Introduction
This document describes the activation process, definitions, and how to troubleshoot the Smart Licensing Service on ESA/SMA/WSA.
Prerequisites
Components Used
The information in this document is based on these software and hardware versions:
- Email Security Appliance (ESA) AsyncOS Version 12.0 and newer.
- Security Management Appliance (SMA) AsyncOS Version 12.0 and newer.
- Web Security Appliance (WSA) AsyncOS Version 11.7 and newer.
Note: Enablement of the Smart License Feature on the ESA/SMA/WSA is permanent and does not permit the option to revert an appliance back to Classic License Mode.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Smart Licensing provides the ability to:
- Manage all of your product licenses from a central location
- Normalizes the process between Physical and Virtual ESA/SMA/WSA, with the use of one method to apply and manage licenses
- Easily apply a license to your ESA/SMA/WSA
- Receive Alerts related to license expiration
- Hardware model ESA/SMA/WSA, out of the box, have a 90-day Evaluation Period for all services
Summary of the Smart License Global Topic from Cisco
Even though the core purpose of this article is to configure the Smart Licensing Services on the ESA/SMA/WSA, links are included to provide general direction to educate on the topic.
To register the ESA/SMA/WSA host with smart licensing first requires the owner of the appliance to possess a Smart Account.
- Smart Accounts are issued one per domain.
- The administrator of the Smart Account can create sub-level Virtual Accounts that allow segregation of resources.
- Virtual Accounts can be used to restrict access to different Cisco Product Licenses, based on your needs.
- Your access the Cisco Smart Software Manager (CSSM) to manage licenses and download tokens.
The links provided by Cisco, include videos, guides, and explanations related to Smart Licensing:
Out of the Box
- All hardware model ESA/SMA/WSA purchased include 90-day Evaluation Licenses for all features.
- All hardware models that migrate with current Classic Licenses (CL) receive 90-day Evaluation Licenses.
- All Virtual ESA/SMA/WSA models require a basic Virtual License (VLN) (.xml) file loaded to the appliance to link to the upgrade/update server.
- All Virtual ESA/SMA/WSA models, when created, do NOT include 90-day licenses and require registration by the Classic License VLN (.xml).
- All Virtual ESA/SMA/WSA models that migrate with current Classic Licenses (CL) include 90-day Evaluation Licenses.
Communication Requirements
- Network or Proxy communication smartreceiver.cisco.com on TCP port 443.
Description of the CSSM Tool and the Tabs
A basic illustration of the CSSM tabs:
- General Tab
- The location to generate the token (the token is time-based and can be used to register multiple ESA/SMA/WSA.
- Ensure the proper
Virtual Account
has been selected because a user can have multiple virtual accounts.
- New Token, opens a template to complete and results in a
Token
line entry in the table.
- Actions can be executed repeatedly, as needed, and displays options to;
Copy
, Download
, and Revoke
the token.
CSSM General Tab
- Licenses Tab
- The location to review and confirm the presence and availability of licenses.
- The
License
column lists the names of the services or bundles purchased.
- The
Purchased
column lists the presence of usable keys.
- The
Alerts
column displays important messages with regard to a specific license.
CSSM License Tab
- Product Instances Tab
- Displays the individual appliance names, models, last communication, and Alerts.
CSSM Product Instances Tab
Generate a Token from CSSM
- Launch the CSSM webpage.
- Top of page, select
Inventory.
- Once loaded, select the appropriate
Virtual Account
from the top left part of the page
- A large organization can have multiple virtual accounts assigned to a single smart account, which require a selection of the appropriate virtual account related to the ESA/SMA/WSA licenses
- Tabs:
General
, Licenses
, Product Instances,
and Event Log
- Generate a Token from the CSSM.
- Select the
General
tab
- Under the header
Product Instance Registration Tokens
, select the New Token
button
- A window appears to complete the
Description
and Expire After
values
- Create a token
- Return to the
General
tab, select the Actions
drop-down tab to copy or download the token
SAMPLE TOKEN FILE
Token: M2UyYmIxYTktNzJmMy00ZxxxxxxxxxxxxxxxxxxxxZjVhMDMwLTE1NDE3Mzcx%0ANDU2ODR8RlluSVI5NmxCUS92SnVzUjUvcVViV0ZyVVFrcHBxNVh2TVdNa1My%0AeGJYMD0%3D%0A
Virtual Account: ESA
Smart Account: InternalTestDemoAccount.MY_DOMAIN.com
Token Description: SMA_token
Export-Controlled Functionality: Allowed
Created by User: my_CCOID
Contact Email: ADMIN@MY_DOMAIN.com
Expiry Date: 2018-Nov-09 04:19:05 (in 18 days)
* Note: this token file was downloaded on October 22nd 2018
* Note: copy entire token string to use for product instance registration
Enable the Smart License Feature on the ESA/SMA/WSA
- Web UI activation:
- Browse to
System Administration > Smart Software Licensing.
