License Entitlement FAQ

This FAQ provides answers to questions regarding licensing in Cisco Vulnerability Management.

What type of asset counts toward my purchased license amount?

In Cisco Vulnerability Management, active assets count towards your purchased license amount, including assets that have no vulnerabilities. Inactive assets and assets with a file or URL primary asset locator do not count toward your purchased license amount.

In the Application Security Module, applications with a file or URL primary asset locator type do not count toward your purchased license amount. All other applications, with locator types such as MAC address, hostname, or IP address, do count.

Note: Currently, only Cisco Vulnerability Management asset licensing is enforced. Application Security Module findings licensing is not enforced.

How will I know what my asset utilization is?

If you are an administrator, you can access the License information page to see current licensing utilization. Hover your cursor over the gear icon in the top right corner of the UI and click Licenses. Cisco Vulnerability Management and AppSec licenses are tracked separately. The current number of assets used in your Cisco Vulnerability Management instance and the number of licenses you have purchased are displayed.

In the following image, 48,351 assets out of 50,000 purchased are active in Cisco Vulnerability Management and 70 applications out of 200 purchased are active in Application Security Module. Hovering over the red triangle displays a message that explains what it means; in this case, the organization is using at least 90% of its licenses.

[Image: 90% License Warning]

Will I be warned if I am over my purchased license amount?

Yes! There are different alerting mechanisms to inform users of their license use.

Email notifications to Administrator user accounts
Administrator accounts receive email notifications when the Cisco Vulnerability Management license use is at 80%, 90% and 100%. Administrators can disable the 80% and 90% email notification in the Alerts page in Cisco Vulnerability Management.

Banner notification to all users when utilization is over 100%
When the utilization exceeds 100%, all users see a red banner at the top of every page, which can't be dismissed. For Administrator accounts only, the banner includes a View Licenses link.


In-app notification alerts

The in-app alert notification is the green dot that appears in the navigation bar beside the Alert icon. You receive one in-app alert per day when the instance exceeds either 80% or 90% utilization, which you can dismiss.


What happens when my account exceeds the purchased license amount?

You are able to exceed license entitlement by 20% without having to adjust paid licenses. This is meant for temporary changes in capacity and is not legal entitlement. Bursting parameters are subject to change.

When you have hit 100% of your license capacity and exceeded your burst percentage, any net-new assets that come into the Cisco Vulnerability Management platform will be considered “Overage Assets”. These Overage Assets will be created as an asset entry but will not have any associated vulnerabilities. Overage Assets will be displayed in the UI and there will be links available to view all of the assets that are in this state for Administrator users.


An asset that Cisco Vulnerability Management does not see within a client-configurable period of time becomes inactive. If the asset is seen later (such as when a scanner again finds the system and synchronizes data to Cisco Vulnerability Management), it normally becomes active again. However, when inactive assets are seen again, but the account is already over its entitled licenses, the asset becomes an overage asset.

How do I view my Overage Assets?

Only Administrator accounts can view Overage Assets. There are multiple ways to view Overage Assets in the UI:

  • The Settings License page will include a link to ‘View Overage Assets’
  • The Asset Detail page will indicate if a given asset is an overage asset
  • The Explore page will have a column that can be added to the View to display a True/False status of whether an asset is an Overage Asset or not


How do I refresh my data after I increase my license entitlement?

When entitlement is below 100%, full connector runs will occur automatically on the next run to refresh all the asset and vulnerability data in Cisco Vulnerability Management. To reduce license use below 100%, customers can purchase additional licenses, wait for assets to be purged automatically due to inactivity, or mark assets inactive manually.

How do I remove assets from counting against my license?

You can manually mark assets as inactive, and they will not count against your license count.

To automatically keep the active versus inactive status of your assets accurate, ensure you use best practices to set appropriate inactivity limits. For help setting asset inactivity limits, refer to Setting-Asset-Inactivity-Limits.

Cisco Vulnerability Management attempts to de-duplicate asset data in the platform by following an asset locator precedence order. This asset locator order can be adjusted to best suit your organization's needs. The default order is: 

  1. Container identifier
  2. Image identifier
  3. EC2 identifier
  4. MAC address
  5. NetBIOS
  6. External IP address
  7. Hostname
  8. URL
  9. File name
  10. Fully qualified domain name (FQDN)
  11. Internal IP address (RFC 1918)
  12. Scanner-specific asset ID (such as Qualys host ID, Nexpose device-id)
  13. Database
  14. Application

When assets are processed during connector runs, the de-duplication process starts at the top of the locator list. If there is a value in that field, it compares it to all existing assets in Cisco Vulnerability Management. If it finds a match, it updates the existing asset with the current information from the connector run. If it doesn’t find a match, Cisco Vulnerability Management creates a new asset. If there is no value in that field, it continues down to number 2, and so on. For example, from the previous list, if Cisco Vulnerability Management doesn’t receive a container identifier, it moves down to an image identifier and tries to match with that data. If there’s no image identifier, it moves down to an EC2 identifier, and so on, until it finds a value to use for de-duplication.

For help setting locator order, refer to Understanding-Locator-Order.
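The matching walk described above, as an added Python example (not Cisco's code); the field names, the exact-match comparison and the constructed sample records are assumptions. It shows that only the first populated locator is compared, so a host whose MAC address changes becomes a second asset under the default order but merges into one when hostname is moved to the top.

```python
# Default precedence from the list above; key names are hypothetical.
DEFAULT_LOCATOR_ORDER = [
    "container_id", "image_id", "ec2", "mac_address", "netbios",
    "external_ip_address", "hostname", "url", "file", "fqdn",
    "ip_address", "external_id", "database", "application",
]

def first_populated_locator(record, order):
    """Return (field, value) for the highest-precedence locator that has a value."""
    for field in order:
        if record.get(field):
            return field, record[field]
    return None

def ingest(records, order=DEFAULT_LOCATOR_ORDER):
    """Replay connector records and return the resulting asset list."""
    assets = []
    for record in records:
        locator = first_populated_locator(record, order)
        if locator is None:
            continue  # no locator at all: skipped in this example
        field, value = locator
        # Compare only that one field against every existing asset
        # (exact string match is an assumption of this example).
        match = next((a for a in assets if a.get(field) == value), None)
        if match is not None:
            match.update({k: v for k, v in record.items() if v})
        else:
            assets.append(dict(record))  # no match: a new asset is created
    return assets

def hostname_first_order():
    """A customized order with hostname promoted to the top."""
    return ["hostname"] + [f for f in DEFAULT_LOCATOR_ORDER if f != "hostname"]

# Constructed sample data: one physical host reported three times.
SAMPLE_RECORDS = [
    {"mac_address": "00:50:56:aa:bb:01", "hostname": "web01", "ip_address": "10.0.0.5"},
    {"hostname": "web01", "ip_address": "10.0.0.5"},            # scanner without MAC
    {"mac_address": "00:50:56:aa:bb:02", "hostname": "web01"},  # after NIC replacement
]

if __name__ == "__main__":
    print(len(ingest(SAMPLE_RECORDS)))                          # default order
    print(len(ingest(SAMPLE_RECORDS, hostname_first_order())))  # hostname first
```

Each extra asset created this way is an additional active asset, so comparing asset counts under alternative orders on exported data is a quick check before changing the locator order.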

You can’t delete assets from within the UI. This is intentional as the upstream tools and systems should be configured to filter which assets are sent to Cisco Vulnerability Management. If the upstream tools and systems are not properly updated, assets will continue to be brought into Cisco Vulnerability Management.

Is this information available in the API?

Yes. You can also get your organization's overage status as 'true' or 'false' from the API. For more information, refer to the Get Overage Status API endpoint.

If you have API access, you can see the ‘overage’ parameter in the following API endpoints:

  • Show asset
  • List assets
  • Create asset
  • Search asset
  • Download assets
  • Get data export 


In addition to the above API endpoints, you can also see information about overage assets on the POST API endpoints to create new assets or update vulnerabilities on an asset that is in an ‘overage’ state:

  • {"success":"false","error":"unprocessable_entity","message":"Cannot create asset while you are in overage"}
  • {"success":"false","error":"unprocessable_entity","message":"Cannot create vulnerability on overage asset"}

What about my Application Security Module assets?

Application Security Module licensing is not being enforced. Applications and assets with a file or URL primary asset locator do not count against active licenses.

 
