CloudGuard Central Licensing is a pooled license structure offered on the Check Point Security Management Server and Multi-Domain Server.
With this feature, you can dynamically change the properties of licenses on your Security Gateway architecture.
The license pool contains the licenses for every Security Gateway with its cores. A license is issued for each CloudGuard Gateway, and the number of cores in a CloudGuard Gateway determines the license you require.
The central licensing feature provides:
There are two modes for the Multi-Domain Server:
Mode | Description |
---|---|
System Mode | Default Mode generates a license for the IP address of the Multi-Domain Server. The license pool is on the Multi-Domain Server. The licenses are attached to all of the CloudGuard Gateways that the Domain Management Servers manage. To use this mode, run: |
Domain Mode | Domain Mode pools are managed on each individual Domain. Licenses are distributed to the CloudGuard Gateways that the Domain manages. The license is generated with the IP address of the Domain to which it belongs. To use this mode, run: |
Note - To go to the context of a Domain Management Server, run: mdsenv <Name or IP Address of Domain Management Server>
Item | Description |
---|---|
Licenses that can be managed in pools | Note - Licenses with different contract blades will be in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to CloudGuard Gateways. |
Gateways that receive a license from the pool | CloudGuard Gateways on the public and private cloud. The supported Hypervisors in the private cloud are VMware ESXi, Hyper-V and KVM. The supported modules in the public cloud are AWS, Microsoft Azure, Google Cloud Platform and vCloud Air. |
Gateways that receive a license | |
Distribution | CloudGuard licenses are attached from the license pool to the CloudGuard Gateway. The distribution procedure is permissive. Gateways will be issued a license even when the pool no longer has licenses available. |
You can activate the new CloudGuard Central Licensing utility on Security Gateways that already have a license. Licenses with the same Software Blades and contract expiration join together to make one pool. If multiple pools are established, one of the pools is the default pool. Any license that is not part of the pool is detached from all Security Gateways.
If you have a Multi-Domain Server, enable the central license utility on the Multi-Domain Server. Multi-Domain Server automatically activates the central license utility on each Domain Management Server.
Best Practice - We recommend that you have only one type of pool. Therefore, licenses with the same Software Blades and contract expiration are grouped together. Use the central license utility to ensure that licenses are distributed correctly.
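The pooling and distribution rules described above, modelled as an added example (not Check Point code): licenses with the same blades and expiration form one pool, the first pool is the default, and distribution is permissive, so the model reports the core shortfall an administrator should watch for. The record fields, the per-license core counts and all sample values are assumptions constructed for illustration.

```python
# Constructed sample data; field names, blade labels and core counts are assumptions.
LICENSES = [
    {"id": "lic-A", "blades": ("FW", "IPS"), "expires": "2026-01-01", "cores": 8},
    {"id": "lic-B", "blades": ("FW", "IPS"), "expires": "2026-01-01", "cores": 4},
    {"id": "lic-C", "blades": ("FW",), "expires": "2025-06-30", "cores": 16},
]
GATEWAYS = [("gw-aws-1", 4), ("gw-azure-1", 8), ("gw-esxi-1", 4)]  # (name, cores)


def build_pools(licenses):
    """Group licenses by (blades, expiration); the first pool created is the default."""
    pools = {}
    for lic in licenses:
        key = (frozenset(lic["blades"]), lic["expires"])
        if key not in pools:
            pools[key] = {"licenses": [], "cores": 0, "default": len(pools) == 0}
        pools[key]["licenses"].append(lic["id"])
        pools[key]["cores"] += lic["cores"]
    return pools


def distribute(pools, gateways):
    """Permissive distribution from the default pool: every gateway is licensed,
    even after the pool's capacity is exhausted, so track the shortfall."""
    default = next(p for p in pools.values() if p["default"])
    used, rows = 0, []
    for name, cores in gateways:
        used += cores
        rows.append({"gateway": name, "cores": cores, "licensed": True,
                     "over_capacity": used > default["cores"]})
    return {"capacity": default["cores"], "used": used,
            "shortfall": max(0, used - default["cores"]), "gateways": rows}


if __name__ == "__main__":
    pools = build_pools(LICENSES)
    report = distribute(pools, GATEWAYS)
    print(f"pools: {len(pools)}, default capacity: {report['capacity']} cores")
    print(f"used: {report['used']} cores, shortfall: {report['shortfall']} cores")
    for row in report["gateways"]:
        flag = "OVER CAPACITY" if row["over_capacity"] else "ok"
        print(f"  {row['gateway']}: {row['cores']} cores, {flag}")
```

In this model, lic-C lands in a second, non-default pool and contributes nothing to distribution, which is the situation the one-pool recommendation avoids.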
CloudGuard central license is disabled by default. When it is disabled, licenses are not distributed automatically to new CloudGuard Gateways. Existing licenses, however, remain on the CloudGuard Gateways.
Operation | CLI command |
---|---|
Enable the CloudGuard license | |
Disable the CloudGuard license | |
Manage the CloudGuard license pool | |
The vsec_lic_cli tool is exclusively for managing CloudGuard licenses, and other tools should not be used at the same time. CloudGuard licenses that were already added with other tools, such as SmartUpdate, are automatically added to the pools.
The vSEC License Manager Menu shows these options:
You can add a central license to the license pool with the IP address of a Security Management Server, Multi-Domain Server or Domain Management Server.
The license is added to the pool to match the contract blade. Use the User Center to automatically match the blade to the contract, or attach the contracts manually with SmartUpdate.
A license in a default pool will be distributed to the CloudGuard Gateway as needed.
When you remove a license from the pool, it is also removed from all CloudGuard Gateways that have the license.
With the Central Licensing feature, you can see usage details of the CloudGuard Gateways in the pool.
This information is available:
Distribution of licenses to the CloudGuard Gateways is done automatically, once a day.
If you need the license attached immediately, you can run the distribution manually.
You can monitor these changes on the CloudGuard Gateways and licenses:
After distribution of the licenses, a CloudGuard Gateway that did not have a license will now have one.
You can enable or disable the CloudGuard Gateway from receiving a license automatically.
You can generate a CSV file with an hourly core usage report for each CloudGuard Gateway.