NP-View is licensed on an annual basis. The cost of the license depends on the number of configuration files imported from primary network devices (firewalls, routers, and switches).
How Licensing Works
When importing devices (manual or automated), a reminder notice is provided stating: “Importing new devices requires available licenses. Devices are activated in the order they are imported. If the total license count is exceeded, importing of additional unlicensed devices will be prohibited.
To determine the available number of devices licenses, see the summary at the bottom of Licenses and Terms.
When Device Licenses are Activated
Device licenses are activated when a device is first imported. When the device limit is reached, import of additional devices (manual or automated) will be prohibited and a message will be issued in the help center and system logs.
Device licensing is permanent. Once a license is allocated to a device it cannot be re-assigned to another device.
Palo Alto NGFW and Virtual Systems (VSYS)
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple physical firewalls, IT departments can use a single firewall and enable virtual systems on them to independently separate traffic.
When using virtual systems, if a configured VSYS has an interface with access rules, NP-View will represent the VSYS as a separate firewall and a device license is allocated. If a VSYS has no interfaces or access rules and is used only for object management then NP-View does not display the firewall and it requires no license.
Likewise, the physical firewall can be configured with access rules and object groups. If the physical device is configured in this manner, it will be allocated a device license. Otherwise, it will not.
FortiGate and Virtual Domains (VDOM)
Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network. If a VDOM has no interfaces or access rules and is used only for object management then NP-View does not display the firewall and it requires no license.
If a device is no longer required in any workspace, the Administrator can hide the device from all workspaces by unchecking the “Visible in Workspace” check box and selecting the “Submit” button.
The licensed device will remain in “license and Terms” and displayed as follows:
The data is not deleted from the workspaces. If the Administrator wishes to restore the device to all workspaces, they can by importing new data for the device or by rechecking the checkbox and clicking “Submit”.
Note that NP provided demo devices in the demo workspace are excluded from display in the license manager and device counts.
User Deleted Devices
If the user deletes a device from all workspaces, the device still remains licensed but as it has no system association will not be displayed in License and Terms. The device can be restored in the future by importing new data for the device into any workspace.
When the license expires, workspaces for all users will be disabled along with manual data imports. A message will be displayed stating that the license has expired and to contact sales to renew. Connectors will continue to collect data and deliver the updates to workspaces and demo workspaces will continue to function.
If a customer downgrades their device count, the Administrator will need to select the devices to remain active after inputting the new license key. If the Administrator does not select the devices to remain, the system will allocate the devices in the order they are used. All remaining unlicensed devices will be removed from all workspaces.
Compliance Module Downgrade
If a customer downgrades their compliance module license, all workspaces associated with that module will be disabled. The user can manually delete these workspaces.
Existing Customer Upgrades
For existing customers upgrading from a previous version of software to version 3.1.0 or later, devices that are imported and active in the license manager (check box marked) will remain licensed. Devices that are unlicensed (check box unmarked) will be removed from all existing workspaces. If a customer needs to replace one or more devices, please contact support.
Auditors and NP Certification
Auditors and NP Certification members working project style engagements using NP-View Desktop are provided with a special feature to reset the system to its original state after an engagement so that no customer data is retained.
Adding a license to NP-View and NP-Live
- Step 1: Create an account on the Portal website
- Step 2: If you don’t see an active license in the Portal home page, select “Request License” or contact email@example.com
- Step 3: Once a license key has been generated for you, make sure the format is correct. It should be a JSON structure similar to:
"email": "email address",
"type": "License type",
"max_rulesets": "purchased device",
"max_users": "purchased user",
"module_np": if purchased,
"module_nerccip": if purchased,
"key": "secret key"
- Step 4a: For New Installations, upon system installation, the Administrator will input the NP license key into the setup screen which will set the maximum limit on the number of devices that can be imported (manually or automated) into the system.
- Step 4b: For existing customers, launch NP-View and select “License & terms” from the user menu (top right corner). Then select “Upgrade or renew your license” followed by “Input license manually”. You can then copy/paste the license JSON structure (including opening and closing curly brackets) into the text field area. Note: the licensing function is available only to the Administrator role in NP-View Server and the must logout and re-login for the license to take affect.
NP-View Enterprise supports the licensing of active / passive high availability (HA) groups for firewalls. HA Group definitions are only required if the device name of the primary and secondary devices are different. Once the active firewalls are loaded into NP-View, the HA definition file can be exported using postman or a tool of your choice using:
GET /license/ha-groups?file-export=true and a file will be downloaded.
The file export will be a text file. Column 1 will be the HA Group name and will be initially empty. Column 2 will be the firewall name.
HA Group Name, Device Name
The administrator will then update the text file to add unique group names as well as the name of the passive firewall. The updated file can look as follows. Devices without group names will remain as individual firewalls.
HA Group Name, Device Name
Once the file is updated, the file can be posted using postman or the tool of your choice:
When new firewalls are added or groups need to be redefined, the above GET / POST process can be repeated.
HA Groups will share one device license. If firewalls are ungrouped and there are not enough free device licenses, the user will be asked to remove firewalls from NP-View that are to be unlicensed and deleted from the system.