13.2. InControl Licensing

InControl Licensing Options

This section discusses the licensing options for InControl itself, that is, the licensing required for InControl to be able to manage firewalls. The licensing for individual firewalls is discussed later in Section 13.3, cOS Core Licensing.

Methods of InControl Licensing

InControl can be used in the following ways:

A. In demonstration mode without licensing.

B. With per device licensing.

C. With an InControl server license.

The above methods will now be discussed in detail.

A. Management in Demonstration Mode Without Licensing

InControl can be used without any licensing if it only manages unlicensed firewalls that are running in the standard 2-hour cOS Core demo mode. In this scenario, InControl will have full functionality for any number of firewalls. The purpose of this is to allow evaluation of the complete InControl product without any licensing. A connection to the license server is not required.

It is possible to add devices to InControl that have a license which does not allow InControl management. In this case, the only management functionality possible within InControl is use of the remote console feature for direct CLI access. For more on console access, see Chapter 21, Remote Console.

B. Per Device Licensing

Each individual NetWall firewall can have a cOS Core license that includes the ability for management by InControl and this is the usual way that InControl is licensed. In this case, no special license for the InControl server is needed and InControl can manage any correctly licensed firewall.

After purchase, a cOS Core license file is downloaded from the Clavister MyClavister server in the normal way and contains the license parameter CENTRALIZED_MANAGEMENT. The license can be purchased with or without this parameter enabled. If the license allows InControl management, the parameter is assigned a date for when the feature expires. The expiry date is usually 3 years from the purchase date.

If a firewall has a valid license but not one that allows InControl management, it can still be added to InControl. However, it will not be possible to read and edit the firewall's configuration and a line in the Alarms tab list will indicate that the required license is missing, as shown in the example screenshot below.

C. InControl Server Licensing

With larger populations of devices, administering each individual cOS Core license to allow InControl management can be time consuming. A better, alternative option is to purchase an InControl Server License (also known as an InControl Volume License) from Clavister which then allows a single InControl server to manage a specified maximum number of Clavister firewalls through a specified maximum number of InControl client sessions.

Tip: Discuss server licensing before purchase

InControl server licensing often needs to be adapted to an organization's specific needs so the purchase options should be discussed with your Clavister product representative.

With a server license, the cOS Core licenses of the individual firewalls being managed do not then need to have the CENTRALIZED_MANAGEMENT option enabled.

An InControl server license file is structured in a similar way to a cOS Core license and contains the following two key parameters:

Downloading a Server License

A server license (.lic) file always has to be manually downloaded from the Clavister MyClavister website to the local computer disk.

Once downloaded, it can be uploaded to the server by right-clicking the license line in the Licenses tab list and selecting Upload.

A dialog then appears to allow the license to be selected from disk.

Even if automatic license updating is enabled (this is described later), server licenses will not be updated automatically. New server licenses always have to be downloaded manually as described above.

Binding Firewalls to an InControl Server License

If an InControl server license is being used for managing a firewall then it is important to remember that once the firewall is added to InControl, the final step should be binding the firewall to the license.

Binding is done by right-clicking the firewall in the navigation tree of the Firewalls tab and selecting the Bind using Server License option.

When a new firewall is added to InControl, an alarm appears in the Alarms tab list to warn that it is unbound as shown below.

Binding the firewall to the server license can alternatively be done by right-clicking this alarm in the alarm list and selecting the Bind using Server License option from the displayed context menu.

Older cOS Core Licenses and InControl

Any cOS Core licenses that were purchased before the release of cOS Core version 9.10 can automatically have the CENTRALIZED_MANAGEMENT license parameter option enabled and this is included in the cost of the original license.

Obviously, the CENTRALIZED_MANAGEMENT parameter will not already appear in an older license file downloaded before 9.10 so the licensee should download a new, replacement license file from the Clavister Customer Web and upload it to the firewall. This license file will have a standard 3 year period specified for the CENTRALIZED_MANAGEMENT parameter starting from the date of InControl's initial version 1.0 release in June, 2009. When that period expires, a new InControl license should be purchased to extend the period.

All new cOS Core users will have to purchase one of the two licensing options described in the list above if InControl is to be used without restrictions.