2.8. Licenses

2.8.1. Introduction

To use cOS Core in a live environment, a cOS Core license file must be installed on the firewall. Every Clavister firewall requires its own unique license file which is linked to properties of the underlying computing platform.

The purpose of a license file is to define what the capabilities and limitations a cOS Core installation has. Such capabilities include parameters such as the number of VPN tunnels allowed and the maximum number of routing tables.

For full details about license pricing, contact a Clavister sales office.

SECaaS and Non-SECaaS Licenses

There are two types of cOS Core licenses:

  • Non-SECaaS Licenses

    This is the older form of license which is still used on older Clavister hardware products.

    The installation of non-SECaaS licenses is described in Section 2.8.2, License Installation on Clavister Hardware.

  • SECaaS Licenses

    A Security as a Service (SECaaS) license is a subscription based license which does not have a given expiry date. Rather, validity is based on the ongoing maintenance of a subscription. From the 4th quarter of 2021, some Clavister products require a SECaaS license. This includes a new license for cOS Core in all virtual environments and for newer hardware models such as the 100, 300, 500 and 6000 series. This includes a license for the RSG-400.

    SECaaS license management is the same as for non-SECaaS licenses on Clavister hardware products such as the RSG-400 and this is described in Section 2.8.2, License Installation on Clavister Hardware.

    However, the installation and management of SECaaS licenses for virtual firewalls (under VMware, KVM or Hyper-V) is different and this is described in Section 2.8.3, License Installation on Virtual Firewalls.

    Note that a common requirement for all SECaaS licenses is that cOS Core has both Internet access and a public DNS server configured. SECaaS licenses require periodic contact with Clavister license servers and throughput will become limited if this is not available.

    The SECaaS license is also used by a Managed Service Provider (MSP) and is sometimes referred to as an MSP license.

Demo Mode

Without a valid license installed, cOS Core will operate for 2 hours from startup in demo mode (demonstration mode). In this mode a firewall will have full capabilities, just as though a full license were installed. However, note that any subscription based features such as anti-virus scanning and IDP will not function in demo mode.

After 2 hours in demo mode, cOS Core will cease to function normally and it will enter lockdown mode, meaning that all network traffic will be dropped except for management traffic. cOS Core will also output a demo mode expiry message on the local console.

cOS Core must be restarted to enable it for a further 2 hour period and there is no limit on how many times this can be done. To remove the 2 hour limit or disable lockdown mode, a valid license must be installed. This is discussed further in Section 2.8.5, Lockdown Mode.

License Files

A cOS Core license consists of a single license file with filetype .lic. This is a text file that defines all the cOS Core capabilities allowed by the license and it includes a digital signature so that any alteration of the file can be detected.

License files can be opened and viewed in a normal text editor. Alternatively, the license -show command can be used in the cOS Core CLI. Below is an example of an older non-SECaaS license:

Device:/> license -show

Contents of the License file
----------------------------
  Registration key:            1234-5678-9123-4567
  Bound to MAC address:        41-84-93-13-CD-76
  Company:                     My-Company
  Subscription Based License:  NO
  Registration date:           2021-04-09
  Issued date:                 2021-05-05
  Last modified:               2021-05-05 09:22:15
  New upgrades until:          2028-04-09
  Centralized Management:      2028-04-09
  Premium technical support:   2028-04-09
  Hardware replacement:        Yes
  IP Reputation until:         2028-04-09
  Web Content Filtering until: 2028-04-09
  Antivirus service until:     2028-04-09
  IDP Signature service until: 2028-04-09
  Application Control until:   2028-04-09
  DCC until:                   2028-04-09
  Ethernet Interfaces:         6
  Max Connections:             4384000
  Max PBR Tables:              5
  Max Routes:                  512
  Max Rules:                   2000
  Max Throughput:              6200
  Max VPN Tunnels:             1000
  Max VPN Throughput:          4100
  Max GRE Tunnels:             (unlimited)
  Max SSLVPN Tunnels:          1000
  Max VLANs:                   64
  Max HA cluster size:         2
  RADIUS relay:                YES
  User authentication:         YES
  Max PPP Tunnels:             1000
  PPP Clients Available:       YES
  PPP Servers Available:       YES
  IKE Responders Available:    YES
  OSPF Router Processes:       YES
  Multicast:                   YES
  Traffic Shaping:             YES
  Rate Limiting:               YES
  Route Load balancing:        YES
  Route Failover:              YES
  Virtual Hardware:            NO
  Poll Offloading:             YES

The following should be noted about the license contents:

  • The license indicates both the type of the license and its various features, as well as any numerical limitations on different functions.

  • The Centralized Management parameter allows InControl to be used for management of the firewall up until the specified date. After that date, management using InControl will no longer be possible.

  • It will not be possible to deploy configurations that exceed the license limits for a function. For example, the Max Routes parameter controls the maximum number of routes that can be configured.

  • New connections that exceed the value specified for the Max connections parameter will be dropped.

  • IPsec tunnels are subject to restrictions in the license. This affects both the total number of tunnels that can be established (the Max VPN Tunnels parameter) as well as the total throughput for all tunnels (the Max VPN Throughput parameter).

    IPsec tunnel licensing restrictions are discussed further in Section 11.3.25.6, IPsec License Limitations.

  • The Max PPP Tunnels parameter will limit the aggregate total of L2TP and PPTP tunnels.

License Expiry Behavior

The behavior of the firewall when a non-SECaaS license expires is covered by an article in the Clavister Knowledge Base at the following link:

https://kb.clavister.com/324735788

More details on how individual subsystems behave (for example, anti-virus) can be found in Appendix A, Subscription Based Features.

2.8.2. License Installation on Clavister Hardware

Overview

Licenses used on Clavister hardware fall into two categories:

  • Older non-SECaaS licenses on older Clavister products such as the E10, E80B, W20B, W30, W40 and W50.

  • Subscription based SECaaS licenses for newer products like the 100, 300, 500 and 6000 series, as well as the RSG-400.

Regardless of the license type, license management is the same on hardware products. However, SECaaS licenses require the following to be configured in cOS Core:

  • Internet access must be configured in cOS Core.

  • At least one public DNS server must also be configured in cOS Core.

Any of the methods for license installation described in this section can be used with Clavister hardware. After installation of the initial license, the option also exists for automatic license updates where licenses can be automatically downloaded by cOS Core from the Clavister server.

License Installation with Zero Touch

A special case for license installation exists for certain hardware models when using the zero touch feature with the InControl management product. Zero touch allows certain hardware models to automatically come under InControl control as soon as they are connected to the Internet. This also means that their cOS Core license is automatically installed.

The zero touch feature is not discussed further in this guide. It is described in detail in a dedicated chapter of the separate InControl Administration Guide.

MyClavister Registration is Required

For both hardware and virtual firewalls, the administrator must first register as a user on the Clavister website by going to https://my.clavister.com.

After MyClavister registration, the appropriate cOS Core license will become available for download from the MyClavister server when the identifying codes on the casing of a Clavister hardware model are registered on MyClavister. This can be done either manually by a user logged into MyClavister, or automatically by cOS Core.

Installing a cOS Core License for Clavister Hardware Products

For a Clavister hardware product, the following license installation options are available. Note that none of the methods below that begin with "Automatic" in the heading require manual registration of the hardware product on the Clavister website.

  • Automatic installation through the Web Interface Setup Wizard

    When cOS Core is started on a Clavister hardware product for the first time, a Setup Wizard runs that leads the administrator through a number of steps to simplify such tasks as enabling Internet access.

    The last few optional steps in the setup wizard allow the automatic retrieval across the Internet of a license for the hardware. This requires only that the username and password of the relevant MyClavister customer account is entered. If these last setup wizard steps are skipped, a license can be installed later in a separate operation, which is described next.

    Note that the setup wizard steps are described in detail in the separate Getting Started Guide for each hardware product.

  • Automatic installation through the Web Interface

    If linking with MyClavister and downloading of a license was not done using the Setup Wizard (described above), then this linking can be done later using the following steps:

    1. In the cOS Core Web Interface, go to Status > Maintenance > MyClavister.

    2. Enter the MyClavister username and password credentials for the relevant user account.

    3. Press the Login button followed by the Activate button to establish the link with the Clavister server.

    4. Go to Status > Maintenance > License in the Web Interface and press the Download button. The correct license will be fetched automatically across the Internet and installed.

      Note that the Upload button on the same web page is only used to upload a license file that was already on the local disk of the management computer.

  • Automatic installation through the CLI

    Use the following command in the cOS Core CLI:

    Device:/> license -activate -request -username=myname -password=mypass

    The customer username and password are included in the command so the license can be fetched automatically across the Internet. It is then necessary to manually enter the reconf or shutdown command to complete installation. The shutdown command is recommended as this restarts the firewall.

  • Manual installation through the Web Interface or using SCP

    Installing a license manually consists of the following steps:

    1. In a web browser, go to https://my.clavister.com and log into the relevant MyClavister account.

    2. In MyClavister, go to Licenses > Register License.

    3. Select the option Register by Service Tag and Hardware Serial Number.

    4. Enter the Serial Number and Service Tag codes. For Clavister hardware products, these codes are found on a label on the unit. This will cause a new license to be generated and stored on the website. This license will appear in the user's license list on the site.

    5. Download the license to the management computer's local disk by clicking on it in the license list.

    6. In the cOS Core Web Interface, go to Status > Maintenance > License and press the Upload button to select the license file from the local disk. Following upload, cOS Core will ask if a reconfigure or restart should be performed to activate the new license. A restart is recommended.

      Alternatively, upload the license file using SCP. cOS Core will automatically recognize an uploaded license file but it is still necessary to manually perform a reconfigure or restart operation to complete installation. A restart is recommended.

[Note] Note: Fetching licenses requires Clavister website access

When cOS Core communicates with the Clavister server, it first performs a DNS lookup of www.clavister.com and then opens a connection to the returned IPv4 address using port 80. Any network equipment that is located between the Clavister firewall and the Internet must permit this connection.

[Important] Important: A restart is recommended after installing a license

Some license changes, such as increasing the number of allowed VPN tunnels, change memory requirements and will not take effect until after cOS Core is restarted. Restarting will disrupt traffic flows but is recommended in order that all license parameters become active. If only a reconfiguration operation is performed, not all license parameters may come into effect although this does not disrupt traffic.

When installing a license through the Web Interface or when using the startup wizard, the options to restart or reconfigure are presented to the administrator. With the CLI and SCP, these options are not presented and restart must be initiated by the administrator.

For restarting via the Web Interface, go to Status > Maintenance > Reset & Restart. With the CLI, use the command:

Device:/> shutdown -reboot

How to Perform SCP License Uploading

When a license file needs to be uploaded to the firewall, SCP can be used.

Only one license file can exist on the Clavister firewall. The name of the file is not mandatory, and neither is the location since cOS Core will detect the file by examining its contents. By convention, the license file should be called license.lic and it should be uploaded to the top level of the cOS Core directory structure.

Under Linux the SCP upload command to a firewall called fw_name might be:

> scp license.lic user@fw_name:

Under Microsoft Windows, the SCP upload would be performed using an appropriate SCP utility. For example, when using the PuTTY tool under Windows, the command line would be of the following form:

> pscp -scp -pw <pswd> <file-name.lic> admin@<IP-address>:

2.8.3. License Installation on Virtual Firewalls

For cOS Core running in a virtual environment (such as VMware, KVM or Hyper-V) a subscription based Security as a Service (SECaaS) license must be installed and the installation procedure differs from installation on Clavister hardware.

The following should be noted for SECaaS license installation on a virtual platform:

  • The first time the SECaaS license is installed, it must be done manually.

  • SECaaS licenses require Internet access by cOS Core.

    Internet access is required for SECaaS license installation, as well as for continuously verifying and updating licenses. cOS Core must also have a public DNS server configured for the resolution of FQDNs.

  • Updates to the original license are installed automatically across the Internet and this is enabled by default.

Registering the SECaaS License on MyClavister

Before the SECaaS license becomes active, it must first be registered in the relevant MyClavister account. This requires the following steps:

  1. Go to the Clavister website and log into MyClavister.

  2. Select Register new license.

  3. Select the License Number and SECaaS ID option.

  4. Enter the license number and SECaaS ID for the license (these codes are supplied by Clavister).

  5. Press Register License.

An Older Non-SECaaS License Must First Be Deleted

If an older, non-SECaaS license is already installed, it must be deleted using the command:

Device:/> license -remove

This should be followed by the reconfiguration command:

Device:/> reconf

Installing the SECaaS License

Following registration and the deletion of any non-SECaaS license, the SECaaS license can be installed by automatically downloading it from the license server to cOS Core. This can be done with either the Web Interface or the CLI:

  • Installation with the CLI

    Enter the following CLI console command either remotely via SSH or locally using the firewall console:

    Device:/> license -secaas_add <secaas-system-id> <secaas-reg-key>

  • Installation with the Web Interface

    Open the Web Interface for the firewall and go to: Status > Maintenance > License. Enter the SECaaS system identifier and registration key, then press Register.

Note that installation steps for a SECaaS license in a virtual firewall, along with an example console session, are included in an article in the Clavister Knowledge Base at the following link:

https://kb.clavister.com/336145229

Deleting a SECaaS License

If the SECaaS license is to be deleted on a virtual firewall, the steps are the following:

  1. Disconnect cOS Core from the Internet, otherwise cOS Core may automatically reinstall the license.

  2. Enter the CLI console command:

    Device:/> license -remove

  3. Perform a reconfiguration operation with the command:

    Device:/> reconf

  4. After the reconfiguration operation completes, enter the command:

    Device:/> license -secaas_remove

  5. cOS Core will now automatically restart without the SECaaS license and SECaaS functions present.

SECaaS License Verification and Updating

Once a SECaaS license is installed, cOS Core will check every 4 hours that the license is valid and also check for any license updates. It does this by contacting the Clavister Service Provider Network (SPN) across the Internet.

If a newer license is found, cOS Core will download it and install it immediately. If verification fails the firewall will enter lockdown mode and only management access will be possible. A verification failure might be caused by license expiry, a faulty license file or a blacklisted license.

SECaaS Licenses with High Availability

When SECaaS licenses are used in a high availability (HA) cluster, both firewalls in the cluster must have an appropriate SECaaS license installed and both will independently try, like a standalone firewall, to contact the Clavister license server to verify the installed license.

However, a difference with HA is that if one of the cluster peers fails to make contact with the license server, it will query the license status of the other peer in the cluster. If the other peer has had its SECaaS license verified then it too will become verified.

Reduced Functionality Mode

If cOS Core with a SECaaS license cannot contact the Clavister SPN for a grace period of 2 weeks, it will enter reduced functionality mode. This mode means that cOS Core operates as before but with the following restrictions:

  • The maximum total throughput of the firewall becomes 1 Mbps.

  • All log message generation is disabled except for log messages related to licenses.

Note that reduced functionality will also be entered if the license validity date expires during the 2 week grace period.

2.8.4. License Updating on Clavister Hardware

Updating an installed non-SECaaS license with a new one may be required because of license expiry or a change in the capabilities allowed by a license such as, for example, increasing the throughput limit or the total number of allowed connections.

There are two methods for updating installed licenses:

  • Manual Updating

    The existing license can be replaced with a new license by first downloading the license file from the Clavister website and then uploading it to the firewall using the Web Interface or SCP. Uploading the new license will automatically overwrite the old license.

    The steps for a manual update are the same as the steps used for the manual license installation described above in Section 2.8.2, License Installation on Clavister Hardware.

  • Automatic Updates

    Provided that it has Internet access, cOS Core will periodically check if a new license is available for download from the Clavister license server. If a new license becomes available, cOS Core will generate an alert for this in the Web Interface. After opening the alert, the administrator must then confirm that the new license should be automatically downloaded and installed.

    The automatic update feature is available with all Clavister hardware models as well as with virtual firewalls running in any of the supported virtual environments. Enabling the feature is described next.

Enabling Automatic Updates

For the automatic update feature to function, the administrator must have created a link between the firewall and the Clavister website at some point in time. This can be done in one of the following two ways:

  • In the Setup Wizard

    The link can be established as one of the last steps in the cOS Core setup wizard. The wizard runs automatically as a pop-up window when the Web Interface is opened for the first time for a Clavister hardware device. In the step after the wizard's configuration activation step, the administrator can optionally enter their login credentials for the Clavister website. This establishes the link between the hardware and the website and does not need to be repeated later.

    Note that this option does not exist for cOS Core running in a virtual environment. The link can only be established after the initial license has been installed manually.

  • After cOS Core Has Initialized

    If the link with the Clavister website was not established with the setup wizard (and this will be the case with cOS Core running in a virtual environment) then it can be established later in the Web Interface by going to Status > Maintenance > My Clavister and entering the login credentials for the Clavister website.

    Alternatively, the following CLI can be used instead of the Web Interface:

    Device:/> license -myclavister -username=myuser -password=mypass

License Update Alerts

Even if automatic license updates have not been enabled, cOS Core will check if a license update is available at the following times:

  • When the login credentials are entered in the MyClavister page in the Web Interface.

  • Automatically, every time the administrator logs in to the Web Interface.

  • When the Check button is pressed on the license page of the Web Interface.

If cOS Core detects a license update is available from the Clavister servers, the following alert will appear in the Web Interface:

Figure 2.7. License Update Alerts

As stated above, the check for new license availability can be done without establishing the link with a MyClavister account. However, actually downloading and installing the license automatically is not possible without this link.

Initiating the License Update

Clicking the link in the license update alert will open the Web Interface license page. Provided the link with the license server has been previously established by entering the Clavister website login credentials, the Download button on the license page can be pressed to initiate the installation.

Restarting the firewall following installation is not required but is recommended. It may be necessary to reconfigure cOS Core correctly for any changes in the system's capabilities (for example, if the connection limit has increased).

Disabling Automatic Updates

If it is required to disable automatic updates then the link between the firewall and the Clavister website must be disabled. This is done by going to Status > Maintenance > My Clavister in the Web Interface and selecting the Logout option.

Alternatively, the same operation can be performed in the CLI with the following command:

Device:/> license -myclavister -disconnect

Downloading New Licenses with the CLI

There is no such alert capability in the CLI. However, providing the link between the device and the Clavister website has already been established, the following command can be entered to download and install any available license:

Device:/> license -downloadlicense

The Choice Between Restart and Reconfigure

As with installing a license for the first time, a restart of cOS Core after installing a license update is recommended so that the system is correctly configured for any changes in the license capabilities.

However, if the disruption to traffic flow caused by a restart is not desirable, a reconfigure operation can be performed instead. This will implement any license parameter changes but will not reallocate any memory that such changes might require for optimum performance. An example of a license change where a reconfigure is well suited is a change in validity dates, since this would not affect memory allocation in the firewall.

New License Property Changes/Deletions

It is possible that when a new cOS Core license is examined after it is downloaded, some property changes and/or deletions may be noticed. The reasons for this are discussed in a Clavister Knowledge Base article at the following link:

https://kb.clavister.com/324735695

2.8.5. Lockdown Mode

cOS Core will enter a state known as Lockdown Mode if certain conditions occur. While in lockdown mode, only management traffic is allowed by the firewall and all other traffic will be dropped (local console access is still possible). Unlike the two hour time limit of Demo Mode, there is no time limit with lockdown mode.

Causes of Lockdown Mode

Conditions that trigger lockdown mode include the following:

  • The two hour demo mode has expired when no license is present.

  • Using the license on the wrong hardware.

  • An invalid license file signature.

  • Uploading a new revision of cOS Core when the New upgrades until parameter in the license file has passed.

  • A shared IPv4 address in an HA cluster has been set to the value 0.0.0.0.

  • The license is in some other way invalid.

Ending Lockdown Mode

When lockdown mode is entered, the condition can be terminated by installing a valid license or removing the configuration violation that triggered the condition. Removing the current license will cause cOS Core to enter the 2 hour demo mode from lockdown mode. This might be necessary to allow traffic to flow to the Internet in order to download a new license file.

If a valid license is not available then cOS Core needs to be restarted to end lockdown mode and this will begin another 2 hour demo mode period.

2.8.6. Licensing Issues

Behavior After Exceeding License Limits

When the administrator tries to change the cOS Core configuration in such a way that it exceeds the limitations of the current license, it will not be possible to deploy the configuration. This means that there is no disruption to live traffic if license parameters are exceeded.

This is similarly true when restoring a backup with a configuration that exceeds the limitations of the installed license. cOS Core will detect if the restored configuration exceeds any license limits and revert to the old configuration if it does.

The cOS Core objects that are subject to this behavior are as follows:

  • IPsecTunnel
  • L2TPClient
  • L2TPServer
  • L2TPv3Server
  • PPPoETunnel
  • SSLVPNInterface
  • RoutingTable
  • GRETunnel
  • VLAN

The behavior of IPsec is controlled by the license parameter PROP_TUNNELS. This limits the total number of IPsecTunnel objects that can be created but also how many live IPsec tunnels can be opened across the system. In a roaming clients situation, a single IPsecTunnel object could have thousands of tunnels associated with it. If an attempt is made to set up a tunnel so that the total number of IPsec tunnels across the system exceeds the PROP_TUNNELS limit, the attempt fails and a log message is generated to indicate the license limit is exceeded.

If present, the PROP_PPPTUNNELS license parameter controls the combined total number of L2TPClient, L2TPServer, L2TPv3Server and PPPoETunnel objects that can be created. If PROP_PPPTUNNELS is not specified in a license, the value defaults to the same value as PROP_TUNNELS.

The number of Route and IPRule objects is not subject to license restrictions although, for backward compatibility, these still appear as license parameters.

[Warning] Warning: More restrictive licenses can cause lockdown

If a more restrictive license is loaded into cOS Core so that the existing number of an object type exceeds the limit of the new license, this will cause lockdown to occur. This situation must then be resolved by either the administrator reverting to the old license or editing the configuration to reduce the number of objects to be within the limits of the new license.
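The license limits described in the License Files part of Section 2.8.1 and the lockdown warning above can be checked in advance. The following is an added example (not Clavister code): it parses the key/value lines printed by license -show and compares a configuration's object counts against the numeric limits, so that a more restrictive license can be spotted before it is loaded. The mapping from license labels to object types is an assumption based on this section's descriptions, and the sample output is constructed from the manual's placeholder values.

```python
"""Check a cOS Core license (as printed by 'license -show') against a
planned configuration.  Added example, not Clavister code.  The label to
object-type mapping is an assumption derived from the manual's text."""
import re
from datetime import date

# Constructed sample, taken from the manual's placeholder output.
SAMPLE_LICENSE = """\
Contents of the License file
----------------------------
  Subscription Based License:  NO
  Last modified:               2021-05-05 09:22:15
  New upgrades until:          2028-04-09
  IDP Signature service until: 2028-04-09
  Antivirus service until:     2028-04-09
  Max Connections:             4384000
  Max PBR Tables:              5
  Max Routes:                  512
  Max VPN Tunnels:             1000
  Max GRE Tunnels:             (unlimited)
  Max SSLVPN Tunnels:          1000
  Max VLANs:                   64
  Max PPP Tunnels:             1000
  Multicast:                   YES
"""

LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?):\s+(?P<value>.+?)\s*$")

def parse_license(text):
    """Return {label: value}; value is int, None for '(unlimited)',
    bool for YES/NO, date for ISO dates, otherwise the raw string."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # title and separator lines
        key, raw = m.group("key"), m.group("value")
        if raw == "(unlimited)":
            fields[key] = None
        elif raw in ("YES", "NO"):
            fields[key] = raw == "YES"
        elif re.fullmatch(r"\d{4}-\d{2}-\d{2}", raw):
            fields[key] = date.fromisoformat(raw)
        elif raw.isdigit():
            fields[key] = int(raw)
        else:
            fields[key] = raw             # keys, MAC, timestamps
    return fields

def expiring_services(fields, today, within_days=30):
    """List (label, days_left) for every '... until' date that has
    expired or expires within `within_days` of `today` (ISO string or
    date), sorted soonest first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    out = [(k, (v - today).days) for k, v in fields.items()
           if k.endswith("until") and isinstance(v, date)]
    return sorted((kv for kv in out if kv[1] <= within_days),
                  key=lambda kv: kv[1])

# Assumed mapping from license labels to the license-limited object
# types the manual lists.  Route and IPRule are left out on purpose:
# the manual states their counts are not enforced.
LIMIT_MAP = {
    "Max VPN Tunnels":    ("IPsecTunnel",),
    "Max PPP Tunnels":    ("L2TPClient", "L2TPServer",
                           "L2TPv3Server", "PPPoETunnel"),
    "Max SSLVPN Tunnels": ("SSLVPNInterface",),
    "Max PBR Tables":     ("RoutingTable",),
    "Max GRE Tunnels":    ("GRETunnel",),
    "Max VLANs":          ("VLAN",),
}

def limit_violations(fields, object_counts):
    """Return [(label, configured, licensed)] for each exceeded limit,
    i.e. where a deployment would be refused or, if `fields` is a new,
    more restrictive license, where loading it would cause lockdown."""
    violations = []
    for label, types in LIMIT_MAP.items():
        limit = fields.get(label)
        if limit is None:                 # absent or "(unlimited)"
            continue
        count = sum(object_counts.get(t, 0) for t in types)
        if count > limit:
            violations.append((label, count, limit))
    return violations

if __name__ == "__main__":
    lic = parse_license(SAMPLE_LICENSE)
    planned = {"IPsecTunnel": 1200, "L2TPServer": 2, "PPPoETunnel": 1,
               "RoutingTable": 5, "GRETunnel": 40, "VLAN": 70}
    for label, count, limit in limit_violations(lic, planned):
        print(f"{label}: configured {count} exceeds licensed {limit}")
    for label, left in expiring_services(lic, "2028-03-20"):
        print(f"{label}: {left} days left")
```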

Ensure the Maximum Connections Parameter is Adequate

The cOS Core license file specifies the maximum number of concurrent traffic connections that cOS Core will allow. This is the parameter Max Connections in the file. It is important to have the appropriate value for this parameter so that it is never exceeded. If the setting DynamicMaxConnections is enabled then this license maximum will be used as the maximum allowed.

If the connection limit is exceeded then a connection_table_full log message is generated and the action specified by the advanced setting Connection Replace is followed. By default, this action is ReplaceLog which means that the oldest connection is dropped by cOS Core to allow the new connection to succeed.

Both the Max Connections and Connection Replace settings are discussed further in Section 14.4, State Settings. Note that any changes to the maximum allowed connections should be done with a minimum of live traffic. This is because a change may cause the connection table to be reinitialized so that all current connections are dropped and this will happen as soon as the configuration change is activated.

Replacing Hardware

If the hardware unit is replaced with another unit but the same license is to be used, the same procedures should be followed for installing the license in the new unit. The separate Hardware Replacement Guide covers this topic in detail.

License Swapping with the Cold Standby Service

Clavister customers can choose to make use of a facility called the Cold Standby (CSB) Service. This provides a duplicate hardware unit on customer premises to quickly replace a faulty unit. In this case, the license on the faulty hardware can be quickly transferred to the CSB unit through a special option on the Clavister website.

The CSB service and the CSB license swapping procedure are described fully in a dedicated chapter of the separate Hardware Replacement Guide.

HA Cluster Licensing

In a cOS Core High Availability Cluster, two identical licenses must be purchased, one for the master and one for the slave unit. Both licenses must include the ability to allow HA clustering.

[Important] Important: Use the correct license for hardware products

It is important to always use the correct license file for a Clavister hardware product.

If licenses are not matched correctly to the product, complex administrative problems can arise later which can cause delays in rectifying problems.