UTM is counting Hosts not using the Firewall and so eating up Licenses - License Usage exceeding 110%

Can someone tell me, why the license policy is changing from upgrade to upgrade?

My problem is that I am now again receiving the message that my license usage is exceeding 110%. There was a time when the firewall only counted hosts really using the firewall. I have 4 UPS, 10 IP phones and a lot of other devices like printers, a Geiger X-Ray Counter, a Serial to LAN converter, and 3 internal NTP servers, which definitely stay in my LAN and are not using the WAN connection. These devices are all counted by the UTM and so are eating up licenses. What can I do so that these LAN devices, which are not using WAN services, are ignored by license counting?
Many thanks, Jochen



This thread was automatically locked due to age.
  • Hi Martin

    Thanks for your answer, but these devices have static IPs or receive their IP address from my W2008 Server. It depends on the Sophos release. Sometimes only WAN users were counted, then a few releases later they counted what they see in the LAN, then it went back to host counting again.

    Thanks to Sophos for giving us a free Home User License, but in my eyes 50 hosts are too few. If you have a standard 4-person family, each with 2-3 devices, VoIP phones, printer, NAS, WLAN AP, TV, STB, SAT receiver and so on, they are quickly eaten up.

    I also asked their sales whether it is possible to pay a "Home price" for an upgrade to 100 hosts, but the answer was negative. I could only buy the Full version, but this is definitely too expensive for home usage.

    So let's wait for an answer from the guys who should know what exactly the problem is.

    Best wishes

    Joe

  • You need to make sure that the devices you don't want counted don't have a default gateway set in their IP-settings. As soon as a default gateway is set (either manually or by DHCP) there will be communication to the default gateway and thus the device is counted.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • That's what I thought and that would be a solution, as long as I have one VLAN. If I have a VLAN for VoIP, a VLAN for WLAN, this trick is no longer working.

    And I also don't understand why this is counted as a license usage, because this is LAN2LAN communication and should not be scanned or whatever.

    Why was it working in older versions, why is the counting rule changed in this version?


    Many thanks

    Joe

    BTW, I just tested it by removing the default gateway from my APC UPS Management Card. Now the UPS is no longer accessible and I have to reconfigure it via the serial port. Great...

  • In my own situation (also using VLANs) I have always had my devices counted that had a default gateway configured. As long as traffic is flowing through the UTM (LAN to LAN or LAN to WAN doesn't make a difference in my situation) it will be counted as an active IP.

    A possible solution, if you have a switch capable of routing between VLANs, could be to use this switch as the default gateway (and make sure the switch itself doesn't use the UTM as a gateway, since then the IPs will still be counted).

    Another possible solution would be to use a NAT router in between your LAN and your UTM. I'm not sure this is really a situation that is legal, since you're then actually fooling the UTM into thinking that there is only one device (the NATting router) and everything behind this router is then "unknown" to the UTM.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • So, online again. Due to removing the default gateway from my APC NM card, I no longer had access to it. So I had to use a serial cable, but grabbed the wrong one. This generated an Emergency Shutoff on my UPS. Everything went OFF. Router, firewall, switch, VM host, NAS, and all this because of 3 overshot licences :-( Grrrr.

    Thanks for more ideas, but I think the easiest solution would be for Sophos to allow 100 hosts :-) I won't fiddle around any more with these kinds of problems. Sophos should just count like they did a few releases ago and all would be fine.

    Thanks

    Joe