Understand Smart Licensing Overview and Best Practices for Email and Web Security

Introduction

This document describes the activation process, definitions, and how to troubleshoot the Smart Licensing Service on ESA/SMA/WSA.

Prerequisites

Components Used

The information in this document is based on these software and hardware versions:

• Email Security Appliance (ESA) AsyncOS Version 12.0 and newer.
• Security Management Appliance (SMA) AsyncOS Version 12.0 and newer.
• Web Security Appliance (WSA) AsyncOS Version 11.7 and newer.

Note: Enablement of the Smart License Feature on the ESA/SMA/WSA is permanent and does not permit the option to revert an appliance back to Classic License Mode.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

Smart Licensing provides the ability to:

• Manage all of your product licenses from a central location
• Normalizes the process between Physical and Virtual ESA/SMA/WSA, with the use of one method to apply and manage licenses
• Easily apply a license to your ESA/SMA/WSA
• Receive Alerts related to license expiration
• Hardware model ESA/SMA/WSA, out of the box, have a 90-day Evaluation Period for all services

Summary of the Smart License Global Topic from Cisco

Even though the core purpose of this article is to configure the Smart Licensing Services on the ESA/SMA/WSA, links are included to provide general direction to educate on the topic.

To register the ESA/SMA/WSA host with smart licensing first requires the owner of the appliance to possess a Smart Account.

• Smart Accounts are issued one per domain.
• The administrator of the Smart Account can create sub-level Virtual Accounts that allow segregation of resources.
• Virtual Accounts can be used to restrict access to different Cisco Product Licenses, based on your needs.
• Your access the Cisco Smart Software Manager (CSSM) to manage licenses and download tokens.

The links provided by Cisco, include videos, guides, and explanations related to Smart Licensing:

• Create New Smart Account or Request to add a user to an existing account
• Smart Software Licensing Overview Cisco WebPage
• Smart Licensing Deployment Guide

• Cisco Smart Accounts Cisco Page

• Smart Software Manager Cisco Page

• Cisco Smart Software Manager (CSSM)

Out of the Box

• All hardware model ESA/SMA/WSA purchased include 90-day Evaluation Licenses for all features.
• All hardware models that migrate with current Classic Licenses (CL) receive 90-day Evaluation Licenses.
• All Virtual ESA/SMA/WSA models require a basic Virtual License (VLN) (.xml) file loaded to the appliance to link to the upgrade/update server.
• All Virtual ESA/SMA/WSA models, when created, do NOT include 90-day licenses and require registration by the Classic License VLN (.xml).
• All Virtual ESA/SMA/WSA models that migrate with current Classic Licenses (CL) include 90-day Evaluation Licenses.

Communication Requirements

• Network or Proxy communication smartreceiver.cisco.com on TCP port 443.

Description of the CSSM Tool and the Tabs

A basic illustration of the CSSM tabs:

• General Tab
  
  • The location to generate the token (the token is time-based and can be used to register multiple ESA/SMA/WSA.
  • Ensure the proper Virtual Account has been selected because a user can have multiple virtual accounts.
  • New Token, opens a template to complete and results in a Token line entry in the table.
  • Actions can be executed repeatedly, as needed, and displays options to; Copy, Download, and Revoke the token.

CSSM General Tab

• Licenses Tab
  • The location to review and confirm the presence and availability of licenses.
  • The License column lists the names of the services or bundles purchased.
  • The Purchased column lists the presence of usable keys.
  • The Alerts column displays important messages with regard to a specific license.

CSSM License Tab

•  Product Instances Tab
  
  • Displays the individual appliance names, models, last communication, and Alerts.

CSSM Product Instances Tab

Generate a Token from CSSM

• Launch the CSSM webpage.
  • Cisco Smart Software Manager (CSSM)
•  Top of page, select Inventory.
  • Once loaded, select the appropriate Virtual Account from the top left part of the page
  • A large organization can have multiple virtual accounts assigned to a single smart account, which require a selection of the appropriate virtual account related to the ESA/SMA/WSA licenses
  • Tabs: General, Licenses, Product Instances, and Event Log
• Generate a Token from the CSSM.
  • Select the General tab
  • Under the header Product Instance Registration Tokens, select the New Token button
  • A window appears to complete the Description and Expire After values
  • Create a token
  • Return to the General tab, select the Actions drop-down tab to copy or download the token

SAMPLE TOKEN FILE
Token:           M2UyYmIxYTktNzJmMy00ZxxxxxxxxxxxxxxxxxxxxZjVhMDMwLTE1NDE3Mzcx%0ANDU2ODR8RlluSVI5NmxCUS92SnVzUjUvcVViV0ZyVVFrcHBxNVh2TVdNa1My%0AeGJYMD0%3D%0A
Virtual Account:   ESA
Smart Account:      InternalTestDemoAccount.MY_DOMAIN.com
Token Description: SMA_token
Export-Controlled Functionality:  Allowed
Created by User:   my_CCOID
Contact Email:       ADMIN@MY_DOMAIN.com
Expiry Date:       2018-Nov-09 04:19:05 (in 18 days)

