This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Phil_Leinster
Participant
‎2018-12-06 05:45 AM

Finding Mobile Access concurrent user license level

I need to know what the maximum number of MAB VPN users are able to connect simultaneously for planning purposes.

I know the command 'fw tab -t userc_users -s' can tell me the high watermark of connected users under the #PEAK field, but I cannot seem to find a way to show the maximum number of users that can connect.

I am also aware that within the SmartUpdate I can see the licenses attached to each machine and if I manually look through the non-user friendly descriptions of each I can tally up the number of users, however this seems very prone to error and non-authoritative.

How can I reliably find the current licensed maximum number of Mobile VPN users?

TIA

8 Replies
JozkoMrkvicka
Authority
Authority
‎2018-12-06 01:03 PM

Every kernel table has limit set.

Try to check limit for this table without -s at the end.

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-06 04:25 PM

cplic print -p will expand all the various macros in your license.

That will be the definite answer.

0 Kudos
Phil_Leinster
Participant
‎2018-12-07 02:29 AM

Thank you for your replies.

I'm not sure how to interpret the output of 'fw tab -t userc_users' without the '-s', but it doesn't seem to show maximum VPN count, but the output looks to be truncated as it ends with '...(19 More)'.

From the output of ''cplic print -p' it looks to be similar to what can be seen in SmartUpdate. The output from this command is not particularly easy to parse and seems rather cryptic. For this is it a matter of adding up all the numbers following SSLVPN or should I be counting the cvpn50users that are listed against different hostnames? What happens if there are SSLVPN licenses listed that have an expiration date in the past? 

For example on another vendor's firewall I can get the following output that is not ambiguous in any way and gives me a maximum number:

Other VPN Peers : 2500 perpetual
Total VPN Peers : 2500 perpetual

Follow-up question: How can I authoritatively know what the cryptic license names mean and what features are licensed? Is it possible to tell which features are licensed but not used? Is there is licensing guide that contains a comprehensive list of license names and their function, not just for VPN? I am aware of this official guide, but it isn't very useful. For example there is no mention in the CPSB-SSLVPN licenses that we're talking about here.

Thank you!

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-07 06:43 AM
In response to Phil_Leinster

Expired licenses or licenses for other hosts won't count, but if you see a feature string that says cvpnXusers, then that's what you're licensed for.

Some of the crypticness of cplic print -p relates to the fact that there are features that have been there for quite some time, some of which we used to sell separately (but don't anymore).

$CPDIR/conf/cp.macro can help you decipher some of those features.

Account Services can also tell you (in plain english) as well.

0 Kudos
Phil_Leinster
Participant
‎2018-12-10 06:10 AM
In response to PhoneBoy

Thanks Dameon,

Just to make sure I understand should I tally all the cvpnXusers entries, or is the highest numbered instance of X the maximum number of users?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-10 08:18 AM
In response to Phil_Leinster

As far as I know, the licenses are NOT additive, so use the largest one.

0 Kudos
John_Fenoughty
Collaborator
‎2018-12-11 12:11 PM
In response to PhoneBoy

I have always found this a bit clunky and inaccurate, I too have wondered about whether these were additive or not.

I'm currently having a problem with licensing on a Mobile VPN that may be a newly created problem since R80.10 Jumbo 154. While investigating I observed this in the GUI:

If you go to Gateways & Servers, Ensure it is on 'general', then the little 'OK' by licence status is a clickable link, this leads to this window displaying exactly what Phil was asking for. Not a number that includes supposition, addition (or not) and deciphering SKUs but an actual count of used and available licences on the gateway.

I bet this is accessible through the 'licensing' dropdown somehow too. What is the CLI to show this? Who knows.

What this clearly shows though, is that our previous (mine included) supposition that the licences are not additive is not correct - they are. This licence is for a 50 and a 5 (the five being the as shipped one.)

What is also new (as far as I can tell) is the fact that the license count hits the secondary at the same time as the primary, I can see why but in this case (and any other where an old SNX licence was upgraded and only one gateway in a cluster has the licence - because it used to reside on the management server and now resides on the gateway will have a problem like this (this is the secondary in this cluster)

This was demonstrably NOT a problem until very recently! The secondary only got involved during a fail-over scenario. I know we need to buy a licence for the HA member, that's not really the point.

Phil_Leinster
Participant
‎2018-12-12 12:22 AM
In response to John_Fenoughty

Wow!

One more reason to push that upgrade forward!

Thank you!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events