How Licensing Works

Document created by RSA Information Design and Development on Sep 13, 2017Last modified by RSA Information Design and Development on Mar 27, 2018
Version 10Show Document
  • View in full screen mode

RSA NetWitness Suite version 11.0 entitlement uses a trust-based licensing model. Appliances continue to function even if they are out-of-compliance with current licensing.

Configuration StepDescription

Step 1. Register the NetWitness Server

Before you begin the licensing process, you must ensure that your license server is installed and running.

Step 2. Synchronize NetWitness Server

Your NetWitness Server must be registered to Download Central and entitlements must be mapped. There are two methods of synchronizing NetWitness Suite with Download Central: online and offline.

Step 3: Install Product Licenses from Download Central (DLC)

Your DLC Welcome e-mail message contains system log in instructions to Download Central. Instructions for downloading your product licenses can be found in this document, as well as the Download Central (DLC) website.


Choosing a License Type

The type of license you choose is based on your network requirements. If you want a license that is based on a throughput per day of logs (SIEM) or network packets (Network Monitoring and Network Malware), Metered licensing is your best bet.

The following types of licenses are available in RSA NetWitness Suite 11.0:

  • Metered Licensing
  • Service-based Licensing
  • Out-of-the-box Trial Licensing

Note: You should purchase or install a license within 90 days, although the functionality will continue after the 90-day out-of-the-box trial period ends.

Metered Licensing

Metered licensing is based on a throughput per day of logs (SIEM) or network packets (Network Monitoring and Network Malware), combined with the separate purchase of the hardware needed to deploy the system and meet customers' retention requirements.

The throughput per day for logs is measured in Gigabytes per day and in Terabytes per day for packets. Customers can then acquire the amount of Gigabytes per day of logs, or Terabytes per day of packets that they require in order to meet their needs. The total amount of throughput per day is selected from one of five volume tiers of license levels, based on the total amount of throughput per day that is being licensed across the customer's entire enterprise deployment of NetWitness.

With this licensing system, organizations can scope their throughput per day capacity independently from their hardware infrastructure components, optimizing specifically for their network environment. A customer effectively licenses NetWitness software from RSA based on their network or log throughput and then purchases the infrastructure components (servers to deploy the Decoders, Concentrators, Brokers, and so on) that are required for their particular deployment.

Note: If you want to change the default allotment of licenses by moving between metered and service-based, you can do this by selecting under the actions of each license entry, provided there is support for both license types.

Service-based Licensing

RSA NetWitness Suite version 11.0 supports service-based licensing. Support for service-based licensing is applicable for all appliances that require a license. This is a per-service permanent license that has no expiration date. You do not need to activate any version 11.0 services manually.

The following list includes services that can have service-based licenses:

  • Decoder
  • Log Decoder
  • Concentrator
  • Broker
  • Archiver
  • Event Stream Analysis
  • Malware Analysis

Note: The one exception is a co-located instance of Malware Analysis, which is licensed by default.

Out-of-the-Box Trial Licensing

Out-of-the-Box Licensing for RSA NetWitness Suite version 11.0 ships with a default Trial out-of-the-box license that enables customers to use the product with full functionality for 90 days. The 90-day time period begins when the NetWitness Suite user interface is configured and used for the first time.

You are given a choice to include appliances under an Out-of-the-Box (OOTB) Trial Metered License, or a Service- based License. Metered licenses are only supported for Decoder, Log Decoder, and Malware Analysis.

Version 11.0 provides the flexibility to move your license to an Out-of-the-Box Trial service-based License. An Out-of-Compliance banner notifies you when you need to take action on your license.

Licensing at a Glance

Note: You are entitled to the latest software version based on your maintenance contract. If your maintenance contract expires, you can still use the product, but you are not covered for maintenance or Technical Support.


Service-based licenses are applicable to the following services:

  • Decoder
  • Log Decoder
  • Concentrator
  • Broker
  • Archiver
  • ESA
  • Malware Analysis


  • License usage is based on the amount of data throughput per day.
  • Only applies to Log Decoder, Packet Decoder, and Malware Analysis (standalone) services.
  • Throughput per day is measured in Gigabytes per day for Log Decoders and Packet Decoders, and is measured in Terabytes per day for Malware Analysis.
  • Metered license usage statistics are captured hourly and made available in CSV or PDF formats for export.


License is based on aggregate usage, as opposed to a per-appliance service. There is no specified end date; the Metered license works indefinitely


License is purchased for a specific period of time, such as 12 months, 24 months, or 36 months. Use of the software is discontinued at the end of your subscription period.

Licensing Measurement

  • Usage stats reflect daily average usage.
  • Perpetual and service-based licenses, such as Netmon or Network, or Decoder are offered in 1 TB increments
  • SIEM or Log Decoder offered in 50 GB increments
  • Malware Analysis offered in 1 TB increments on a per-day average usage.
  • Contracted daily usage can be exceeded three times in a calendar month. Fourth spike puts the customer in an out-of- compliance state. If you are able to keep your usage within compliance for seven consecutive days until the end of the calendar month, the Out-of-Compliance banner disappears.

    For example, if the fourth spike occurs on November 23, 2017, the Grace Period ends on December 31, 2017 and the Out-of-Compliance banner disappears.

  • Breach period starts immediately after Grace Period ends.

  • Red banner cannot be dismissed.

    Note: Even when the Red banner is displayed, there is no loss of functionality, all NetWitness appliances continue to work with full functionality. All other functionality is included in the license (ESA, storage, and so on).

  • Customer pays for hardware.
  • Usage is measured as an aggregate of all metered appliances.

    For example, a Decoder can be licensed for 10 GB per day. Customers are allowed to use multiple Decoders under the same license.

  • Services are licensed automatically under the following conditions:

    • When services are resolved.
    • When a scheduled task runs every hour.
    • License Refresh is triggered by the user.
  • Subscription-based licenses are billed yearly.

Out-of-Compliance Banner

The Out-of-Compliance banner is displayed when one of the following conditions occurs:

  • License is tampered with during the out-of-the-box trial period.
  • A service is not licensed.
  • A license has expired, or is due to expire within the next two weeks.
  • Usage exceeds entitled limit.
  • Usage is approaching entitled limit.

To resolve an out-of-compliance state:

  • Reduce usage, or
  • Adjust contracted usage amount
Next Topic:Initial Set Up
You are here
Table of Contents > How Licensing Works