|Applies To||RSA Product Set: NetWitness Platform|
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.x
O/S Version: 7
|Issue||In some instances, it may be necessary to have both throughput and appliance-based licenses.|
RSA NetWitness handles each of these types of licenses differently and this can affect the normal operation of your NetWitness environment.
In an appliance-based license environment, licenses are required for each host except for the NetWitness Server and any other services that normally operate on that appliance. A check is performed when each external host starts up and, if available, a license for that host type is granted to that host. Assuming that there are enough available licenses in your environment, your environment operates normally.
When there are not enough host licenses present to address every request, the UI will display a red warning banner to let you know that one or more hosts are not properly licensed. To address this, you will need to validate that you have the correct number of licenses available for each service type host you are attempting to use in your environment.
If you decide, instead, to go with a throughput based model, throughput licenses are applied to Log, Network Decoders, and Malware Analysis hosts, with the two most common types of throughput licenses being for Log and Network Decoders:
When throughput license allotments are exceeded, a yellow banner is displayed to let you know that has occurred.
In instances where both types of licenses have been purchased and applied to a given environment, NetWitness assigns the throughput license first each time a license refresh occurs. What this means is that in a mixed-mode environment, each time a license refresh occurs, your Network and Log Decoders are going to be assigned throughput licenses instead of their normal appliance-based (assuming you have purchased ones already for those hosts).
To have them co-exist and use the right license requires a manual intervention on the License page to change the entry for each Network and Log Decoder to "Service Based" from "Metered"
Note: Each time you add a new license to your environment (which triggers a license refresh) or manually refresh the license page in the UI, any Network or Log Decoders will get reset to a throughput-based license. You will need to repeat the steps listed for each Log Decoder, Network Decoder, or Malware Analysis Host that should normally be appliance-based licensing.
|Tasks||You will need to manually change the license type for each Log and/or Network Decoder, and Malware Analysis that would normally use an appliance-based license rather than a throughput license.|
|Resolution||To change the license type for a given host:|