Licensing model & activation
The signature is verified on the appliance, offline. No phone-home, no licence server to reach, nothing to lose if your network is isolated.
Licensing should never be the thing that takes your DHCP infrastructure down. A licence is a signed file you install on the appliance; the appliance checks the signature itself, on the host, with no outbound connection. That keeps activation working in air-gapped and segmented networks, and it means we are never a single point of failure between you and your own traffic.
Principles
What our licensing does and does not do
Our licensing is designed for operational convenience first. It establishes which appliance a licence belongs to and which features are unlocked — it is not a hardware-lockdown or anti-tamper system aimed at your own administrators.
- It does: verify the licence signature locally on every startup and periodically while running; tie a production licence to one installation so a copied licence file does not unlock a second appliance; gate which features and capacity limits are active.
- It does not: require any phone-home to activate or to keep running; bind to a hardware fingerprint that breaks when you replace a disk or add RAM; stop someone who already has root on your appliance. Binding is a licensing control, not a security control against root.
Identity
The Installation ID
The first time the appliance starts, it generates a stable Installation ID — a random UUID it stores in its own configuration. It is not derived from hardware. That is a deliberate trade-off: the ID survives the hardware maintenance you actually do — replacing a failed disk, adding RAM, upgrading the CPU, moving the VM to a new hypervisor — without forcing a re-binding ritual each time.
You find the Installation ID at the top of the License page in the GUI, with a copy button. You give it to sales when requesting a bound licence. Because the ID lives in the config store, it survives reboots and software upgrades; it only resets on a factory reset or a fresh install (which is also how recovery starts — see below).
Back up the config store. The configuration store is the authoritative home of the Installation ID. If you back the appliance up, include it — restoring an old backup restores the old ID and your existing bound licence keeps matching.
Verification
How verification works
Each licence is a small signed payload. The appliance verifies the Ed25519 signature using a public key built into the binary — entirely on the host, with no network call. A licence fails verification if the signature is wrong, the payload was tampered with, the dates have passed, or the binding does not match this installation. A failed licence unlocks nothing; the appliance keeps running in a degraded unlicensed state with most features locked.
One safeguard worth knowing about for offline sites: the appliance records the time of its last licence check. If the system clock jumps backward by more than an hour, it refuses to validate the licence until the clock is corrected — so an expired licence can't be kept alive by rewinding the date. Forward clock jumps are fine. If you see a clock-tamper warning on the License page, fix NTP (or set the date back to real time) and the next check re-enables features.
Scope
Types and tiers
Two properties on the issued licence decide its behaviour and scope.
License type — subscription vs. perpetual
| Type | Behaviour |
|---|---|
| Subscription (periodic) | Valid for a fixed term, billed monthly or yearly, and includes support and all updates while active. Licensed capabilities stop accepting new work when the term lapses; renew by applying a fresh licence with a new validity range. The monthly subscription is also the low-commitment evaluation path. |
| Perpetual | Buy once, own it — no expiry on the software itself. An active maintenance SLA is required to receive software updates and support. Without an SLA the purchased version keeps running and receives security and critical fixes only, until that version reaches end of life. See /pricing. |
Tier — which features are unlocked
| Tier | Typical scope |
|---|---|
| Starter | The full inspection, enforcement, and visibility core, licensed for up to 50,000 active leases on a single node. |
| Pro | Everything in Starter plus the local analysis, MCP, OAuth/SSO, and location modules, licensed for up to 250,000 active leases on a single node. |
| Enterprise | Everything in Pro plus high availability and custom installation options (including an enforcement-only, fixed configuration), at carrier scale with custom terms. |
Tiers are values on the issued licence, not modes you flip in the GUI. To change tier you apply a new licence.
A licence may also carry capacity caps (for example concurrent users and tracked leases) and a per-protocol gate for DHCPv6; the License page's “Licensed Features” row is the authoritative list of what is enabled. The DHCPv6 gate is GUI-only — the packet processor and firewall rules are unaffected by it. For the full plan and capacity mapping, see /pricing.
Binding
Binding modes
Production licences are normally bound: the licence carries the Installation ID inside its signed payload, and the appliance refuses to honour it on any other installation. A copied licence file therefore does not unlock a second appliance. The vendor can also issue an any-bound licence that works on any Installation ID — typically for evaluation, demo, or development environments. The License page shows which mode you have.
Activation
Activation
Activation is the same hot, offline operation everywhere — connected or air-gapped, the appliance never reaches out:
- Receive the licence text or
.licfile from sales (a file, or a key string). - On the License page in the GUI, paste the key or upload the file, then apply it. (Air-gapped sites transport the file in via approved removable media first — same file, same step.)
- The appliance verifies the signature and binding and writes the licence to its store. On success, features unlock immediately — no restart, no traffic drain.
If you upload a licence bound to a different installation, you get a dedicated binding-error panel (with this appliance's Installation ID to quote back to sales) — and your existing licence is left untouched. A failed upload never drops you into the unlicensed state.
Self-serve checkout is not yet wired to licence delivery; sales issues licences for trial and PoC engagements directly today.
Renewal
Renewal
Renewal is “request, upload, done.” There is no migration step and nothing to merge. Sales issues a fresh licence with a new validity range; you apply it on the License page and it overwrites the old one in place.
The appliance starts warning you about an upcoming expiry well ahead of the date (a banner across the GUI and a licence-expiring alarm), which is your renewal cue. Renewing before expiry simply replaces the date range; renewing after expiry re-enables features the moment the new licence is applied.
Recovery
Recovery after a rebuild or migration
If the configuration store is gone — factory reset, disaster recovery, fresh build — the appliance generates a new Installation ID, and your old bound licence no longer matches. Recovery is a short exchange with the vendor:
- Open the License page on the rebuilt appliance and copy the new Installation ID.
- Contact your sales/support contact with the original customer name and licence ID, the new Installation ID, and the reason for the change.
- The vendor revokes the old binding on their side and issues a new licence bound to the new ID with the same tier, expiry, and entitlements. Apply it; features unlock immediately.
- Decommission the old appliance.
Plan migrations. A planned rebinding is a few-minute exchange with the vendor. Treat backups as cold spares — restoring a backup is fine, but running the restored VM alongside the original is the one thing to avoid: both report the same Installation ID, which the vendor can detect as a clone. Tell us before a planned move and we can issue a transitional licence to cover the cutover.
Expiry
What happens at expiry
Expiry never breaks the running network. When a licence lapses, the licensed capabilities stop accepting new work — the appliance won't run new analyses, accept new bulk actions, or extend automation — but it does not rip out what is already in place. Enforcement rules already loaded in the kernel stay active until you clear them, and live packet inspection keeps running.
There is a separate “support expires” date that ends your ability to open new support sessions without affecting the running system. Uploading a valid licence at any time restores full operation immediately.
Keep reading
Related
Activation that never takes you offline.
Verified on the appliance, no licence server to reach. Talk to us about a trial.