Exact meaning of license parameters (10.x)


Post by jono » 25 Apr 2008, 11:38

This article applies to:
  • Clavister Security Gateway 8.x, 9.x and 10.x

This article lists the exact meanings of the different license fields, along with what happens if a limit is exceeded.

Below, "Demo mode" means the 2-hour, time-limited mode that a Security Gateway runs in when it has no license file. "Lockdown mode" means that there is no time limit, but that the Security Gateway only allows remote management traffic.

If the Security Gateway enters Lockdown mode due to licensing problems, you can, if you wish, return to demo mode by deleting the license. You can use the "license -remove" command in the Security Gateway console to do so. Note that the license file is also automatically deleted on the Security Gateway if unbound in FineTune.

Many situations result in Lockdown mode rather than Demo mode. This decision was made with remote Security Gateways in mind. A Security Gateway suddenly running in demo mode may be overlooked, and when the demo mode timer expires, the Security Gateway requires a power cycle to come up again. Lockdown mode is not time-limited, and is much less likely to be overlooked.

The license console command will always show the reason for license problems.
  • Missing or syntactically broken license file
    Problem result:
    • For standalone Security Gateways and HA masters: Demo mode.
    • For Security Gateways configured as HA slaves: Lockdown mode.
  • Invalid license file signature
    Problem result: Lockdown mode
  • NIC hardware address binding (MAC_ADDRESS)
    The license file is only valid on a Security Gateway having a network card with the given MAC address.
    Problem result: Lockdown mode
    Resolution: Request a MAC address change through the Clavister Client Web.
  • End of upgrade agreement term (UPGRADES_VALID_UNTIL)
    Each core comes with a "major build date". For example, all 8.0x.xx cores have the same major build date: 2002-11-10. This way, if your upgrade agreement covers the release of a new major version, all bug fix and minor improvement releases for that version are also included.
    Problem result: Lockdown mode
    Resolution: Downgrade, or extend your upgrade agreement term and upload the new license file received to the Security Gateway.
  • Maximum number of statefully tracked connections (PROP_CONN)
    Problem result: Warning emitted, and setting automatically lowered.
    Resolution: Lower the MaxConnection settings.
  • Maximum number of VPN tunnels (PROP_TUNNELS)
    This parameter controls two things:
    1. The number of configurable VPN tunnels.
       Problem result: Lockdown mode.
       Resolution: Remove or disable VPN tunnels in the configuration.
    2. The number of tunnels open simultaneously at run time. This is defined as "the number of remote gateway and VPN client IPs spoken to". It does not count the number of unique SAs.
  • Maximum number of ethernet interfaces (PROP_ETHERNET)
    This parameter controls the number of configured Ethernet interfaces. It does not limit the number of interfaces physically present, only those in actual use.
    Problem result: Lockdown mode.
    Resolution: Remove or disable interfaces in the configuration.
  • Maximum number of VLAN interfaces (PROP_VLAN)
    This parameter controls the number of configured VLAN interfaces. The "untagged" (physical) interfaces are not included in the count.
    Problem result: Lockdown mode.
    Resolution: Remove or disable VLAN interfaces in the configuration.
  • High Availability capability (PROP_MAXCLUSTER)
    Most appliance models and software licenses allow High-Availability set-ups. Only a few do not.
    Problem result: Lockdown mode.
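
A pre-flight check of a planned configuration against the limits listed above, written so that a change pushed to a remote Security Gateway does not unexpectedly put it into Lockdown mode. This is an added example, not Clavister code: the field names are the ones in this article, while the dict layout, value types, the `predict` and `runtime_tunnels` helpers, the "normal" mode label and all sample values are assumptions constructed for illustration. Demo mode, signature validation and PROP_MAXCLUSTER are not modelled.

```python
from datetime import date

# Field names are from the article; the dict layout, value types and all
# sample values are constructed assumptions (the license file format is
# not shown on the page).
LICENSE = {"MAC_ADDRESS": "00-11-22-33-44-55",
           "UPGRADES_VALID_UNTIL": date(2008, 12, 31),
           "PROP_CONN": 8000, "PROP_TUNNELS": 2,
           "PROP_ETHERNET": 4, "PROP_VLAN": 8}

# Planned configuration of a hypothetical remote gateway (constructed).
PLANNED = {"nic_macs": ["00-11-22-33-44-55", "00-11-22-33-44-56"],
           "core_major_build_date": date(2008, 3, 1),
           "max_connections": 16000, "vpn_tunnels": 3,
           "ethernet_ifaces": 2, "vlan_ifaces": 8}

def predict(lic, gw):
    """Return (mode, effective_max_connections, reasons)."""
    lockdown, warnings = [], []
    if lic["MAC_ADDRESS"].lower() not in {m.lower() for m in gw["nic_macs"]}:
        lockdown.append("MAC_ADDRESS")
    # The core's major build date must fall within the upgrade agreement.
    if gw["core_major_build_date"] > lic["UPGRADES_VALID_UNTIL"]:
        lockdown.append("UPGRADES_VALID_UNTIL")
    # Only configured objects count, not hardware that is merely present.
    for field, key in (("PROP_TUNNELS", "vpn_tunnels"),
                       ("PROP_ETHERNET", "ethernet_ifaces"),
                       ("PROP_VLAN", "vlan_ifaces")):
        if gw[key] > lic[field]:
            lockdown.append(field)
    # PROP_CONN never causes Lockdown: a warning, and the setting is lowered.
    max_conn = gw["max_connections"]
    if max_conn > lic["PROP_CONN"]:
        warnings.append("PROP_CONN")
        max_conn = lic["PROP_CONN"]
    mode = "lockdown" if lockdown else "normal"
    return mode, max_conn, lockdown + warnings

def runtime_tunnels(sas):
    """Run-time tunnel count: distinct remote IPs, not unique SAs."""
    return len({sa["remote_ip"] for sa in sas})

if __name__ == "__main__":
    print(predict(LICENSE, PLANNED))
    # Three SAs to two peers count as two tunnels (documentation addresses).
    sas = [{"remote_ip": "192.0.2.10", "spi": 1},
           {"remote_ip": "192.0.2.10", "spi": 2},
           {"remote_ip": "198.51.100.7", "spi": 3}]
    print(runtime_tunnels(sas))
```

With the sample values, the third configured VPN tunnel is what triggers Lockdown mode, while the oversized MaxConnection value only produces a warning and is lowered to the licensed 8000.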