- Clavister cOS Core 9.00.00 or newer
What happens with a firewall with expired license? How to replace an expired license?
When a license expires the firewall will continue to function, but any subscription based functionality (such as InControl management, Anti-Virus, IP reputation, Application Control and Web Content Filtering) will stop working (see note 1 below). Functionalities such as IP Reputation, Anti-Virus or IDP will stop to function and no database update can be performed. Based on the "fail mode" setting, traffic may either be blocked or allowed if/when the license has expired.
The overall license expiry date is indicated by the field New_upgrades_until or Upgrades_valid_Until date in the license file. Firmware updates released after this date cannot be installed, otherwise it will put the unit in lockdown mode (note 2).
A manual installation must be done to replace an expired license either through the Web Interface or SCP, and the new license simply overwrites the old. (Automatic license installation is not possible in this case)
- In a web browser, go to the Clavister website https://www.clavister.com, log in and go to Licenses > Register License.
- Select the option Register by Service Tag and Hardware Serial Number.
- Enter the Serial Number and Service Tag codes. For Clavister hardware products, these codes are found on a label on the unit. This will cause a new license to be generated and stored on the website. This license will appear in the user's license list on the site.
- Download the license to the management computer's local disk by clicking on it in the license list.
- The license file can now be uploaded to the security gateway through the cOS Core Web Interface by going to Status > Maintenance > License and pressing the Upload button to select the license file. Following upload, cOS Core will install the file.
Alternatively, the license file can be uploaded using SCP. For example, when using Putty SCP software the command will be:
pscp -scp -pw <password> <license-file.lic> admin@<IP-address>:cOS Core automatically recognizes an uploaded license file but it is still necessary to manually to perform a reconfigure or restart operation to complete installation.
1) If WCF is activated in http ALG it will block all web traffic when the license expired. You can disable the WCF in the HTTP ALG until you get a new license.
2) cOS Core will enter a state known as Lockdown Mode if certain license violations occur, such as uploading a new firmware version of cOS Core dated after the license expiration. While in lockdown mode, only remote management traffic is allowed by the Clavister Security Gateway and all other traffic will be dropped. Unlike the two hour time limit of Demo Mode, there is no time limit with lockdown mode. You can end the Lockdown Mode by installing a valid license or removing the current license.
3) If Application Control is activated when the license expires the applications engine will no longer identify the applications.
As Scenario: Let's say that we have activated AC with the default action Deny to deny all but only a few applications, then the allowed applications will not be identified because of the expired license. This will have the effect that everything will be blocked.