Configuring and Distributing the Metered License on the Management Server

The CloudGuard Central Metered License is a license structure offered on the Check Point Security Management Server and Multi-Domain Server.

The license is defined by the Check Point Software Blades for the Security Gateway.

The Central Metered Licensing provides:

  • One global license for as many Security Gateways as are deployed under the same domain

  • Scaled-up performance on a Security Gateway with all its Cores

  • Movement of Cores from one Security Gateway to another in the same domain

  • Movement of the Security Gateway license between the public and private cloud

  • Movement of the Security Gateway between license packages

For a Multi-Domain Server, the licenses are managed on each individual Domain. Licenses are distributed to the Security Gateways managed by the domain. The license must be generated with the IP address of the Domain to which it belongs.

Activate Central License Tool

To activate the Central License tool on your Security Management Server, run these commands:

Note - If you use a Multi-Domain Server, the activation must be done at the MDS level.

On the Management Server run:

"vsec_lic_cli on"

On the Multi-Domain Server run:

"mdsenv"

"vsec_lic_cli on"

"vsec_lic_cli mode domain"

Configuring Metered Licenses

After you activate the Central License Tool, you must add a new Metered License.

Note - If you use a Multi-Domain Server, then it is necessary to run these commands for each domain explicitly.

To configure a Metered License, do these steps:

Step 1: Open the Central License Tool Menu

  • On the Management Server, run this command:

    "vsec_lic_cli"

  • On the Multi-Domain Server, run this command:

    "mdsenv <IP-of-the-domain>"

    "vsec_lic_cli"

Step 2: Configuring a Metered License

  1. Add a new Metered License:

    1. Select: Add license > Add metered license.

    2. Select the Check Point Infinity Portal Account.

      1. If no account is configured on the Management or Domain server:

        1. Enter the client id (see Create API Keys).

        2. Enter the secret key (see Create API Keys).

        3. Confirm the account details.

      2. If there are accounts configured on the Management or Domain server:

        1. Select an account.

          Or:

        2. Select Add new tenant and do the steps listed in 1-b-i.

      3. Paste the Central License string saved in Obtaining a Metered License from the User Center.

      4. The license is automatically distributed to all Security Gateways connected to this Management Server.

  2. Registering an existing license as Metered:

    If you use an earlier version of the CloudGuard Metered License Solution, do these steps:

    1. Select: Configure existing license as metered.

    2. Select the Check Point Infinity Portal Account.

      1. If no account is configured, then on the Management or Domain server do these steps:

        1. Enter the client id (see Create API Keys).

        2. Enter the secret key (see Create API Keys).

        3. Confirm the account details.

      2. If there are accounts configured on the Management or Domain server:

        1. Select an account.

          Or:

        2. Select "Add new tenant" and do the steps listed in 2-b-i-i.

      3. Select the CK to register as metered from the displayed list.

  3. Additional Security Gateways that you connect to the Management Server or Domain Server are added to the license's pool and obtain the Metered License automatically after policy is installed.

Distributing the Metered Licenses

After licenses are distributed, each additional Security Gateway connected to the Management Server gets this license automatically, after the policy is installed.

(Optional) Verify the Metered License Distribution

Deployed Security Gateways that already have an installed policy get the distributed license immediately.

To verify that a Security Gateway obtained the license:

  1. Connect to the Security Gateway.

  2. In the Expert mode, run: cplic print

    Make sure the printed license has the same string as the one copied to the Management Server. The license must include the IP of the Management Server or the IP of the specific Domain Server.
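The check in step 2 can be scripted when there are many Security Gateways to verify. The script below is an added example, not Check Point code. It assumes the Management or Domain Server IP and the license fields you compare (for example the CK) appear as whitespace-separated fields in the `cplic print` output; the function names and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Check Point code): check captured `cplic print` output
# for the Management/Domain Server IP and for fields of the distributed license.

# has_token TEXT TOKEN: succeed only if TOKEN is a whole whitespace-delimited
# field of TEXT, so 192.0.2.1 does not match inside 192.0.2.10.
has_token() {
    printf '%s\n' "$1" | tr -s '[:space:]' '\n' | grep -Fxq -- "$2"
}

# verify_metered_license TEXT IP FIELD...
# Returns 0 when IP and every FIELD are present, 1 otherwise.
# Each missing item is reported on stderr.
verify_metered_license() {
    vml_text=$1
    vml_ip=$2
    shift 2
    vml_rc=0
    if ! has_token "$vml_text" "$vml_ip"; then
        echo "missing management IP: $vml_ip" >&2
        vml_rc=1
    fi
    for vml_field in "$@"; do
        if ! has_token "$vml_text" "$vml_field"; then
            echo "missing license field: $vml_field" >&2
            vml_rc=1
        fi
    done
    return "$vml_rc"
}

# Constructed sample output: the layout and all values are placeholders.
SAMPLE_CPLIC='Host          Expiration  Features
192.0.2.10    never       EXAMPLE-BLADE-A EXAMPLE-BLADE-B CK-000000000000'

# On a gateway: verify_metered_license "$(cplic print)" <mgmt-ip> <CK> ...
if verify_metered_license "$SAMPLE_CPLIC" 192.0.2.10 CK-000000000000; then
    echo "license present"
fi
```

The whole-field comparison matters when Domain Server addresses share a prefix: a plain substring search for 192.0.2.1 would also accept a license generated for 192.0.2.10.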

Using Multiple License Pools

The CloudGuard Central License Tool enables you to have multiple pools of licenses.

The pools are created automatically by pooling together similar licenses based on their Software Blade package (for example NGTP or NGTX).

The multiple license pools can be used with CloudGuard Metered Licenses by having multiple types of Metered Licenses distributed from the same Management Server.

Central License Default Pool

The Central License Tool automatically defines the first pool created as the default pool.

Each new Security Gateway is added to the default pool.

Note - In a Multi-Domain Server, each Domain can have a different default pool.

To change the default pool, do these steps:

  1. Open the Central License Tool Menu.

    On the Management Server, run this command:

    "vsec_lic_cli"

    On the Multi-Domain Server, run these commands:

    "mdsenv <IP-of-the-domain>"

    "vsec_lic_cli"

  2. Select: Choose default license pool.

  3. Select a pool from the list.

  4. Confirm whether to move all Security Gateways from the current pool to the new default pool.

Changing CloudGuard Gateway Pool

To change the license pool from which a Security Gateway gets its licenses, do these steps:

  1. Open the Central License Tool Menu.

    On the Management Server, run this command:

    "vsec_lic_cli"

    On the Multi-Domain Server, run these commands:

    "mdsenv <IP-of-the-domain>"

    "vsec_lic_cli"

  2. Select Configure license pool for Security Gateway.

  3. Select a pool from the list.

  4. Select which Security Gateway from the list to move to the selected pool.

For more information about the use of multiple License Pools, see the CloudGuard Central License Tool Administration Guide.

Managing Check Point Infinity Portal Accounts

The CloudGuard Central License Tool enables you to manage the Check Point Infinity Portal accounts on your Management or Domain server.

Note - If you use a Multi-Domain Server, then it is necessary to run these commands for each domain explicitly.

  1. Open the Central License Tool Menu.

    On the Management Server, run this command:

    "vsec_lic_cli"

    On the Multi-Domain Server, run these commands:

    "mdsenv <IP-of-the-domain>"

    "vsec_lic_cli"

  2. Select Manage metered tenants.

  3. Select one of these options:

    1. Add tenant:

      Adds a new Check Point Infinity Portal account to the current Management or Domain server.

      1. Enter the client id (see Create API Keys).

      2. Enter the secret key (see Create API Keys).

      3. Confirm the account details.

    2. Delete tenant:

      Deletes a configured Check Point Infinity Portal account from the current Management or Domain server.

      • Select which account to delete.

    3. Verify tenant keys are active:

      Verifies if the configured Check Point Infinity Portal account API keys on the current Management or Domain server are still active (not expired or deleted).

      • Select the account whose keys you want to verify.

    4. View tenants:

      Prints a table of all of the configured Check Point Infinity Portal accounts on the current Management or Domain server. The printed table is in this format: