Thank you very much! Is it possible to unload licenses via Smart Update?

You can uninstall / delete licenses via Smart Update from GW and/or SMS. But you shuld always be able to download a copy of the last generated license from your Product Center:

You can easily copy the two license strings!

Would indeed use this as a source to make a 'copy'

If you buy a new license it will end up there and you assign it to the relevant system. Then you place the license on the box itself. 

If you are there, not only backup license but also contract files (for example, is used for IPS updates). 

You can't really use central licenses with Maestro or ElasticXL, since the management server sees the whole collection of members as a single object. It can't see them separately, so it can't license them separately.

You can always get the license from a box using cplic print -x, like so:

[Expert@DallasticXL-s01-01:0]# g_all "cplic print -x | egrep '^([0-9\.]{3}|Host)'"
1_01:
Host             Expiration  Signature                             Features            
192.0.2.1        never       s9fOdEmd0P70idPRmk0P1outtdw036hocgvg	CPAP-SG360X CPSB-FW CPSM-C-2 CPSG-C-4-U CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS CPSB-URLF CPSB-APCL CPSB-AV CPSB-ABOT-L CPSB-ASPM CPSB-CTNT CK-00-1C-7F-AB-CD-EF
1_02:
Host             Expiration  Signature                             Features            
192.0.2.2        never       AcAKEmP7O57PdgGYo4zVdYtOdI94S0DjkJA3	CPAP-SG360X CPSB-FW CPSM-C-2 CPSG-C-4-U CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS CPSB-URLF CPSB-APCL CPSB-AV CPSB-ABOT-L CPSB-ASPM CPSB-CTNT CK-00-1C-7F-AB-CD-F0

I've faked the signature and redacted the MAC, but that shows the general form. You can then convert the license to a cplic put command like so:

cplic put <Host> <Expiration> <Signature> <Features>

To give a specific example using the first fake license from above:

cplic put 192.0.2.1 never s9fOdEmd0P70idPRmk0P1outtdw036hocgvg CPAP-SG360X CPSB-FW CPSM-C-2 CPSG-C-4-U CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS CPSB-URLF CPSB-APCL CPSB-AV CPSB-ABOT-L CPSB-ASPM CPSB-CTNT CK-00-1C-7F-AB-CD-EF

Edit: I forgot to mention that this is only useful for restoring the license to exactly the same box (e.g, after wiping with ISOmorphic). This will not work for replacing a failed system. A replacement system will have its own license which you will need to use for it.

The https://support.checkpoint.com/results/sk/sk180461 suggests for R81.20 and higher to Use a Security Group Management IP for the License - All Security Group Member (SGMs) in the Security Group have the same Management IP.

Basic installation instructions can be found here: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_ScalablePlatforms_AdminGuide/Conte...

That's how I originally licensed these boxes, but apparently ElasticXL members can relicense themselves on their own.

I got the boxes secondhand for lab use, so I can't license them directly. I went to significant trouble building each member as a non-clustered firewall with the address I intended to use for the ElasticXL cluster, let them license themselves, and copied the licenses off before rebuilding them as ElasticXL members with the address. Within a day, they had removed the licenses I added and generated new ones with the sync addresses.