.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
RSA NetWitness Platform Mixed Mode License Operation
Issue
In some instances, it may be necessary to have both throughput and appliance-based licenses.RSA NetWitness handles each of these types of licenses differently and this can affect the normal operation of your NetWitness environment.
In an appliance-based license environment, licenses are required for each host except for the NetWitness Server and any other services that normally operate on that appliance. A check is performed when each external host starts up and, if available, a license for that host type is granted to that host. Assuming that there are enough available licenses in your environment, your environment operates normally.
When there are not enough host licenses present to address every request, the UI will display a red warning banner to let you know that one or more hosts are not properly licensed. To address this, you will need to validate that you have the correct number of licenses available for each service type host you are attempting to use in your environment.
If you decide, instead, to go with a throughput based model, throughput licenses are applied to Log, Network Decoders, and Malware Analysis hosts, with the two most common types of throughput licenses being for Log and Network Decoders:
- A Log Decoder throughput license is measured based on a capture rate of 50/MBs per day per unit purchased.
- A NetWitness Decoder throughput license is based on a capture rate of 1 TB per day per unit purchased.
When throughput license allotments are exceeded, a yellow banner is displayed to let you know that has occurred.
In instances where both types of licenses have been purchased and applied to a given environment, NetWitness assigns the throughput license first each time a license refresh occurs. What this means is that in a mixed-mode environment, each time a license refresh occurs, your Network and Log Decoders are going to be assigned throughput licenses instead of their normal appliance-based (assuming you have purchased ones already for those hosts).
To have them co-exist and use the right license requires a manual intervention on the License page to change the entry for each Network and Log Decoder to "Service Based" from "Metered"
Note: Each time you add a new license to your environment (which triggers a license refresh) or manually refresh the license page in the UI, any Network or Log Decoders will get reset to a throughput-based license. You will need to repeat the steps listed for each Log Decoder, Network Decoder, or Malware Analysis Host that should normally be appliance-based licensing.
Tasks
You will need to manually change the license type for each Log and/or Network Decoder, and Malware Analysis that would normally use an appliance-based license rather than a throughput license.
Resolution
To change the license type for a given host:- In the UI, under Admin > System, select Licensing from the left-hand pane.
- On the Licensing Details window, in the section titled Throughput Licenses, locate the host for which you want to change the license type.
- Under the Actions column to the right of that host, select the wheel drop-down and choose "Reassign to Another License".
Product Details
RSA Product Set: NetWitness PlatformRSA Product/Service Type: Security Analytics Server
RSA Version/Condition: 11.x
Platform: CentOS
O/S Version: 7
Summary
This article discusses the limitations of having mixed-mode (throughput & appliance-based) licenses in your RSA NetWitness environment.
Approval Reviewer Queue
RSA NetWitness Suite Approval Queue