Managing CloudGuard Central Licenses

The CloudGuard Central License tool (vsec_lic_cli) is an exclusive tool for managing CloudGuard licenses. Do not use other tools at the same time. CloudGuard licenses that were already added with other tools, such as SmartUpdate, are automatically added to the pools.

The vsec_lic_cli tool is disabled by default. When it is disabled, licenses are not distributed automatically to new CloudGuard Gateways, but existing licenses remain on the CloudGuard Gateways.

The vsec_lic_cli tool provides both a Command Line Interface (CLI) and an interactive CLI menu.

Operations only available from the CLI:

  • Enable the Central License tool:

    vsec_lic_cli on

  • Disable the Central License tool:

    vsec_lic_cli off

    Note: This command clears the view table but does not affect the Security Gateway. To align the vsec_lic_cli view table with the environment's licenses, you must run the command vsec_lic_cli distribute.

  • Change the tool's mode to MDS (*):

    vsec_lic_cli mode mds

  • Change the tool's mode to Domain (*):

    vsec_lic_cli mode domain

  • Check the tool's mode: MDS or Domain (*). (Available on R81 and higher)

    vsec_lic_cli mode status

(*) Commands that are available and relevant only in Multi-Domain Server, from MDS context (see Multi-Domain Server Specifications).

vsec_lic_cli Command Line Interface Menu

Run vsec_lic_cli in the Expert mode on the Security Management or Multi-Domain Security Management Server to start the menu:

  1. Add license

  2. Remove license

  3. View licenses usage

  4. Run license distribution

  5. Choose default license pool (available from R81 and higher)

  6. Configure automatic license distribution for security gateway

  7. Configure license pool for Gateway (available from R81 and higher)

  8. Gateways core usage report

  9. Exit.

Note - Not all options are available in all versions.

Add license

You can add a Central License to the license pool with the IP address of a Security Management Server, Multi-Domain Server or Domain Management Server.

To add a license:

  1. Get a license from the User Center (see Obtaining a License from the User Center).

  2. Copy the string text received in step 1.

  3. Select the option Add license from the menu. This prompts this message: "Please insert license string: "

  4. Paste the string text copied in step 2.

    Notes:

    • Central License string format: <ip of Management> <expiration date> <signature key> <license string>

    • <license string> includes all macros in the product and ends with the CK of this license.

    • Central license signature starts with the letter d.

The license is added to the license pool that matches its blades. If the Management Server or Multi-Domain Server is connected to the Internet, then the contracts of the license are automatically collected from the User Center (see Prerequisites). Otherwise, attach the contracts manually with SmartUpdate. A license added to a pool with Subscribed Gateways is distributed to the CloudGuard Gateway as necessary.

Notes:

  • Evaluation licenses are placed in a license pool based on the Software Blades included in the license (available for R81 and higher).

  • When an Evaluation License expires, the license is moved automatically from its original pool to a unique pool called EXPIRED, and it is removed from the CloudGuard Gateways that use it.

  • Licenses from the EXPIRED pool are never distributed again to CloudGuard Gateways.
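
A pre-flight check for the string format described in the notes above, as an added example that is not Check Point code: it splits a pasted Central License string into its fields, confirms that the IP address is the expected Management address and that the signature starts with d, and prints the CK. The function name, return codes and sample values are assumptions made for illustration.

```shell
# Added example, not Check Point code. Field layout is taken from the notes above:
#   <ip of Management> <expiration date> <signature key> <license string ... CK>
# Usage: check_central_license "<pasted string>" [<expected Management IP>]
# Prints the CK on success. Returns 1 = too few fields, 2 = malformed IPv4,
# 3 = IP is not the expected Management IP, 4 = signature does not start with "d".
# The expiration date is not checked: the page does not define its format.
check_central_license() (
    expected_ip=${2:-}
    set -f          # no glob expansion while the pasted text is word-split
    set -- $1       # $1=IP  $2=expiration  $3=signature  $4..=license string
    [ "$#" -ge 4 ] || { echo "too few fields ($#)" >&2; return 1; }
    ip=$1 sig=$3
    for ck in "$@"; do :; done   # the license string ends with the CK

    case $ip in *[!0-9.]*|.*|*.|*..*) echo "bad IP: $ip" >&2; return 2 ;; esac
    IFS=.
    set -- $ip      # split the address into octets
    [ "$#" -eq 4 ] || { echo "bad IP: $ip" >&2; return 2; }
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] ||
            { echo "bad IP: $ip" >&2; return 2; }
    done

    [ -z "$expected_ip" ] || [ "$ip" = "$expected_ip" ] ||
        { echo "license is bound to $ip, not $expected_ip" >&2; return 3; }
    case $sig in
        d*) ;;
        *) echo "signature does not start with 'd'" >&2; return 4 ;;
    esac
    printf '%s\n' "$ck"
)

# Constructed sample: every value after the IP address is a placeholder.
SAMPLE_LICENSE='192.0.2.10 EXPIRY-PLACEHOLDER dSIGNATURE-PLACEHOLDER MACRO-A MACRO-B CK-PLACEHOLDER'
```

After a successful check, the sequence on the Management Server is vsec_lic_cli add followed by vsec_lic_cli distribute.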

Remove license

When you remove a Central License from the pool, it is also removed from all CloudGuard Gateways that have the license.

View license usage

With the Central Licensing feature, you can see usage details of the CloudGuard Gateways in the pool. The available information in the view is:

  • Pool's total quota of cores.

  • Pool's available quota of cores.

  • Subscribed Security Gateways in the pool and the cores consumed by each Gateway.

Run license distribution

Distribution of licenses to the CloudGuard Gateways is done automatically in these cases:

  • Once a day.

  • On each policy installation.

  • After a Gateway is moved from one pool to another pool.

Manual distribution of licenses to the CloudGuard Gateways can be run at any time. Manual distribution is useful in these cases:

  • An existing CloudGuard Gateway changed its number of cores.

  • An existing CloudGuard Gateway changed its status from disabled to enabled for automatic distribution through the menu option Configuring Automatic License Distribution for Security Gateways.

  • An existing Central License changed and was updated with the CLI command "vsec_lic_cli update".

  • A new Central License was added with the CLI command "vsec_lic_cli add" (and not in the menu).

  • For testing and error handling purposes.

Note - After the distribution of the licenses, all CloudGuard Gateways receive the licenses from the configured license pool and are detached from any Central License that is not part of the configured pool.

Choose default license pool (available for R81 and higher)

This menu option displays a list of all the existing pools so that you can select one of them as the new default pool. When a pool is selected as default, you can choose to move all the gateways that were in the previous default pool to the new default pool. The licenses of the gateways that moved are removed and the gateways get new licenses from the new default pool.

Important - EXPIRED pool, if it exists, cannot be selected as the default pool.

Configure automatic license distribution for Security Gateway

By default, when the Central License tool is enabled, automatic distribution is enabled on all configured CloudGuard Gateways on the Management Server. For each CloudGuard Gateway, you can enable or disable receiving licenses from the Central License tool. If a CloudGuard Gateway has already received a license, and is then disabled from the automatic distribution, the license is removed from the Gateway.

Configure license pool for Gateway (available from R81 and higher)

This menu option displays a list of all the existing pools so that you can select the pool to which to add a CloudGuard Security Gateway. After the mapping is done, a distribution runs and the Gateway gets a license from the selected pool. All the licenses from the previous pool are removed from the Gateways.

Gateways core usage report

You can generate a CSV file with an hourly core usage report for each CloudGuard Gateway.

The file contains these columns: Time Range, Domain, Given Pool, GW Allocated, Total up Time, Total Core Hours

Selecting this option from the menu displays these options:

=================================================
|         Gateways Core Usage Report Menu       |
=================================================
   1.   Enable collecting data for core usage report
   2.   Disable collecting data for core usage report
   3.   Generate core usage report

To generate a core usage report:

  1. Select Enable collecting data for core usage report.

    Starting from this moment, information about Gateways core usage is collected.

  2. To export a file with an hourly core usage report, select the option Generate core usage report:

    • Insert the start date and end date for the report in this format: YYYY/MM/DD.

    • The specified dates must be in the present or the past. Future dates are not valid.

Important:

  • The core usage information is collected only from the moment you enabled collecting data for core usage report. Information about core usage that existed before enabling collecting data for core usage report is not available.

  • The core usage information is collected only if the gateway's Management Server is on, regardless of whether the gateway itself is on.
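
One way to summarize the report, as an added example that is not Check Point code: it totals Total Core Hours per Given Pool, locating both columns by the header names listed above. The function name, the comma-separated layout and the sample rows are assumptions; the rows are constructed and real value formats may differ.

```shell
# Added example, not Check Point code.
# Usage: core_hours_by_pool < report.csv
# Prints one "<pool>,<total core hours>" line per pool, sorted by pool name.
# Returns 2 if the header row lacks the expected column names.
# Assumptions: comma-separated file, one header row, no quoted commas.
core_hours_by_pool() {
    awk -F',' '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        NR == 1 {
            # Map header names to column numbers so column order does not matter.
            for (i = 1; i <= NF; i++) col[trim($i)] = i
            if (!("Given Pool" in col) || !("Total Core Hours" in col)) {
                print "missing expected column in header" > "/dev/stderr"
                bad = 1
                exit 2
            }
            p = col["Given Pool"]
            h = col["Total Core Hours"]
            next
        }
        NF > 1 { hours[trim($p)] += trim($h) }   # skip blank lines
        END {
            if (bad) exit 2
            for (pool in hours) printf "%s,%s\n", pool, hours[pool] | "sort"
            close("sort")
        }
    '
}

# Constructed sample rows. Only the header names come from the column list above;
# the pool names reuse the VE-NGTP / VE-NGTX examples from this page.
SAMPLE_REPORT='Time Range,Domain,Given Pool,GW Allocated,Total up Time,Total Core Hours
2020/01/30 10:00-11:00,DomainA,VE-NGTP,gw-east-1,60,4
2020/01/30 10:00-11:00,DomainA,VE-NGTX,gw-west-1,30,1
2020/01/30 11:00-12:00,DomainA,VE-NGTP,gw-east-1,60,4
2020/01/30 11:00-12:00,DomainA,VE-NGTP,gw-east-2,45,1.5'
```

Comparing these totals with the pool quota shown by vsec_lic_cli view indicates which pools are close to their core limit.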

vsec_lic_cli Command Line Interface

CLI Command

Description

vsec_lic_cli -h

Displays help

vsec_lic_cli

Displays the CLI menu

vsec_lic_cli on

Enables the tool. By default, the tool is disabled.

vsec_lic_cli off

Disables the tool

Note: This command clears the view table but does not affect the Security Gateway. To align the vsec_lic_cli view table with the environment's licenses, you must run the command vsec_lic_cli distribute.

vsec_lic_cli add <IP-address> <expiration-date> <signature-key> <license-string>

This is the CLI command for the menu option Add License

See Obtaining a License from the User Center to fill in the parameters' values.

After you run this CLI operation, it is necessary to run vsec_lic_cli distribute.

vsec_lic_cli update <IP-address> <expiration-date> <signature-key> <license-string>

Updates an existing license when the license string changes. For example, when you purchase additional blades for this license.

See Obtaining a License from the User Center to fill in the parameters' values.

Note - This command is available in R81 and higher.

vsec_lic_cli remove <CK>

This is the CLI command for the menu option Remove License

Specify the Certificate Key (CK) to be deleted.

vsec_lic_cli view

This is the CLI command for the menu option View License Usage

vsec_lic_cli distribute

This is the CLI command for the menu option Run License Distribution

vsec_lic_cli default <pool-name> [optional-single-CK-from-the-pool] <move-gateways-to-new-default-pool:true|false>

This is the CLI command for the menu option Choose default license pool.

Replace <pool-name> with the pool name as it appears when you run vsec_lic_cli view.

Example: vsec_lic_cli default VE-NGTX

If multiple pools have the same name, use the additional parameter [optional-single-CK-from-the-pool] to specify one CK from the desired pool.

For example:

  • pool VE-NGTP contains CK "A"

  • pool VE-NGTP contains CK "B"

To select the pool with CK "B" run:

vsec_lic_cli default VE-NGTP B

The parameter <move-gateways-to-new-default-pool> accepts true or false and lets you move all the gateways from the previous default pool to the new default pool. (Default is true)

In Single Management Server:

vsec_lic_cli configure <disable|enable> <gateway-name>

In Multi-Domain Server:

vsec_lic_cli configure <disable|enable> <domain> <gateway-name>

This is the CLI command for the menu option Configure Automatic License Distribution for Security Gateway.

Use the parameter value enable or disable with the name of a CloudGuard Gateway to enable or disable automatic distribution.

In Multi-Domain Server, specify the specific Domain in which the CloudGuard Gateway is configured. To do this, replace the argument <domain> with the Domain's name.

vsec_lic_cli report <enable|disable>

This CLI command enables or disables the collection of the Gateways Core Usage information, as described in the menu option Gateways Core Usage Report.

Note - It does not generate the report.

vsec_lic_cli report generate <YYYY/MM/DD> <YYYY/MM/DD>

This CLI command generates the Gateways Core Usage Report, as described in the menu option Gateways Core Usage Report.

Replace the arguments <YYYY/MM/DD> with a start date and end date to generate a report of core usage between these dates.

Example: vsec_lic_cli report generate 2020/01/30 2020/10/30

In this case a gateways core usage report from 2020/01/30 to 2020/10/30 is generated.

In Single Management Server:

vsec_lic_cli select <Pool Name> [Optional CK from the pool] <gateway-name>

In Multi-Domain Server:

vsec_lic_cli select <Pool Name> [Optional CK from the pool] <domain> <gateway-name>

This CLI command lets you select a CloudGuard Gateway to be in a specific Pool. After the mapping is done, the gateway gets the licenses from the selected pool.

In Multi-Domain Server, specify the specific Domain in which the CloudGuard Gateway is configured. To do this, replace the argument <domain> with the Domain's name.

Managing Licenses through API

Starting from R81.20 with Jumbo HFA Take 26, the Central License tool supports Management APIs v1.9.1. In this version you can run some license management tasks through API Requests you send to the API Server that runs on the Management Server.

The available API commands:

  • show cloud-licenses-usage - Show attached licenses usage.

  • distribute-cloud-licenses - Distribute licenses to target CloudGuard gateways.

  • add central-license - Add central license.

  • show central-licenses - Show attached licenses.

  • delete central-license - Delete central license.

  • show central-license - Show given license.

Important - To run the API commands, the user must be an administrator with super-user permissions.

To learn more about the Management APIs, to see code samples, and to take advantage of user forums, see:

  • The API Documentation:

    • Online - Check Point Management API Reference > Misc > Licenses

    • Local - https://<Server IP Address>/api_docs

      By default, access to the local API Documentation is disabled. Follow the instructions in sk174606.

      Note - On a Standalone server (a server that runs both a Security Management Server and a Security Gateway), the API Documentation web portal (https://<Server IP Address>/api_docs) stops working when you open SmartView Web Application (https://<Server IP Address>/smartview).

  • The Developers Network section of Check Point CheckMates Community.

API Tools

You can use these tools to work with the API Server on the Management Server:

  • Standalone management tool, included with Gaia operating system:

    mgmt_cli

  • Standalone management tool, included with SmartConsole:

    mgmt_cli.exe

    You can copy this tool from the SmartConsole installation folder to other Windows operating system computers.

  • Web Services APIs that allow communication and data exchange between the clients and the Management Server over the HTTP protocol.

    These APIs also let other Check Point processes communicate with the Management Server over the HTTPS protocol.

    https://<IP Address of Management Server>/web_api/<command>

Configuring the API Server

To configure the API Server:

  1. Connect with SmartConsole to the Security Management Server or applicable Domain Management Server.

  2. From the left navigation panel, click Manage & Settings.

  3. In the top left section, click Blades.

  4. In the Management API section, click Advanced Settings.

    The Management API Settings window opens.

  5. Configure the Startup Settings and the Access Settings.

  6. Publish the SmartConsole session.

  7. Restart the API Server on the Management Server with this command:

    api restart

    Note - On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server.