Managing CloudGuard Central Licenses

The CloudGuard Central License A Central License is a CloudGuard Security Gateway license. It is deployed and managed on the Security Management Server or Multi-Domain Server and distributed from a license pool to all CloudGuard Security Gateways connected to corresponding Management Servers. tool (vsec_lic_cli) manages CloudGuard Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. licenses. CloudGuard Central Licenses already added with other tools (such as SmartUpdate Legacy Check Point GUI client used to manage licenses and contracts in a Check Point environment.) are automatically added to the applicable license pool A License Pool is a group of CloudGuard Central Licenses with the same blades and valid contracts. A Security Management Server or Multi-Domain Server can have multiple license pools. Each pool is defined by: - Pool Type - Total Quota - Available Quota - Certificate Keys - Subscribed Security Gateways.

The vsec_lic_cli tool is not up and running by default. You must put it on to start automatically distributing licenses to CloudGuard Security Gateways. If you put it off, already distributed licenses stay on respective CloudGuard Security Gateways, but no automatic distribution is performed.

The vsec_lic_cli tool provides a Command Line Interface (CLI) and an interactive CLI menu.

Operations only available from the CLI:

Operation

CLI command

Display help on the Central License tool.

vsec_lic_cli –h

Start the Central License tool. (It is not running by default.)

Note - Starting from version R81.20 with Jumbo Take 26 and above, the vsec_lic_cli tool is on by default.

vsec_lic_cli on

Stop the Central License tool.

Note -This command clears the view table but does not affect the Security Gateway. To align the vsec_lic_cli view table with the environment's licenses, you must run the command vsec_lic_cli distribute.

vsec_lic_cli off

* Switch the tool's operation mode to MDS (System).

vsec_lic_cli mode mds

* Switch the tool's operation mode to Domain.

vsec_lic_cli mode domain

* Show the tool's current operation mode. (Available on R81 and higher)

vsec_lic_cli mode status

Update an existing license in case of changes in the license string. For example, when you purchase more blades for this license.

See Obtaining a License from the User Center to fill in the parameters' values.

Note - This command is available in R81 and higher.

vsec_lic_cli update <IP-address> <expiration-date> <signature-key> <license-string>

* These commands are only available on the Multi-Domain Server Dedicated Check Point server that runs Check Point software to host virtual Security Management Servers called Domain Management Servers. Synonym: Multi-Domain Security Management Server. Acronym: MDS. (see Multi-Domain Server Modes).

`vsec_lic_cli` Command Line Interface Menu

To start working with the vsec_lic_cli interactive CLI menu, run the tool in the Expert mode on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Multi-Domain Server. The menu offers these options:

Add license
Remove license
View licenses usage
Run license distribution
Choose default license pool (available from R81 and higher)
Configure automatic license distribution for security gateway
Configure license pool for Gateway (available from R81 and higher)
Gateways core usage report
Run single distribution (available from R81.20 with Jumbo Hotfix Accumulator Collection of hotfixes combined into a single package. Acronyms: JHA, JHF, JHFA. Take 26 and higher)
Exit.

Add license

To add a Central License to the license pool on a Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server., Multi-Domain Server, or Domain Management Server Virtual Security Management Server that manages Security Gateways for one Domain, as part of a Multi-Domain Security Management environment. Acronym: DMS., make sure it is issued to the IP address of the corresponding server.

To add a license:

Issue the Central License with the required server IP address in the User Center (see Obtaining a License from the User Center).
Copy the license string text directly from the User Center (Not from the license file).
Run the vsec_lic_cli tool in the interactive mode.
Select the option Add license from the menu. This prompts the message: "Please insert license string: "

Paste the string copied in step 2.

Notes:

The Central License text string has the following format: <IP-address> <expiration-date> <signature-key> <license-string>.

For example: 1.2.3.4 never dUy6trBX8-jmVyWKQSX-xzdTkVFVT-76nMEXDks cpsg-ve+8 cpsb-base cpsb-fw cpsm-c-2 cpsb-vpn cpsb-adnc cpsb-npm cpsb-logs cpsb-ips cpsb-av cpsb-urlf cpsb-apcl cpsb-aspm cpsb-abot-s cpsb-ctnt CK-7979AABB1234
The <signature-key> starts with the letter "d".
The <license string> includes a set of Macros (licensed products' SKUs) and ends with the Certificate Key of this license.

