- Checkpoint 1 1 – Verify Without Copying License Plate
- Checkpoint 1 1 – Verify Without Copying License Verification
- Checkpoint 1 1 – Verify Without Copying Licensed
- Checkpoint 1 1 – Verify Without Copying License Requirements
Perhaps one of the more challenging aspects of FireWall-1 is licensing the product. Even those who have been selling and supporting FireWall-1 for a number of years tend to get tripped up by Check Point's licensing. Throughout the book, I will mention where specific licenses are needed to perform certain functions. In this section, I specifically discuss where license considerations come into play during the initial planning and installation.
Due to the print book page limit, we cannot inlcude all good CheckPoint questions in the physical book. The CheckPoint on this Website may contain extra questions not printed in the book. The questions in some sections may have been reordered as a result. Nevertheless, it is easy to find the CheckPoint questions in the book on this Website. Product Trials Explore our network, cloud and mobile security products in a variety of trial formats. Install the software in your lab, try afree cloud.
The major components that require licensing are listed below:
- Firewall module
- Management console
- Management GUI applications, that is, SMART Clients
A firewall module enforces your security policy and sends log information to a management console. This is typically referred to as the firewall. The management console is responsible for storing, compiling, and pushing the security policies out to the firewall modules. It also receives logging information from the firewall modules and processes alerts. The Management GUI applications allow you to view, edit, and install security policies; view logs; and see the status of all installed firewall modules. The Management GUIs communicate with the management console, which does all of the actual work.
With some exceptions, which I will note in the following sections, each of these components may exist on separate systems. You can even mix and match the platforms on which each of these components exist.[1] For example, you can have the firewall on a Nokia platform, the management console on Solaris, and the Management GUIs on Windows.
[1] In a High Availability configuration, each firewall in the cluster must be on the same platform.
Types of Licenses
In the following subsections, I describe the types of licenses you can get for FireWall-1.
Node-Limited Firewalls
Node-limited firewall licenses are restricted in terms of the number of IP addresses that can be behind the firewall. FireWall-1 listens for any IP-based traffic on all interfaces except for external one(s). When you define the gateway object within FireWall-1 that represents the gateway, you specify which interface(s) is/are external. Anytime it hears hosts talking to each other with an address on a nonexternal interface, it notes the IP addresses. Once FireWall-1 has heard n IPs (plus a 10% fudge factor), connections from the n+1 hosts generate e-mails to root and messages to syslog or the event viewer. When the license is exceeded by a large number of hosts on a busy network, FireWall-1 consumes itself with logging and mailing out messages about exceeding your license. In many cases, this causes the firewall to process traffic very slowly, if at all.
So what are the implications of how FireWall-1 enforces a node-limited license? Anything behind your firewall with an IP address will eventually be found out. This includes noncomputer components like printers, coffee makers,[2] and so on. Anything with an IP address that talks on your LAN will be heard, eventually. Also, machines with multiple IP addresses will most likely be counted more than once. Peripherals that do not use TCP/IP should not be counted. Machines that only use AppleTalk, IPX, NetBEUI, and so on should also not be counted. Because FireWall-1 only looks for IP traffic, it should safely ignore these machines.
[2] There's even an official Request for Comment (RFC) related to coffeepots connected to the Internet. See RFC2328 at http://www.faqs.org or another source for Internet RFCs.
Node-limited licenses are appropriate for use only where you can guarantee the number of hosts behind a single gateway. While it is trivial to fool the firewall into believing there are fewer hosts behind it than there are, Check Point's End User License Agreement forbids using any means to circumvent its licensing mechanisms. As stated in section 2.5 of the End User License Agreement that comes with FireWall-1 NG Feature Pack 3 (FP3):
The License permits the use of the Product in accordance with the designated number of IP addresses [..]. It is a violation of this End User License Agreement to create, set-up or design any hardware, software or system which alters the number of readable IP addresses presented to the Product with the intent, or resulting effect, of circumventing the Licensed Configuration.
In FireWall-1 4.1 and earlier, node-limited licensed gateways were permitted to have only a single external interface. In FireWall-1 NG, you can have more than one external interface defined. However, routing between external interfaces is not permitted.
