bintang1
Explorer

MGMT License required for CPEP-ACCESS?


Hi,

We already have the MGMT license covered by CPSM-NGSM25 and CPEP-ACCESS-1Y for 5500 endpoint security.

From a MGMT perspective, is it enough if we purchase only CPSM-NGSM25 to manage CPEP-ACCESS for 5500 endpoints?

Please advise.

0 Kudos
12 Replies
Olga_Kuts
Advisor

Good question!

It is interesting for me too.

And I have an additional question. Is it mandatory to use the management system to manage agents if we use this license (CPEP-ACCESS-1Y)?

0 Kudos
G_W_Albrecht
Legend

See sk116598: Next Generation Endpoint Security Products Licensing

You need a MGMT license and the Access Control and Data Protection package. If you use Cloud Management, you also need the Access Control and Data Protection package and a Cloud Management license. But this is usually quoted by CP Sales according to the customer's demands.

View solution in original post

0 Kudos
Olga_Kuts
Advisor

Thanks for your reply.

But why do we need the Access Control and Data Protection package?

CPEP-ACCESS-1Y provides us Firewall and VPN Remote Access (following sk116598). I understand that we attach this license to the management server. But in the case where we use only VPN access with the license CPEP-ACCESS-1Y, do we need Endpoint Management? Or can we use unmanaged endpoints only for VPN access (similar to the MOB license)?

0 Kudos
G_W_Albrecht
Legend

You have to decide if you need Endpoint Management Server (with Endpoint Security Clients) or just use Standalone Clients (Endpoint Security VPN). Desktop Firewall and RA VPN do not need an Endpoint Management Server.

0 Kudos
Olga_Kuts
Advisor

We have 20 CPEP-ACCESS licenses and we want to use standalone clients (without Endpoint Management). If 20 hosts connect to the GW and disconnect after some time, when is the license released? And can we release this license manually?

0 Kudos
G_W_Albrecht
Legend

According to sk33869:

 

  • "Used Licenses" column shows the number of users that have connected in the last 30 days. The Policy Server counts users on a monthly period basis. When the month is over, it resets to "zero". The dtps lic output "Used Licenses" column counts the users according to their name (or DN). This means that the same user is counted only once. The "Used Licenses" column does not display the number of currently connected users. Instead, it displays the number of unique users that have connected to this Policy Server during a month. The intention of the "Used License" column information is not to display how many users are being concurrently connected, but rather to display how many SecureClient users exist.

Users are stored in userc_users - This table holds remote access client's IP address. All connections from this IP address are expected to be encrypted.

Run the below command in expert mode to clear the users check table:

[Expert@GW]# fw tab -t userc_users -x -y

 

0 Kudos
PhoneBoy
Admin

The firewall + VPN features of CPEP-ACCESS can be managed with Network Management.
If you need Endpoint Compliance for some reason (instead of SCV), that does require Endpoint Management.
Believe the license is counted for each installed user once they connect and it’s held for 30 days.

bintang1
Explorer

Hi PhoneBoy,

So in our case, if we already have NGSM25 + CPEP-ACCESS-1Y for 5500 users, do we need an additional license to cover 5500 users if we want to deploy endpoint access control (firewall, application control, compliance and VPN)?

Thanks and regards

0 Kudos
PhoneBoy
Admin

Believe Application Control is outside the scope of what Access licenses provide.
In current SKUs you’d probably need SBA Basic licenses and either Endpoint Management or you can leverage SBA Managed from the cloud which comes with SBA Basic licenses.

0 Kudos
Olga_Kuts
Advisor

Thanks for your reply!

You said that the license is held for 30 days. Can I release it manually in some way?

0 Kudos
G_W_Albrecht
Legend

Three different RA license possibilities exist:

- Mobile Access Blade SSL VPN is licensed per concurrent users, so there is no need to release anything

- EPS Server with EP Blades can be cleaned of messed licenses by PSQL commands you receive from TAC

- RA VPN managed by dashboard can be released in expert mode by clearing the users check table:

[Expert@GW]# fw tab -t userc_users -x -y

View solution in original post

Flanger
Participant

Hello.
In the case of the third scenario (RA VPN with standalone Endpoint Security clients in Office Mode connecting to an R80.30 security gateway), is it possible to check how many licenses have been given out and to which LDAP users? We have installed CPEP-ACCESS-1Y for only 1 seat on our SMS and have the Mobile Blade disabled on the Security Gateway. For some reason, more than one user is able to connect and obtain Office Mode IPs. The big bash one-liner command shows this output on the security gateway:

 

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 9 (Peak: 11)
Capsule/Endpoint VPN Users : 8 (Peak: 12) using Visitor Mode: 7
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 500
Endpoint Connect Users : 1
Mobile Access Users : 5
SNX Users :

 

How is this possible?

#cplic print from SMS

 

Host             Expiration  Features            
10.20.100.60     never       cpep-c-1+1 cpsb-ep-fw+1 cpep-subscr cpsb-swb cpsb-ngep CK-D7E7DB6F6812
10.20.100.60     never       cpvp-vps-1-ngx cpvp-vsc-5-ngx+1 cpep-perp cpsb-swb CK-D7E7DB6F6812
10.20.100.60     never       CPSG-VE+8 CPSB-BASE CPSB-FW CPSM-C-2 CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-ADNC CPSB-SSLVPN-5 CPSB-IPS-S1 CPSB-URLF CPSB-APCL-S1 CPSB-AV CPSB-ABOT-S CPSB-ASPM CPSB-CTNT CK-149823EE8135
10.20.100.60     never       CPVP-SNX-5-NGX CPSB-SWB CPSB-ADNC-M CK-149823EE8135
10.20.100.60     never       CPSM-C-5 CPSM-NGSM CPSB-WKFL-5 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPSB-COMP-5 CPSB-COMP-5 CPSB-COMP-5 CPSB-SME-5 CPSB-RPRT-N-C1000 CK-9FDDA77E676A

 

 

0 Kudos