vSRX Feature Licenses Overview

 

Some Junos OS software features require a license to activate the feature.

To enable a licensed feature, you need to purchase, install, manage, and verify a license key that corresponds to each licensed feature. To conform to software feature licensing requirements, you must purchase one license per feature per instance. The presence of the appropriate software unlocking key on your virtual instance allows you to configure and use the licensed feature.

Note

If applicable for your vSRX deployment, vSRX pay-as-you-go images do not require any separate licenses.

vSRX License Procurement and Renewal

Licenses are usually ordered when the software application is purchased, and this information is bound to a customer ID. If you did not order the licenses when you purchased your software application, contact your account team or Juniper Networks Customer Care for assistance.

Licenses can be procured from the Juniper Networks License Management System (LMS).

For license renewal, use the show system license command to find the Juniper vSRX software serial number that you use to renew a license.

vsrx> show system license
Note

Do not use the show chassis hardware command to get the serial number on vSRX, because that command is only appropriate for the physical SRX Series devices. Also, the license for advanced security features available on the physical SRX Series devices cannot be used with vSRX deployments.

Note

If you are performing a software downgrade with licenses installed, you will see an error message in the CLI when you try to configure the licensed features or run the show system license status command.

We recommend deleting existing licenses before performing a software downgrade.

vSRX Evaluation License

To speed deployment of licensed features, the vSRX software image provides you with a 60-day product evaluation license and a 30-day advanced security features license, both of which allow you to use vSRX and licensed features for a specified period without having to install a license key.

Table 1 lists vSRX evaluation license types.

Table 1: vSRX Evaluation License Type

License Package

Type

Period

License Model Number

Trial license (temporary for evaluation only)

Product evaluation–Basic

60 days

-

Product evaluation–Advanced features

30 days

-

Product Evaluation License

The vSRX software image includes a 60-day trial license. When you download and install the vSRX image, you are entitled to use this trial license for 60 days. It is intended as an evaluation license for using vSRX. This product-unlocking license is required to use the basic functions of the vSRX, such as networking, routing, and basic security features (such as stateful firewall).

Note

The use of the 60-day trial license does not include vSRX support unless you already have a pre-existing vSRX support contract. If you require support during this 60-day evaluation period, please work with your Juniper Account team or go to the J-Net Community forum (https://forums.juniper.net/) and view the Support topics under the vSRX category.

Within 30 days of the license expiration date, a license expiration warning appears each time you log in to the vSRX instance. After the product evaluation license expires, you will not be able to use the vSRX; it will be disabled and flow configuration options will not work (the vSRX will stop forwarding traffic). At this point, only management interfaces and CLI configurations are preserved.

Advanced Security Features Evaluation License

The advanced security features license is a 30-day trial license for vSRX that is required for advanced security features such as UTM, IDP, and AppSecure. You can download the trial license for advanced security features from the vSRX Free Trial License Page.

The 30-day trial license period begins on the day you enable the enhanced security features after you install the 60-day product evaluation license for vSRX. To continue using vSRX features after the 30-day license period expires, you must purchase and install the license; otherwise, the features are disabled. If the license for advanced security features expires while the evaluation license (product unlocking license) is still valid, only the advanced security features that require a license are disabled.

Note

The UTM advanced features have a slightly different trial license strategy. UTM does not requires 30-day trial license but only a 30-day grace period. Once the 30-day advanced security features trial license expires, Juniper Networks supports a 30-day grace period for you to continue using UTM features. The 30-day grace period goes into effect after the 30-trial license expires.

There is also a 30-day trial license available for Juniper Sky Advanced Threat Prevention (ATP). This is a second license that you can apply for a 30-day period in addition to the advanced security features license for vSRX to enable the Sky ATP features. You can download the Sky ATP trial license from the vSRX Free Trial License Page.

License Types

Juniper Networks provides a variety of licenses for both basic firewall features and advanced security features for different throughputs and durations.

If you want to use vSRX to provide basic firewall features, you can use standard (basic) licenses. However, to use some of the more advanced security features, such as AppSecure, IDP, and UTM, you might need to purchase advanced features licenses.

The high-level categories for licenses are:

  • Throughput–All licenses have an associated throughput. Throughput rates include 1 Gbps, 2 Gbps, and 4 Gbps on most platforms.

  • Features–Licenses are available for different combinations of feature sets, from standard (STD) through Content Security Bundle (CS-B).

  • Individual or bundled–Licenses can be individual (á la carte) licenses for a set of features, or can be bundled together to provide a broad range of features in one easy license to maintain.

  • Duration–All licenses have an associated time duration. You can purchase basic licenses as perpetual (never expire) or subscription based (1-year or 3-year duration). All vSRX licenses are subscription based.

  • New or renewal–All subscription licenses are either new (first-time purchase) or renewals (extending the license duration when the initial new subscription license is about to expire).

Figure 1 shows a sample license SKU and identifies how each field maps to these categories.

Figure 1: Sample vSRX License SKU
Sample vSRX License SKU

These categories of licenses can also be combined, or stacked, to provide more flexibility for your vSRX use cases.