Single-Gateway Products
A single-gateway product (also referred to as a firewall Internet gateway) is a node-limited firewall module bundled with a management console. This management console is only capable of managing a single-firewall module, and the firewall module must be installed on the same host as the management console. Because a single-gateway product includes a node-limited firewall license, it has the same restrictions as those stated in the previous section.
Secure Server (FireWall-1 Host)
One license type is designed to protect a single host. It has all the functionality of a standard firewall module except that it is not allowed to forward packets.
SMART Console and SMART Center (Management Console)
SMART Console in FireWall-1 NG with Application Intelligence[3] (NG AI) is the same thing as SMART Center in FireWall-1 NG FP3, which is Check Point's marketing name for the management console. If your single-gateway product does not include a management console, you need to obtain a separate license for the management console. You can install the management console on the same platform as the firewall. If you plan to manage multiple firewalls or use High Availability, having your management console on a different platform is recommended. For more information on remote management, see Chapter 7.
[3] NG AI is Feature Pack 4. Check Point decided to give it a spiffy new marketing name.
Motif GUI
A separate license is needed if you want to use the Management GUIs on any platform other than a Windows platform.[4] This is because Check Point must pay a licensing fee to the company that provides Check Point with the tool kit used to make the GUI for these platforms. These licenses were free for FireWall-1 4.0, but they require additional payment for FireWall-1 4.1 and later. The license is tied to the IP address or hostid of your management console and will be installed on your management console.
[4] If you use a copy of Crossover Office v2.1 or above, you can install and use the SmartConsole applications on Linux, albeit with a few minor glitches. For more information on Crossover Office, see http://www.codeweavers.com.
Check Point Express (Small-Office Products)
After the release of NG AI, Check Point decided to change how it sells products geared toward small-office environments. Check Point Express is targeted for companies with sites of 50 to 500 users, and it supports multiple sites. Essentially, anything you can get in an enterprise edition (which typically supports unlimited users) can be obtained in a Check Point Express version. Check Point Express runs on the same type of hardware that 'normal' Check Point licenses run on, but Check Point Express supports a limited number of users and costs less. Check Point Express licenses require the use of NG AI with a special patch that enables the Check Point Express licensing (available at http://www.checkpoint.com/techsupport/express.html). NG AI R55 and later will support Check Point Express directly.
VPN-1 Embedded NG (Safe@ Products)
SofaWare is a wholly owned subsidiary of Check Point that makes security devices aimed more at the consumer market and priced accordingly. These are referred to as Safe@ appliances. The hardware devices are similar to a Linksys or D-Link home router in form factor and features, though the number of users supported is limited by license?five users at the low end, unlimited users on the higher-end hardware. These devices support most cable/DSL providers, using DHCP with dynamic addressing and PPP over Ethernet (PPPoE) support. They do not run Check Point FireWall-1 but rather what Check Point calls VPN-1 Embedded NG under a Linux operating system. The devices can be locally managed or can be integrated into an existing Check Point environment, supporting content security and VPN access (both client-to-site and site-to-site). NG FP3 and later include a management plug-in that allows limited management of these devices.
A number of companies sell platforms that run VPN-1 Embedded NG: VPN Dynamics (V4), Nokia (IP30 and IP40), Intrusion (PDS500), and Celestix (Orion series). Check Point sells its own version of these products under the VPN-1 Edge and SofaWare S-box labels.
SmartDirectory (LDAP Account Management)
If you plan to integrate FireWall-1 with a Lightweight Directory Access Protocol (LDAP) server (see Chapter 8 for details), you need to purchase an additional license for this feature.
VPN, SecuRemote, and SecureClient
All VPN functionality in FireWall-1, whether for site-to-site or client-to-site, requires additional licenses to be installed on the management and firewall modules. The software to support this functionality is included in the installation?the license activates that functionality. The SecureClient endpoints do not require licenses to be installed on them.
Getting Licenses
Each product you purchase will be given a certificate key. This certificate key, once registered at http://usercenter.checkpoint.com, can be used to obtain your permanent license key for your product. The actual process, if everything goes well, is very straightforward. Not only will you be given the license information on a Web page, you will also be sent e-mail with the same information. Save this e-mail and print the license page. You will need this information when installing the product. You will also need the certificate key when you upgrade at a later date because the same certificate key will be used for the updated product (provided you purchase a software subscription, which should be activated at the same time the product is licensed).
