With or without InControl, a Clavister firewall requires a cOS Core or cOS Stream License in order to function correctly. The license determines the operational capabilities of the firewall as well as protecting against the unauthorized use of Clavister products.
As explained in the previous section, this license can also specify that InControl usage is allowed through the CENTRALIZED_MANAGEMENT parameter. If it is not, a separate InControl license must be used and associated with the InControl server.
Device License Information in the Licenses Tab
When a license for a firewall is retrieved from the MyClavister server, it will appear in the list under the Licenses tab. Below is a screenshot showing an example of how a single cOS Core license might be displayed.
The following should be noted about the information displayed for cOS Core licenses:
Licenses are only retrieved and displayed for devices that have both been added to InControl and that have a license available.
The Expiration Status column can have one of the following values:
OK - The license is within its validity period.
Expiring - The license will soon expire. This status normally starts to appear 30 days before expiry. For a SECaaS (MSSP) license, it appears 5 days before expiry.
Expired - The license has expired.
The On Device column can have one of the following values:
Yes - The license is installed on the device.
No - The license is not installed on the device. This may be because the device has no license (is still in demo mode) or has a different license.
New Devices Without an Existing License
When a new firewall is added to InControl and it does not have a valid cOS Core license associated with it, the firewall functions in demo mode.
Demo mode means that cOS Core will cease to function after two hours of operation except for allowing management access. A restart is then required to continue running the product for another two hours. InControl always has full functionality when managing a firewall operating in demo mode.
If the process does not start automatically, retrieval of a valid license from MyClavister for a newly added firewall can be initiated manually by pressing the License button in the Firewalls tab and choosing Register from the drop-down menu.
Manually initiating the process can also be done by right-clicking the firewall and selecting Register from the context menu.
If it has not been done before, InControl will ask for the MyClavister login credentials so it can gain access to the MyClavister server across the Internet.
At this point, the Registration Key for the new firewall must be entered. This tells the MyClavister server which firewall the license is needed for. The key is usually found on a label attached to Clavister hardware or will have been supplied by email for other types of cOS Core installations.
InControl now downloads the relevant license to the InControl server and uploads it to the firewall. Following successful installation, the license remains stored in the InControl server database.
All the licenses stored by InControl appear in the Licenses tab list. Only one license can be stored for each device that InControl manages. When a new license is downloaded from the MyClavister server, it overwrites any existing license stored by InControl for that device. The administrator can upload any license to its associated device by selecting the Upload License option. This will overwrite any currently installed license on the device.
Instead of selecting the firewall first, it is also possible to open the Licenses tab, select a specific license to upload from the stored licenses and then press the Upload License button.
When the correct license is selected, uploaded and the firewall is correctly licensed, the status becomes blank in the Firewalls tab.
A New Firewall with an Existing License
The above steps apply to a new firewall without a license. It may be that a firewall that is added to InControl already has a license associated with it. If this is the case, InControl automatically downloads a copy of the license from the new firewall and stores it in its database. This downloaded license will then appear as an entry in the Licenses tab list.
When a license update is requested, InControl will query the MyClavister server over the Internet to find the latest license for the firewall.
Importing a License File from the Local Disk
License files can be downloaded to local disk from the MyClavister website as a .lic file. It may be necessary to import license files into InControl and then upload them to a firewall that has no license.
To do this, first select the relevant license line in the list under the Licenses tab. Then press the Upload License button.
It is also possible to initiate the upload process by right-clicking the firewall and selecting the option in the context menu.
The following dialog is displayed and the license file can be selected from the local disk.
InControl now asks for a confirmation that the license will be uploaded.
InControl will then ask if the device should be restarted after the new license is uploaded and installed. A restart may be necessary because a new license requires a different allocation of cOS Core memory, for example if the parameter specifying the maximum number of VPN tunnels or the maximum number of connections allowed has changed. A restart is therefore recommended, although this will cause all current traffic connections to be lost.
After confirming this dialog, the license is now uploaded to the firewall and installed, followed by a device restart if that has been chosen. A copy of the license is also stored in the InControl server.
Note that for cOS Core versions prior to 10.11, the device will always restart following a license upload.
Downloading License Updates from MyClavister
By default, an automatic check of the MyClavister server is regularly made by InControl and this is configured through the InControl server interface. The default interval is every 24 hours.
Using these settings, InControl can automatically download any new licenses for any added firewalls to its database, overwriting any existing license. InControl alarms are created for these downloads so that the administrator is made aware of newer licenses and can then decide when to upload them to the relevant devices.
It is possible to request a check for new licenses at any time by pressing the Check for Updates button in the Licenses tab. This checks for updates only for the currently selected license.
If there are no license updates found, the client will display the following message.
Similarly, it is possible to check for updates for a particular firewall in the Firewalls tab.
Dealing with Unusual License Mismatches
In some unusual circumstances a persistent license mismatch might occur between the license held by the InControl server and either the license on a device or the license available in the MyClavister system. These scenarios can be resolved by selecting one of the Force Download options in the License submenu, which is shown below.
The two download options are the following:
Force Download from Firewall
This makes the license on the InControl server the same as the license on the device. This might be required after restoring a system backup to the device which includes an older license or any other procedure where the license on the device is changed locally.
Force Download from MyClavister
Normally, InControl periodically checks for any updated licenses and downloads them from the MyClavister system automatically. Alternatively, the Check for Update menu option in the above screenshot could be used at any time to check for new licenses. However, in rare instances there may be a temporary problem with the new license flag on MyClavister, which means that InControl cannot find an updated license and the "License file is up to date" message is erroneously displayed.
This situation is resolved by using this force download option to override checking and force the download of all new licenses from MyClavister.