Maintenance

In This Section:

This chapter includes procedures and reference information for maintaining your Gaia computer.

Licenses

Licenses can be added or deleted using the:

Maintenance > Licenses page of the WebUI

Command line by running: cplic_db_add or cplic del.

Note - While all the SecurePlatform cplic commands are available in Gaia, they are not grouped into a Gaia feature. To see a list of available commands and their parameters type cplic and press Enter.

Configuring Licenses - WebUI

If you need to obtain a license, visit the User Center.

Adding a license:

In the tree view, click Maintenance > Licenses.
Click New.
The Add License window opens.
Enter the license data manually, or click Paste License to enter the data automatically.
The Paste License button only shows in Internet Explorer. For other browsers, paste the license strings into the empty text field.
Click OK.

Deleting a license:

In the tree view, click Maintenance > Licenses.
Select a license in the table
Click Delete.

Configuring Licenses - CLI (cplic)

The cplic command and all its derivatives relate to Check Point license management.

Note - SmartUpdate GUI is the recommended way of managing licenses.

All cplic commands are located in $CPDIR/bin. License Management is divided into three types of commands:

Local licensing commands are executed on local machines.
Remote licensing commands are commands which affect remote machines are executed on the Security Management Server.

License repository commands are executed on the Security Management Server.

Syntax

Local Licensing:

        cplic put ...

        cplic del [-F <output file>] <signature>

        cplic print [-h help] [-n noheader] 
                    [-x print signatures] [-t type]

                    [-F <output file>] [-i <input file>] 
                    [-p preatures]

                    [-D print only Domain licenses]

        cplic check ...

        cplic contract ...


Remote Licensing:

        cplic put <object name> ...

        cplic del <object name> [-F <output file>] <signature>

        cplic get <object name | -all>

        cplic upgrade -l input file

License Database Operations:

        cplic db_add ...

        cplic db_rm <signature>

        cplic db_print <object name | -all> ...

For help on any command add the -h option

cplic check

Description Makes sure that the license includes the feature on the local gateway or Security Management Server.

Syntax

gw> cplic check [-p <product>] [-v <version>] [-c|-count] [-t <date>] [-r|-routers] [-S|-SRusers] <feature>

Parameter	Description
`-p <product>`	Product for which license information is requested. For example `fw1, netso`
`-v <version>`	Product version for which license information is requested
`-c\|-count`	Output the number of licenses connected to this feature
`-t <date>`	Check license status on future date. Use the format ddmmmyyyy. A feature may be valid on a given date on one license, but invalid in another
`-r\|-routers`	Check how many routers are allowed. The `feature` option is not needed
`-S\|-SRusers`	Check how many SecuRemote users are allowed.
`<feature>`	`<feature>` for which license information is requested

cplic db_add

Description Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, central licenses need to undergo the attachment process.

This command is a license repository command, and can only be executed on the Security Management server.

Syntax

> cplic db_add -l <license-file> [<host>] [<expiration-date>] [<signature>] [<SKU/features >]

Parameter	Description
`-l <license-file>`	Name of the file that contains the license
`<host>`	Security Management Server hostname or IP address
`<expiration-date>`	The license expiration date
`<signature>`	The License signature string. For example: `aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m` (The string is case sensitive and the hyphens are optional)
`<SKU/features >`	The SKU of the license summarizes the features included in the license. For example: `CPSUITE-EVAL-3DES-vNG`

Example If the file 192.0.2.11.lic contains one or more licenses, the command: cplic db_add -l 192.0.2.11.lic will produce output similar to the following:

Adding license to database ...

Operation Done

cplic db_print

Description Displays the details of Check Point licenses stored in the license repository on the Security Management Server.

Syntax

> cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached]

Parameter	Description
`Object name`	Print only the licenses attached to `Object name`. `Object name` is the name of the Check Point Security Gateway object, as defined in SmartDashboard.
`-all`	Print all the licenses in the license repository
`-noheader` (or `-n)`	Print licenses with no header.
`-x`	Print licenses with their signature
`-t` `(or -type)`	Print licenses with their type: Central or Local.
-`a` (or -`attached`)	Show which object the license is attached to. Useful if the `-all` option is specified.

Comments This command is a license repository command, and can only be executed on the Security Management server.

cplic db_rm

Description The cplic db_rm command removes a license from the license repository on the Security Management server. It can be executed ONLY after the license was detached using the cplic del command. Once the license has been removed from the repository, it can no longer be used.

