How does NG Firewall license counting work?
Overview: NG Firewall licensing is offered in a number of "bands" or "tiers", based on the number of hosts which will pass traffic through & be filtered by NG Firewall. This article aims to answer some common questions about NG Firewall licensing.
FAQ:
What is a host?
In the context of NG Firewall, host means a unique IP address which passes traffic through NG Firewall to reach the greater internet. For example, if your office has ten computers and a guest Wi-Fi network with five connected devices, you have 15 hosts.
Additional details about hosts & devices outlined here: What's the difference between a Host and a Device?
How do I know how many hosts I have?
NG Firewall tracks both Currently Active and Maximum Active hosts, which can be viewed in the Dashboard. Maximum Active is the highest number of hosts NG Firewall has seen at any one time, so it can be helpful in determining the correct license count for your environment.
How do I choose the correct license count?
The appropriate band can be calculated by counting the number of unique hosts behind NG Firewall on any given day. More explicitly, it is the number of unique IP addresses on any non-WAN (local) interface, including VPN users, being filtered at any given time.
If your Maximum Active count is consistent and you do not expect fluctuations in active hosts, you should choose the tier which includes that count. For example, using the screenshot above, you would choose the "up to 12 hosts" tier.
What happens if I exceed my license count?
Any host in excess of your count is automatically bypassed: exempted from filtering & processing. These devices retain full internet access but are not subject to filtering apps like Web Filter, Application Control, or Threat Prevention.
This logic also applies in reverse: you can create Bypass Rules to exempt traffic from filtering. Doing so also excludes the bypassed hosts from your license count. For example, if you have ten computers, five VoIP phones, and a multi-function printer, you have 16 total hosts. However, the VoIP devices & printer can be bypassed, reducing your "filtered" host count to just the ten computers.
More details here: How to bypass traffic from filtering
How can I see my current subscription's license count?
Please refer to this article: How can I find out how many devices my NG Firewall license allows?
How many NG Firewalls are protected by my license?
Just one: a license can only be assigned to a single NG Firewall instance at a time (although it can be freely transferred between multiple NG Firewalls).
If you have multiple sites using NG Firewall, each site needs its own subscription.
Can I move my license between different locations or test environments?
What happens if a license key is used in multiple locations?
Arista NG Firewall subscriptions are valid for only one active deployment at a time. If a single license key is moved across too many networks or locations in a short period, it will trigger an automatic security lock.
Specifically, if our licensing servers see a subscription reporting from five (5) or more unique public IP addresses within a rolling 24-hour window, the license will lock and temporarily disable your filtering apps.
How to resolve it: The system constantly recalculates this data, so the license will automatically unlock itself once the number of active public IPs drops back below five over a 24-hour period (for example, after old test environments or temporary links age out). If you need to clear the lock immediately or think this happened in error, please reach out to the ETM Support Team so we can verify your deployment and get you back up and running.
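The rolling-window rule described above can be modelled to check whether a planned migration or a set of test deployments would trip the lock, and when it would clear. This is an added example, not Arista's licensing code: the check-in records, the function names, and the choice to treat an IP as aged out exactly 24 hours after its last report are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # rolling window stated in the article
LOCK_THRESHOLD = 5            # "five (5) or more unique public IP addresses"

def lock_timeline(checkins):
    """Return (time, unique_ips, locked) for each (time, public_ip) check-in."""
    last_seen, timeline = {}, []
    for ts, ip in sorted(checkins):
        last_seen[ip] = ts
        # Assumption: an IP stops counting 24 hours after its last report.
        last_seen = {k: v for k, v in last_seen.items() if ts - v < WINDOW}
        timeline.append((ts, len(last_seen), len(last_seen) >= LOCK_THRESHOLD))
    return timeline

def earliest_unlock(checkins, now, still_reporting):
    """Earliest time the count drops below the threshold, assuming only the
    IPs in still_reporting keep checking in after `now`."""
    last_seen = {}
    for ts, ip in sorted(checkins):
        if ts <= now:
            last_seen[ip] = ts
    expiries = sorted(seen + WINDOW for ip, seen in last_seen.items()
                      if ip not in still_reporting and now - seen < WINDOW)
    must_expire = len(expiries) + len(still_reporting) - (LOCK_THRESHOLD - 1)
    if must_expire <= 0:
        return now            # already below the threshold
    if must_expire > len(expiries):
        return None           # the IPs that keep reporting exceed the limit
    return expiries[must_expire - 1]

# Constructed sample: one production site plus four short-lived test sites,
# using documentation-range addresses.
DAY1 = datetime(2024, 1, 1)
SAMPLE = [
    (DAY1 + timedelta(hours=8), "203.0.113.10"),    # production
    (DAY1 + timedelta(hours=9), "198.51.100.20"),   # test site 1
    (DAY1 + timedelta(hours=11), "198.51.100.21"),  # test site 2
    (DAY1 + timedelta(hours=13), "192.0.2.30"),     # test site 3
    (DAY1 + timedelta(hours=15), "192.0.2.31"),     # test site 4: fifth IP
    (DAY1 + timedelta(hours=32), "203.0.113.10"),   # production, next day 08:00
    (DAY1 + timedelta(hours=34), "203.0.113.10"),   # production, next day 10:00
]

if __name__ == "__main__":
    for ts, count, locked in lock_timeline(SAMPLE):
        print(ts, count, "LOCKED" if locked else "ok")
    print("unlocks at", earliest_unlock(SAMPLE, DAY1 + timedelta(hours=15), {"203.0.113.10"}))
```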