![License License](https://sc1.checkpoint.com/sc/SolutionsStatics/sk105757/Contracts_Expiration1505260547.png)
![Checkpoint 1 1 – Verify Without Copying License Checkpoint 1 1 – Verify Without Copying License](https://checkpointid.com/wp-content/uploads/2019/02/Screen-Shot-2019-02-19-at-11.10.23-AM-1024x769.png)
There are two types of licenses: local licenses (i.e., tied to the specific module) and central licenses (i.e., tied to the management console). Local licenses are the more traditional type that's been in use in FireWall-1 since the beginning. Central licenses are new in NG and allow you to easily move a license between modules without having to have the license reissued. Central licenses are tied to the management station, so if that gets moved, you will need new licenses. Central licenses are required for modules with a dynamic IP address.
There are two ways to license a FireWall-1 installation: on a hostid or on an IP address. The hostid is an ID number based on information burned onto the motherboard. Hostid-based licensing can occur only on SPARC Solaris because this hardware type actually supports this type of license. On AIX, you can use a hostid-based license, but the hostid of an AIX box is actually based on an IP address, so there is no point to doing so. Windows, Linux, and Nokia do not allow hostid-based licenses and can be licensed only by IP addresses. For central licenses, the IP or hostid to which the license must be generated is the management module. For a local license, you use the module's IP or hostid.
Licenses based on an IP address require that the IP address noted in the license be associated with an interface that is active when FireWall-1's kernel-loadable module loads at boot time. On a Solaris or Linux platform, the licensed IP address must be associated with the physical interface (i.e., it cannot be an interface alias).
It is relatively easy to get evaluation licenses to do the testing and even the initial deployment of your firewall. Your Check Point reseller can obtain an evaluation license for you. Also, with each 'eval pack' (which contains a CD and some documentation), you get a certificate key that can be used to generate two 30-day evaluation licenses. Also, fresh installations of the software since NG FP2 also contain a 15-day embedded license that is activated when Secure Internal Communication (SIC) is initialized on the platform. This happens during the initial configuration.
In some cases, it has taken many months to get the correct permanent licenses, especially when upgrading from one version of FireWall-1 to the next, so do not be surprised if this happens to you. Unfortunately, there is no magic to this process. Making sure you have copies of your certificate keys and software subscription IDs helps tremendously but does not guarantee success in obtaining a permanent license quickly. Be prepared to work with both your Check Point reseller and Check Point itself to resolve licensing issues. If you find you must run a production firewall on an evaluation license, make sure that you request new evaluation licenses at least a week before you actually need them. It may take at least that long to hunt down another license you can use. The same is true with an upgrade of permanent licenses: Request the upgrade at least a week (or more) before you need them.
There are two kinds of evaluation licenses: those that are tied to an IP address or hostid and those that are not (which are sometimes called floating evals). Licenses of the latter type display the word eval where an IP address or hostid would be. Check Point does not generally distribute these licenses, though these licenses are still used within Check Point and occasionally make their way into the outside world. These licenses are good only for a limited period of time. They usually have a start date of some sort; if the system is dated before this time, the license will be invalid. As such, you cannot backdate your system to use one of these licenses indefinitely.
During the FireWall-1 3.0 time frame, Check Point changed to a system where evaluation licenses were tied to a specific IP or hostid, which is still in use today. The dirty little secret about these licenses was that they are actually permanent licenses that have an expiration date. It appeared that you can backdate the system to use these licenses. However, I am quite certain that this is against Check Point's Licensing Agreement.
In This Chapter |
This chapter includes procedures and reference information for maintaining your Gaia computer.
Licenses
Licenses can be added or deleted using the:
- Maintenance > Licenses page of the WebUI
- Command line by running:
cplic_db_add
orcplic del
.Note - While all the SecurePlatform cplic commands are available in Gaia, they are not grouped into a Gaia feature. To see a list of available commands and their parameters typecplic
and press Enter.
Configuring Licenses - WebUI
If you need to obtain a license, visit the User Center.
Adding a license:
- In the tree view, click Maintenance > Licenses.
- Click New.The Add License window opens.