If you work in the CLI, use these commands to add the Central License and update license information on subscribed Security Gateways:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli add <IP-address> <expiration-date> <signature-key> <license-string><Central License CK>`	Adds a Central License.
3	`vsec_lic_cli distribute`	Updates license information on subscribed Security Gateways.

The Central License is added to the license pool that matches its blades.

Pool Type

The Pool Type is based on the blades included in the pool's Central Licenses:

Pool Type	Included Blades
NGTP	Includes Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT., Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI., URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF., Anti-Spam Check Point Software Blade on a Security Gateway that provides comprehensive protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS, ASPAM., Email Security, or IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). blades.
NGTX	Includes Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. or Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. blades.

Pool Type

Included Blades

NGTP

Includes Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT., Anti-Virus Check Point Software Blade on a Security Gateway that uses real-time virus signatures and anomaly-based protections from ThreatCloud to detect and block malware at the Security Gateway before users are affected. Acronym: AV., Application Control Check Point Software Blade on a Security Gateway that allows granular control over specific web-enabled applications by using deep packet inspection. Acronym: APPI., URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF., Anti-Spam Check Point Software Blade on a Security Gateway that provides comprehensive protection for email inspection. Synonym: Anti-Spam & Email Security. Acronyms: AS, ASPAM., Email Security, or IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). blades.

NGTX

Includes Threat Emulation Check Point Software Blade on a Security Gateway that monitors the behavior of files in a sandbox to determine whether or not they are malicious. Acronym: TE. or Threat Extraction Check Point Software Blade on a Security Gateway that removes malicious content from files. Acronym: TEX. blades.

If a license has the DLP (Data Loss Prevention Check Point Software Blade on a Security Gateway that detects and prevents the unauthorized transmission of confidential information outside the organization. Acronym: DLP.) blade, the pool type is appended by "+DLP".
Central Licenses with the same valid blades are grouped into the same pool type.

If the Security Management Server or Multi-Domain Server is connected to the Internet, then license contracts (validity terms) are automatically collected from the User Center (see Prerequisites). Otherwise, you must manually provide license contracts with SmartUpdate.

After the Central License is added to the license pool, it is automatically distributed to the subscribed Security Gateways.

Notes:

Evaluation licenses are placed in the license pool based on included Software Blades (available for R81 and higher).
When an Evaluation license expires, it is automatically moved from its initial pool to a special pool called EXPIRED and removed from the CloudGuard Security Gateways that used it.
Licenses from the EXPIRED pool are not distributed again to CloudGuard Security Gateways.

Remove license

When you remove a Central License from the license pool, it is also removed from all CloudGuard Security Gateways that use this license.

To remove a license:

Run this command on the license pool server: mgmt_cli -r true show central-licenses.
Find the Central License you want to remove and copy its Certificate Key.
Run the vsec_lic_cli tool in the interactive mode.
Select the option Remove license from the menu. This prompts the message: "Please insert license CK Certificate Keys (CKs) of Central Licenses in the License Pool.: "
Paste the Certificate Key copied in step 2.

If you work in the CLI, use these commands to remove the Central License and update license information on subscribed Security Gateways:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli remove <Central License CK>`	Removes a Central License.
3	`vsec_lic_cli distribute`	Updates license information on subscribed Security Gateways.

View license usage

The Central Licensing tool shows license usage license usage details for all CloudGuard Security Gateways subscribed to the license pool. This information is available:

The total number of licensed cores.
The number of available licensed cores.
Subscribed Security Gateways and the number of cores consumed by each Security Gateway.

If you work in the CLI, use these commands to see the license usage:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli view`	Shows license usage.

Run license distribution

Central Licenses are automatically distributed to subscribed CloudGuard Security Gateways in these cases:

Once daily.
After policy installation.
When a Security Gateway moves between the pools.

Manual license distribution can be performed any time, which is helpful in these cases:

Changing the core count of the subscribed CloudGuard Security Gateway.
Adding, updating or removing Central Licenses using vsec_lic_cli CLI commands.
Enabling and disabling automatic license distribution on a CloudGuard Security Gateway.
Testing and error handling.

Note - Once you distribute the licenses, all subscribed CloudGuardGateways start receiving them from the configured license pool and are detached from any Central License that is not part of the configured pool.

