Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Smart Licensing Overview and Best Practices for Cisco Email and Web Security (ESA, WSA, SMA)

Available Languages

Download Options

  • PDF     (532.4 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (624.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (472.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 16, 2021
Document ID:214614

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the activation process, definitions, and troubleshooting of the Smart Licensing Service on ESA/SMA/WSA.

    Prerequisites

    Components Used

    The information in this document is based on these software and hardware versions:

    • Email Security Appliance (ESA) AsyncOS Version 12.0 and newer.
    • Security Management Appliance (SMA) AsyncOS Version 12.0 and newer.
    • Web Security Appliance (WSA) AsyncOS Version 11.7 and newer

    Note: Enabling the Smart License Feature on the ESA/SMA/WSA is Permanent and does not permit the option to revert an appliance back to Classic License Mode.

    Background Information

    Smart Licensing Provides the ability to:

    • Manage all of your product licensing from a central location
    • Normalizes the process between Physical a Virtual ESA/SMA/WSA, using 1 method to apply and manage licenses
    • Easily apply a license to your ESA/SMA/WSA
    • Receive Alerts related to license expiration
    • Hardware model ESA/SMA/WSA, out of the box, have a 90 day Evaluation Period for all services

    Summary of the Smart License Global Topic from Cisco

    Even though the core purpose of this article is to configure the Smart Licensing Services on the ESA/SMA/WSA, we have included links below to provide general direction to educate on the topic.

    Registering the ESA/SMA/WSA host with smart licensing first requires the owner of the appliance to possess a Smart Account.

    • Smart Accounts are issued one per domain.
    • The administrator of the Smart Account can create sub-level Virtual Accounts allowing segregation of resources.
    • Virtual Accounts may be used to restrict access to different Cisco Product Licenses based on customer needs.
    • Customers access the Cisco Smart Software Manager (CSSM) to manage licenses and download TOKENS

    The following links provided by Cisco, include videos, guides, and explanations related to Smart Licensing:

    Out of the Box

    • All hardware model ESA/SMA/WSA purchased include 90-day Evaluation Licenses for all features
    • All hardware models migrating with existing Classic Licenses(CL) will receive 90-day Evaluation Licenses
    • All Virtual ESA/SMA/WSA models require a basic VLN (.xml) file loaded to the appliance to link it/them to the upgrade/update server
    • All Virtual ESA/SMA/WSA models when created, do NOT include 90-day licenses and require registration via the Classic License VLN (.xml)
    • All Virtual ESA/SMA/WSA models migrating with existing Classic Licenses (CL) include 90-day Evaluation Licenses

    Communication Requirements

    • Network or Proxy communication smartreceiver.cisco.com on TCP port 443

    Description of the CSSM tool and the tabs.

    A basic illustration of the CSSM Tabs

    • General Tab
      • The location to generate the token (the token is time-based and may be used to register multiple ESA/SMA/WSA
      • Ensure the proper "Virtual Account:" has been selected as a customer may have multiple virtual accounts
      • New Token, will open a template to complete and results in a "Token," line entry in the table
      • Actions can be executed repeatedly as needed and will display options to; Copy, Download, Revoke the token

    CSSM General Tab

    • Licenses Tab
      • The location to review and confirm the presence and availability of licenses
      • The License column lists the names of the services or bundles purchased
      • The Purchased column lists the presence of usable keys
      • The Alerts column displays important messages regarding a specific license

    CSSM License Tab

    •  Product Instances Tab
      • Displays the individual appliance names, models, last communication, and Alerts

    CSSM Product Instances Tab

    Generate a Token from CSSM

    • Launch the CSSM webpage
    •  Top of page, select Inventory
      • Once loaded, select the appropriate “Virtual Account:” from the top left portion of the page
      • A large organization may have multiple virtual accounts assigned to a single smart account, requiring a selection of the appropriate virtual account related to the ESA/SMA/WSA licenses
      • Tabs: General, Licenses, Product Instances, Event Log
    • Generate a Token from CSSM
      • Select the “General,” tab
      • Just below the heading, “Product Instance Registration Tokens,” select the button, “New Token”
      • A window will appear to complete the “Description,” and “Expire After,” values
      • Create a Token
      • Returning to the General Tab, select the “Actions,” drop-down tab to copy or download the token
    SAMPLE TOKEN FILE
    Token:           M2UyYmIxYTktNzJmMy00ZxxxxxxxxxxxxxxxxxxxxZjVhMDMwLTE1NDE3Mzcx%0ANDU2ODR8RlluSVI5NmxCUS92SnVzUjUvcVViV0ZyVVFrcHBxNVh2TVdNa1My%0AeGJYMD0%3D%0A
    Virtual Account:   ESA
    Smart Account:      InternalTestDemoAccount.MY_DOMAIN.com
    Token Description: SMA_token
    Export-Controlled Functionality:  Allowed
    Created by User:   my_CCOID
    Contact Email:       ADMIN@MY_DOMAIN.com
    Expiry Date:       2018-Nov-09 04:19:05 (in 18 days)

    * Note: this token file was downloaded on October 22nd 2018
    * Note: copy entire token string to use for product instance registration

    Enable the Smart License feature on the ESA/SMA/WSA

    • Web UI activation:
      • Browse to System Administration > Smart Software Licensing
      • Select Enable Smart Software Licensing
      • Options are listed providing the choices to request feature keys:
        • Option 1: Use a token to register and request needed features
        • Option 2: Register without a token and have a 90 day Evaluation Period
      • Select OK
      • Commit Changes
    • CLI activation:
      • Execute command license_smart > Enable > Y
      • Option 1 and Option 2 will be listed the same as the above UI description
      • Select OK
      • Commit

    Register the ESA/SMA/WSA to a Smart Account using the Token.

