Managing License Allocation

If you have a legacy license, all devices need to be attached to a license component (SKU). When you import a license file into SecureTrack and activate it, the SKUs (perpetual and subscription) that you purchased from Tufin become available for use and can be attached to enabled devices.

If a device appears in the License page or in the Status page as Unlicensed, Evaluation, Expired, About to be Expired, or Plug-and-Play, then it either is not or soon will not be licensed. You can resolve this issue by attaching an available SKU to the device.

There are three options for attaching SKUs to devices:

  • Automatically attach all unused SKUs

  • Manually attach a device to a specific SKU

  • Detach a device that does not need monitoring, and then attach its SKU to a different device.

After attaching the licenses, you need to apply the changes in the Licenses page for them to take effect.

Attach All Unused SKUs to Devices Automatically

  1. Go to Admin > Licenses.

  2. In the Status table, in the Unused column, click on the number of unused licenses to automatically attach them to devices.

When clicking on the link, SecureTrack attaches devices to the unused SKUs in the following order:

  1. Expired devices

  2. Unlicensed devices

  3. Plug and Play devices

  4. All other statuses

Expired devices are attached only to subscription licenses. For all other statuses, SecureTrack uses available perpetual licenses first, and then subscription licenses. When attaching a device to a subscription license, SecureTrack chooses the license with the latest expiration date, which will result in the device remaining monitored for the longest possible time period.

Physical firewall licenses are first attached to the appropriate physical firewalls. If unused physical firewall licenses remain and there are not enough virtual licenses to cover all virtual devices, the unused physical firewall licenses are automatically attached to virtual firewalls that require a license.
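The attachment order described above can be modelled offline to predict which devices a given pool of unused SKUs will leave without a license. This is an added example, not Tufin code or a SecureTrack API: the class names, SKU names and sample inventory are constructed, and the physical-to-virtual fallback is not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Status order used by auto-attach, as listed above; any other status sorts last.
PRIORITY = {"Expired": 0, "Unlicensed": 1, "Plug-and-Play": 2}

@dataclass
class Sku:                      # hypothetical model of an unused SKU
    name: str
    kind: str                   # "perpetual" or "subscription"
    expires: Optional[date] = None

@dataclass
class Device:                   # hypothetical model of an enabled device
    name: str
    status: str

def pick_sku(device, unused):
    """Choose a SKU for one device following the documented preference."""
    perpetual = [s for s in unused if s.kind == "perpetual"]
    subscription = [s for s in unused if s.kind == "subscription"]
    # Expired devices are attached only to subscription licenses.
    if device.status != "Expired" and perpetual:
        return perpetual[0]
    # Among subscriptions, the latest expiration date wins.
    if subscription:
        return max(subscription, key=lambda s: s.expires)
    return None

def auto_attach(devices, skus):
    """Return (plan, uncovered): device -> SKU name, and devices left without a SKU."""
    unused, plan, uncovered = list(skus), {}, []
    for dev in sorted(devices, key=lambda d: PRIORITY.get(d.status, 3)):
        sku = pick_sku(dev, unused)
        if sku is None:
            uncovered.append(dev.name)
        else:
            unused.remove(sku)
            plan[dev.name] = sku.name
    return plan, uncovered

# Constructed sample inventory: four devices competing for three SKUs.
DEVICES = [Device("fw-eval", "Evaluation"), Device("fw-new", "Unlicensed"),
           Device("fw-old", "Expired"), Device("fw-pnp", "Plug-and-Play")]
SKUS = [Sku("PERP-1", "perpetual"),
        Sku("SUB-2025", "subscription", date(2025, 6, 30)),
        Sku("SUB-2026", "subscription", date(2026, 6, 30))]

if __name__ == "__main__":
    print(auto_attach(DEVICES, SKUS))
```

Devices returned in the second list are the ones to cover manually or with an additional license before clicking Apply.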

Attach a Device to an SKU Manually

  1. Go to Admin > Licenses.

  2. In the Devices license tree, click on the icon of a device that needs to be attached to an SKU.

  3. Attach license

    If there is only one relevant SKU, it is automatically attached to the device. If there are multiple types of available SKUs, a dialog box appears.

  4. Select the SKU to attach, and click Confirm.

    You can attach virtual firewalls to licenses for physical firewalls.

Detach a Device From an SKU

  1. Go to Admin > Licenses.

  2. In the Devices license tree, click on the license status icon of the device you want to detach.

  3. Detach license

Apply Changes Made to SKU Allocations

  1. In the Licenses page, click Apply.

    A list of changes appears, with the net effects on license component availability.

    Changes that were made from the license table are marked as Auto-Attach; changes made from the device tree are marked as Manual Change.

  2. Click Confirm.

  3. If you still need additional licensing, purchase a Tufin license or license extension.

Additional Notes

  • For Decommission Network Object and Clone Network Object Policy workflows, SecureChange license enforcement is based on a list of targets calculated by the ticket’s tools. For these workflows a ticket handler cannot manage the target list or remove specific devices from a ticket, therefore the whole ticket is put on hold if an unlicensed device exists. After the appropriate SecureChange license is assigned to the device, the ticket will continue.

  • The license status of management devices for most vendors (such as Palo Alto Device Groups and Fortinet ADOMs) is determined according to the accumulated license statuses of their managed firewalls. As a result, if there is at least one managed firewall with the license status Expired or Unlicensed, the management device will also have the license status Expired or Unlicensed.

    To resolve this, you can:

    • Ensure that a valid license is attached to all managed firewalls.

    • Disable the unlicensed firewalls (not supported for Check Point devices).

    • Remove the unlicensed firewalls from SecureTrack monitoring.

  • The license status of Check Point management devices is determined according to the individual license status of the managed firewalls. In other words, if there is at least one managed firewall with a valid subscription license, the status of the Check Point management device is Licensed Subscription (or Licensed Perpetual if there is also a perpetual license).