SonicWall Cloud Secure Edge (CSE) Licensing & Expiration Mega FAQ

Description

Welcome to the comprehensive licensing guide for SonicWall Cloud Secure Edge (CSE). Because CSE is a cloud-native Security Service Edge (SSE) and Zero Trust Network Access (ZTNA) platform, its licensing, scaling, and expiration behave differently than traditional physical firewalls.

Resolution

Understanding CSE Licensing

Q: How does CSE licensing work in general?

A: CSE licenses are assigned per-user, not per-device or concurrently connected basis. You purchase a fixed number of licenses (your License Entitlement). A user consumes one of these floating licenses when an administrator grants them a license in the directory, or implicitly when they are assigned to a specific CSE service (like a Service Tunnel or a ITP policy). A single user can register multiple devices (e.g., a laptop and a mobile phone) while only consuming a single user license.

Q: How are user limits enforced if I exceed my licensed quantity?

A: SonicWall uses a "soft enforcement" model for CSE licensing. This means if your organization temporarily exceeds your purchased license quantity, your end-users will not be blocked from connecting or immediately locked out. However, active user consumption is routinely audited. If your usage exceeds your licensed entitlement, you will be notified and required to purchase an upgrade to cover the overage.

Q: How can I control which users consume a CSE license?

A: The most effective way to manage and restrict license consumption is directly through your Identity Provider (IdP) (e.g., Microsoft Entra ID, Okta, Google Workspace). You can control who connects by configuring your IdP to only authenticate specific users or security groups for the CSE application. If a user is blocked from authenticating at the IdP level, they cannot access CSE and will not consume a license.

Q: What is the difference between SPA and SIA?

A: CSE features are divided into two main licensing categories based on what the user needs to access:

  • Secure Private Access (SPA): Provides zero-trust access to your internal applications and infrastructure. It acts as a modern replacement for traditional VPNs (VPN-as-a-Service) and provides granular, identity-aware Zero Trust Network Access (ZTNA) to on-premise or multi-cloud private resources.

  • Secure Internet Access (SIA): Provides secure access to public internet resources and SaaS applications. It acts as your cloud-delivered web gateway, protecting users from web-based threats, enforcing DNS compliance filtering, and providing Cloud Access Security Broker (CASB) capabilities.

Q: What is the difference between "Basic" and "Advanced" tiers?

A: Both SPA and SIA are available in Basic and Advanced tiers (consult the datasheet for in depth information):

  • SPA Basic vs. Advanced: SPA Basic provides tunnel-based ZTNA (Cloud VPN) and device posture checks. SPA Advanced adds proxy-based ZTNA (for specific HTTP/TCP applications without exposing the network), SSH/RDP access, and deeper integrations with third-party EDR/MDM solutions.

  • SIA Basic vs. Advanced: SIA Basic focuses on DNS-based compliance and malicious domain filtering. SIA Advanced adds the Secure Web Gateway features such as URL Filtering, Geo-blocking and Malware Download Protection.

Q: Do I need both SPA and SIA?

A: It depends on your security goals. Many organizations combine both SPA and SIA for a complete Secure Service Edge (SSE) deployment. If you are simply looking to replace an aging SSL-VPN with a modern zero-trust architecture, you purchase SPA licenses. If you are looking for a DNS filtering or Secure Web Gateway solution on the endpoint that will protect the device anytime, anywhere, you purchase SIA licenses. 

Q: Can I purchase different quantities of SPA and SIA licenses? A: Yes. SPA and SIA user quantities are completely independent of one another. For example, you might have 500 users licensed for SIA to protect all of their web traffic and SaaS usage, but only 100 of those users might require SPA licenses to access internal private servers. You can easily mix and match user quantities based on your organization's specific access needs.

Renewals, Proration, and Adding Users

Q: How do I add more users to my existing CSE tenant mid-term?

 A: If your company grows and you need to add more users, you can purchase additional CSE user licenses through your SonicWall partner. Once purchased, you simply apply the new activation key to your existing CSE serial number in your MySonicWall or Unified Management inventory.