- Enter the license data manually, or click Paste License to enter the data automatically.The Paste License button only shows in Internet Explorer. For other browsers, paste the license strings into the empty text field.
- Click OK.
Deleting a license:
- In the tree view, click Maintenance > Licenses.
- Select a license in the table
- Click Delete.
Configuring Licenses - CLI (cplic)
The
cplic
command and all its derivatives relate to Check Point license management.Note - SmartUpdate GUI is the recommended way of managing licenses. |
All
cplic
commands are located in $CPDIR/bin.
License Management is divided into three types of commands:- Local licensing commands are executed on local machines.
- Remote licensing commands are commands which affect remote machines are executed on the Security Management Server.
License repository commands are executed on the Security Management Server.
Syntax
cplic check
Description Check whether the license on the local machine will allow a given feature to be used.
Syntax
> cplic check [-p <product>] [-v <version>] [-c count] [-t <date>] [-r routers] [-S SRusers] <feature>
Parameter | Description |
---|---|
-p <product> | Product for which license information is requested. For example fw1, netso |
-v <version> | Product version for which license information is requested |
-c count | Output the number of licenses connected to this feature |
-t <date> | Check license status on future date. Use the format ddmmmyyyy. A feature may be valid on a given date on one license, but invalid in another |
-r routers | Check how many routers are allowed. The feature option is not needed |
-S SRusers | Check how many SecuRemote users are allowed. |
<feature> | <feature> for which license information is requested |
cplic db_add
Description Used to add one or more licenses to the license repository on the Security Management server. When local license are added to the license repository, they are automatically attached to its intended Check Point gateway, central licenses need to undergo the attachment process.
This command is a license repository command, it can only be executed on the Security Management server.
Syntax
Checkpoint 1 1 – Verify Without Copying License Plate
> cplic db_add -l <license-file> [<host>] [<expiration-date>] [<signature>] [<SKU/features >]
Parameter | Description |
---|---|
-l <license-file> | Name of the file that contains the license |
<host> | Security Management Server hostname or IP address |
<expiration-date> | The license expiration date |
<signature> | The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (The string is case sensitive and the hyphens are optional) |
<SKU/features > | The SKU of the license summarizes the features included in the license. For example: CPSUITE-EVAL-3DES-vNG |
Example If the file
192.0.2.11.lic
contains one or more licenses, the command: cplic db_add -l 192.0.2.11.lic
will produce output similar to the following:Adding license to database .. Operation Done |
cplic db_print
Description Displays the details of Check Point licenses stored in the license repository on the Security Management Server.
Syntax
> cplic db_print <object name | -all> [-n noheader] [-x print signatures] [-t type] [-a attached]
Parameter | Description |
---|---|
Object name | Print only the licenses attached to Object name . Object name is the name of the Check Point Security Gateway object, as defined in SmartDashboard. |
-all | Print all the licenses in the license repository |
-noheader (or -n) | Print licenses with no header. |
-x | Print licenses with their signature |
-t (or -type) | Print licenses with their type: Central or Local. |
- a (or - attached ) | Show which object the license is attached to. Useful if the -all option is specified. |
Comments This command is a license repository command, it can only be executed on the Security Management server.
cplic db_rm
Checkpoint 1 1 – Verify Without Copying License Verification
Description The
cplic db_rm
command removes a license from the license repository on the Security Management server. It can be executed ONLY after the license was detached using the cplic del
command. Once the license has been removed from the repository, it can no longer be used.Syntax
> cplic db_rm <signature>
Parameter | Description |
---|---|
Signature | The signature string within the license. |
Example
cplic db_rm 2f540abb-d3bcb001-7e54513e-kfyigpwn
Comments This command is a license repository command, it can only be executed on the Security Management server.
cplic del
Description Delete a single Check Point license on a host, including unwanted evaluation, expired, and other licenses. Used for both local and remote machines
Syntax
> cplic del [-F <output file>] <signature> <object name>
Parameter | Description |
---|---|
-F <output file> | Send the output to < output file> instead of the screen. |
<signature> | The signature string within the license. |
cplic del <object name>
Description Detach a Central license from a Check Point Security Gateway. When this command is executed, the license repository is automatically updated. The Central license remains in the repository as an unattached license. This command can be executed only on a Security Management server.