- Select
Enable Smart Software Licensing
.
- Options are listed that provide the choices to request feature keys:
- Option 1: Use a token to register and request needed features
- Option 2: Register without a token and have a 90-day Evaluation Period
- Select
OK.
- Commit changes.
- CLI activation:
- Execute the command:
license_smart > Enable > Y
.
- Option 1 and Option 2 are listed the same as the previous UI description.
- Select
OK
.
- Commit.
Register the ESA/SMA/WSA to a Smart Account with the Token
- Navigate to
System Administration > Smart Software Licensing
.
- Select the
Register
button to open the pop-up registration page.
- Paste the copied token in the space provided under step 4.
- Select
Register
to complete the steps (The pop-up window closes).
- Refresh the
Smart Software Licensing
page after 30 seconds to view the new status.
- Once completed, the
Registration Status
field shows the word Registered
, along with the registration expiration dates.
Smart Software Licensing "Register"Registration Pop-up page.Registration confirmation.
Actions
Additional tasks can be performed from the Smart Licensing Actions
drop-down menu.
- Renew Authorization
- Complete this task to manually renew the License Authorization Status for all licenses listed under the License Type.
Note: The license authorization is renewed automatically every 30 days. The license authorization status expires after 90 days if the ESA/SMA/WSA does not communicate with the CSSM.
- Renew Registration
- Complete this action to manually renew the registration.
Note: The initial registration is valid for one year. Renewal of registration is performed automatically every six months, if the appliance has connectivity to the CSSM.
- De-register
- Disconnects the ESA/SMA/WSA from the CSSM.
- The system transitions to Evaluation Mode.
- The licenses consumed by the ESA/SMA/WSA are released and credited to the smart account for re-use.
- Re-register
- Re-register the ESA/SMA/WSA with the CSSM.
Note: Re-register can be used to migrate between an organizations multiple Virtual Accounts.
Definitions Related to Smart License
License types:
- Classic License (CL): CL refers to the legacy methods used for both hardware and virtual licenses.
- Smart License (SL): SL refers to Smart Licensing.
- License Authorization Status - Is the status of a given license within the appliance.
- The ESA/WSA/SMA does not display the actual expiration date with the Smart Licenses page.
- Location:
Web UI > System Administration > Licenses
.
- Location:
CLI > license_smart > summary
.
The status of a specific feature appears with one of these values:
- Eval:
- SL Service has been enabled on a new (Hardware) ESA/SMA without token registration
- SL Service has been enabled on an appliance with current CL installed
- Eval Expired: 90-Day Evaluation SL has expired and the appliance has transitioned to the additional 30-day grace period
- In Compliance: The appliance has been registered with a token and currently the feature consumes a valid license
- Out of Compliance (Grace Period) can be observed in 2 scenarios:
- One-click request for a temporary 30-day feature license is in use
- A license has expired on the appliance and the 30-day grace period has initiated
- Out of Compliance (Expired): LIcense fully expired and the associated service ceases to function
System Administration > Licenses
Note: The Web UI Smart Licensing pages contain numerous informational buttons in the form of a ?
to assist to define values.
How to View License Expiration
How do I see the actual expiration date?
The License Expiration Dates can be viewed within the CSSM Smart Software Management Site.
- Navigate to:
Inventory > Virtual Account > Licenses >
. Click a license name to open the pop-up window.
- The
Overview
tab shows the current license count, purchase and expiration dates.
- The
Transaction History
tab shows each purchase/expiration per transaction.
CSSM: View license expiration.
Log Services for Smart Licensing
The ESA/SMA/WSA log activities related to Smart Licensing to the smartlicense
logs. The logs are viewable from the CLI. The logs can also be downloaded to a local computer for review.
The output shown is a sample of the registration action from the smartlicense
logs:
Mon Jan 28 08:40:57 2019 Info: The administrator has requested to register the product with Smart Software Manager.
Mon Jan 28 08:41:07 2019 Info: Smart License: NotifyExportControlled notification has been ignored
Mon Jan 28 08:41:12 2019 Info: The product is registered successfully with Smart Software Manager.
Mon Jan 28 08:41:17 2019 Info: Smart License: Moved out of evaluation mode
Mon Jan 28 08:41:17 2019 Info: Renew authorization of the product with Smart Software Manager is successful.
Mon Jan 28 08:42:18 2019 Info: Email Security Appliance Anti-Spam License license has been moved to In Compliance successfully.