* Note: this token file was downloaded on October 22nd 2018
* Note: copy entire token string to use for product instance registration

Enable the Smart License Feature on the ESA/SMA/WSA

• Web UI activation:
  
  • Browse to System Administration > Smart Software Licensing.
  • Select Enable Smart Software Licensing.
  • Options are listed that provide the choices to request feature keys:
    • Option 1: Use a token to register and request needed features
    • Option 2: Register without a token and have a 90-day Evaluation Period
  • Select OK.
  • Commit changes.
• CLI activation:
  
  • Execute the command: license_smart > Enable > Y.
  • Option 1 and Option 2 are listed the same as the previous UI description.
  • Select OK.
  • Commit.

Register the ESA/SMA/WSA to a Smart Account with the Token

• Navigate to System Administration > Smart Software Licensing.
• Select the Register button to open the pop-up registration page.
• Paste the copied token in the space provided under step 4.
• Select Register to complete the steps (The pop-up window closes).
• Refresh the Smart Software Licensing page after 30 seconds to view the new status.
• Once completed, the Registration Status field shows the word Registered, along with the registration expiration dates.

Smart Software Licensing "Register"Registration Pop-up page.Registration confirmation.

Actions

Additional tasks can be performed from the Smart Licensing Actions drop-down menu.

• Renew Authorization
  • Complete this task to manually renew the License Authorization Status for all licenses listed under the License Type.

Note: The license authorization is renewed automatically every 30 days. The license authorization status expires after 90 days if the ESA/SMA/WSA does not communicate with the CSSM.

• Renew Registration
  • Complete this action to manually renew the registration.

Note: The initial registration is valid for one year. Renewal of registration is performed automatically every six months, if the appliance has connectivity to the CSSM.

• De-register
  • Disconnects the ESA/SMA/WSA from the CSSM.
  • The system transitions to Evaluation Mode.
  • The licenses consumed by the ESA/SMA/WSA are released and credited to the smart account for re-use.

• Re-register
  • Re-register the ESA/SMA/WSA with the CSSM.

Note: Re-register can be used to migrate between an organizations multiple Virtual Accounts.

Definitions Related to Smart License

License types:

• Classic License (CL): CL refers to the legacy methods used for both hardware and virtual licenses.
• Smart License (SL): SL refers to Smart Licensing.
• License Authorization Status - Is the status of a given license within the appliance.
• The ESA/WSA/SMA does not display the actual expiration date with the Smart Licenses page.
• Location: Web UI > System Administration > Licenses.
• Location: CLI > license_smart > summary.

The status of a specific feature appears with one of these values:

• Eval:
  • SL Service has been enabled on a new (Hardware) ESA/SMA without token registration
  • SL Service has been enabled on an appliance with current CL installed
• Eval Expired: 90-Day Evaluation SL has expired and the appliance has transitioned to the additional 30-day grace period
• In Compliance: The appliance has been registered with a token and currently the feature consumes a valid license
• Out of Compliance (Grace Period) can be observed in 2 scenarios:
  
  • One-click request for a temporary 30-day feature license is in use
  • A license has expired on the appliance and the 30-day grace period has initiated
• Out of Compliance (Expired): LIcense fully expired and the associated service ceases to function

System Administration > Licenses

Note: The Web UI Smart Licensing pages contain numerous informational buttons in the form of a ? to assist to define values.

How to View License Expiration

How do I see the actual expiration date?

The License Expiration Dates can be viewed within the CSSM Smart Software Management Site.

• Navigate to: Inventory > Virtual Account > Licenses >. Click a license name to open the pop-up window.
• The Overview tab shows the current license count, purchase and expiration dates.
• The Transaction History tab shows each purchase/expiration per transaction.

CSSM: View license expiration.

Log Services for Smart Licensing

The ESA/SMA/WSA log activities related to Smart Licensing to the smartlicense logs. The logs are viewable from the CLI. The logs can also be downloaded to a local computer for review.