Syntax
> cplic del <object name> [-F <outputfile>] [-ip <dynamic ip>] <signature>
Parameter | Description |
---|---|
<object name> | The name of the Check Point Security Gateway object, as defined in SmartDashboard. |
-F <outputfile> | Divert the output to outputfile rather than to the screen. |
-ip <dynamic ip> | Delete the license on the Check Point Security Gateway with the specified IP address. This parameter is used for deleting a license on a DAIP Check Point Security Gateway. Note - If this parameter is used, then object name must be a DAIP gateway. |
<signature> | The signature string within the license. |
Comments This is a Remote Licensing command which affects remote machines that is executed on the Security Management server.
cplic get
Description The
cplic get
command retrieves all licenses from a Security Gateway (or from all Security Gateways) into the license repository on the Security Management Server. This command helps you to synchronize the repository with the Check Point Security Gateways. When the command is run, all local changes are updated.Syntax
Checkpoint 1 1 – Verify Without Copying Licensed
> cplic get {<ipaddr>|<hostname>|-all} [-v41]
Parameter | Description |
---|---|
<ipaddr> | The IP address of the Check Point Security Gateway from which licenses are to be retrieved. |
<hostname> | The name of the Check Point Security Gateway object (as defined in SmartDashboard) from which licenses are to be retrieved. |
-all | Retrieve licenses from all Check Point gateways in the managed network. |
- v41 | Retrieve version 4.1 licenses from the NF Check Point gateway. Used to upgrade version 4.1 licenses. |
Example If the Check Point Security Gateway with the object name
caruso
contains four Local licenses, and the license repository contains two other Local licenses, the command: cplic get caruso
produces output similar to the following:Get retrieved 4 licenses.
Get removed 2 licenses.
Comments This is a Remote Licensing Command which affects remote machines that is executed on the Security Management Server.
cplic put
Description Install one or more Local licenses on a local machine.
Syntax
> cplic put [-o|-overwrite] [-c|-check-only] [-s|-select] [-F <output file>] [-P|-Pre-boot] [-k|-kernel-only] -l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature>]
Parameter | Description |
---|---|
-o|-overwrite | On a Security Management server this will erase all existing licenses and replace them with the new license(s). On a Check Point Security Gateway this will erase only Local licenses but not Central licenses, that are installed remotely. |
-c|-check-only Onyx mac os catalina. | Verify the license. Checks if the IP of the license matches the machine, and if the signature is valid |
-s|-select | Select only the Local licenses whose IP address matches the IP address of the machine. |
-F <outputfile> | Outputs the result of the command to the designated file rather than to the screen. |
-P|-Pre-boot | Use this option after upgrading and before rebooting the machine. Use of this option will prevent certain error messages. |
-K|-kernel -only | Push the current valid licenses to the kernel. For Support use only. |
-l <license-file> | Name of the file that contains the license |
<host> | Security Management Server hostname or IP address |
<expiration-date> | The license expiration date |
<signature> | The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (The string is case sensitive and the hyphens are optional) |
<SKU/features > | The SKU of the license summarizes the features included in the license. For example: CPSUITE-EVAL-3DES-vNG |
Comments Copy and paste the following parameters from the license received from the User Center.
host -
One of the following:
All platforms - The IP address of the external interface (in dot notation); last part cannot be 0 or 255.
Solaris2 - The response to the
hostid
command (beginning with 0x).expiration date -
The license expiration date. Can benever.
signature -
The License signature string. For example:aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(Case sensitive. The hyphens are optional.)SKU/features -
A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example:CPMP-EVAL-1-3DES-NG CK0123456789ab
Example
cplic put -l 215.153.142.130.lic
produces output similar to the following:cplic put <object name> ..
