000038112 - RSA NetWitness Platform Mixed Mode License Operation

Document created by RSA Customer Support Employee on Nov 14, 2019
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000038112
Applies ToRSA Product Set: NetWitness Platform
RSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.x
Platform: CentOS
O/S Version: 7
IssueIn some instances, it may be necessary to have both throughput and appliance-based licenses.

RSA NetWitness handles each of these types of licenses differently and this can affect the normal operation of your NetWitness environment.

In an appliance-based license environment, licenses are required for each host except for the NetWitness Server and any other services that normally operate on that appliance. A check is performed when each external host starts up and, if available, a license for that host type is granted to that host. Assuming that there are enough available licenses in your environment, your environment operates normally.

When there are not enough host licenses present to address every request, the UI will display a red warning banner to let you know that one or more hosts are not properly licensed. To address this, you will need to validate that you have the correct number of licenses available for each service type host you are attempting to use in your environment.

If you decide, instead, to go with a throughput based model, throughput licenses are applied to Log, Network Decoders, and Malware Analysis hosts, with the two most common types of throughput licenses being for Log and Network Decoders:
  • A Log Decoder throughput license is measured based on a capture rate of 50/MBs per day per unit purchased.
  • A NetWitness Decoder throughput license is based on a capture rate of 1 TB per day per unit purchased.
It is important to understand that the total amount of traffic written to disk for all Log or Network Decoders is measured against the appropriate throughput license and these are not applied to each host individually. 

When throughput license allotments are exceeded, a yellow banner is displayed to let you know that has occurred.

In instances where both types of licenses have been purchased and applied to a given environment, NetWitness assigns the throughput license first each time a license refresh occurs. What this means is that in a mixed-mode environment, each time a license refresh occurs, your Network and Log Decoders are going to be assigned throughput licenses instead of their normal appliance-based (assuming you have purchased ones already for those hosts).

To have them co-exist and use the right license requires a manual intervention on the License page to change the entry for each Network and Log Decoder to "Service Based" from "Metered"

Note: Each time you add a new license to your environment (which triggers a license refresh) or manually refresh the license page in the UI, any Network or Log Decoders will get reset to a throughput-based license. You will need to repeat the steps listed for each Log Decoder, Network Decoder, or Malware Analysis Host that should normally be appliance-based licensing.
TasksYou will need to manually change the license type for each Log and/or Network Decoder, and Malware Analysis that would normally use an appliance-based license rather than a throughput license.
ResolutionTo change the license type for a given host:
  1. In the UI, under Admin > System, select Licensing from the left-hand pane.
  2. On the Licensing Details window, in the section titled Throughput Licenses, locate the host for which you want to change the license type.
  3. Under the Actions column to the right of that host, select the wheel drop-down and choose "Reassign to Another License".
Note: Each time you add a new license to your environment (which triggers a license refresh) or manually refresh the license page in the UI, any Network or Log Decoders will get reset to a throughput-based license. You will need to repeat the steps listed for each Log Decoder, Network Decoder, or Malware Analysis Host that should normally be appliance-based licensing.

Attachments

    Outcomes