High Availability Environment

In a High Availability environment, when you run some of the vsec_lic_cli commands (see Managing CloudGuard Central Licenses) on the Primary Management Server or Primary Multi-Domain Server, the tool instructs you to run the same commands on the Secondary Management Server or Secondary Multi-Domain Server, respectively.

If the tool does not instruct you to run the command in other High Availability machines, the information synchronizes automatically between the machines.

Management High Availability Environment

You can manage, add, remove and distribute the licenses only from the Active Management Server.

Multi-Domain Server High Availability Environment

On a Multi-Domain Server, the tool can run in two different modes: MDS (System) Mode and Domain Mode (see Multi-Domain Server Specifications).

  1. In Domain mode, you can manage (e.g., add, remove and distribute) the licenses only from the Active Domain Server (CMA).

  2. In MDS (System) Mode, each MDS manages (e.g., adds, removes and distributes) the licenses for all of the Security Gateways that are connected to the MDS's Active Domain Servers (CMAs). For any Domain Server (CMA) that is active and managed from another MDS, you must run the operation from its managing MDS.

Distributing Licenses for Security Gateways on HA Environment with MDS Mode

To add and distribute licenses to the Security Gateways, you must add and distribute the licenses from the active Multi-Domain Server. After the licenses are synchronized between all of the members (synchronization can take up to 3 minutes, or you can run Sync Now from SmartConsole), you must distribute them from all of the Multi-Domain Servers. This way, each Multi-Domain Server distributes the licenses to all Gateways that are connected to its active Domain Servers (CMAs).

Important - In versions R81.20 with Jumbo HFA Take 26 and higher, you must add and distribute the licenses from all of the Multi-Domain Servers using cplic commands.

This example shows how to add and distribute a license in a Multi-Domain Server HA environment in MDS/System mode:

On the primary Multi-Domain Server run:

  1. vsec_lic_cli on [if it was not run before]

  2. vsec_lic_cli add <license string related to the IP of the primary MDS>

  3. vsec_lic_cli distribute

On the Secondary Multi-Domain Server run:

  1. vsec_lic_cli on [if it was not run before]

  2. In versions R81.20 with Jumbo HFA Take 26 and higher, run:

    cplic put <The same license string related to the IP of the primary MDS>

  3. vsec_lic_cli distribute

This example shows how to remove a license in a Multi-Domain Server HA environment in MDS/System mode:

On the primary Multi-Domain Server run:

  1. vsec_lic_cli on [if it was not run before]

  2. vsec_lic_cli remove <license CK>

  3. vsec_lic_cli distribute

On the Secondary Multi-Domain Server run:

  1. vsec_lic_cli on [if it was not run before]

  2. Only in versions R81.20 with Jumbo HFA Take 26 and higher, run:

    cplic del <license signature>

    To make sure that the license's signature is removed, you can run one of these commands on the Secondary Multi-Domain Security Server:

    • cplic print -n -x | grep <the deleted CK in the primary MDS>

    • mgmt_cli -r true show central-licenses

  3. vsec_lic_cli distribute
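
The verification step in the removal example above can be scripted so that a license that is still listed stops the run before the final distribute. The function below is an added example, not part of the product or of this guide; the name wait_ck_state and its arguments are hypothetical. It goes beyond the single check in the text by also polling for a CK to become present, which assumes that the listing command you pass reflects licenses after synchronization.

```bash
#!/usr/bin/env bash
# Added example (not Check Point code): poll a license listing until a
# Certificate Key (CK) is present or absent, or until the timeout expires.
#
# usage: wait_ck_state <present|absent> <ck> <timeout_s> <interval_s> <cmd...>
# returns: 0 = state reached, 1 = timeout, 2 = bad usage
wait_ck_state() {
    local want="$1" ck="$2" timeout="$3" interval="$4"
    if [ "$#" -lt 5 ] || [ -z "$ck" ]; then
        echo "usage: wait_ck_state <present|absent> <ck> <timeout_s> <interval_s> <cmd...>" >&2
        return 2
    fi
    shift 4
    case "$want" in
        present|absent) ;;
        *) echo "unknown state: $want" >&2; return 2 ;;
    esac
    if ! [ "$interval" -gt 0 ] 2>/dev/null || ! [ "$timeout" -ge 0 ] 2>/dev/null; then
        echo "timeout and interval must be whole seconds" >&2
        return 2
    fi

    local waited=0 out found
    while :; do
        # A listing command that fails proves nothing, so its (empty)
        # output is never accepted as evidence that the CK is absent.
        if out=$("$@" 2>/dev/null); then
            # -F matches the CK as a literal string, not as a regex.
            if printf '%s\n' "$out" | grep -qF -- "$ck"; then
                found=present
            else
                found=absent
            fi
            [ "$found" = "$want" ] && return 0
        fi
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
}

# On the Secondary Multi-Domain Server, after step 2 of the removal example
# (single check, no waiting; the CK value is a placeholder):
#   wait_ck_state absent '<license CK>' 0 1 cplic print -n -x || echo "CK still listed" >&2
```

A timeout of 0 performs exactly one check, which is the right setting after cplic del.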

Notes:

  • The daily periodic license distribution is run from each Multi-Domain Server and distributes licenses to all active Domain Servers (CMAs).

  • When a policy is installed from any active Domain Server (CMA), the licenses are distributed to the Gateways of that Domain Server (CMA). In the case of AWS Auto Scaling Group, Azure VMSS, and similar deployments, a newly deployed Gateway starts a policy installation from the active domain on the Gateway, and later the distribution starts automatically.