    • Navigate to System Administration > Smart Software Licensing
    • Select the "Register" button to open the pop-up registration page
    • Paste the copied token in the space provided below step 4
    • Select "Register" to complete the steps (The pop-up window will close)
    • Refresh the "Smart Software Licensing" page after 30 seconds to view the new status
    • Once completed the "Registration Status" field will present the word "Registered" along with the registration expiration dates

    Smart Software Licensing "Register"Registration Pop-up page.Registration confirmation.

    Actions

    Additional tasks can be performed from the Smart Licensing "Actions" drop-down menu.

    • Renew Authorization
      • Complete this task to manually renew the License Authorization Status for all licenses listed under the License Type

    Note: The license authorization is renewed automatically every 30 days. The license authorization status will expire after 90 days if the ESA/SMA/WSA does not communicate with CSSM.

    • Renew Registration
      • Complete this action to manually renew the registration

    Note: The initial registration is valid for one year. Renewal of registration is performed automatically every six months if the appliance has connectivity to CSSM.

    • De-register
      • Disconnects the ESA/SMA/WSA from CSSM
      • The system will transition to Evaluation Mode
      • The licenses consumed by the ESA/SMA/WSA get released and credited to the smart account for re-use
    • Re-register
      • Reregister the ESA/SMA/WSA with CSSM

    Note: Re-register could be used to migrate between organizations multiple virtual Accounts

    Definitions related to Smart License

    License types:

    • Classic License (CL): CL refers to the legacy methods used for both hardware and virtual licenses
    • Smart License (SL): SL refers to Smart Licensing

    License Authorization Status - Is the status of a given license within the Appliance.

    • The ESA/WSA/SMA does not display the actual expiration date with the Smart Licenses page.
    • Location: WebUI > System Administration > Licenses.
    • Location: CLI > license_smart > summary.

    The status of a specific feature will appear with one of the below values:

    • Eval:
      • SL Service has been enabled on a new (Hardware) ESA/SMA without token registration
      • SL Service has been enabled on an appliance with existing CL installed
    • Eval Expired: 90 Day Evaluation SL has expired and the appliance has transitioned to the additional 30-day grace period
    • In Compliance: The appliance has been registered with a token and currently feature is consuming a valid license
    • Out of Compliance (Grace Period) may be observed in 2 scenarios
      • One-click request for a temporary 30-day feature license is being used
      • A license has expired on the appliance and the 30 day grace period has initiated
    • Out of Compliance (Expired): LIcense fully expired and the associated service stops functioning

    System Administration > Licenses

    Note: The WebUI Smart Licensing pages contain numerous informational buttons in the form of a ? to assist to define values.

    How to View License Expiration

    How do I see the actual expiration date?

    The License Expiration Dates can be viewed within the CSSM Smart Software Management Site.

    • Navigate to: Inventory > Virtual Account > LIcenses > Click a license name to open the popup window.
    • The Overview tab will show the current license count, purchase and expiration date.
    • The Transaction History tab shows each purchase/expiration per transaction.

    CSSM: View license expiration.

    Logging Services for Smart Licensing

    The ESA/SMA/WSA log activities related to Smart Licensing to the "smartlicense" logs.  The logs are viewable from the CLI. The logs can also be downloaded to a local computer for parsing.

           

    The following output is a sample of the registration action from the "smartlicense" logs:

