What happens when a NetWall license expires?

Last modified on 17 Oct, 2022. Revision 18


Question

What happens when a cOS Core license expires on a NetWall firewall? How do you replace an expired license?

Answer

The answer depends on which type of license is installed: the legacy perpetual license or the newer subscription-based license. Subscription-based licenses are also referred to as MSSP (Managed Security Service Provider) or SECaaS (Security-as-a-Service) licenses.

Subscription-based licenses

When a subscription-based (MSSP / SECaaS) license expires, the firewall goes into lockdown mode and only allows management access. All normal firewall processing (policy lookups, traffic handling, tunnels, etc.) ceases to function.

cOS Core checks every 4 hours that the license is valid and also checks for any license updates (changes of license parameters). This is done by contacting the Clavister Service Provider Network (CSPN) across the Internet.
If a newer license is found, cOS Core downloads and installs it immediately. If verification fails, the firewall enters lockdown mode. A verification failure might be caused by license expiry, a faulty license file or a blacklisted license. Merely failing to reach the CSPN servers is not a verification failure; that case is covered by the next question.

Question: What happens if my firewall is unable to reach the CSPN servers due to an outage at the ISP that lasts longer than 4 hours?

This is not a problem by itself. Only after cOS Core has continuously failed to contact the CSPN servers for a period of 2 weeks will the firewall enter reduced mode. Keep an eye on the license status and on any log messages about failure to reach the CSPN servers or to check/verify the license. Two weeks may seem like a long time, but it is easy to miss if the firewall status is not checked from time to time.

Question: What is reduced mode?

If a firewall enters reduced mode, whether due to failure to contact CSPN or for other reasons, the following restrictions apply:

  • The maximum total throughput of the firewall becomes 1 Mbps.
  • All log message generation is disabled except for log messages related to licenses.

Needless to say, reduced mode has a severe impact on the network. Make sure that your license is up to date with a valid subscription and that the firewall has been able to contact the CSPN network.

Note: If the firewall normally processes a lot of traffic, its CPU load may also rise sharply as it starts to severely restrict bandwidth.

Question: What is lockdown mode?

cOS Core enters a state known as Lockdown Mode if certain conditions occur. While in lockdown mode, only management traffic is allowed by the firewall and all other traffic is dropped (local console access is still possible).

Causes of Lockdown Mode (for subscription-based licenses)

  • License has expired.
  • The two-hour demo mode has expired when no license is present.
  • Using the license on the wrong hardware.
    • The MAC address in the license does not match the target hardware.
  • An invalid license file signature.
  • A shared IPv4 address in an HA cluster has been set to the value 0.0.0.0.
  • The license is in some other way invalid.
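The subscription-license behaviour described in this section (a CSPN check every 4 hours, reduced mode only after two weeks without reaching CSPN, immediate lockdown on a failed verification, and lockdown ending only with a manual license install) as an added model in Python. This is example code written for this article, not cOS Core code; the timings come from the text above. One assumption is labelled in the code: the model returns a reduced-mode firewall to normal on the next successful verification, which the article does not state.

```python
"""Model of the cOS Core licence states described in this article for a
subscription (MSSP / SECaaS) licence. Example code, not cOS Core code.

From the article: CSPN is checked every 4 hours; a failed verification
(expired, faulty or blacklisted licence) means lockdown at once; two weeks
without reaching CSPN means reduced mode; lockdown has no time limit and
ends only when a valid licence is installed (or the licence is removed).
ASSUMPTION: a successful verification takes a reduced-mode firewall back
to normal. The article does not say what ends reduced mode.
"""
from datetime import datetime, timedelta
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"      # full forwarding
    REDUCED = "reduced"    # 1 Mbps total throughput, only licence logs
    LOCKDOWN = "lockdown"  # management traffic only, everything else dropped


class Check(Enum):
    VALID = "valid"              # CSPN reached, licence verified OK
    UNREACHABLE = "unreachable"  # CSPN not reached (e.g. ISP outage)
    INVALID = "invalid"          # CSPN reached, verification failed


CHECK_INTERVAL = timedelta(hours=4)   # article: "every 4 hours"
CSPN_GRACE = timedelta(days=14)       # article: "a period of 2 weeks"
DEFAULT_START = datetime(2022, 10, 17)  # arbitrary clock start for the model


class SubscriptionLicence:
    def __init__(self, start: datetime = DEFAULT_START) -> None:
        self.now = start
        self.last_verified = start  # last successful CSPN verification
        self.mode = Mode.NORMAL

    def check(self, result: Check) -> Mode:
        """Apply one 4-hourly CSPN check and return the resulting mode."""
        self.now += CHECK_INTERVAL
        if self.mode is Mode.LOCKDOWN:
            # No time limit: only a manual licence install ends lockdown.
            return self.mode
        if result is Check.INVALID:
            self.mode = Mode.LOCKDOWN
        elif result is Check.UNREACHABLE:
            # An outage longer than 4 hours is harmless by itself; only a
            # full two weeks since the last success triggers reduced mode.
            if self.now - self.last_verified >= CSPN_GRACE:
                self.mode = Mode.REDUCED
        else:
            self.last_verified = self.now
            self.mode = Mode.NORMAL  # ASSUMPTION for reduced -> normal
        return self.mode

    def install_valid_licence(self) -> Mode:
        """Manual upload via Web Interface or SCP, then reconfigure."""
        self.last_verified = self.now
        self.mode = Mode.NORMAL
        return self.mode


def checks_until_reduced_mode() -> int:
    """Consecutive failed 4-hourly checks that add up to the 2-week grace."""
    return CSPN_GRACE // CHECK_INTERVAL


def simulate(results: list, start: datetime = DEFAULT_START) -> list:
    """Run a sequence of check results and return the mode after each."""
    fw = SubscriptionLicence(start)
    return [fw.check(r) for r in results]


if __name__ == "__main__":
    short_outage = simulate([Check.UNREACHABLE] * 3)   # 12-hour outage
    long_outage = simulate([Check.UNREACHABLE] * 90)   # 15-day outage
    print("12 h outage ->", short_outage[-1].value)
    print("15 d outage ->", long_outage[-1].value,
          "after", long_outage.index(Mode.REDUCED) + 1, "failed checks")
```

Running the file shows that a 12-hour outage leaves the unit in normal mode, while a 15-day outage drops it to reduced mode at the 84th consecutive failed check (4 h × 84 = 14 days); a lockdown caused by a failed verification is never cleared by later successful checks, only by `install_valid_licence()`.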

Question: I have an environment / setup without any Internet access at all. How can I solve this?

Please contact your Clavister sales representative in order to discuss possible ways to solve this particular scenario.

Perpetual (legacy) licenses

When a perpetual license expires, the firewall continues to function, but any subscription-based functionality (such as InControl management, Anti-Virus, IDP, IP Reputation, Application Control and Web Content Filtering) stops working and no further database updates are performed (see notes 1 and 3 below). Based on the "fail mode" setting, traffic may either be blocked or allowed when the license expires. Base functionality such as IP policy lookups, IPsec tunnels, traffic shaping and much more continues to work, and there is no bandwidth restriction other than what is defined in the license.

The overall license expiry date is indicated by the field "New_upgrades_until" or "Upgrades_valid_Until" in the license file. cOS Core versions released after this date must not be installed; doing so puts the unit in lockdown mode (see note 2). Check this date before upgrading any unit that runs a legacy license.

Causes of Lockdown Mode (for perpetual / legacy licenses)

  • The two-hour demo mode has expired when no license is present.
  • Using the license on the wrong hardware.
    • The MAC address in the license does not match the target hardware.
  • An invalid license file signature.
  • Upgrading to a new revision of cOS Core after the date in the New_upgrades_until parameter of the license file has passed.
  • A shared IPv4 address in an HA cluster has been set to the value 0.0.0.0.
  • The license is in some other way invalid.

Replacing Licenses

A manual license installation must be done to replace an expired license, either through the Web Interface or via SCP; the new license simply overwrites the old one (automatic license installation is not possible in this case).

Using the webUI:

  1. In a web browser, go to the Clavister website https://www.clavister.com, log in to the relevant MyClavister account.
  2. Go to Licenses > Register License.
  3. Select the option "Register by Service Tag and Hardware Serial Number".
  4. Enter the "Serial Number" and "Service Tag" codes. For Clavister hardware products, these codes are found on a label on the unit.
  5. A new license will be generated and will appear in the MyClavister license list.
  6. Download the license to the management computer's local disk by clicking on it in the license list.
  7. The license file can now be uploaded to the security gateway through the cOS Core Web Interface by going to Status > Maintenance > License and pressing the Upload button to select the license file. Following upload, cOS Core will automatically install the file.

Using SCP:

Alternatively, the license file can be uploaded using SCP. For example, when using the PuTTY pscp tool the command is:

pscp -scp -pw <password> <license-file.lic> admin@<IP-address>:

Note that passing the password with -pw places it in the shell history and makes it visible in the process list; omit -pw to be prompted for the password instead.

cOS Core automatically recognizes an uploaded license file, but it is still necessary to manually perform a reconfigure or restart operation to complete the installation.
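Two of the lockdown causes listed above can be caught before the upload: a cOS Core build newer than the license's "Upgrades_valid_Until" / "New_upgrades_until" date, and a license MAC address that does not match the target hardware. The following pre-flight check, written as an added example for this article (not Clavister code), reads those two values from the license file and compares them with the intended build and unit. It assumes a text file with one "Name=Value" (or "Name: Value") field per line, an ISO date, and a field named MAC_address; the article does not describe the file format, so adjust the two regular expressions if the real file differs.

```python
"""Pre-flight checks before uploading a cOS Core licence file.

Example code written for this article, not Clavister code. It reads the
"Upgrades_valid_Until" / "New_upgrades_until" date the article names and
the licence's MAC address, and compares them with the cOS Core build you
intend to run and the target hardware, since both mismatches are listed
as causes of lockdown mode.

ASSUMPTIONS (the article does not describe the file format): the licence
is a text file with one "Name=Value" or "Name: Value" field per line, the
date is YYYY-MM-DD, and the MAC field is named MAC_address.
"""
import re

UNTIL_RE = re.compile(
    r"^\s*(?:Upgrades_valid_Until|New_upgrades_until)\s*[=:]\s*(\d{4}-\d{2}-\d{2})",
    re.IGNORECASE | re.MULTILINE,
)
MAC_RE = re.compile(
    r"^\s*MAC_address\s*[=:]\s*([0-9A-Fa-f:.-]+)", re.IGNORECASE | re.MULTILINE
)

# Constructed sample licence text, not a real Clavister licence.
SAMPLE_LIC = """\
Product=NetWall
Registered_to=Example Org
Upgrades_valid_until=2022-06-30
MAC_address=00:11:22:33:44:55
"""


def upgrades_valid_until(lic_text: str) -> str:
    """Return the upgrades-until date (ISO string) from the licence text."""
    m = UNTIL_RE.search(lic_text)
    if m is None:
        raise ValueError("licence has no Upgrades_valid_Until/New_upgrades_until field")
    return m.group(1)


def upgrade_allowed(lic_text: str, release_date: str) -> bool:
    """True if a cOS Core build released on release_date (YYYY-MM-DD) may be
    installed under this licence without triggering lockdown mode."""
    # ISO dates compare correctly as plain strings.
    return release_date <= upgrades_valid_until(lic_text)


def _norm_mac(mac: str) -> str:
    """Lower-case hex digits only, so separators and case do not matter."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def mac_matches(lic_text: str, hw_mac: str) -> bool:
    """True if the licence MAC equals the target hardware MAC
    (00-11-22-33-44-55 and 00:11:22:33:44:55 are the same address)."""
    m = MAC_RE.search(lic_text)
    return m is not None and _norm_mac(m.group(1)) == _norm_mac(hw_mac)


def preflight(lic_text: str, release_date: str, hw_mac: str) -> list:
    """Return the list of lockdown-causing problems found; an empty list
    means the file is safe to upload (Web Interface or pscp) to this unit."""
    problems = []
    if not upgrade_allowed(lic_text, release_date):
        problems.append(
            f"cOS Core build {release_date} is newer than the licence's "
            f"upgrades-until date {upgrades_valid_until(lic_text)}"
        )
    if not mac_matches(lic_text, hw_mac):
        problems.append("licence MAC address does not match the target hardware")
    return problems


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # usage: preflight.py <file.lic> <release-date> <hw-mac>
        with open(sys.argv[1]) as f:
            text = f.read()
        report = preflight(text, sys.argv[2], sys.argv[3])
    else:
        report = preflight(SAMPLE_LIC, "2022-10-17", "00:11:22:33:44:55")
    print("OK, safe to upload" if not report else "\n".join(report))
```

Run it as `python preflight.py firewall.lic 2022-10-17 00:11:22:33:44:55` with the build date of the cOS Core version you plan to install and the MAC printed on the unit's label; only upload the file (and then reconfigure) when it reports no problems.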

Notes:

1) If WCF is activated in the HTTP ALG, it blocks all web traffic when the license expires. You can disable WCF until a new license is installed.

2) cOS Core will enter a state known as Lockdown Mode if certain license violations occur, such as uploading a new cOS Core version dated after the license expiration. While in lockdown mode, only remote management traffic is allowed by the firewall and all other traffic will be dropped. Unlike the two hour time limit of Demo Mode, there is no time limit with lockdown mode. You can end Lockdown Mode by installing a valid license or removing the current license.

3) If Application Control (AC) is activated when the license expires, the application control engine will no longer identify applications.

Example Scenario:

Suppose Application Control has been activated with the default action Deny, so that all but a few explicitly allowed applications are blocked. Once the license expires, the allowed applications are no longer identified, with the effect that everything is blocked.


Related articles

  • CSPN (Clavister Service Provisioning Network) details for license & database updates (17 Nov, 2022)
  • IPsec license usage calculation (14 Apr, 2021)