Unable to install policy on gateway
Hello,
I am trying to test CloudGuard deployment along with Gateway Load Balancer in AWS environment. I am following this guide
I have subscribed my account to:
Check Point Security Management - R80.40
CloudGuard Network Security for Gateway Load Balancer - R81.20
which seems to provide "Free trial" and I believe this is my only option to test and try the product. Please correct me if I am wrong.
When I deploy using the provided cloud formation template, I am unable to install any policy on the gateway.
The initial one (autoprovisioned) is failing right after the start of both of the appliances.
The message I got from the SmartConsole and /var/log/CPcme/cme.log is: no valid licenses installed on the gateway.
In addition, I don't see healthy targets in the target group for the GWLB. The reason is obvious: health checks are failing on port 8117.
Should I install any policy to have these checks complete successfully? If yes, why am I unable to?
In addition I don't see anything listening to 6081 - GENEVE.
Any help will be greatly appreciated.
Note an R80.40 management server cannot manage an R81.20 gateway.
Chris is 100% right, you need to fix that first. The rule of thumb for any fw platform out there is that the management entity HAS TO be an equal OR higher version than the gateways managed by it (in CP's case, the jumbo hotfix does not matter though).
Once you fix that, if it still fails, we can help you further.
Andy
I have mixed the versions mentioned. It is actually the opposite:
Check Point Security Management - R81.20
CloudGuard Network Security for Gateway Load Balancer - R80.40
Sorry for the confusion caused.
K, fair enough. If it's telling you no valid licences, you can, just temporarily, put on local eval licenses good for 30 days. Also, if it's complaining about port 8117, maybe check below.
Andy
Hello,
It appears that it is not so simple to subscribe in the AWS Marketplace and expect everything to work. Despite the fact that I had a free trial and used the exact AMI in question, it is still complaining about valid licenses. After several conversations with support and a case opened with them, it seems that I need to contact my local sales representative.
All we wanted was to deploy and test the product, which happens to be not so intuitive...
Show "cplic print" output from both management and GW, please
Management:
[Expert@mgmt-aws:0]# cplic print
Host Expiration Features
1.1.1.1 never CPSM-C-25 CPSM-NGSM CPSB-WKFL-25 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPSB-COMP-25 CPSB-SME-25 CPSB-RPRT-N-C2500 CK-D4-9A-20-EF-C5-04
Contract Coverage:
# ID Expiration SKU
===+===========+============+====================
1 | S2R3W9Q | 1Sep2034 | CPSB-EVNT-25-1Y
+-----------+------------+--------------------
|Covers: CPSM-C-25 CPSM-NGSM CPSB-WKFL-25 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPSB-COMP-25 CPSB-SME-25 CPSB-RPRT-N-C2500 CK-D4-9A-20-EF-C5-04
===+===========+============+====================
2 | D16DWGE | 1Sep2034 | CPSB-COMP-25-1Y
+-----------+------------+--------------------
|Covers: CPSM-C-25 CPSM-NGSM CPSB-WKFL-25 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPSB-COMP-25 CPSB-SME-25 CPSB-RPRT-N-C2500 CK-D4-9A-20-EF-C5-04
===+===========+============+====================
3 | 1336IG2 | 1Sep2034 | CPSB-RPRT-25-1Y
+-----------+------------+--------------------
|Covers: CPSM-C-25 CPSM-NGSM CPSB-WKFL-25 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPSB-COMP-25 CPSB-SME-25 CPSB-RPRT-N-C2500 CK-D4-9A-20-EF-C5-04
===+===========+============+====================
4 | F0Y2F25 | 1Sep2034 | CPES-SS-STANDARD-ADD
+-----------+------------+--------------------
|Covers: CPSM-C-25 CPSM-NGSM CPSB-WKFL-25 CPSB-NPM CPSB-EPM CPSB-LOGS CPSB-MNTR CPSB-MPTL CPSB-UDIR CPSB-PRVS CPSB-COMP-25 CPSB-SME-25 CPSB-RPRT-N-C2500 CK-D4-9A-20-EF-C5-04
===+===========+============+====================
On the gateway itself it says it is a deprecated command.
Are they BYOL or PAYG instances...
Besides the 14-day PNP license, typically there are two flavors that might apply for BYOL depending on how you deployed. Specifically evaluation licenses are available via self-service here: Product Evaluation (checkpoint.com)
The choices are:
- All-in-one eval
- Other > Vsec CloudGuard (VE)
PAYG. This looked like the only viable option, because it seems to provide a free trial.
Strange, PAYG should have the license baked in; that's the whole idea of it.
Of course, that was initially my expectation. And this was a little bit disappointing 🙂
Have you tested with LOCAL eval license?
Andy
I am not really sure what this means... From where should I get this license? I know for sure that I got some licenses while checking them via SmartConsole, and they appeared to be on the device itself. Please note that I am installing with PAYG from the AWS Marketplace. I don't have any other licenses, nor do I know where to get them from.
We tried several things with the support guys, including manually installing contract files and licenses. None of them worked so far. In addition, it is still not clear to me how these instances are getting licensed, having in mind that in AWS they are running in an autoscaling group which dynamically resizes itself. For me it is logical for the instances themselves to have embedded trial licenses, or for the management server to be used as a dynamic distributor for the licenses.
Message me directly with IP addresses and I will get them for you.
Thank you for your help. I have a meeting with the local sales representative and I expect a positive result.
I will let you know for sure.
Hi @Neuromancer,
The CME checks the licence on the management server. In the case of a PAYG, you must transfer the licence from Gateway to the Management Server.
Try the following steps:
1) Start Smart Console and open SmartUpgrade
2) Now get the license from Gateway
Once the licence has been imported to the management server, everything should work.
Is Management R81.20 JHF T26 and is CME up to date?
Being a GWLB deployment what was the rationale for the gateway being R80.40 vs R81.20?
Believe it or not, NO ONE so far has told me that the licenses are based on the IP addresses of the management interfaces.
And in case I want to try the product, I just need an account in the User Center and can generate the license myself.
We followed the link provided along with sales support, and I actually managed to generate licenses and then assign them to the appropriate instances.
However, it is still confusing how the gateways being part of the ASG will get licensed in a prod environment, having in mind that the autoscaling group will terminate and start instances based on the load.
Here is an email from License folks to me last month about right way to do this.
Hope it's a good reference.
Andy
Actual email:
Dear Andy,
Thank you for contacting Check Point Account Services.
--------------------------------------------------
If you are a Licenser or Admin on the machine's account, please follow the below steps in order to license your product:
Please note that this is broken down into 3 stages:
A. Generate the license
B. Install the license
C. Update contracts file
-------------------------------------------------------------------------------------------
A. Generate the license:
1. Login to your UC user > Click "Assets/Info" / "My Check Point" > Click "Product Center" > Select your account(s) from the "Selected Accounts" menu and click Done.
2. Check the box to the left of the line item(s) that require a license generation.
3. Click "License" button that has the key icon.
4. Choose 'Central' license and input the MGMT IP that manages the vSec gateway(s)
5. Complete the rest of the required fields (marked with an asterisk)
6. Click "Activate" button (if re-licensing a product, option will be "Change")
7. Click "Get License Information" and copy the two commands that begin with 'cplic put ...' aside
------------------------------------------------------------------------------------------
B. Install the license:
1. Open SSH to the MGMT in expert mode
2. Paste the command which is labeled "For the Security Management Server"
3. Run the command "vsec_lic_cli on"
4. Run the command "vsec_lic_cli"
5. Choose option 1 (Add license)
6. Paste the command labeled "For the Security Gateway:" without the parts "cplic put" and "[module name]".
Example:
1.2.3.4 never dUy6trBX8-jmVyWKQSX-xzdTkVFVT-76nMEXDks cpsg-ve+8 cpsb-base cpsb-fw cpsm-c-2 cpsb-vpn cpsb-adnc cpsb-npm cpsb-logs cpsb-ips cpsb-av cpsb-urlf cpsb-apcl cpsb-aspm cpsb-abot-s cpsb-ctnt CK-ABCDEF1234567
7. The license should be distributed to the GWs - if not, manage the distribution through the other commands in "vsec_lic_cli"; for more information see:
sk109713
The admin guide:
https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CloudGuard_Central_License_Tool_Admin...
-------------------------------------------------------------------------------------------
C. Update Contracts File:
1. Login to your UC user
2. Click "Assets/Info"/"My Check Point" > Click "Download Contract File".
3. In the section titled "Service Contract File Download", select the Account(s) you need your Service Contract File for.
4. Select "Email File" or "Download Now".
5. Login to SmartUpdate
6. From the menu: select "Licenses & Contracts" > "Update Contracts > "Import File"
7. Browse to the directory where the file is located and click "Open"
8. The file will be added to the respective certificate key(s)
Finally, to verify the file was successfully installed, run 'cplic print -x' on the command line.
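Added example, not Check Point tooling and not from this thread: a small Python checker for the two licence formats quoted above, the `cplic print` rows posted earlier and the "For the Security Gateway" `cplic put` command from step B.6. It strips `cplic put <module>` as that step instructs, and flags the two things the thread turned on, a central licence whose host is not the management IP and an expired one. Sample strings are constructed; the signature, module name and certificate key are placeholders, and the function names are my own.

```python
from datetime import date, datetime
# Constructed samples modelled on the formats quoted in this thread.
CPLIC_PRINT = """Host Expiration Features
1.1.1.1 never CPSM-C-25 CPSM-NGSM CPSB-LOGS CK-D4-9A-20-EF-C5-04
Contract Coverage:
"""
# The "For the Security Gateway" command from the User Center (step B.6);
# the module name, signature and certificate key are placeholders, not real values.
CPLIC_PUT_GW = ("cplic put gw-module 10.0.0.5 1Sep2034 SIGNATURE-PLACEHOLDER "
                "cpsg-ve+8 cpsb-base cpsb-fw cpsb-vpn CK-PLACEHOLDER0000")

def parse_license_line(line, has_signature):
    """Split '<host> <expiration> [<signature>] <features...> <CK-...>'."""
    tokens = line.split()
    host, expiration, rest = tokens[0], tokens[1], tokens[2:]
    # cplic put lines carry a signature token; cplic print rows do not
    signature = rest.pop(0) if has_signature else None
    ck = rest.pop() if rest and rest[-1].startswith("CK-") else None
    return {"host": host, "expiration": expiration, "signature": signature,
            "features": rest, "ck": ck}

def parse_cplic_print(output):
    """Return the rows under 'Host Expiration Features', before 'Contract Coverage:'."""
    rows, in_table = [], False
    for line in output.splitlines():
        if line.startswith("Host "):
            in_table = True
        elif line.startswith("Contract Coverage") or not line.strip():
            in_table = False
        elif in_table:
            rows.append(parse_license_line(line, has_signature=False))
    return rows

def vsec_lic_cli_line(cplic_put_cmd):
    """Drop 'cplic put <module>' so the rest can go into vsec_lic_cli option 1 (step B.6)."""
    tokens = cplic_put_cmd.split()
    if tokens[:2] != ["cplic", "put"] or len(tokens) < 6:
        raise ValueError("expected 'cplic put <module> <host> <expiration> <signature> ...'")
    return " ".join(tokens[3:])

def license_problems(lic, mgmt_ip, today=None):
    """A central licence is bound to the management IP and may expire; report both."""
    problems, today = [], today or date.today()
    if lic["host"] != mgmt_ip:
        problems.append(f"host {lic['host']} is not the management IP {mgmt_ip}")
    if lic["expiration"].lower() != "never":
        exp = datetime.strptime(lic["expiration"], "%d%b%Y").date()
        if exp < today:
            problems.append(f"expired on {exp.isoformat()}")
    return problems
```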
It is important to distinguish whether it is a BYOL or PAYG licence.
@the_rock what you have copied from the administration / license guides is completely correct for BYOL. In this case, I use central licences and distribute them via the vsec_lic_cli tool.
For PAYG, the licence may have to be synchronised with the management server. Unfortunately, this does not work automatically. The easiest way in this case is to synchronise the licence via SmartUpgrade via "get licences".
PS: However, I have already had problems with assigning the contracts to the user account. I would therefore recommend BYOL to everyone.
Ah, that's good to know @HeikoAnkenbrand, thank you for the explanation mate! I always chuckle when I talk to Account Services people and say CP licensing has been complicated for who knows how long; they always agree with that, 'cause it's hard to deny it lol
Though personally, I used local eval license even in Azure, worked like a charm 👍
Kind regards,
Andy
It is in the license guide 🙂
I know for a fact that the recommended way of deploying licenses in the cloud when it comes to CP is the central method, BUT local works as well, as I tested it. Now, as Val asked, if we could see the output of cplic print, it will give us a better idea.
Andy
