changed the licensing with the introduction of Check Point Express!

  • Old licensing scheme:
    A license has to be obtained for every IP device which is protected by the gateway. So not only users sending packets across the Firewall have to be licensed, but also internal servers, routers, switches, printers - every device having an IP address.
  • Licensing since Check Point Express:
    Here, only "internal users" have to be licensed. This means that every user or IP address crossing the Firewall from an internal IP address (internal net, but also DMZ) has to be licensed. Additionally, servers being contacted from external IP addresses are counted.

Concerning Check Point Connectra or Check Point InterSpect, this number stands for the model. The higher the number, the higher the performance and flexibility of the appliance.

 

5. Version of the software

In general, the version is 41 or NG.
41 means version 4.1, which isn't supported any more. So your new, valid license should have the NG at the end. If you have a valid Software Subscription, you can upgrade to NG free of charge. If not, please contact your reseller to get a license for NG. Be aware that a reinstatement fee is charged.
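
Putting the five parts together, here is an added example (not part of the original page and not a Check Point tool) that splits an order key for a license inventory, coping with the hyphen inside M-SS and inside descriptions such as CXL-HA. It assumes that M-SS keys use the same layout after the prefix; the second and third sample keys are constructed.

```python
from typing import NamedTuple, Optional

KEY_TYPES = ("M-SS", "P")   # section 1; note that M-SS itself contains a hyphen
VERSIONS = ("41", "NG")     # section 5
# Product categories listed in section 2 of this page.
CATEGORIES = frozenset(
    "CKPT CPAD CPFW CPGX CPIN CPIS CPMI CPMP CPPR CPSB CPSM CPTC CPTS "
    "CPUA CPVE CPVH CPVP CPWS CPXM CPXP CSP ST".split()
)


class OrderKey(NamedTuple):
    key_type: str
    category: str
    description: str
    count: Optional[int]    # None means unlimited ("U")
    version: str
    known_category: bool    # False if the category is not in the list above


def parse_order_key(key: str) -> OrderKey:
    key = key.strip().upper()
    key_type = next((t for t in KEY_TYPES if key.startswith(t + "-")), None)
    if key_type is None:
        raise ValueError(f"unknown key type in {key!r}")
    fields = key[len(key_type) + 1:].split("-")
    if len(fields) < 4 or "" in fields:
        raise ValueError(f"need category, description, count, version: {key!r}")
    category, count_field, version = fields[0], fields[-2], fields[-1]
    # Descriptions such as CXL-HA or MOTIF-GUI contain hyphens, so the
    # description is everything between the category and the count.
    description = "-".join(fields[1:-2])
    if version not in VERSIONS:
        raise ValueError(f"unexpected version {version!r} in {key!r}")
    if count_field == "U":
        count = None
    elif count_field.isascii() and count_field.isdigit():
        count = int(count_field)
    else:
        raise ValueError(f"count must be a number or U, got {count_field!r}")
    return OrderKey(key_type, category, description, count, version,
                    category in CATEGORIES)


if __name__ == "__main__":
    # First key is the page's example; the other two are constructed samples.
    for sample in (
        "P-CPXP-SC3-250-NG",
        "P-CPVP-CXL-HA-U-NG",
        "M-SS-CPVP-VFM-25-NG",
    ):
        print(sample, "->", parse_order_key(sample))
```

For Connectra and InterSpect keys the parsed count is the appliance model rather than a user count, as noted in section 4.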

 


No warranty at all, your Feedback is welcome!
© 2003-2010 AERAsec Network Services and Security GmbH, last change 2005-03-10