What is Enterprise and Service Provider Friendly Licensing?
This type of licensing (a.k.a. pool licensing) lets you centrally manage all Barracuda NextGen Firewall F licensing through the Barracuda NextGen Control Center in a flexible, independent manner. You can make best use of pool licensing for NextGen Firewall F-Series deployments when you have a large number of firewalls running across a wide geographic area.
This whitepaper is about pool licensing only. All content is related to the handling and behavior of NextGen Firewalls running with pool licenses.
For in-depth configuration and administration of pool licensing, please visit Barracuda Campus
Single Licensing vs. Pool Licensing
Barracuda NextGen Firewall F appliances are usually single licensed. This means that the licenses needed to run the firewall are related to the serial number of the box. This guarantees legal usage of the hardware, the acquired software subscriptions, and all services running on the firewall. Following activation, this also guarantees regular updates of the licenses, software, and patterns, thereby ensuring frictionless operation.
Single licensing is well-established. However, for every required hardware or licensing change, you must configure each box separately. Fortunately, such changes do not happen very often when you only have a dozen boxes running.
If, however, your company’s security infrastructure contains hundreds or thousands of firewalls for all of your branches/locations around the globe, deploying new firewalls and replacing or upgrading hardware becomes a daily job. You therefore need a quick and easy way to manage the licensing of these firewalls. Pool licensing for the Barracuda NextGen Firewall F is ideal tool for centrally managing and maintaining your firewalls via the Barracuda NextGen Control Center. Instead of having hundreds of single licenses for your network, you have just ONE pool license that is assigned to all your firewalls.
How Does Pool Licensing Work?
Pool licensing is issued to a Barracuda NextGen Control Center for a specific model and a specific quantity of appliances (pool size, capacity). This makes the Barracuda NextGen Control Center the master of the pool license, enabling the administrator to assign instances (copies) of the pool license to the appliances. Since a pool license is not issued for a specific box’s serial number, it does not matter which box you assign the license to as long as the gateway complies with the model type and the pool size (capacity) is not exceeded. This is also known as a floating license because it can be used for numerous gateways.
In addition to the Barracuda NextGen Control Center, which is required to operate the pool licenses, the licensing scheme consists of three main components:
|Hardware only||The appliance||BNGF280p-hwo|
|Pool Base License||To run the hardware in basic mode||BNGF280p|
|Pool Energize Updates License||To run software services on the box and to receive updates for a one-year period||BNGF280p-e1|
Benefits of Pool Licensing
When operating multiple Barracuda NextGen Firewall F in your network, you do not need to manage the license of every single box. You can run all boxes with one central license.
Solution Advantage 1 – Easy installation and setupAll gateways are set up and configured centrally via the Barracuda NextGen Control Center. Assigning the pool license to multiple firewalls for a fast and easy rollout of all boxes requires no manual activation of box serial numbers. After the initial set-up, the Barracuda NextGen Control Center automatically manages all boxes assigned the pool license number.
Solution Advantage 2 – Fast hardware replacementIf a box fails, you can easily replace it without cumbersome administration. Hardware replacement is accomplished by a Barracuda NextGen Control Center by removing and re-applying licenses. Informing Barracuda Customer Service about the new box serial and license switch is not required.
Solution Advantage 3 – RMA or repair handlingIn case of RMA or repair, and after the license swap in the Barracuda NextGen Control Center, the new or refurbished box can be returned to the customer to be re-used as required. That is a major advantage over single licensing. For example, after a single box RMA and license switch, the former box’s serial number is irrevocably terminated.
Solution Advantage 4 – Consolidated run timeAll Barracuda NextGen Firewall F deployments run with instances of the pool license and therefore have the same activation and expiration dates of the software subscriptions. Compared to single licensing, in which each box has its individual license and activation date, it is much easier to manage updates and renewals of your full Barracuda NextGen Firewall F deployment by utilizing a pool license.
Solution Advantage 5 – Automatic license renewals and updatesAll renewals and updates for pool licenses are managed automatically via the Barracuda NextGen Control Center. Administrators need only to renew the pool license on the NextGen Control Center and deploy it to all pool-licensed boxes by means of automatic configuration updates.
Subscriptions entitle the use of specific features and services and can be divided into software, hardware, and support subscriptions.
For a single-licensed deployment, all subscriptions are based on the appliance's serial numbers and MAC addresses
For a pool-licensed deployment, all subscriptions are based on the Barracuda NextGen Control Center's Master ID. However, hardware subscriptions are still related to the box serial number. The Pool Base license and Pool Energize Updates license are mandatory.
All software subscriptions are assigned to the Barracuda NextGen Control Center:
- Pool Base (mandatory
- Pool Energize Updates (mandatory
- Pool Web Filter
- Pool Malware Protection
- Pool Bundle Web Security (Web Filter + Malware Protection)
- Pool Advanced Threat Protection (requires Malware Protection)
- Pool Bundle Malware and Advanced Threat Protection (Malware Protection + Advanced Threat Protection)
- Pool Advanced Remote Access
The Premium Support subscription requires an active Energize Updates subscription.
Hardware subscriptions are assigned to the serial number of the NextGen Firewall F appliance:
- Instant Replacement (including Enhanced Support)
- Warranty Extension (including Basic Support)
Please note: For a hardware subscription transfer to another serial number, please contact Barracuda Customer Services.
