How to use the same Eval Licensing on multiple APM's

book

Article ID: 168101

calendar_today

Updated On:

Products

XOS

Issue/Introduction

How to use the same Eval Licensing on multiple APM's, this reduces the effort for reproductions.N/A

Cause

You can generate 1 eval license and use it on multiple vap members or copy it across chassis (From C30 to X series and vice versa).

Two things to keep in mind:
(1) You cannot use Smartupdate to attach or remove the license on multiple modules. You shouldn't even fetch licensing information via smartupdate.
(2) The eval will always be tied to the same management station IP address you generate it against, so the gateways must be managed by the same management station. Testing in the lab was done by copying the original cp.license file from a C30 and applying it to 3 APMs in a VAP group on an X series chassis. The following procedure outlines how to accomplish this:


* Generate the eval license on Check Point's web site against the IP address of the managment station, not as "local", and download it.
* Import the license to the management station through the Checkpoint Configuration Utility
* Configure the module and establish sic
* Grab your topolgy information but don't push a policy
* Go into SmartUpdate --> License tab and right click on the mangement station then select "Get Checkpoint Gateway Licenses".
* This will import the license information from the managment station and you will have 2 lics. Detach the lic whose "Type" is "central".
* Right click on one of your vap members and attach the license
* Rsh to the vap member you attached the license to and change to the $CPDIR/conf/ directory
* Copy the cp.license file to the other vap members under their $CPDIR/conf directory


The original "No valid Firewall License" errors should now disappear when you do a cpstop;cpstart.

NOTE: The reason you can attach/detach the "central" license from one module and use it against another is because generating it centrally removes the dependancy on the firewall modules ip address to install the license since it is registered against the management stations ip and is distributed by giving you 2 licenses; The one that get's applied to the managment station (local lic) and the one that get's applied to the module (central lic). Due to the absence of the module lic being tied to it's ip it can be attached to any gateway.