Collaborator

Check Point Scale Sets, licensing

Hi,

I am having a hard time understanding central licensing of scale sets. First off, will I even be able to lab on this using eval lics - or do I need proper lics?

I got a scale set in Azure and the management is on-prem (R80.30). I create eval lics and attach them to the management, and then run 'vsec_lic_cli'... But then, nothing, there are no licenses available: 'No pools of vSEC licenses.'

So that brings me back to the first question - should I be able to lab on this working with evals? Or are there some tips and tricks I'm missing out on, either with the generation of evals (I specify Azure on HW during eval creation... tried other options too) - or with the usage of vsec_lic_cli in general? I do understand that there will be different pools if there are different contracts, but for me, eval and lab, there are no contracts.

Anyone got any pointers? 🙂

7 Replies
Admin

When you initially fire up a gateway instance it should have a 15-day PnP license.
That should work for testing purposes.
Obviously for longer-term use you’ll need more permanent licenses.
Collaborator

Yes, I know.. But that's not really my issue. 🙂

We do have several customers where we have issues with the vsec license distribution.. using the vsec_lic_cli. This can be customers running on MDS or 'standard management'. There are also considerations, at least when looking into MDS, about how these pools are set up.. how can we report/log/whatever on them - that we want to do lab on.

I have tried creating tons of evals - but I am not able to get them working with the vsec central lic tool.. and am just wondering if anyone has got this working? Or if it's even an option? Anyone know of a bug or something?

This was a HUGE struggle for me to get working (don't even get me started on the autoprovisioning service!).  Make sure your VMSS gateways have internet access.  Some way, some how.  If they don't have internet access, you're going to have a bad time with licensing and it just won't work for more than a few hours.

Check out sk83520 for a how-to to validate internet connectivity is working.

From an MDS perspective, licensing is still the same steps.  You just have to use the vsec licensing tool to push the license to the gateway.  Make sure you mdsenv into the correct CMA before you run vsec licensing if you connect to the root management IP of your MDS appliance (vs hitting the CMA directly).

Also, make sure the connectivity between your VMSS gateways and MDS is solid.  I struggled with that for a bit until I realized what was broken (crazy intermediate firewall was in the way).

Participant

That was not the answer expected from you, PhoneBoy; seeing your other post and vast experience, perhaps you can advise us.

Champion

This was not a comment I would have expected here for a good reply from PhoneBoy, either! 😎
Participant

Did you manage to work this out? I am also in the same situation, using an eval license to test this utility properly. I was provided 90-day eval licenses, but when I try to run vsec_lic_cli it just does not work.

My previous experience is that with a normal, proper license it worked, but screwed everything up, as some resources had more CPU than the licenses we had, so half of the estate got the licenses wiped in the blink of an eye, and we literally rolled it back quickly to manual allocation. This was last year, but I see the utility has now evolved more, and obviously better consideration needs to be given to licenses matching the number of cores.
Overall it is a nice idea for provisioning automatically, but if you are not careful, existing services would get screwed, and if you are not around to fix them, disruption would happen, as firewalls would stop working as they are.

Contributor

See sk128612 (R80.20 and R80.30 CloudGuard Controller Known Limitations) or sk164293 (R80.40 CloudGuard Central License Known Limitations):

PMTR-3949 - Evaluation license will not be distributed.

The only way to apply evals to CloudGuard IaaS is using the SmartUpdate mechanism as for standard gateways - which is of no use for testing the operation of vsec_central_license or vsec_lic_cli. Pretty frustrating that this still doesn't work in R80.40. If anyone from CP is looking at fixing this, please add an eval option for CG IaaS with NGTX, the current eval is NGTP only.