Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
T_L
Contributor
Jump to solution

SMB Licensing - Manual vs. Automatic

Greetings!

I have an SMB licensing question I am hoping someone may be able to shed some light on! 

We have a large-ish group of SMB gateways (1400s and 1500s) that have been deployed for a few years - fully licensed -- running R77.20 - centrally managed with management station on R81.10.

The SMB GWs are configured to talk to the management station and the Mgmt station is globally configured to automatically connect to the CP User Center for licenses/ contracts/ etc.  No issues there.

We recently renewed our support/ licensing with CP -- they updated our account info - and the GW objects in our management station are showing that our GW licenses are good through 4/24.

But the GWs themselves are showing that the licenses are expired.  Pushing policy to the GWs does not fix this. We can allow the GW to go out to the UC and MANUALLY re-activate the license -- takes about 3 seconds - good to go. BUT, these GWs are not configured to reach out externally - we need them to get the licensing from the Mgmt station.

We verified that the licensing and contracts file on the Mgmt station is up to date - but the GWs don't seem to pull it and the Mgmt station does not seem to push it.

We have been working with TAC and they are telling us the ONLY way to do this is by manually logging into each GW and manually re-activating each one?! All the docs indicate that this should be an automatic process -- Smart Update even prompts us that it is supposed to be automatic or can be done from the Gateways/ Servers -- licenses tab.

What are we missing?

*Our SMB platform does not support pushing this via script from the Mgmt station.

0 Kudos
(1)
1 Solution

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend

SMB / Embedded GAiA licenses differ from CP GAiA GW / SMS licenses - you can see they are named ActivationFile.xml and not CPlicenseFile.lic. Why is no scripting available ? Most simple way to activate a license is from SMS using:

# cprid_util -server $gw -verbose rexec -rcmd clish -c "fetch license usercenter"

If there is no internet connection, you have to manually download the ActivationFile.xml from UserCenter and install it (after transfering it to the SMB over SCP) using the above with

fetch license local file <path>

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
7 Replies
G_W_Albrecht
Legend Legend
Legend

SMB / Embedded GAiA licenses differ from CP GAiA GW / SMS licenses - you can see they are named ActivationFile.xml and not CPlicenseFile.lic. Why is no scripting available ? Most simple way to activate a license is from SMS using:

# cprid_util -server $gw -verbose rexec -rcmd clish -c "fetch license usercenter"

If there is no internet connection, you have to manually download the ActivationFile.xml from UserCenter and install it (after transfering it to the SMB over SCP) using the above with

fetch license local file <path>

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend Legend
Legend

Unsupported: Copy the license string from ActivationFile.xml  and install using cplic put 😎

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
T_L
Contributor

Thank you!

In our testing when we HAVE allowed a direct Internet connection, we still seem to have to manually click the re-activate button for anything to happen?  We allowed a group of one dozen to connect to the Internet for a 24 hr period -  they all received their automatic Threat Prevention updates and successfully fetched policy automatically - but there was no change in License status. When we manually  clicked the re-activate tab on half of them they update within seconds.

We have no issues getting the licenses installed manually - we have over 250+ SMB GWs and were just hoping there was a more efficient way then doing each one individually.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

You are using SmartLSM ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
T_L
Contributor

We are not currently using SmartLSM.  We originally worked with our sales engineer and TAC and they recommended not using it - Just straight up individual, manual  configuration. 

0 Kudos
G_W_Albrecht
Legend Legend
Legend

I do not have to understand that 😎 I am with the admin guide:

  1. There are two types of centrally managed deployments:

    • Small-scale deployment - Where you configure between 1 and 25 Check Point Appliance gateways using SmartDashboard. Then you can manage device settings from SmartProvisioning.

    • Large-scale deployment - Where you configure over 25 Check Point Appliance gateways using a SmartLSM profile and SmartProvisioning or a configuration file that is stored on a USB drive.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
T_L
Contributor

We are not using Smart Provisioning or SmartLSM.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events