Step 4 - License Installation in Maestro

Notes:

  • Quantum Maestro Orchestrators do not require a license.

  • On the Management Server, each Security Group is one Security Gateway object.

    Therefore, each Security Group consumes a Management license of one Security Gateway.

  • Installing or removing a license is supported only on the SMO Security Group Member.

  • For each Security Appliance, you must generate a Security Gateway license.

  • You can install the licenses on the SMO Security Group Member before or after you add other Security Group Members to the Security Group.

    The Security Group keeps the installed licenses in a "license bank".

  • When you add a new Security Group Member with a MAC address that matches one of the installed licenses on this Security Group, the new Security Group Member receives the correct license immediately.

  • When you remove a Security Group Member from a Security Group, the Security Group keeps the corresponding license in a "license bank".

Adding Licenses

  1. Get the MAC address of the Management port on each Security Appliance.

    1. Connect to the command line on the Security Group.

    2. Get the MAC address of the eth1-Mgmt1 interface.

      Run the command in one of the shells:

      • In Gaia gClish, run:

        show interface eth1-Mgmt1 mac-addr

      • In the Expert mode mode, run:

        g_all ifconfig eth1-Mgmt1 | grep HWaddr

      Make sure you copy the MAC address of the correct Security Appliance.

    1. Connect to the command line on the Security Appliance.

    2. Get the MAC address of the Mgmt interface.

      Run the command in one of the shells:

      • In Gaia Clish, run:

        show interface Mgmt mac-addr

      • In the Expert mode mode, run:

        ifconfig Mgmt | grep HWaddr

  2. Log in to Check Point User Center.

  3. Generate a new Security Gateway license for each Security Appliance:

    1. For an IP address, enter the IP address of the Security Group that you assigned to in on the Orchestrator.

      All Security Group Members in the Security Group have the same Management IP address.

    2. For a MAC address, enter the MAC address of the Management port on the Security Appliance.

      Each Security Group Member must have a license generated for its MAC address.

    Notes - Check Point User Center sends you an email with the full "cplic put" command.

    You can also see the full syntax in the generated license details in the User Center.

  4. Attach the licenses on the SMO Security Group Member:

    1. Connect to the command line on the Security Group.

    2. Run the required command in one of the shells:

      • In Gaia gClish, run:

        cplic put <License String>

      • In the Expert mode mode, run:

        g_all cplic put <License String>

Removing Licenses from a Specific Security Group Member

  1. Connect to the command line on the Security Group.

  2. Get the license signature (and copy it) in one of the shells:

    • In Gaia gClish, run:

      cplic [-b <ID of Security Group Member>] print -x

      Example for Security Group 1 and Security Group Member 2:

      cplic -b 1_02 print -x

    • In the Expert mode mode, run:

      g_all cplic [-b <ID of Security Group Member>] print -x

  3. Remove the license from this Security Group Member in one of the shells:

    Note - This command works only on the SMO Security Group Member.

    • In Gaia gClish, run:

      cplic del <License Signature>

    • In the Expert mode mode, run:

      g_all cplic del <License Signature>

    Notes:

    • Error messages can appear about deleting licenses that do not exist.

      These errors come from other Security Group Members.

    • This procedure removes the license from the "license bank" on the Security Group.