Monday, March 21, 2016

Central licensing and contracts on 61/41K with VSX

If you are using 61/41 chassis with VSX, make sure you understand caveats and pitfalls when applying central licensing.

Before I explain the issue in hands, let me remind you a couple of facts about the environment.

  1. Central license can only be applied from a Management Server, usually with SmartUpdate. You will fail to put it locally on the machine with "cplic..." command
  2. 61/41 appliances have multiple SGMs (Security Gateway Modules) running as a single logical GW from MGMT perspective. To do so, you have to configure so-called Security Group and populate it with SGMs.

Now, here is the catch. You can only apply central license successfully from SmartUpdate if there is a single SGM in the security group.

With multiple SGMs in the Security Group SmartCenter will only apply a new license to SMO (Single Management Object) i.e. the first SGM in the Security Group. All other SGMs will fail to get a license.

This does not make any issue if you never change your license. But if you do, prepare to inconsistencies.

The only workaround I have found is to use a local license and apply it on the chassis with CLI commands. Just in case you have a different way, please let me know.

One more thing is to apply contract file. It has to be applied on the GW locally with "cplic contract..." command. The pitfall is you need to distribute the contract file onto all SGMs in the Security Group before running CLI command. To copy files to all SGMs, use asg_cp2blades... command, as described in the admin manual.

To support Check Point Video Nuggets project send your donations to

To support this blog simply subscribe to Indeni tech news via this link.

1 comment:

  1. Policy push to the vsx object after attaching of the central license is distributing the license to all blades in the security group at least in my case.