If you work in the CLI, use these commands to distribute the licenses:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli distribute`	Distributes licenses to subscribed Security Gateways

Choose default license pool (available for R81 and higher)

This menu option displays a list of existing pools so you can select one of them as a new default pool A pool created by the first Central License that is added with the Central License tool. The pool type is defined based on the blades package of the first added Central License. CloudGuard Security Gateways automatically receive licenses from that pool. When all licenses in the Default License Pool are removed, a random pool is set as a default. When there are multiple pools, the user can select the default license pool.. When a pool is set as default, you can move all the Security Gateways that were in the previous default pool to it. In this case, the old licenses are removed from the Security Gateways, and new licenses are distributed.

Important - EXPIRED pool cannot be selected as the default pool.

If you work in the CLI, use these commands to set a new default pool and subscribe Security Gateways to it:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli view`	Shows information on existing license pools and allows you to select the name of the pool you want to set as a default.
3	`vsec_lic_cli default <pool-name> [optional-single-CK-from-the-pool] <move-gateways-to-new-default-pool:true\|false>`	Sets the pool as a default and subscribes Security Gateways that were previously subscribed to a different default pool
4	`vsec_lic_cli distribute`	Distributes licenses from the new default pool to subscribed Security Gateways.

Note:

If multiple pools have the same name, use the additional parameter optional-single-CK-from-the-pool to specify an CK of any license from the required pool. For example, vsec_lic_cli default VE-NGTP B - to select a pool named "VE-NGTP" that also contains a license with the CK "B".
The parameter move-gateways-to-new-default-pool is set to true by default.

Configure automatic license distribution for Security Gateway

When the Central License tool is enabled, automatic license distribution is performed by default on all configured Security Gateways on the Management Server. You can manually enable or disable receiving licenses from the Central License tool for each Security Gateway. If a Security Gateway has already received a Central License, and then you disable the automatic license distribution for it, the current Central License is removed from this Security Gateway.

If you work in the CLI, use these commands to enable or disable automatic license distribution:

Step

Command

Description

vsec_lic_cli on

Enables the tool.

vsec_lic_cli configure <disable|enable> <gateway-name>
vsec_lic_cli configure <disable|enable> <domain> <gateway-name>

Configures automatic license distribution for a Security Gateway working with a Management Server
Configures automatic license distribution for a Security Gateway working with the Domain of a Multi-Domain Server

vsec_lic_cli distribute

Pushes changes (and distribute licenses if necessary) to subscribed Security Gateways.

Configure license pool for Security Gateway (available from R81 and higher)

This menu option displays a list of existing pools so you can add a CloudGuard Security Gateway to a specific pool. After the mapping is done, a distribution command runs and the Security Gateway gets a license from the selected pool. All licenses from previous pools are removed from this Security Gateway.

If you work in the CLI, use these commands to subscribe a Security Gateway to a specific pool:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli view`	Shows information on existing license pools, including the name of the specific pool.
3	`vsec_lic_cli select <Pool Name> [Optional CK from the pool] <gateway-name>` `vsec_lic_cli select <Pool Name> [Optional CK from the pool] <domain> <gateway-name>`	Subscribes to the specific pool a Security Gateway working with a Management Server Subscribes to the specific pool a Security Gateway working with the Domain of a Multi-Domain Server
4	`vsec_lic_cli distribute`	Distributes licenses from the new pool to subscribed Security Gateways.

Gateways core usage report

You can create a CSV report with hourly core usage details for each subscribed CloudGuard Security Gateway. These details include Time Range, Domain, Given Pool, GW Allocated, Total up Time, and Total Core Hours.

Selecting this option from the menu displays these options:

=================================================
|         Gateways Core Usage Report Menu       |
=================================================
   1.   Enable collecting data for core usage report
   2.   Disable collecting data for core usage report
   3.   Generate core usage report

To create a core usage report, select Enable collecting data for core usage report. Starting from this moment, information about Security Gateways core usage is collected.

If you work in the CLI, use these commands to enable or disable data collecting for core usage reports:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli report <enable\|disable>`	Enables or disables collection of core usage data.
3	`vsec_lic_cli distribute`	Pushes changes to subscribed Security Gateways.