Syntax

> cplic db_rm <signature>

Parameter	Description
`Signature`	The signature string within the license.

Example cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn

Comments This command is a license repository command, and can only be executed on the Security Management server.

cplic del

Description Delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. Used for both local and remote machines

Syntax

> cplic del [-F <output file>] <signature> <object name>

Parameter	Description
`-F <output file>`	Send the output to <`output file>` instead of the screen.
`<signature>`	The signature string within the license.

cplic del <object name>

Description Detach a Central license from a Check Point Security Gateway. When this command is executed, the license repository is automatically updated. The Central license remains in the repository as an unattached license. This command can be executed only on a Security Management server.

Syntax

> cplic del <object name> [-F <outputfile>] [-ip <dynamic ip>] <signature>

Parameter	Description
`<object name>`	The name of the Check Point Security Gateway object, as defined in SmartDashboard.
`-F <outputfile>`	Divert the output to `outputfile` rather than to the screen.
`-ip <dynamic ip>`	Delete the license on the Check Point Security Gateway with the specified IP address. This parameter is used for deleting a license on a DAIP Check Point Security Gateway. Note - If this parameter is used, then object name must be a DAIP gateway.
`<signature>`	The signature string within the license.

Comments This is a Remote Licensing command which affects remote machines that is executed on the Security Management server.

cplic get

Description The cplic get command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. This command helps you to synchronize the repository with the Check Point Security Gateways. When the command is run, all local changes are updated.

Syntax

> cplic get {<ipaddr>|<hostname>|-all} [-v41]

Parameter	Description
`<ipaddr>`	The IP address of the Check Point Security Gateway from which licenses are to be retrieved.
`<hostname>`	The name of the Check Point Security Gateway object (as defined in SmartDashboard) from which licenses are to be retrieved.
`-all`	Retrieve licenses from all Check Point gateways in the managed network.
-`v41`	Retrieve version 4.1 licenses from the NF Check Point gateway. Used to upgrade version 4.1 licenses.

Example If the Check Point Security Gateway with the object name caruso contains four Local licenses, and the license repository contains two other Local licenses, the command: cplic get caruso produces output similar to the following:

Get retrieved 4 licenses.
Get removed 2 licenses.

Comments This is a Remote Licensing Command which affects remote machines that is executed on the Security Management Server.

cplic put

Description Install one or more Local licenses on a local machine.

Syntax

Parameter	Description
`-o\|-overwrite`	On a Security Management server this will erase all existing licenses and replace them with the new license(s). On a Check Point Security Gateway this will erase only Local licenses but not Central licenses, that are installed remotely.
`-c\|-check-only`	Verify the license. Checks if the IP of the license matches the machine, and if the signature is valid
`-s\|-select`	Select only the Local licenses whose IP address matches the IP address of the machine.
`-F <outputfile>`	Outputs the result of the command to the designated file rather than to the screen.
`-P\|-Pre-boot`	Use this option after upgrading and before rebooting the machine. Use of this option will prevent certain error messages.
`-K\|-kernel`-`only`	Push the current valid licenses to the kernel. For Support use only.
`-l <license-file>`	Name of the file that contains the license
`<host>`	Security Management Server hostname or IP address
`<expiration-date>`	The license expiration date
`<signature>`	The License signature string. For example: `aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m` (The string is case sensitive and the hyphens are optional)
`<SKU/features >`	The SKU of the license summarizes the features included in the license. For example: `CPSUITE-EVAL-3DES-vNG`

Comments Copy and paste the following parameters from the license received from the User Center.

host - One of the following:

All platforms - The IP address of the external interface (in dot notation); last part cannot be 0 or 255.

Solaris2 - The response to the hostid command (beginning with 0x).

expiration date - The license expiration date. Can be never.
signature -The License signature string. For example:
aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional.)
SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab

Example cplic put -l 215.153.142.130.lic produces output similar to the following:

Host             Expiration SKU

215.153.142.130  26Dec2001  CPMP-EVAL-1-3DES-NG CK0123456789ab

cplic put <object name> ...

Description Use the cplic put command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated.