    Mon Jan 28 08:40:57 2019 Info: The administrator has requested to register the product with Smart Software Manager.
    Mon Jan 28 08:41:07 2019 Info: Smart License: NotifyExportControlled notification has been ignored
    Mon Jan 28 08:41:12 2019 Info: The product is registered successfully with Smart Software Manager.
    Mon Jan 28 08:41:17 2019 Info: Smart License: Moved out of evaluation mode
    Mon Jan 28 08:41:17 2019 Info: Renew authorization of the product with Smart Software Manager is successful.
    Mon Jan 28 08:42:18 2019 Info: Email Security Appliance Anti-Spam License license has been moved to In Compliance successfully.
    Mon Jan 28 08:42:23 2019 Info: Email Security Appliance Outbreak Filters license has been moved to In Compliance successfully.
    Mon Jan 28 08:42:28 2019 Warning: Email Security Appliance Graymail Safe-unsubscribe license has been moved to Out of Complaince successfully.
    Mon Jan 28 08:42:33 2019 Warning: Email Security Appliance Cloudmark Anti-Spam license has been moved to Out of Complaince successfully.
Mon Jan 28 08:42:44 2019 Warning: The Mail Handling is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
    Mon Jan 28 08:42:48 2019 Info: Email Security Appliance Sophos Anti-Malware license has been moved to In Compliance successfully.
    Mon Jan 28 08:42:53 2019 Warning: Email Security Appliance PXE Encryption license has been moved to Out of Complaince successfully.
    Mon Jan 28 08:42:59 2019 Warning: Email Security Appliance Data Loss Prevention license has been moved to Out of Complaince successfully.
    Mon Jan 28 08:43:04 2019 Warning: Email Security Appliance Advanced Malware Protection license has been moved to Out of Complaince successfully.
    Mon Jan 28 08:43:09 2019 Warning: Email Security Appliance McAfee Anti-Malware license has been moved to Out of Complaince successfully.
    Mon Jan 28 08:43:14 2019 Warning: Email Security Appliance Intelligent Multi-Scan license has been moved to Out of Complaince successfully.
    Mon Jan 28 08:43:15 2019 Warning: The Email Security Appliance Intelligent Multi-Scan is in Out of Compliance (OOC) state. You have 4 days remaining in your grace period.
    Mon Jan 28 08:43:19 2019 Info: Email Security Appliance External Threat Feeds license has been moved to In Compliance successfully.
    Mon Jan 28 08:43:24 2019 Info: Email Security Appliance Bounce Verification license has been moved to In Compliance successfully.
    Mon Jan 28 08:43:29 2019 Info: Email Security Appliance Image Analyzer license has been moved to In Compliance successfully.
    Mon Jan 28 10:18:56 2019 Info: Renew authorization of the product with Smart Software Manager is successful.

         

    Sample with an interpretation of the values:

    This sample shows:

    • The Evaluation Period has stopped counting since the host has been registered.
    • The host has been registered using smart account: InternalTestDemo111.cisco.com.
    • The ESA is associated with the Virtual Account: ESA_EMEA.
    • Keys in the state "Out of Compliance 18 days."
      • The keys have expired and are incrementing the 30 day grace period.
      • Keys in the state "Out of Compliance Expired."
        • The keys have expired and depleted the 30 day grace period. The feature is disabled.
    Smart Licensing is : Enabled

    Evaluation Period: Not In Use
    Evaluation Period Remaining: 81 days 7 hours 32 minutes
    Registration Status: Registered ( 30 Oct 2018 07:57 ) Registration Expires on:  ( 04 Dec 2019 16:11 )
    Smart Account : InternalTestDemo111.cisco.com
    Virtual Account : ESA_EMEA
    Last Registration Renewal Attempt Status : SUCCEEDED on 04 Dec 2018 16:16
    License Authorization Status: Out Of Compliance ( 30 Oct 2018 07:57 ) Authorization Expires on:  ( 05 Mar 2019 03:29 )
    Last Authorization Renewal Attempt Status: SUCCEEDED on 05 Dec 2018 03:34
    Product Instance Name: beta.ironport.com
    Transport Settings: Direct (https://smartreceiver.cisco.com/licservice/license)


    beta.ironport.com (SERVICE)> license_smart


    Choose the operation you want to perform:
    - URL - Set the Smart Transport URL.
    - REQUESTSMART_LICENSE - Request licenses for the product.
    - RELEASESMART_LICENSE - Release licenses of the product.
    - DEREGISTER - Deregister the product from Smart Licensing.
    - REREGISTER - Reregister the product for Smart Licensing.
    - RENEW_AUTH - Renew authorization of Smart Licenses in use.
    - RENEW_ID - Renew registration with Smart Licensing.
    - STATUS - Show overall Smart Licensing status.
    - SUMMARY - Show Smart Licensing status summary.
    []> summary

    Feature Name                                                        License Authorization Status      Grace Period
    -----------------------------------------------------------------------------------------------------------------------------
    Email Security Appliance Anti-Spam License                             In Compliance                     N/A
    Email Security Appliance Outbreak Filters                              Out Of Compliance                 18 days
    Email Security Appliance Graymail Safe-unsubscribe                     Out Of Compliance                 Expired
    Email Security Appliance Cloudmark Anti-Spam                           Out Of Compliance                 Expired
    Email Security Appliance Advanced Malware Protection Reputation        Out Of Compliance                 Expired
    Mail Handling                                                          In Compliance                     N/A
    Email Security Appliance Sophos Anti-Malware                           In Compliance                     N/A
    Email Security Appliance PXE Encryption                                Out Of Compliance                 Expired
    Email Security Appliance Data Loss Prevention                          Out Of Compliance                 Expired
    Email Security Appliance Advanced Malware Protection                   Out Of Compliance                 Expired
    Email Security Appliance McAfee Anti-Malware                           Out Of Compliance                 Expired
    Email Security Appliance Intelligent Multi-Scan                        Out Of Compliance                 17 days
    Email Security Appliance External Threat Feeds                         Out Of Compliance                 17 days
    Email Security Appliance Bounce Verification                           Out Of Compliance                 17 days
    Email Security Appliance Image Analyzer                                Out Of Compliance                 21 days

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    10-Jul-2019
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Chris Arellano
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products