To run a pool-licensed environment, the minimum subscription setups are Pool Base and Pool Energize Updates . The pool license concept is made for large deployments and is issued for a fixed number of a specific Barracuda NextGen Firewall F model. The total number of appliances you can run with a pool license is called capacity . The capacity of the Pool Base license and the Pool Energize Updates license is the same. Pool Energize Updates is mandatory to run firewall and VPN services on the Barracuda NextGen Firewall F. Barracuda Premium Support service is also based on the Pool Energize Updates license.
For all other subscriptions, a lower capacity can be used. This enables the Barracuda NextGen Firewall F to run with a basic Barracuda NextGen Firewall F feature set and - at the same time - have a subset of gateways running additional features, such as Malware Protection, Advanced Threat Protection, or Advanced Remote Access. Hardware replacement options like Instant Replacement or Warranty Extension are also offered as subscriptions, but only for a subset of your deployment. For example, Instant Replacement is only purchased for mission-critical locations like datacenters, headquarters, or regional main offices.
Deployment of Pool Licenses
After purchasing a Barracuda NextGen Firewall F Pool License, a token (1) is issued for its initial download and activation from the Barracuda Update Server (2) via the Barracuda NextGen Control Center. The pool license can then be assigned to the corresponding Barracuda NextGen Firewall F (3). The pool license can be assigned to multiple firewalls until capacity is reached.
The pool licenses are activated when the licenses are first downloaded using the license token. Hardware-related subscriptions, like Instant Replacement or Warranty Extension, must be activated manually via the Barracuda Activation Web form or via Barracuda Support on the first day of productivity. (https://www.barracuda.com/activate)
Starting a Barracuda NextGen Firewall F-Series without licenses activates the Demo Mode. This is a basic and very limited operation mode for setup and configuration purposes. The configuration and license assignment for each Barracuda NextGen Firewall F is set up via the Barracuda NextGen Control Center and can then be easily distributed to the deployed appliances.
If there is no permanent connection between the Barracuda NextGen Control Center and a Barracuda NextGen Firewall F, the NextGen Firewall F tries for a minimum of 30 days to connect to the Control Center for a new timestamp in order to validate the pool licenses.
The Barracuda NextGen Control Center renews the timestamp on the gateway, provided that the pool license has not expired. Without a timestamp renewal, the license instance on the box is valid for 60 days. This is referred to as the grace period.
As soon as time licenses become invalid, the Barracuda NextGen Firewall F stops the licensed services. As a simple rule, after Pool Energize Updates (EU) expires, the boxes on the field will still run for a minimum of 30 days, until Energize Updates becomes invalid.
Please note: If the Pool Energize Updates license becomes invalid, the Barracuda NextGen Firewall F will stop forwarding traffic!
To avoid this, the Barracuda NextGen Control Center’s Status page enables administrators to check the connectivity status of the Firewall F managed by the Control Center. In addition, the Barracuda NextGen Control Center will send alerts to administrators as soon as a pool license expires. Administrators can also configure events on the Barracuda NextGen Control Center and/ or the Barracuda NextGen Firewall F to get automatic notifications for license issues.
Pool licenses are issued for a specific Barracuda NextGen Firewall F model. When assigning pool licenses to the gateway, a model check is made to prove that the assigned license is valid. It is possible to run lower models with a higher pool license, but not vice versa. For example, Barracuda NextGen Firewall F400 pool licenses can run on F18, F80, F180, F280, F380, and F400 – but not on a model F600 or higher.
License Renewals and Updates
The Barracuda NextGen Control Center regularly connects to Barracuda Update Servers to check for updates or renewals. The Barracuda NextGen Control Center also obtains updates for the pool licenses.
An administrator can update existing licenses on the Barracuda NextGen Control Center and, later, push the updates to all Barracuda NextGen Firewalls. It depends on the type of license update.
Additional subscriptions for existing pool – With the update, the additional license file is downloaded and can then be assigned to the Barracuda NextGen Firewall F.
Capacity change of existing pool size – With the update, the license gets a higher capacity. The Barracuda NextGen Control Center updates the existing license and reassigns it to the Barracuda NextGen Firewalls.
Pool license exchange – The Barracuda NextGen Control Center downloads a new pool license to replace the existing one. For example, due to a model upgrade, the Barracuda NextGen Control Center downloads the new pool license files and then the administrator overwrites the former pool license on the Barracuda NextGen Firewalls.
Changing from Single to Pool Licensing
Changing from single-licensed Barracuda NextGen Firewall F-Series deployments to pool licenses is simple and can be done at anytime. All that is required is a Barracuda NextGen Control Center and the pool licenses for the subscriptions you are already running. Once you have purchased the pool licenses, you can download and activate the licenses via the Barracuda NextGen Control Center.
If you are not using a Barracuda NextGen Control Center for centrally managing your Barracuda NextGen Firewall F, you must set up your CC and import the configuration PAR files from each box to the Barracuda NextGen Control Center. Once completed, the Barracuda NextGen Firewall F is re-configured to a Barracuda NextGen Control Center-managed box.
In the Barracuda NextGen Control Center, assign the pool licenses to the boxes and remove the former single license files. Inform Barracuda Customer Service about all box serials that has been changed to a pool-licensed box. Barracuda Customer Service will then terminate the former single licenses, so that all remaining subscription periods can be credited. Afterwards, the appliances are converted to a Barracuda NextGen Firewall F hardware-only appliance.
There is no need to change of all your Barracuda NextGen Firewall F deployments at once. Depending on your rollout plan for the pool licenses, the transition can be done smoothly, box by box.