Hi Dameon,

Will the last policy not work either?
I'm interested in Anti-Virus, Anti-Bot, URL Filtering and Anti-Spam.

No, enforcement on those blades will cease once the contract expires.

Hello PhoneBoy,

I have a question, If my unit expired license (Application Controll and URL Filltering), Can I used object Custom Applications/Sites?. Behavior my unit expired the license (Application Controll and URL Filltering) when I use Object Custom Applications/Site? Is it possible to block the web?

Example: My unit haven't the license (Application Controll and URL Filltering), and I want block website: Facebook and youtube, can I use Custom Applications/Site ?

A valid license is required per sk56300 and there is no longer a grace period without eval licenses.

FQDN/Domain objects in the access (Firewall) policy are a different option depending on the use case.

Blade's relevant object defined on a layer while the blade's contract is expired will just not be matched (all blade's relevant rules will be filtered out).

E.G:

Rule 1: Src: Any Dst: Any App: Skype Action: Drop

Rule 2: Src: Any Dst: Any App: Any Action: Accept

In case Application contract is expired rule 2 will always be matched.

Hope that clears things out.

So, just to be clear, if you have these rules in unified policy:

1. I will lose WebUI and SSH access to the gateway

2. I will lose Internet access from Net_192.168.7.0

And if I have it in sequentially processed App Control and URLF policy, same thing will happen, unless I have duplicate rules in Firewall policy allowing this traffic, but with "Internet" object replaced with either "All-Internet", "ExternalZone" or "Any"?

HTTP and SSH do not rely on Application Control signatures, so will not be impacted by an expired App Control license.

The inline layer in your example does not contain any application. So you will not lose internet access.

The only thing you will lose in this example is the application logs for connections matching rule 10.1.

Oh ok.

They'll be treated as firewall rules.

It's entirely possible you'll also get an error on pushing policy in this situation as well. 

Hi Dameon.

After going through the discussion, I can understand that after the license & contract expire App Control and URL filtering blade will be disabled and as you say there will be no enforcement of that blade's security policy.

I have small query like do we able to push the policy package or we get the error and policy installation fails ?

We can only able to push the policy after disabling the rules related to specific blade ?

Regards,

Jaspal Singh

You will definitely get an error message when you push policy in this case.

However, it should allow the policy push, but the relevant rules won't work. 

Dear Fellow Gentaleman's,

My MDS License & Contract will expired in this month but the VSX attached to this MDS is having license upto Dec-2019. So I have some queries regarding this issue::

1. If my MDS Contract will pass the grace period so can I able to open Smart Domain Manager  or Smart Dashboard of any of my CMA after expiring the contract or not?

2. if it will open thereafter too so can I able to push the policy to the security gateways or not?

3. I think the Relevant Blades like IPS, Anti Bot, Antuvirus will not work so I will disable those blades earlier too, am i right?

4. Is there any way to take backup of the topology like details of Groups, Network Objects, Host Objects & in all whole topology before passing the grace period too., Please suggest me.

Thanks & Regards,

Saurabh/Gaurav

Our contracts expired a few days ago, we are awaiting for the renewal PO to get pushed through now. 

Thought it important to note that we are unable to install policy at all. It says the URL filtering blade has been deactivated and the policy push fails immediately.  We're on the latest take of R80.30.

Unfortunately, we had a similar situation with R77.30 a few years back and were able to install policy without issue then.

Seems like it. Our VAR recommended that as well, but also said they should have our renewal through today, so we decided to wait. Thanks for the quick response!

Can an evaluation licensed be applied over top of an expired license though or does the OS have to be reloaded first?

Yes you can apply an Eval license over an expired license without reinstalling.

Only consideration is if you are running the software on open server. When you unlock the number of cores available by applying an eval licence, a reboot is required. 

Good catch!
Hopefully this will also be in R80.40/R81 for those customers that need it.

Look like the change is in Take 82 for R81 as well.