The output shown is a sample of the registration action from the smartlicense logs:

Mon Jan 28 08:40:57 2019 Info: The administrator has requested to register the product with Smart Software Manager.
Mon Jan 28 08:41:07 2019 Info: Smart License: NotifyExportControlled notification has been ignored
Mon Jan 28 08:41:12 2019 Info: The product is registered successfully with Smart Software Manager.
Mon Jan 28 08:41:17 2019 Info: Smart License: Moved out of evaluation mode
Mon Jan 28 08:41:17 2019 Info: Renew authorization of the product with Smart Software Manager is successful.
Mon Jan 28 08:42:18 2019 Info: Email Security Appliance Anti-Spam License license has been moved to In Compliance successfully.
Mon Jan 28 08:42:23 2019 Info: Email Security Appliance Outbreak Filters license has been moved to In Compliance successfully.
Mon Jan 28 08:42:28 2019 Warning: Email Security Appliance Graymail Safe-unsubscribe license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:33 2019 Warning: Email Security Appliance Cloudmark Anti-Spam license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:44 2019 Warning: The Mail Handling is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:42:48 2019 Info: Email Security Appliance Sophos Anti-Malware license has been moved to In Compliance successfully.
Mon Jan 28 08:42:53 2019 Warning: Email Security Appliance PXE Encryption license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:59 2019 Warning: Email Security Appliance Data Loss Prevention license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:04 2019 Warning: Email Security Appliance Advanced Malware Protection license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:09 2019 Warning: Email Security Appliance McAfee Anti-Malware license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:14 2019 Warning: Email Security Appliance Intelligent Multi-Scan license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:15 2019 Warning: The Email Security Appliance Intelligent Multi-Scan is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:43:19 2019 Info: Email Security Appliance External Threat Feeds license has been moved to In Compliance successfully.
Mon Jan 28 08:43:24 2019 Info: Email Security Appliance Bounce Verification license has been moved to In Compliance successfully.
Mon Jan 28 08:43:29 2019 Info: Email Security Appliance Image Analyzer license has been moved to In Compliance successfully.
Mon Jan 28 10:18:56 2019 Info: Renew authorization of the product with Smart Software Manager is successful.

Sample with an interpretation of the values:

This sample shows:

• The Evaluation Period has stopped its count because the host has been registered.
• The host has been registered with a smart account: InternalTestDemo111.cisco.com.
• The ESA is associated with the Virtual Account: ESA_EMEA.
• Keys in the state Out of Compliance 18 days.
  • The keys have expired and increments the 30-day grace period.
  • Keys in the state Out of Compliance Expired.
    • The keys have expired and depleted the 30-day grace period. The feature is disabled.

Smart Licensing is : Enabled

Evaluation Period: Not In Use
Evaluation Period Remaining: 81 days 7 hours 32 minutes
Registration Status: Registered ( 30 Oct 2018 07:57 ) Registration Expires on:  ( 04 Dec 2019 16:11 )
Smart Account : InternalTestDemo111.cisco.com
Virtual Account : ESA_EMEA
Last Registration Renewal Attempt Status : SUCCEEDED on 04 Dec 2018 16:16
License Authorization Status: Out Of Compliance ( 30 Oct 2018 07:57 ) Authorization Expires on:  ( 05 Mar 2019 03:29 )
Last Authorization Renewal Attempt Status: SUCCEEDED on 05 Dec 2018 03:34
Product Instance Name: beta.ironport.com
Transport Settings: Direct (https://smartreceiver.cisco.com/licservice/license)


beta.ironport.com (SERVICE)> license_smart


Choose the operation you want to perform:
- URL - Set the Smart Transport URL.
- REQUESTSMART_LICENSE - Request licenses for the product.
- RELEASESMART_LICENSE - Release licenses of the product.
- DEREGISTER - Deregister the product from Smart Licensing.
- REREGISTER - Reregister the product for Smart Licensing.
- RENEW_AUTH - Renew authorization of Smart Licenses in use.
- RENEW_ID - Renew registration with Smart Licensing.
- STATUS - Show overall Smart Licensing status.
- SUMMARY - Show Smart Licensing status summary.
[]> summary

Feature Name                                                        License Authorization Status      Grace Period
-----------------------------------------------------------------------------------------------------------------------------
Email Security Appliance Anti-Spam License                             In Compliance                     N/A
Email Security Appliance Outbreak Filters                              Out Of Compliance                 18 days
Email Security Appliance Graymail Safe-unsubscribe                     Out Of Compliance                 Expired
Email Security Appliance Cloudmark Anti-Spam                           Out Of Compliance                 Expired
Email Security Appliance Advanced Malware Protection Reputation        Out Of Compliance                 Expired
Mail Handling                                                          In Compliance                     N/A
Email Security Appliance Sophos Anti-Malware                           In Compliance                     N/A
Email Security Appliance PXE Encryption                                Out Of Compliance                 Expired
Email Security Appliance Data Loss Prevention                          Out Of Compliance                 Expired
Email Security Appliance Advanced Malware Protection                   Out Of Compliance                 Expired
Email Security Appliance McAfee Anti-Malware                           Out Of Compliance                 Expired
Email Security Appliance Intelligent Multi-Scan                        Out Of Compliance                 17 days
Email Security Appliance External Threat Feeds                         Out Of Compliance                 17 days
Email Security Appliance Bounce Verification                           Out Of Compliance                 17 days
Email Security Appliance Image Analyzer                                Out Of Compliance                 21 days

Related Information

• ESA User Guides
• ESA Release Notes
• ESA CLI Reference Guides