vSEC Central Licensing

In This Section: License Distribution Using the Central Licensing Utility with Existing Licenses Managing vSEC Central Licenses

vSEC Central Licensing is a pooled license structure offered on the Check Point Security Management Server and Multi-Domain Server. With this feature, you can dynamically change the properties of licenses on your gateway architecture.

The license pool contains the licenses for every gateway with its cores. A license is issued per gateway, and the number of cores in a gateway determines the license you require.

The central licensing feature provides:

• One global license for as many gateways as needed.
• Scaled-up performance on a gateway with all its vCores.
• Movement of vCores from one gateway to another.
• Movement of the vSEC Gateway between the public and private cloud.

There are two modes for the Multi-Domain Server:

System Mode

Default Mode generates a license for the IP address of the Multi-Domain Server. The license pool is on the Multi-Domain Server and the licenses are attached to all of the vSEC gateways on all Domain Management Servers.

Domain Mode

Domain Mode pools are managed on each individual Domain, and licenses are distributed to the vSEC gateways that the Domain manages. The license is therefore generated with the IP address of the Domain to which it belongs.

To switch between Domain Management Servers, use mdsenv with the DOMAIN_IP

To switch from the Domain Management Server or Multi-Domain Server modes, from the Multi-Domain Server run: vsec_lic_cli mode domain/mds

License Distribution

	Description
Licenses that can be managed in pools	Virtual security licenses for public and private clouds. Licenses with the same contract blade package. Note - Licenses with different contract blades will be in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to the vSEC gateways.
Gateways that receive a license from the pool	vSEC gateways on the public and private cloud. The supported Hypervisors in the private cloud are VMware ESXi, Hyper-V and KVM. The supported modules in the public cloud are AWS, Microsoft Azure, Google Cloud Platform and vCloud Air.
Gateways that receive a license	New vSEC gateways receive the license from the pool after policy installation. Existing vSEC gateways receive the license immediately after the license is added.
Distribution	vSEC licenses are attached from the license pool to the vSEC gateway. The distribution procedure is permissive. Gateways will be issued a license even when the pool no longer has licenses available.

Using the Central Licensing Utility with Existing Licenses

You can activate the new vSEC central licensing utility on Security Gateways that already have a license. Licenses with the same Software Blades and contract expiration join together to make one pool. If multiple pools are established, one of the pools is the default pool. Any license that is not part of the pool is detached from all Security Gateways.

If you have a Multi-Domain Server, enable the central license utility on the Multi-Domain Server. Multi-Domain Server automatically activates the central license utility on each Domain Management Server.

Best practice - We recommend that you have only one type of pool. Therefore, licenses with the same Software Blades and contract expiration are grouped together. Use the central license utility to ensure that licenses are distributed correctly.

Managing vSEC Central Licenses

vSEC central license is off by default. When it is off, licenses are not distributed automatically to new vSEC gateways. Existing licenses however, remain on the gateways.

Use the vsec_lic_cli tool to manage vSEC licenses.

• To turn the vSEC license on, run: vsec_lic_cli on
• To turn the vSEC license off, run: vsec_lic_cli off
• To manage the vSEC license pool with the CLI, run: vsec_lic_cli

Important - Use vsec_lic_cli to manage vSEC licenses. Do not use other tools at the same time.

Any vSEC licenses that were added with other tools, such as SmartUpdate, or central_license, are automatically added to the pools. See sk109713.

The vSEC License Manager Menu shows these options:

1. Add a license
2. Remove a license
3. View license usage
4. Run license distribution
5. Configure automatic license distribution
6. Generate a core usage report

Adding a License

You can add a central license to the license pool with the IP address of a Security Management Server. The license is added to the pool to match the contract blade. Use the User Center to automatically match the blade to the contract, or attach the contracts manually with SmartUpdate.

A license in a default pool will be distributed to the vSEC gateway as needed.

Removing a License

When you remove a license from the pool, it is also removed from all vSEC gateways which have the license.

Viewing License Usage

With the Central Licensing feature, you can see usage details of the gateways in the pool.

This information is available:

• Quota of cores
• Unused cores
• Security Gateways licensed in the pool

Running License Distribution

Distribution of licenses to the vSEC gateways is done automatically, once a day. If you need the license attached immediately, you can run the distribution manually.

You can monitor these changes on the gateways and licenses:

• New vSEC gateways
• Core changes on existing gateways
• Contract changes on existing licenses

After distribution of the licenses, any gateway that did not have a license, will now have one.

Configuring Automatic License Distribution for Security Gateways

You can enable or disable the vSEC gateway from receiving a license automatically.

Generating a Core Usage Report

You can generate a csv file with an hourly core usage report for each vSEC gateway.