Troubleshooting
- On the Multi-Domain Server, when you use the vsec_lic_cli tool in MDS (System) Mode, there is a Domain that is not listed in the View License Usage output.
  Explanation:
  Only Domain Servers with active Security Gateways show in the View License Usage output.
  To make sure the Security Gateway is on:
  - Make sure the Domain Server can reach the Security Gateway (use ping or telnet commands).
  - Make sure Check Point processes are running.
  - Make sure Secure Internal Communication (SIC) is established between the Domain and the Security Gateway and the policy is successfully installed.
- The View License Usage option shows multiple pools with the same name.
  Explanation:
  This can occur when different Central Licenses have different blade packages that map to the same pool name.
  For example:
  - License "A" with the blades URL Filtering and Application Control belongs to a pool called VE-NGTP.
  - License "B" with the blades URL Filtering, Application Control, Anti-bot, and Anti-Virus belongs to a pool called VE-NGTP. But it is a different pool than that of license "A".
  To have Central Licenses grouped in the same pool, make sure they have the same blades and valid contracts.
Known Limitations
ID | Description |
---|---|
CGIS-785 | In the HA MDS (System) mode, every |
- To use the vsec_lic_cli tool in the MDS (System) mode, the Security Management Server must have Internet connectivity. Make sure that DNS and proxy settings are configured correctly (each domain must configure its own proxy).
- The MDS (System) mode requires a license whose IP address has not been changed more times than the maximum allowed by UserCenter. If your license has reached this limit, contact your sales representative.
- The vsec_lic_cli tool does not support the distribution of licenses to CloudGuard for NSX Security Gateways. (Refer to the CloudGuard Gateway for NSX Managed by R80.10 Platforms Administration Guide for details on licensing.)
- The vsec_lic_cli tool cannot provide a license to a standalone machine in a Full HA cluster configuration.
  For each Full HA cluster member, install a separate non-central license, generated for that member's IP address. Other Security Gateways will receive the Central License from the vsec_lic_cli tool.
- On the Multi-Domain Security Management Server, the license report with CloudGuard Central License data can be viewed only from the relevant context. In the Domain mode, it can be viewed from the domain; in the MDS (System) mode, it can be viewed only from the MDS level. The other license reports will be empty on the CloudGuard licenses page.
- The vsec_lic_cli tool can operate in either MDS (System) mode or Domain mode. Do not use both modes simultaneously. If you need to change the mode, delete all CloudGuard licenses from the Security Management Server (using vsec_lic_cli) before making the change.
- Operations from SmartUpdate, such as attach or detach licenses, are ignored by the vsec_lic_cli tool. Do not perform any such operations on CloudGuard licenses after turning on the vsec_lic_cli tool.
- An update to a Security Gateway's Vcore count is reflected one day after the changes are made. To expedite the update, initiate a policy installation or run a license distribution command from the vsec_lic_cli menu.
- The Security Gateway must have a policy installed to receive the license.
- When the core usage report is generated, time periods in which the Security Management Server was down are treated as if the Security Gateway was down.