vSEC Central Licensing

In This Section:

License Pooling

License Distribution

Using the Central Licensing Utility with Existing Licenses

Managing CloudGuard Central Licenses

License Pooling

CloudGuard Central Licensing is a pooled license structure offered on the Check Point Security Management Server and Multi-Domain Server.

With this feature, you can dynamically change the properties of licenses on your Security Gateway architecture.

The license pool contains the licenses for every Security Gateway with its cores. A license is issued for each CloudGuard Gateway, and the number of cores in a CloudGuard Gateway determines the license you require.

The central licensing feature provides:

There are two modes for the Multi-Domain Server:

| Mode | Description |
|---|---|
| System Mode | Default Mode generates a license for the IP address of the Multi-Domain Server. The license pool is on the Multi-Domain Server. The licenses are attached to all of the CloudGuard Gateways that the Domain Management Servers manage. To use this mode, run: vsec_lic_cli mode mds |
| Domain Mode | Domain Mode pools are managed on each individual Domain. Licenses are distributed to the CloudGuard Gateways that the Domain manages. The license is generated with the IP address of the Domain to which it belongs. To use this mode, run: vsec_lic_cli mode domain |

Note - To go to the context of a Domain Management Server, run: mdsenv <Name or IP Address of Domain Management Server>

License Distribution

| Item | Description |
|---|---|
| Licenses that can be managed in pools | Virtual security licenses for public and private clouds; licenses with the same contract blade package. Note - Licenses with different contract blades will be in separate pools. The first license pool that is created is configured as the default pool. The licenses from the default pool are attached to CloudGuard Gateways. |
| Gateways that receive a license from the pool | CloudGuard Gateways on the public and private cloud. The supported Hypervisors in the private cloud are VMware ESXi, Hyper-V and KVM. The supported modules in the public cloud are AWS, Microsoft Azure, Google Cloud Platform and vCloud Air. |
| Gateways that receive a license | New CloudGuard Gateways receive the license from the pool after policy installation. Existing CloudGuard Gateways receive the license immediately after the license is added. |
| Distribution | CloudGuard licenses are attached from the license pool to CloudGuard Gateways. The distribution procedure is permissive. Gateways will be issued a license even when the pool no longer has licenses available. |

Using the Central Licensing Utility with Existing Licenses

You can activate the new CloudGuard Central Licensing utility on Security Gateways that already have a license. Licenses with the same Software Blades and contract expiration join together to make one pool. If multiple pools are established, one of the pools is the default pool. Any license that is not part of the pool is detached from all Security Gateways.

If you have a Multi-Domain Server, enable the central license utility on the Multi-Domain Server. Multi-Domain Server automatically activates the central license utility on each Domain Management Server.

Best Practice - We recommend that you have only one type of pool. Therefore, licenses with the same Software Blades and contract expiration are grouped together. Use the central license utility to ensure that licenses are distributed correctly.

Managing CloudGuard Central Licenses

CloudGuard central license is disabled by default. When it is disabled, licenses are not distributed automatically to new CloudGuard Gateways. Existing licenses, however, remain on the CloudGuard Gateways.

| Operation | CLI command |
|---|---|
| Enable the CloudGuard license | vsec_lic_cli on |
| Disable the CloudGuard license | vsec_lic_cli off |
| Manage the CloudGuard license pool | vsec_lic_cli |

The vsec_lic_cli tool is exclusively for managing CloudGuard licenses, and other tools should not be used at the same time. CloudGuard licenses that were already added with other tools, such as SmartUpdate, are automatically added to the pools.

The vSEC License Manager Menu shows these options:

  1. Add a license
  2. Remove a license
  3. View license usage
  4. Run license distribution
  5. Configure automatic license distribution
  6. Generate a core usage report

Adding a License

You can add a central license to the license pool with the IP address of a Security Management Server, Multi-Domain Server or Domain Management Server.

The license is added to the pool to match the contract blade. Use the User Center to automatically match the blade to the contract, or attach the contracts manually with SmartUpdate.

A license in a default pool will be distributed to the CloudGuard Gateway as needed.

Removing a License

When you remove a license from the pool, it is also removed from all CloudGuard Gateways that have the license.

Viewing License Usage

With the Central Licensing feature, you can see usage details of the CloudGuard Gateways in the pool.

This information is available:

Running License Distribution

Distribution of licenses to the CloudGuard Gateways is done automatically, once a day.

If you need the license attached immediately, you can run the distribution manually.

You can monitor these changes on the CloudGuard Gateways and licenses:

After distribution of the licenses, a CloudGuard Gateway that did not have a license will now have one.

Configuring Automatic License Distribution for Security Gateways

You can allow or prevent a CloudGuard Gateway from receiving a license automatically.

Generating a Core Usage Report

You can generate a CSV file with an hourly core usage report for each CloudGuard Gateway.