Overview
To use the Clavister NetShield Firewall in a live environment, a license file must be deployed to the Clavister NetShield Firewall and associated with the configuration. The purpose of the license file is to define the capabilities and limitations that an installation has.
Demo Mode
Without a valid license, cOS Stream operates in Demo Mode. In this mode, cOS Stream has full functionality but will only operate for a limited amount of time before going into lockdown mode. The amount of time that demo mode lasts can vary, depending on the type of software distribution. The total time period allowed can be seen in the output from the CLI license command (with no options) as the value for the Demo parameter (this parameter has a value of <empty> with a valid license).
While cOS Stream operates in demo mode, the following will be true:
On initial startup, the console will indicate that demo mode is active and how much time is remaining before lockdown occurs.
A message will then appear in the CLI console after approximately 50%, 75% and 87.5% of the demo period has passed and this will indicate how much time remains.
A log event message called Remaining demo period will be periodically generated indicating that demo mode is active. The time remaining is shown in the explanation field of the log message.
The amount of time remaining before lockdown can be displayed at any time using the CLI command about.
When the demo period expires, the following message will be printed on the console:
Demo license timed out. System entering lockdown.
If the about command is now entered, it will show the following message:
No license installed – DEMO mode expired
After the demo mode time period has expired, cOS Stream goes into lockdown mode so normal operation ends and only the following becomes possible:
The only access permitted to cOS Stream is management access by an administrator.
In addition to management access using the CLI, access is also possible using SCP and SNMP.
cOS Stream can be configured, including uploading and activating a license.
Log event and console messages indicate when lockdown mode goes into effect and when it ends.
License Files
A license file is a plain text file that defines all the capabilities allowed by the license plus a digital signature to ensure the file cannot be altered. The file can be opened and read in a normal text editor. It is generated and supplied by Clavister.
Associating Licenses
Associating a license file with cOS Stream is a two-step process:
Step 1: Upload a License File
First, upload a license file to cOS Stream using SCP. More than one license can be uploaded but they must have different names. Files with the same name will overwrite each other. All license files will be lost after a system reboot except the currently activated license.
For example, the SCP command under Linux to upload a file called my_license.lic to a firewall called fw_name might be:
> scp license.lic user@fw_name:my_license.lic
Under Windows, the SCP upload would be done using an appropriate utility with SCP support.
Step 2: Activate the License File
Assuming that a license file called my_license.lic has already been uploaded using SCP, the CLI command to activate this license is:
System:/> license activate my_license.lic
This command causes a reconfigure to take place. If the reconfigure is successful, the capabilities of the new license will come into effect. If the reconfigure is not successful, cOS Stream will revert to its previous state, which will be either the previously activated license or lockdown mode.
Managing License Files
As stated above, a number of license files can be present in local temporary storage. However, only one can be active at any time. The CLI provides the license command to manage the active license. The options for this command are:
Activate
As discussed above, the activate option causes a previously uploaded license to become the current license associated with cOS Stream. A copy of the license selected is made by cOS Stream and saved in non-volatile storage. It is this copy that is used during system operation and it is not lost after a system reboot.
Remove
This option deactivates the currently activated license file:
System:/> license remove
After deactivation, cOS Stream enters lockdown mode. Previously uploaded license files are unaffected by this command and remain available for activation (although they will be lost after a system reboot).
No options
If the license command is used without any options, it provides a summary of the currently activated license's properties. Some typical output from this command is shown below:
System:/> license
Property Value
------------------- -------------------
IsValid: Yes
OS: 1
RegisteredTo: Clavister
RegistrationKey: 0324-5761-7527-1384
OEMId: 0
DisplayModel: Generic
RegistrationDate: 2018-04-27 00:00:00
LastModified: 2019-05-24 10:24:46
IssuedDate: 2019-05-24 00:00:00
UpgradesValidUntil: 2025-11-22 00:00:00
MACAddress: 01-91-FB-1A-A0-30
IKETunnels: 2000
GTP: Yes
BGP: Yes
OSPF: Yes
CGNAT64: Yes
DetNAT: No
IPSUntil: 2021-04-27 00:00:00
Demo: <empty>
SiteLicense: <empty>
The MAC address in a valid license must match one of cOS Stream's Ethernet interfaces.
License Validity Expiration Behavior
There is no true expiration date for licenses where the firewall stops working. Instead, there is an Upgrades Valid Until date. When this date has passed, cOS Stream will continue to function but software upgrades will not be available.
However, note that after the upgrade validity date has passed, the IPS and Application Control subsystems will no longer function. If enabled, they will no longer scan traffic and they will also not block any traffic.
When a license file is created it is bound to the MAC address specified in the license. This means that the license is only valid if cOS Stream can detect that the MAC address of one of the hardware's Ethernet interfaces is the same as the MAC address of the license.
For this reason, a license is not portable between different hardware units. If hardware is replaced so that the license Ethernet MAC address is no longer present then a new license will need to be generated.
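The following is an added example, not part of the original documentation or Clavister's own tooling: a Python check that parses saved output of the license command and reports the conditions described above (demo mode, a passed or approaching Upgrades Valid Until date, a MAC address not present on the hardware). The sample output, the function names and the 60-day warning window are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: abridged output in the format of the `license` command.
SAMPLE = """\
System:/> license
Property            Value
------------------- -------------------
IsValid:            Yes
UpgradesValidUntil: 2025-11-22 00:00:00
MACAddress:         01-91-FB-1A-A0-30
IPSUntil:           2021-04-27 00:00:00
Demo:               <empty>
"""

LINE = re.compile(r"^\s*(\w+):\s+(.*\S)\s*$")  # the prompt line has no space after ':'

def parse_license(text):
    """Return {property: value}; the literal '<empty>' becomes None."""
    props = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            props[m.group(1)] = None if m.group(2) == "<empty>" else m.group(2)
    return props

def _mac(value):
    """Normalise a MAC address so '-' and ':' separated forms compare equal."""
    return re.sub(r"[-:]", "", value).lower()

def audit(props, now, interface_macs, warn_days=60):
    """List conditions that lead to lockdown or to IPS no longer scanning."""
    findings = []
    if props.get("IsValid") != "Yes":
        findings.append("license not valid")
    if props.get("Demo"):
        findings.append("demo mode active: lockdown follows when the period ends")
    until = props.get("UpgradesValidUntil")
    if until:
        left = datetime.strptime(until, "%Y-%m-%d %H:%M:%S") - now
        if left < timedelta(0):
            findings.append("UpgradesValidUntil passed: IPS/Application Control inactive")
        elif left < timedelta(days=warn_days):
            findings.append(f"UpgradesValidUntil in {left.days} days")
    # Assumption: IPSUntil is a date in the same format; the page does not define it.
    ips = props.get("IPSUntil")
    if ips and datetime.strptime(ips, "%Y-%m-%d %H:%M:%S") < now:
        findings.append("IPSUntil date has passed")
    mac = props.get("MACAddress")
    if mac and _mac(mac) not in {_mac(m) for m in interface_macs}:
        findings.append("license MAC not present on any interface")
    return findings
```

Because IPS and Application Control stop blocking without stopping other traffic once the date passes, running such a check on a schedule and alerting on any finding gives warning before inspection silently ends.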
The Current License is a Configuration Object
The current license for a configuration is also a configuration object called License and this can be accessed through the CLI. The following command will give the same output as the license command:
System:/> show License