What happens when a NetWall license expires?

Last modified on 16 Sep, 2021. Revision 8
What are the consequences of a NetWall firewall license expiring?
Up to date for
cOS Core
Status OK

This FAQ applies to:
Clavister cOS Core 9.00.00 or newer


What happens when a cOS Core license expires on a NetWall firewall? How do you replace an expired license?


When a cOS Core license expires, the firewall will continue to function but any subscription based functionality (such as InControl management, Anti-Virus, IP reputation, Application Control and Web Content Filtering) will stop working (see note 1 below). Functionality such as IP Reputation, Anti-Virus or IDP will cease to function and no database updates will be performed. Based on the “fail mode” setting, traffic may either be blocked or allowed if/when a license expires.

The overall license expiry date is indicated by the field “New_upgrades_until” or “Upgrades_valid_Until” in the license file. cOS Core updates released after this date should not be installed, otherwise it will put the unit in lockdown mode (note 2).

Replacing Licenses
A manual license installation must be done to replace an expired license either through the Web Interface or SCP, where the new license simply overwrites the old (automatic license installation is not possible).


  1. In a web browser, go to the Clavister website https://www.clavister.com, log in to the relevant MyClavister account.
  2. Go to Licenses > Register License.
  3. Select the option "Register by Service Tag and Hardware Serial Number".
  4. Enter the "Serial Number" and "Service Tag" codes. For Clavister hardware products, these codes are found on a label on the unit.
  5. A new license will be generated and will appear in the MyClavister license list.
  6. Download the license to the management computer's local disk by clicking on it in the license list.
  7. The license file can now be uploaded to the security gateway through the cOS Core Web Interface by going to Status > Maintenance > License and pressing the Upload button to select the license file. Following upload, cOS Core will automatically install the file.

Alternatively, the license file can be uploaded using SCP. For example, when using Putty SCP software the command will be:

pscp -scp -pw <password> <license-file.lic> admin@<IP-address>:

cOS Core automatically recognizes an uploaded license file but it is still necessary to manually to perform a reconfigure or restart operation to complete installation.

1) If WCF is activated in http ALG, it will block all web traffic when the license expires. You can disable the WCF until a new license is installed.

2) cOS Core will enter a state known as Lockdown Mode if certain license violations occur, such as uploading a new cOSCore version dated after the license expiration. While in lockdown mode, only remote management traffic is allowed by the firewall and all other traffic will be dropped. Unlike the two hour time limit of Demo Mode, there is no time limit with lockdown mode. You can end Lockdown Mode by installing a valid license or removing the current license.

3) If Application Control (AC) is activated when the license expires, the application control engine will no longer identify applications.
Example Scenario: Let’s say that we have activated AC with the default action Deny in order to block all but only a few applications. Then the allowed applications will not be identified because of the expired license. This will have the effect that everything will be blocked.

Related articles

No related articles found.