Syntax

> cplic put <object name> [-ip dynamic ip] [-F <output file>]
-l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature>

Parameter	Description
`object name`	The name of the Check Point Security Gateway object, as defined in SmartDashboard.
`-ip dynamic ip`	Install the license on the Check Point Security Gateway with the specified IP address. This parameter is used for installing a license on a DAIP Check Point gateway. NOTE: If this parameter is used, then object name must be a DAIP Check Point gateway.
`-F <outputfile>`	Divert the output to <`outputfile>` rather than to the screen.
`-l <license-file>`	Installs the license(s) from <`license-file>`.
`-l <license-file>`	Name of the file that contains the license
`<host>`	Security Management Server hostname or IP address
`<expiration-date>`	The license expiration date
`<signature>`	The License signature string. For example: `aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m` (The string is case sensitive and the hyphens are optional)
`<SKU/features >`	The SKU of the license summarizes the features included in the license. For example: `CPSUITE-EVAL-3DES-vNG`

Comments This is a Remote Licensing Command which affects remote machines that is executed on the Security Management server.

Copy and paste the following parameters from the license received from the User Center. More than one license can be attached.

host - the target hostname or IP address.
expiration date - The license expiration date. Can be never.
signature -The License signature string. For example:
aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (Case sensitive. The hyphens are optional)
SKU/features - A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example: CPMP-EVAL-1-3DES-NG CK0123456789ab

cplic print

Description The cplic print command (located in $CPDIR/bin) prints details of Check Point licenses on the local machine.

Syntax

> cplic print [-n|-noheader][-x prints signatures][-t type][-F <outputfile>] [‑p preatures]

Parameter	Description
`-n\|-noheader`	Print licenses with no header.
`-x`	Print licenses with their signature
`-t\|-type`	Prints licenses showing their type: Central or Local.
`-F <outputfile>`	Divert the output to `outputfile`.
`-p\|-preatures`	Print licenses resolved to primitive features.

Comments On a Check Point gateway, this command will print all licenses that are installed on the local machine — both Local and Central licenses.

cplic upgrade

Description Use the cplic upgrade command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.

Syntax

> cplic upgrade –l <inputfile>

Parameter	Description
`–l <inputfile>`	Upgrades the licenses in the license repository and Check Point gateways to match the licenses in `<inputfile>`

Example The following example explains the procedure which needs to take place in order to upgrade the licenses in the license repository.

Upgrade the Security Management Server to the latest version.
Ensure that there is connectivity between the Security Management Server and the Security Gateways with the previous version products.
Import all licenses into the license repository. This can also be done after upgrading the products on the remote gateways.
Run the command: cplic get –all. For example:

Getting licenses from all modules ...

count:root(su) [~] # cplic get -all

golda:

Retrieved 1 licenses.

Detached  0 licenses.

Removed  0 licenses.

count:

Retrieved 1 licenses.

Detached  0 licenses.

Removed   0 licenses.

To see all the licenses in the repository, run the command cplic db_print -all –a

count:root(su) [~] # cplic db_print -all -a

Retrieving license information from database ...

The following licenses appear in the database:

==================================================

Host        Expiration Features

192.0.2.11  Never      CPFW-FIG-25-53        CK-49C3A3CC7121 golda

192.0.2.11  26Nov2012  CPSUITE-EVAL-3DES-NGX CK-1234567890   count

In the User Center, view the licenses for the products that were upgraded from version NGX to a Software Blades license and create new upgraded licenses.
Download a file containing the upgraded licenses. Only download licenses for the products that were upgraded from version NGX to Software Blades.
If you did not import the version NGX licenses into the repository, import the version NGX licenses now using the command cplic get -all
Run the license upgrade command: cplic upgrade –l <inputfile>
- The licenses in the downloaded license file and in the license repository are compared.

- If the certificate keys and features match, the old licenses in the repository and in the remote Security Gateways are updated with the new licenses.

- A report of the results of the license upgrade is printed.
In the example, there are two Software Blades licenses in the file. One does not match any license on a remote Security Gateway, the other matches a version NGX license on a Security Gateway that should be upgraded:

Comments This is a Remote Licensing Command which affects remote Security Gateways, that is executed on the Security Management Server.

Further Info. For more about managing licenses, see the R77 Installation and Upgrade Guide.

License Activation

On a Check Point 2012 Appliance, you can get a license automatically from the User Center and activate it.

To Activate a License on a Check Point 2012 Appliance:

Open the Maintenance > License Activation page.
If there is a proxy server between the appliance and the Internet:
1. Click Use a Proxy Server.
2. Enter the proxy server IP Address and Port.
On a Security Gateway-only appliance: Enter the Security Management Server IP address and follow the instructions.
Click Activate License.