Checkpoint 1 1 – Verify Without Copying License Requirements
Description Use the
cplic put
command to attach one or more central or local license remotely. When this command is executed, the license repository is also updated.Syntax
> cplic put <object name> [-ip dynamic ip] [-F <output file>]
-l <license-file> [<host>] [<expiration date>] [<signature>] [<SKU/feature>
Parameter | Description |
---|---|
object name | The name of the Check Point Security Gateway object, as defined in SmartDashboard. |
-ip dynamic ip | Install the license on the Check Point Security Gateway with the specified IP address. This parameter is used for installing a license on a DAIP Check Point gateway. NOTE: If this parameter is used, then object name must be a DAIP Check Point gateway. |
-F <outputfile> | Divert the output to < outputfile> rather than to the screen. |
-l <license-file> | Installs the license(s) from < license-file> . |
-l <license-file> | Name of the file that contains the license |
<host> | Security Management Server hostname or IP address |
<expiration-date> | The license expiration date |
<signature> | The License signature string. For example: aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m (The string is case sensitive and the hyphens are optional) |
<SKU/features > | The SKU of the license summarizes the features included in the license. For example: CPSUITE-EVAL-3DES-vNG |
Comments This is a Remote Licensing Command which affects remote machines that is executed on the Security Management server.
Copy and paste the following parameters from the license received from the User Center. More than one license can be attached.
host -
the target hostname or IP address.expiration date -
The license expiration date. Can benever.
signature -
The License signature string. For example:aa6uwknDc-CE6CRtjhv-zipoVWSnm-z98N7Ck3m
(Case sensitive. The hyphens are optional)SKU/features -
A string listing the SKU and the Certificate Key of the license. The SKU of the license summarizes the features included in the license. For example:CPMP-EVAL-1-3DES-NG CK0123456789ab
cplic print
Description The
cplic print
command (located in $CPDIR/bin
) prints details of Check Point licenses on the local machine.Syntax
> cplic print [-n|-noheader][-x prints signatures][-t type][-F <outputfile>] [‑p preatures]
Parameter | Description |
---|---|
-n|-noheader | Grand total 6 0 8 x 8. Print licenses with no header. |
-x | Print licenses with their signature |
-t|-type | Prints licenses showing their type: Central or Local. |
-F <outputfile> | Divert the output to outputfile . |
-p|-preatures | Print licenses resolved to primitive features. |
Comments On a Check Point gateway, this command will print all licenses that are installed on the local machine — both Local and Central licenses.
cplic upgrade
Description Use the
cplic upgrade
command to upgrade licenses in the license repository using licenses in a license file obtained from the User Center.Usage
cplic upgrade <–l inputfile>
Syntax
Parameter | Description |
---|---|
–l inputfile | Upgrades the licenses in the license repository and Check Point gateways to match the licenses in <inputfile> |
Example The following example explains the procedure which needs to take place in order to upgrade the licenses in the license repository.
- Upgrade the Security Management Server to the latest version.Ensure that there is connectivity between the Security Management Server and the Security Gateways with the previous version products.
- Import all licenses into the license repository. This can also be done after upgrading the products on the remote gateways.
- Run the command:
cplic get –all
. For example:
- To see all the licenses in the repository, run the command
cplic db_print -all –a
- In theUser Center, view the licenses for the products that were upgraded from version NGX to a Software Blades license and create new upgraded licenses.
- Download a file containing the upgraded licenses. Only download licenses for the products that were upgraded from version NGX to Software Blades.
- If you did not import the version NGX licenses into the repository, import the version NGX licenses now using the command
cplic get -all
- Run the license upgrade command:
cplic upgrade –l <inputfile>
- The licenses in the downloaded license file and in the license repository are compared.Trine 3: the artifacts of power 1 1 1. - If the certificate keys and features match, the old licenses in the repository and in the remote Security Gateways are updated with the new licenses.- A report of the results of the license upgrade is printed. - In the example, there are two Software Blades licenses in the file. One does not match any license on a remote Security Gateway, the other matches a version NGX license on a Security Gateway that should be upgraded:
Comments This is a Remote Licensing Command which affects remote Security Gateways, that is executed on the Security Management Server.
Further Info. See the SmartUpdate chapter of the R76 Installation and Upgrade Guide.
License Activation
On a Check Point 2012 Appliance, you can get a license automatically from the User Center and activate it.
To Activate a License on a Check Point 2012 Appliance:
- Open the Maintenance > License Activation page.
- If there is a proxy server between the appliance and the Internet:
- Click Use a Proxy Server.
- Enter the proxy server IP Address and Port.
- On a Security Gateway-only appliance: Enter the Security Management Server IP address and follow the instructions.
- Click Activate License.