Mon Jan 28 08:42:23 2019 Info: Email Security Appliance Outbreak Filters license has been moved to In Compliance successfully.
Mon Jan 28 08:42:28 2019 Warning: Email Security Appliance Graymail Safe-unsubscribe license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:33 2019 Warning: Email Security Appliance Cloudmark Anti-Spam license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:44 2019 Warning: The Mail Handling is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:42:48 2019 Info: Email Security Appliance Sophos Anti-Malware license has been moved to In Compliance successfully.
Mon Jan 28 08:42:53 2019 Warning: Email Security Appliance PXE Encryption license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:59 2019 Warning: Email Security Appliance Data Loss Prevention license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:04 2019 Warning: Email Security Appliance Advanced Malware Protection license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:09 2019 Warning: Email Security Appliance McAfee Anti-Malware license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:14 2019 Warning: Email Security Appliance Intelligent Multi-Scan license has been moved to Out of Complaince successfully.
Mon Jan 28 08:43:15 2019 Warning: The Email Security Appliance Intelligent Multi-Scan is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
Mon Jan 28 08:43:19 2019 Info: Email Security Appliance External Threat Feeds license has been moved to In Compliance successfully.
Mon Jan 28 08:43:24 2019 Info: Email Security Appliance Bounce Verification license has been moved to In Compliance successfully.
Mon Jan 28 08:43:29 2019 Info: Email Security Appliance Image Analyzer license has been moved to In Compliance successfully.
Mon Jan 28 10:18:56 2019 Info: Renew authorization of the product with Smart Software Manager is successful.
Sample with an interpretation of the values:
This sample shows:
- The Evaluation Period has stopped its count because the host has been registered.
- The host has been registered with a smart account:
InternalTestDemo111.cisco.com
.
- The ESA is associated with the Virtual Account:
ESA_EMEA
.
- Keys in the state
Out of Compliance 18 days
.
- The keys have expired and increments the 30-day grace period.
- Keys in the state
Out of Compliance Expired
.
- The keys have expired and depleted the 30-day grace period. The feature is disabled.
Smart Licensing is : Enabled
Evaluation Period: Not In Use
Evaluation Period Remaining: 81 days 7 hours 32 minutes
Registration Status: Registered ( 30 Oct 2018 07:57 ) Registration Expires on: ( 04 Dec 2019 16:11 )
Smart Account : InternalTestDemo111.cisco.com
Virtual Account : ESA_EMEA
Last Registration Renewal Attempt Status : SUCCEEDED on 04 Dec 2018 16:16
License Authorization Status: Out Of Compliance ( 30 Oct 2018 07:57 ) Authorization Expires on: ( 05 Mar 2019 03:29 )
Last Authorization Renewal Attempt Status: SUCCEEDED on 05 Dec 2018 03:34
Product Instance Name: beta.ironport.com
Transport Settings: Direct (https://smartreceiver.cisco.com/licservice/license)
beta.ironport.com (SERVICE)> license_smart
Choose the operation you want to perform:
- URL - Set the Smart Transport URL.
- REQUESTSMART_LICENSE - Request licenses for the product.
- RELEASESMART_LICENSE - Release licenses of the product.
- DEREGISTER - Deregister the product from Smart Licensing.
- REREGISTER - Reregister the product for Smart Licensing.
- RENEW_AUTH - Renew authorization of Smart Licenses in use.
- RENEW_ID - Renew registration with Smart Licensing.
- STATUS - Show overall Smart Licensing status.
- SUMMARY - Show Smart Licensing status summary.
[]> summary
Feature Name License Authorization Status Grace Period
-----------------------------------------------------------------------------------------------------------------------------
Email Security Appliance Anti-Spam License In Compliance N/A
Email Security Appliance Outbreak Filters Out Of Compliance 18 days
Email Security Appliance Graymail Safe-unsubscribe Out Of Compliance Expired
Email Security Appliance Cloudmark Anti-Spam Out Of Compliance Expired
Email Security Appliance Advanced Malware Protection Reputation Out Of Compliance Expired
Mail Handling In Compliance N/A
Email Security Appliance Sophos Anti-Malware In Compliance N/A
Email Security Appliance PXE Encryption Out Of Compliance Expired
Email Security Appliance Data Loss Prevention Out Of Compliance Expired
Email Security Appliance Advanced Malware Protection Out Of Compliance Expired
Email Security Appliance McAfee Anti-Malware Out Of Compliance Expired
Email Security Appliance Intelligent Multi-Scan Out Of Compliance 17 days
Email Security Appliance External Threat Feeds Out Of Compliance 17 days
Email Security Appliance Bounce Verification Out Of Compliance 17 days
Email Security Appliance Image Analyzer Out Of Compliance 21 days
Related Information