Throughput

Bandwidth or throughput license types allow you to use a single instance of the software for up to the maximum throughput specified in the license entitlement. Throughput can be combined on a single instance of the software so that the maximum throughput for that instance is the aggregate of all the throughput licenses assigned to that instance. A throughput license cannot be split across multiple instances. Throughput is identified in the license entitlement in megabits per second (Mbps), or gigabits per second (Gbps).

For example, if you want 3 Gbps of throughput for a vSRX instance using the STD features, you would purchase a 1G STD license and a 2G STD license and install both on the vSRX. If you wanted 2 Gbps of throughput on two vSRX instances acting as a chassis cluster, you could not use the same 2 Gbps license on both vSRX instances. You would need to purchase one set of licenses for each vSRX instance in the cluster.

License Duration

All licenses can be perpetual or subscription based.

  • Perpetual license–A perpetual license allows you to use the licensed software indefinitely. Perpetual licenses do not require renewals. Perpetual licenses do not include maintenance and upgrade support. You must purchase that separately, vSRX software releases such as vSRX for AWS do not support perpetual licenses.

  • Subscription license–A subscription license is an annual license that allows you to use the licensed software feature for the matching duration. Subscriptions might involve periodic downloads of content (such as for IDP threat signature files). Subscription licenses start when you retrieve the license key or 30 days after purchase if you have not retrieved the license key. At the end of the license period, you need to renew the license to continue using it.

    Note

    All subscription licenses are renewable. To renew a subscription license, purchase a new subscription of the same license. For more information, see Subscription - Register and Install.

Individual (á la carte) Feature Licenses

Every vSRX instance requires at least one standard license to support the desired throughput rate. Beyond that, you can select from a range of individual feature licenses that provide additional security feature sets. The feature license must match the standard license rate.

Note

AWS does not support individual licenses.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year, you could purchase the following individual licenses:

  • VSRX-STD-1G-1—Provides the standard feature set and 1 Gbps of throughput.

  • VSRX-CS-1G-1—Provides the advanced features.

Bundled Licenses

Bundled licenses simplify the license management by combining one or more individual licenses into a single bundled license. Instead of installing and managing a standard throughput license and one or more individual advanced feature licenses, you can purchase one of the bundle license options and manage one license instead.

For example, if you need AppSecure and Sophos antivirus features at 1 Gbps of throughput for a year, you could purchase the single bundled VSRX-CS-B-1G-1 license, which includes the STD throughput license. This means you only need to manage one license instead of two individual licenses.

Stacking Licenses

You can combine individual or bundled licenses to combine features or build up the overall supplied throughput for the vSRX instance.

For example, you can combine a 1-Gbps license and a 2-Gbps license to have 3 Gbps of throughput for the vSRX instance. You can also combine individual licenses, such as Sophos antivirus (SAV) and Websense Enhanced Web Filtering (EWF) to get both sets of security features.

Note

Individual licenses require a STD license with the same throughput rate.

vSRX License Keys Components

A license key consists of two parts:

  • License ID—Alphanumeric string that uniquely identifies the license key. When a license is generated, it is given a license ID.

  • License data—Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the string E413XXXX57 is the license ID, and the trailing block of data is the license data:

The license data conveys the customer ID and the software serial number (Juniper Networks support reference number) to the vSRX instance.

License Management Fields Summary

The Licenses window displays a summary of licensed features that are configured on the vSRX instance and a list of licenses that are installed on the vSRX instance.

To view the license details, select Maintain>Licenses in the J-Web user interface. The Licenses window appears as shown in Figure 2.

Figure 2: J-Web Licenses Window Showing Installed Licenses
J-Web Licenses Window
Showing Installed Licenses

You can also view the details of a license in the CLI using the show system license command. The following sample shows details of an evaluation license in the CLI:

The information on the license management page is summarized in Table 2.

Table 2: Summary of License Management Fields

Field Name

Definition

Feature Summary 

Feature

Name of the licensed feature:

  • Features—Software feature licenses.

  • All features—All-inclusive licenses.

Licenses Used

Number of licenses currently being used on the vSRX instance. Usage is determined by the configuration. If a feature license exists and that feature is configured, the license is considered used.

Licenses Installed

Number of licenses installed on the vSRX instance for the particular feature.

Licenses Needed

Number of licenses required for legal use of the feature. Usage is determined by the configuration on the vSRX instance: If a feature is configured and the license for that feature is not installed, a license is needed.

Licenses expires on

Date the license expires.

Installed Licenses 

ID

Unique alphanumeric ID of the license.

State

Valid—The installed license key is valid.

Invalid—The installed license key is not valid.

Version

Numeric version number of the license key.

Group

If the license defines a group license, this field displays the group definition.

Note: Because group licenses are currently unsupported, this field is always blank.

Enabled Features

Name of the feature that is enabled with the particular license.

Expiration

Date the license expires.

Software serial number

The serial number is a unique 14-digit number that Juniper Networks uses to identify your particular software installation. You can find the software serial number in the Software Serial Number Certificate attached to the e-mail that was sent when you ordered your Juniper Networks software or license. You can also use the show system license command to find the software serial number.

Customer ID

ID that identifies the registered user.