To export a file with an hourly core usage report, select Generate a core usage report. Then, specify the report's start date and end date in this format: YYYY/MM/DD. (You must not enter dates that are in the future.)

If you work in the CLI, use these commands to generate a core usage report:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli report generate <YYYY/MM/DD> <YYYY/MM/DD>`	Generates a report for the specified time period (where the first date is the start date, and the last date is the end date).

Important:

The core usage information is collected only from the moment you enabled the data collection.
The core usage information is collected only if the Management Server of the corresponding Security Gateway is on (it does not matter if the Security Gateway itself is on).

Note - Enabling or disabling the core usage report on a Multi-Domain Server affects all domain servers even if it was enabled or disabled on one Domain.

Run single distribution (available from R81.20 with Jumbo Hotfix Accumulator Take 26 and higher)

This menu option shows a list of existing CloudGuard Security Gateways for license distribution.

Note - If the Security Gateway already has a license (shown in the view), the license distribution command stops without execution and the vsec_lic_cli tool shows this message:

Gateway <GW_Name> already has all licenses, no need to run distribution.

If you work in the CLI, use these commands to distribute a license to a specific Security Gateway:

Step	Command	Description
1	`vsec_lic_cli on`	Enables the tool.
2	`vsec_lic_cli single_distribution <gateway-name>` `vsec_lic_cli single_distribution <domain> <gateway-name>`	Distributes a license to the specific Security Gateway working with a Security Management Server. Distributes a license to the specific Security Gateway working with a certain Domain of the Multi-Domain Server.

Managing Licenses through the API

Starting from R81.20 with Jumbo HFA Take 26, the Central License tool supports Management APIs v1.9.1. This version lets you manage licenses through API requests sent to the API server running on the Management Server.

Available API commands:

API Command	Description
`show cloud-licenses-usage`	Shows usage of attached licenses.
`distribute-cloud-licenses`	Distributes licenses to target Security Gateways.
`add central-license`	Adds a new Central License.
`show central-licenses`	Lists all attached Central Licenses.
`delete central-license`	Removes a Central License.
`show central-license`	Shows details of a specific license.

Important - To run these API commands, you must have administrator privileges with super-user permissions.

To learn more about the Management APIs, see code samples, and participate in user forums, use:

The API Documentation:

Online - Check Point Management API Reference > Misc > Licenses

Local - https://<Server IP Address>/api_docs

By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.

Note - On a Standalone Configuration in which the Security Gateway and the Security Management Server products are installed and configured on the same server. server (a server that runs a Security Management Server and a Security Gateway), the API Documentation web portal (https://<Server IP Address>/api_docs) stops working when you open SmartView Web Application (https://<Server IP Address>/smartview).

The Developers Network section of the Check Point CheckMates Community.

API Tools

You can use these tools to work with the API server on the Management Server:

Standalone management tool, included with Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. operating system:

mgmt_cli
Standalone management tool, included with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

mgmt_cli.exe

You can copy this tool from the SmartConsole installation folder to other Windows operating system computers.
Web Services APIs that allow communication and data exchange between the clients and the Management Server over the HTTP protocol.

These APIs also let other Check Point processes communicate with the Management Server over the HTTPS protocol.

https://<IP Address of Management Server>/web_api/<command>

Configuring the API Server

To configure the API Server:

In SmartConsole, connect to the Security Management Server or applicable Domain Management Server.
From the left navigation panel, select Manage & Settings.
In the top left section, click Blades.
In the Management API section, click Advanced Settings.

The Management API Settings window opens.
Configure the Access Settings.
Configuring Access Settings
Select one of these options to configure which clients can connect to the API Server:
- Management server only - Only the Management Server can connect to the API Server. This option lets you use the mgmt_cli utility on the Management Server to send API requests. You cannot use SmartConsole or Web services to send API requests.
- All IP addresses that can be used for GUI clients - You can send API requests from all IP addresses defined as Trusted Clients in SmartConsole. This includes requests from SmartConsole, Web services, and the mgmt_cli tool on the Management Server.
- All IP addresses - You can send API requests from all IP addresses. This includes requests from SmartConsole, Web services, and the mgmt_cli tool on the Management Server.
Publish the SmartConsole session.

Restart the API server on the Management Server with this command:

api restart

Note - On a Multi-Domain Server, run the restart command in the context of the applicable Domain Management Server.