13.3. Firewall Licensing

With or without InControl, a Clavister firewall requires a cOS Core or cOS Stream License in order to function correctly. The license determines the operational capabilities of the firewall as well as protecting against the unauthorized use of Clavister products.

As explained in the previous section, this license can also specify that InControl usage is allowed through the CENTRALIZED_MANAGEMENT parameter. If it is not, a separate InControl license must be used and associated with the InControl server.

Device License Information in the Licenses Tab

When a license for a firewall is retrieved from the MyClavister server, it will appear in the list under the Licenses tab. Below is a screenshot showing an example of how a single cOS Core license might be displayed.

The following should be noted about the information displayed for cOS Core licenses:

New Devices Without an Existing License

When a new firewall is added to InControl and it does not have a valid cOS Core license associated with it, the firewall functions in demo mode.

Demo mode means that cOS Core will cease to function after two hours of operation except for allowing management access. A restart is then required to continue running the product for another two hours. InControl always has full functionality when managing a firewall operating in demo mode.

If the process does not start automatically, retrieval of a valid license from MyClavister for a newly added firewall can be initiated manually by pressing the License button in the Firewalls tab and choosing Register from the drop-down menu.

Manually initiating the process can also be done by right-clicking the firewall and selecting Register from the context menu.

If it has not been done before, InControl will ask for the MyClavister login credentials so it can gain access to the MyClavister server across the Internet.

At this point, the Registration Key for the new firewall must be entered. This tells the MyClavister server which firewall the license is needed for. The key is usually found on a label attached to Clavister hardware or will have been supplied by email for other types of cOS Core installations.

InControl now downloads the relevant license to the InControl server and uploads it to the firewall. Following successful installation, the license remains stored in the InControl server database.

All the licenses stored by InControl appear in the Licenses tab list. There can only be one license stored for each device under InControl control. When a new license is downloaded from the MyClavister server, it overwrites any existing license stored by InControl for a device. The administrator can upload any license to its associated device by selecting the Upload License option. This will overwrite any currently installed license on the device.

Instead of selecting the firewall first, it is also possible to open the Licenses tab, select a specific license to upload from the stored licenses and then press the Upload License button.

When the correct license is selected, uploaded and the firewall is correctly licensed, the status becomes blank in the Firewalls tab.

A New Firewall with an Existing License

The above steps apply to a new firewall without a license. It may be that a firewall that is added to InControl already has a license associated with it. If this is the case, InControl automatically downloads a copy of the license from the new firewall and stores it in its database. This downloaded license will then appear as an entry in the Licenses tab list.

When a license update is requested, InControl will query the MyClavister server over the Internet to find the latest license for the firewall.

Important: License fetching requires access to MyClavister

When InControl communicates with the MyClavister server, it first performs a DNS lookup and then opens a TCP connection to the returned IPv4 address using port 443. Any network equipment that is located between the InControl server and the public Internet must permit this traffic.
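
A pre-flight check for the path described above, as an added example that is not part of the Clavister documentation: run from the InControl server host, it repeats the same two steps (an IPv4 DNS lookup, then a TCP connection to port 443) and reports which step fails. The hostname is a placeholder because this page does not name the MyClavister server; check_license_path and its result keys are names chosen for this example.

```python
import socket

# Placeholder: this page does not name the MyClavister server host.
LICENSE_HOST = "myclavister-host.example.invalid"


def check_license_path(hostname, port=443, timeout=5.0):
    """Repeat InControl's two steps: IPv4 DNS lookup, then TCP connect.

    Returns a dict whose "stage" is "dns" (lookup failed), "tcp" (no
    returned address accepted a connection) or "ok".
    """
    result = {"hostname": hostname, "port": port, "stage": "dns",
              "addresses": [], "reachable": [], "errors": {}}
    try:
        # AF_INET restricts the lookup to IPv4 (A records), matching the text.
        infos = socket.getaddrinfo(hostname, port, family=socket.AF_INET,
                                   type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["errors"]["dns"] = str(exc)
        return result

    result["addresses"] = sorted({info[4][0] for info in infos})
    for addr in result["addresses"]:
        try:
            # A completed handshake is enough; no TLS or HTTP is attempted.
            with socket.create_connection((addr, port), timeout=timeout):
                result["reachable"].append(addr)
        except OSError as exc:  # refused, timed out, filtered, unroutable
            result["errors"][addr] = str(exc)

    result["stage"] = "ok" if result["reachable"] else "tcp"
    return result


if __name__ == "__main__":
    report = check_license_path(LICENSE_HOST)
    print(f"{report['hostname']}:{report['port']} -> stage={report['stage']}")
    for addr in report["addresses"]:
        state = "open" if addr in report["reachable"] else report["errors"][addr]
        print(f"  {addr}: {state}")
    if report["stage"] == "dns":
        print("  DNS lookup failed:", report["errors"]["dns"])
```

A "tcp" result with a non-empty address list means name resolution works and the block is on the TCP path, so the equipment between the InControl server and the Internet is the place to look.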

Importing a License File from the Local Disk

License files can be downloaded to local disk from the MyClavister website as a .lic file. It may be necessary to import license files into InControl and then upload them to a firewall that has no license.

To do this, first select the relevant license line in the list under the Licenses tab. Then press the Upload License button.

It is also possible to initiate the upload process by right-clicking the firewall and selecting the option in the context menu.

The following dialog is displayed and the license file can be selected from the local disk.

InControl now asks for a confirmation that the license will be uploaded.

InControl will then ask if the device should be restarted after the new license is uploaded and installed. A restart may be necessary because a new license requires a different allocation of cOS Core memory, for example, if the parameter specifying the maximum number of VPN tunnels has changed or the maximum number of connections allowed has changed. A restart is therefore recommended, although this will cause all current traffic connections to be lost.

After this dialog is confirmed, the license is uploaded to the firewall and installed, followed by a device restart if that has been chosen. A copy of the license is also stored in the InControl server.

Note that for cOS Core versions prior to 10.11, the device will always restart following a license upload.

Downloading License Updates from MyClavister

By default, an automatic check of the MyClavister server is regularly made by InControl and this is configured through the InControl server interface. The default interval is every 24 hours.

Using these settings, InControl can automatically download any new licenses for any added firewalls to its database, overwriting any existing license. InControl alarms are created for these downloads so that the administrator is made aware of newer licenses and can then decide when to upload them to the relevant devices.

It is possible to request a check for new licenses at any time by pressing the Check for Updates button in the Licenses tab. This checks for updates only for the currently selected license.

If there are no license updates found, the client will display the following message.

Similarly, it is possible to check for updates for a particular firewall in the Firewalls tab.

Dealing with Unusual License Mismatches

In some unusual circumstances a persistent license mismatch might occur between the license held by the InControl server and either the license on a device or the license available in the MyClavister system. These scenarios can be resolved by selecting one of the Force Download options in the License submenu, which is shown below.

The two download options are the following: