CloudGuard (vSEC) Central License Management Utility

Table of Contents:

  1. Introduction
  2. Prerequisites
  3. Procedure
  4. Limitations
  5. Related solutions
  6. Revision History

Notes:

  • Starting from R80.20, there is another Central License Utility (vsec_lic_cli, see the CloudGuard Network Central License Tool R80.20 and Higher Administration Guide) with different abilities and behavior. Refer to the "vSEC Central Licensing" section in the R80.20 CloudGuard Controller Administration Guide for more information. We recommend using the new tool.
  • The vsec_central_license tool that this sk refers to exists in all the specified versions (up to R80.40).
  • Starting from R81, the vsec_central_license tool is no longer supported. You can continue to manage and distribute licenses to all virtual Gateways using the vsec_lic_cli tool.
    Follow this procedure to switch to the vsec_lic_cli tool on R81 when upgrading the Security Management Server from a previous version that used the vsec_central_license tool:
    1. Run: vsec_lic_cli on
    2. Install policy on all of your virtual Gateways.
    3. Run "vsec_lic_cli view", or view the License Pool usage using the interactive menu option when running vsec_lic_cli.
      At this point, all of your virtual Gateways should be assigned to the default License Pool.
    4. You can move your Gateways to a different pool using the interactive menu option ("Configure license pool for Gateway"), or by using the command "vsec_lic_cli select <pool name> [optional CK] <gateway name>".

(1) Introduction

  • Background:

    CloudGuard (vSEC) Central License Management Utility for Gaia OS enables automatic distribution of licenses (for the total number of licensed virtual cores) for CloudGuard (vSEC) Virtual Edition and CloudGuard (vSEC) public IaaS Bring Your Own License (BYOL).

    The licenses are distributed from the Management Server to the managed Virtual Gateways and are provided as a single license string per SKU attached to the Management Server.

    In order to distribute the licenses, the security administrator first needs to attach the licenses to the Management Server, and then run the vsec_central_license command on the Management Server.
    As a result, the Security Management Server / Domain Management Server allocates licenses automatically from purchased licenses to all managed Virtual Gateways.

    Licenses can be verified via SmartUpdate, or by running the cplic print command on the Virtual Gateways.

  • Affected SKUs:

    • CPSG-VEN-NGTP-GW
    • CPSG-VEN-NGTX-GW
    • CPSG-VEN-NGFW-GW
    • CPSG-AWS-NGTX-GW
    • CPSG-AWS-NGTP-GW
    • CPSG-AZURE-NGTX-GW
    • CPSG-AZURE-NGTP-GW
  • This article applies to:

    Security Gateway R77.30 (*)
    • CloudGuard (vSEC) Virtual Edition (VE) in Network Mode
    • CloudGuard (vSEC) for AWS
    • CloudGuard (vSEC) for Azure
    • CloudGuard (vSEC) for vCloud Air
    Management Server R77.30
    • Security Management Server
    • Multi-Domain Security Management Server
    Management Server R80
    • Security Management Server
    • Multi-Domain Security Management Server
    Management Server R80.10 and higher
    • Security Management Server
    • Multi-Domain Security Management Server

    (*) This article does not apply to CloudGuard (vSEC) for NSX.

 

(2) Prerequisites

Machine Prerequisites

Security Gateway
CloudGuard (vSEC) Virtual Edition (VE) in Network Mode
CloudGuard Security Gateway

  1. Must run one of the following:
  2. "Hardware" must be set to "Open server" or "vSEC" in the object of CloudGuard (vSEC) Gateway.
    Note: In R80.10, you can also use type "vSEC".

    Example:
Security Management Server /
Multi-Domain Security Management Server
  1. Must run:
    • R77.30 GA on Gaia OS with the relevant hotfix (Install the CloudGuard (vSEC) Central License Management Utility on R77.30)
    • R80 GA on Gaia OS with the relevant hotfix (Install the CloudGuard (vSEC) Central License Management Utility on R80)
    • R80.10 or higher on Gaia OS
  2. Must have a sufficient number of licenses attached
    (licenses are distributed until the license pool is depleted).

 

(3) Procedure

  • Instructions for distributing a new license that contains SKUs for NGTP, NGTX (and DLP)

    This section provides the instructions for the following specific case:

    1. New license is generated that contains SKUs either for NGTP + NGTX only, or for NGTP + NGTX + DLP
    2. This license is attached for the first time to the Virtual Gateways using the vsec_central_license tool

    Instructions:

    1. Install the CloudGuard (vSEC) Central License Management Utility on the Management Server:

      Important Note: The CloudGuard (vSEC) Central License Management Utility is supported only on a Management Server running on Gaia OS. The utility has been integrated since version R80.10.

      • Instructions for Management Server R77.30

        Install the following hotfix. Note: This hotfix can be installed on top of any take of Jumbo Hotfix Accumulator for R77.30 (there is no limitation). However, the Jumbo Hotfix Accumulator cannot be installed on top of this hotfix: you need to uninstall the hotfix, install the Jumbo Hotfix Accumulator, and then reinstall the hotfix.

        • Installation using CPUSE (Check Point Update Service Engine)
          • Online installation

            1. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions page.
            2. In the upper right corner, click on the Add hotfixes from the cloud button.
            3. Paste the CPUSE Identifier Check_Point_R77_30_vSEC_sk109713_FULL.tgz and start the search.
            4. When the package is found, click on the link to add the package to the list of available packages.
            5. Select the hotfix package Check Point vSEC Central License hotfix for R77.30 (sk109713) - click on Install Update button on the toolbar.
            6. No need to reboot, or manually start Check Point services with "cpstart" / "mdsstart" command.

            For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".
          • Offline installation

            Package Download
            R77.30 Hotfix (CPUSE Offline Package) (TGZ)

            1. Download the Gaia CPUSE Offline package from the table above.
            2. Connect to the Gaia Portal on your Check Point machine and navigate to Upgrades (CPUSE) section - click on Status and Actions page.
            3. On the toolbar, click on the More button - select Import Package - browse for the CPUSE Offline package (TGZ file) - click on Upload.
            4. Select the hotfix package Check Point vSEC Central License hotfix for R77.30 (sk109713) - click on Install Update button on the toolbar.
            5. No need to reboot, or manually start Check Point services with "cpstart" / "mdsstart" command.

            For detailed installation instructions, refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(4) How to work with CPUSE".


        • Installation using Legacy CLI

          Package Download
          R77.30 Hotfix (Legacy CLI Package) (TGZ)

          1. Download the Legacy CLI Package from the table above, transfer it to the machine and unpack it:
            [Expert@HostName:0]# tar -zxvf Check_Point_R77_30_VSEC_Gaia_sk109713.tgz
          2. Install the hotfix:
            [Expert@HostName:0]# ./fw1_wrapper_HOTFIX_VSEC_CENTRAL_LIC_001_<BUILD>
            Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
          3. No need to reboot, or manually start Check Point services with "cpstart" / "mdsstart" command.

        Notes:

        • Make sure to take a snapshot of your Check Point machine before installing this hotfix.
        • In Management HA environment, this procedure must be performed on both Management Servers.
        • This CloudGuard (vSEC) Central License hotfix does not conflict with Jumbo Hotfix Accumulator for R77.30 (i.e., can be installed on top of it).


      • Instructions for Management Server R80
    2. In User Center, generate a new license (that contains SKUs either for NGTP + NGTX only, or for NGTP + NGTX + DLP) to the Management Server.

    3. In User Center, activate the license as "Central" license and enter the main IP address of Security Management Server / Domain Management Server object.

      Note: In a Management High Availability environment, the license should be issued for the main IP address of the Primary Management Server, even if the tool is run from the Secondary Management Server.
    4. Attach the new license (that contains SKUs either for NGTP + NGTX only, or for NGTP + NGTX + DLP) to Security Management Server / Domain Management Server (either in SmartUpdate, or on CLI with the "cplic put" command). Note: The license that includes the “VE+” part should be applied manually using the cprlic command.

    5. Verify that objects of Virtual Gateways are configured in the R7x SmartDashboard / R8x SmartConsole.

    6. Allocate the licenses automatically to all managed Virtual Gateways:

      1. Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.

      2. Log in to Expert mode.

      3. On Multi-Domain Security Management Server, switch to the context of the involved Domain Management Server:

        [Expert@HostName:0]# mdsenv <Name of Domain Management Server>
      4. Allocate the licenses to Virtual Gateways:

        [Expert@HostName:0]# vsec_central_license

        Notes:

        1. The vsec_central_license command is activated from the Security Management Server / context of the Domain Management Server.

        2. The Security Management Server / Domain Management Server connects to all the managed Virtual Gateways and attaches the license to eligible Virtual Gateways.

        3. The vsec_central_license command provides one of the following outputs per managed Virtual Gateway:

          Command output | Explanation
          <Name_of_Virtual Gateway> - attaching licenses.... | Trying to attach the license to this Virtual Gateway
          <Name_of_Virtual Gateway> - not R77.30 | License was not attached because this Virtual Gateway is not R77.30
          <Name_of_Virtual Gateway> - not CloudGuard (vSEC) gateway | License was not attached because this Virtual Gateway is not one of the supported types (vSEC Virtual Edition (VE), vSEC for AWS, vSEC for Azure, vSEC for vCloud Air)
          <Name_of_Virtual Gateway> - vsx gateway | License was not attached because this Virtual Gateway is a VSX gateway
          <Name_of_Virtual Gateway> - failed to access gateway | License was not attached due to connectivity issues with this Virtual Gateway
    7. Verify that licenses were distributed (either in SmartUpdate, or on Virtual Gateway's CLI with the "cplic print" command).

    8. Each time you add a new Virtual Gateway on this Security Management Server / Domain Management Server, you need to repeat Step 6.



  • Instructions for adding a DLP license to the already distributed license that contained SKUs only for NGTP, NGTX

    This section provides the instructions for the following specific case:

    1. License was previously generated with SKUs only for NGTP and NGTX
    2. This license was attached to the Virtual Gateways using the vsec_central_license tool
    3. SKU for the DLP blade was added in User Center to this license
    4. The new license (that now contains SKUs for NGTP, NGTX and DLP) has to be attached to the Virtual Gateways

    Instructions:

    1. In User Center, generate a new license that contains SKUs for NGTP, NGTX and DLP to the Management Server.

    2. In User Center, activate the new license as "Central" license and enter the main IP address of Security Management Server / Domain Management Server object.

      Note: In a Management High Availability environment, the license should be issued for the main IP address of the Primary Management Server, even if the tool is run from the Secondary Management Server.
    3. Detach the currently assigned license (that contains SKUs only for NGTP and NGTX) from all Virtual Gateways (either in SmartUpdate, or on Management Server's CLI with the 'cplic del' command).

    4. Detach the currently assigned license (that contains SKUs only for NGTP and NGTX) from the Security Management Server / Domain Management Server (either in SmartUpdate, or on Management Server's CLI with the 'cplic del' command).

    5. Attach the new license (that contains SKUs for NGTP, NGTX and DLP) to Security Management Server / Domain Management Server (either in SmartUpdate, or on Management Server's CLI with the "cplic put" command).

    6. Verify that objects of Virtual Gateways are configured in R7x SmartDashboard / R8x SmartConsole.

    7. Allocate the licenses automatically to all managed Virtual Gateways:

      1. Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.

      2. Log in to Expert mode.

      3. On Multi-Domain Security Management Server, switch to the context of the involved Domain Management Server:

        [Expert@HostName:0]# mdsenv <Name of Domain Management Server>
      4. Allocate the licenses to Virtual Gateways:

        [Expert@HostName:0]# vsec_central_license

        Notes:

        1. The vsec_central_license command is activated from the Security Management Server / context of the Domain Management Server.

        2. The Security Management Server / Domain Management Server connects to all the managed Virtual Gateways and attaches the license to eligible Virtual Gateways.

        3. The vsec_central_license command provides one of the following outputs per managed Virtual Gateway:

          Command output | Explanation
          <Name_of_Virtual Gateway> - attaching licenses.... | Trying to attach the license to this Virtual Gateway
          <Name_of_Virtual Gateway> - not R77.30 | License was not attached because this Virtual Gateway is not R77.30
          <Name_of_Virtual Gateway> - not CloudGuard (vSEC) gateway | License was not attached because this Virtual Gateway is not one of the supported types (vSEC Virtual Edition (VE), vSEC for AWS, vSEC for Azure, vSEC for vCloud Air)
          <Name_of_Virtual Gateway> - vsx gateway | License was not attached because this Virtual Gateway is a VSX gateway
          <Name_of_Virtual Gateway> - failed to access gateway | License was not attached due to connectivity issues with this Virtual Gateway
    8. Verify that licenses were distributed (either in SmartUpdate, or on Virtual Gateway's CLI with the "cplic print" command).

    9. Each time you add a new Virtual Gateway on this Security Management Server / Domain Management Server, you need to repeat Step 7.
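
A way to triage the per-gateway output of vsec_central_license from the allocation step in both procedures above, using only the message strings listed in the output table. This is an added example, not part of the Check Point tool or of the original article; the function names are hypothetical, the gateway names and sample output are constructed, and it assumes the tool writes one line per gateway to standard output.

```shell
#!/bin/sh
# Added example, not Check Point code. Classifies vsec_central_license output
# lines using only the message strings listed in this article.
# Assumption: the tool prints one "<gateway> - <message>" line per gateway on stdout.

# Constructed sample output (gateway names are made up).
SAMPLE_OUTPUT='gw-aws-01 - attaching licenses....
gw-old-02 - not R77.30
gw-phys-03 - not CloudGuard (vSEC) gateway
gw-vsx-04 - vsx gateway
gw-azure-05 - failed to access gateway'

# stdin: tool output. stdout: "<STATUS><TAB><gateway>" per non-empty line.
classify_vsec_output() {
    awk '
    BEGIN {
        n = split("attaching licenses;not R77.30;not CloudGuard (vSEC) gateway;vsx gateway;failed to access gateway", msg, ";")
        split("ATTEMPTED;SKIPPED_VERSION;SKIPPED_TYPE;SKIPPED_VSX;FAILED_ACCESS", st, ";")
    }
    {
        sub(/[ \t\r.]+$/, "")              # drop trailing dots, blanks and CR
        if ($0 == "") next
        status = "UNKNOWN"; gw = $0
        for (i = 1; i <= n; i++) {
            suffix = " - " msg[i]
            pos = length($0) - length(suffix) + 1
            # Compare the line ending literally, so "(" and "." are not regex.
            if (pos > 1 && substr($0, pos) == suffix) {
                status = st[i]; gw = substr($0, 1, pos - 1); break
            }
        }
        printf "%s\t%s\n", status, gw
    }'
}

# Lists gateways that hit a connectivity failure or produced an unrecognised
# line. Returns 1 if any are found, 0 otherwise.
gateways_needing_followup() {
    classify_vsec_output | awk -F "\t" '
        $1 == "FAILED_ACCESS" || $1 == "UNKNOWN" { print $2; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# ATTEMPTED only means the tool tried to attach; confirm with "cplic print"
# on the gateway, as the verification step says.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_vsec_output
```

The SKIPPED_* statuses correspond to gateways the table lists as ineligible, so only connectivity failures and unrecognised lines are flagged for a re-run.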

 

(4) Limitations

Category | Limitations
Full HA environment | The CloudGuard (vSEC) Central License Management Utility is not able to give license to another StandAlone machine - i.e., to the Secondary Full HA cluster member. On the Secondary Full HA cluster member, it is required to install a separate non-Central license generated for the IP address of the Secondary Full HA cluster member.
License | Currently, it is not possible to check how many virtual cores are remaining in license "management pool".
Hardware type | "Hardware" type "CloudGuard" is not yet supported.

 

 

(6) Revision History


Date Description
17 Sep 2018
  • Updated Prerequisites and Limitations
01 Oct 2017
  • "Limitations" section - added a limitation that currently, it is not possible to check how many virtual cores are remaining in license "management pool"
30 Sep 2017
  • Updated the vSEC Central License hotfix for Management Server R77.30 to Build 000001012_1
    (to resolve a compatibility issue with Take 232 and higher of R77.30 Jumbo Hotfix Accumulator)
23 July 2017
  • Added a note that vSEC Central License Management Utility is integrated since R80.10
24 Apr 2017
  • Updated steps to get to the "Licensing instructions" in the User Center
30 Mar 2017
  • Added new section "Limitations"
07 Mar 2017
  • "Procedure" section - added link to R80 vSEC Controller v2
06 Mar 2017
  • "Procedure" section - split the instructions to cover the addition of the SKU for DLP blade
01 Nov 2016
  • Added a note about issuing the license in a Management High Availability environment
17 Oct 2016
  • Added a note that vSEC Central License Management Utility is supported only on Gaia OS
06 Sep 2016
  • "Prerequisites" section - updated "vSEC for AWS" and "vSEC for Azure"
02 Sep 2016
  • "Prerequisites" section - added "vSEC for AWS" and "vSEC for Azure"
25 July 2016
  • Added clarification that this article applies to vSEC Virtual Edition (VE) in Network Mode, and does not apply to vSEC for NSX
14 July 2016
  • Added the instructions for R80 Security Management Server / Multi-Domain Security Management Server
01 May 2016
  • Added the requirement for "Hardware" being set to "Open server" in the object of vSEC Gateway
17 Mar 2016
  • Added the vSEC Central License hotfix packages to be available directly from this article
14 Mar 2016
  • "Procedure" section - added a note that the vSEC Central License hotfix does not conflict with Jumbo Hotfix Accumulator for R77.30
13 Mar 2016
  • Changed the design of this document
  • "Product" section - updated the list of involved products
  • "Background" section - updated the description
  • "Procedure" section - updated the instructions
02 Mar 2016
  • "Product" section - updated the list of involved products
  • "Background" section - updated the description and the list of affected SKUs
27 Jan 2016
  • First release of this document
