In This Section:
vSEC Central Licensing is a pooled license structure offered on the Check Point Security Management Server and Multi-Domain Server. With this feature, you can dynamically change the properties of licenses on your gateway architecture.
The license pool contains the licenses for every gateway with its cores. A license is issued per gateway, and the number of cores in a gateway determines the license you require.
The central licensing feature provides:
There are two modes for the Multi-Domain Server:
Default Mode generates a license for the IP address of the Multi-Domain Server. The license pool is on the Multi-Domain Server and the licenses are attached to all of the vSEC gateways on all Domain Management Servers.
Domain Mode pools are managed on each individual Domain, and licenses are distributed to the vSEC gateways that the Domain manages. The license is therefore generated with the IP address of the Domain to which it belongs.
To switch between Domain Management Servers, use
mdsenv with the
To switch from the Domain Management Server or Multi-Domain Server modes, from the Multi-Domain Server run:
vsec_lic_cli mode domain/mds
Licenses that can be managed in pools
Note - Licenses with different contract blades will be in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to the vSEC gateways.
Gateways that receive a license from the pool
Gateways that receive a license
vSEC licenses are attached from the license pool to the vSEC gateway.
The distribution procedure is permissive. Gateways will be issued a license even when the pool no longer has licenses available.
You can activate the new vSEC central licensing utility on Security Gateways that already have a license. Licenses with the same Software Blades and contract expiration join together to make one pool. If multiple pools are established, one of the pools is the default pool. Any license that is not part of the pool is detached from all Security Gateways.
If you have a Multi-Domain Server, enable the central license utility on the Multi-Domain Server. Multi-Domain Server automatically activates the central license utility on each Domain Management Server.
Best practice - We recommend that you have only one type of pool. Therefore, licenses with the same Software Blades and contract expiration are grouped together. Use the central license utility to ensure that licenses are distributed correctly.
vSEC central license is off by default. When it is off, licenses are not distributed automatically to new vSEC gateways. Existing licenses however, remain on the gateways.
vsec_lic_cli tool to manage vSEC licenses.
Important - Use
vsec_lic_cli to manage vSEC licenses. Do not use other tools at the same time
Any vSEC licenses that were added with other tools, such as SmartUpdate, or
central_license, are automatically added to the pools. See sk109713.
The vSEC License Manager Menu shows these options:
You can add a central license to the license pool with the IP address of a Security Management Server. The license is added to the pool to match the contract blade. Use the User Center to automatically match the blade to the contract, or attach the contracts manually with SmartUpdate.
A license in a default pool will be distributed to the vSEC gateway as needed.
When you remove a license from the pool, it is also removed from all vSEC gateways which have the license.
With the Central Licensing feature, you can see usage details of the gateways in the pool.
This information is available:
Distribution of licenses to the vSEC gateways is done automatically, once a day. If you need the license attached immediately, you can run the distribution manually.
You can monitor these changes on the gateways and licenses:
After distribution of the licenses, any gateway that did not have a license, will now have one.
You can enable or disable the vSEC gateway from receiving a license automatically.
You can generate a
csv file with an hourly core usage report for each vSEC gateway.