This knowledge base article lists the exact meanings of the different
license fields, along with what happens if a limit is exceeded.

Below, "Demo mode" means the 2-hour time-limited mode that a firewall
runs in when it has no license file. "Lockdown mode" means that there is
no time limit, but that the firewall only allows remote management traffic.

If the firewall enters Lockdown mode due to licensing problems, you can,
if you wish, return to Demo mode by deleting the license. As of v8.00.02,
there is a "license -remove" command in the firewall console. As of
v8.00.04, the license file is also automatically deleted on the firewall
if unbound in the manager.

Many situations result in Lockdown mode rather than Demo mode. This
decision was made with remote firewalls in mind. A firewall suddenly running
in Demo mode may be overlooked, and when the Demo mode timer expires,
the firewall requires a power cycle to come up again. Lockdown mode is
not time-limited, and is much less likely to be overlooked.

The "license" console command will always show the reason for license
problems.

- Missing or syntactically broken license file
Problem result:
For standalone firewalls and HA masters: Demo mode.
For firewalls configured as HA slaves: Lockdown mode.
- Invalid license file signature
Problem result: Lockdown mode
- NIC hardware address binding (MAC_ADDRESS)
The license file is only valid on a firewall having a network card with
the given MAC address.
Problem result: Lockdown mode
- End of upgrade agreement term (UPGRADES_VALID_UNTIL)
Each core comes with a "major build date". For example, all 8.0x.xx
cores have the same major build date: 2002-11-10. This
way, if your upgrade agreement covers the release of a new major version,
all bug fix and minor improvement releases for that version are also
included.
Problem result: Lockdown mode
Resolution: Downgrade, or extend your upgrade agreement term and upload
the new license file received to the firewall.
- Maximum number of statefully tracked connections (PROP_CONN)
Problem result: Warning emitted, and setting automatically lowered.
Resolution: Lower the MaxConnection settings.
- Maximum number of VPN tunnels (PROP_TUNNELS)
This parameter controls two things:
  - The number of configurable VPN tunnels.
    Problem result: Lockdown mode.
    Resolution: Remove or disable VPN tunnels in the configuration.
  - The number of simultaneous tunnels open, run-time. This is defined
    as "the number of remote gateway and VPN client IPs spoken to". It
    does not count the number of unique SAs.
- Maximum number of ethernet interfaces (PROP_ETHERNET)
This parameter controls the number of configured ethernet interfaces.
It does not limit the number of interfaces physically present, only
those in actual use.
Problem result: Lockdown mode.
Resolution: Remove or disable interfaces in the configuration.
- Maximum number of VLAN interfaces (PROP_VLAN)
This parameter controls the number of configured VLAN interfaces. The
"untagged" (physical) interfaces are not included in the count.
Problem result: Lockdown mode.
Resolution: Remove or disable VLAN interfaces in the configuration.
- High Availability capability (PROP_MAXCLUSTER)
Most appliance models and software licenses allow High-Availability
set-ups. Only a few do not.
Problem result: Lockdown mode.