Q: How does proration work when I add new users mid-term?
A: SonicWall uses a feature called Service Co-termination to handle proration. Instead of having multiple expiration dates for different batches of users, Co-termination calculates a unified expiration date for your entire CSE tenant. See Renewing or upgrading licensing on an existing Cloud Secure Edge product for more details. 

Q: Where do I manage my CSE licenses and renewals? 

A: Your CSE licenses are managed through your SonicWall inventory. While SonicWall is actively transitioning from MySonicWall to the new Unified Management platform, the inventory and renewal functions remain identical in both. You can locate your CSE Serial Number under My Workspace > Products (or your respective inventory view) to check expiration dates or apply new activation keys. 

Q: How do I know when my CSE subscription is about to expire?

 A: The primary account contacts will receive automated email notifications leading up to the expiration date. You will also see the active status and exact expiration date listed on your CSE serial number in your MySonicWall or Unified Management portal. 

Expirations and The 45-Day Lifecycle

Q: What happens the day my CSE subscription expires?

A: Because CSE is a cloud-hosted infrastructure, we prioritize keeping your business online. When your license expires, your tenant immediately enters a 44-day grace period. During this time, the system operates in a restricted administrative state, but remote access continues to function.

Q: Will I lose remote access connectivity or internet access security during the grace period?

A: No. End-user continuity is maintained throughout the 44-day grace period. Your employees can continue to authenticate and access Secure Private Access (SPA) and are protected by Secure Internet Access (SIA) the same as usual. 

Q: Can I still manage my policies if the license is expired?

A: No. To enforce the expiration, administrators are locked out of the CSE Admin Console starting on Day 1 of the expiration. While end-users can still connect, IT will not be able to log in to modify policies, adjust device trust scoring, view audit logs, or manage user directories until a renewal license is applied.

Q: What happens on Day 45 after expiration?

A: If a valid renewal key is not applied to your account by Day 45, SonicWall initiates an automated, irreversible teardown of your CSE environment.

  • Total Access Loss: All remote workforce connections routed through the CSE platform are immediately severed.

  • Permanent Deletion: Your organization's specific cloud backend, Zero Trust policies, custom PKI/certificate authorities, and user inventories are securely and permanently wiped.

  • Inventory Removal: The CSE serial number is permanently removed from your MySonicWall/Unified Management account.

[!IMPORTANT] Example Timeline: If your subscription expires on October 16th, your grace period runs from October 17th through November 29th. On November 30th (Day 45), the tenant is permanently deleted.

Manual Serial Number Deletion

Q: What happens if I manually delete my CSE Serial Number in MySonicWall/Unified Management? A: Do not delete your CSE serial number unless you intend to permanently destroy your tenant. Manually deleting the serial number acts as an immediate termination command. It bypasses the 44-day grace period entirely.

Q: What are the exact consequences of manual deletion?

  1. Immediate Outage: All end-user connections (SPA and SIA) are instantly dropped.

  2. Permanent Data Purge: The cloud backend, including all configurations, policies, and directories, is immediately scheduled for permanent deletion.

  3. Irreversible: SonicWall Support cannot recover a tenant that has been manually deleted. If you delete the serial number by mistake, you will have to set up a brand new CSE environment from scratch and re-enroll your entire workforce.

Q: I want to move my CSE tenant to a different MySonicWall account. Should I delete it and re-register it?

A: No! Deleting it will destroy the tenant. If you need to move a CSE tenant to a different account (e.g., moving from an MSP's account to a customer's account), you must use the Transfer Product feature within MySonicWall/Unified Management. This safely moves the serial number without impacting the cloud backend or end-user connectivity. Transfer Product between organizations will soon be supported through the UI but in the meanwhile please contact Customer Service to request transfer between organizations. 

Multi-Tenant Management & MSP Billing

Q: Can I provision multiple CSE instances within a single MSW/UM tenant?

 A: No. You can only provision one instance of CSE per MySonicWall (MSW) or Unified Management (UM) tenant.

Q: How should Managed Service Providers (MSPs) structure CSE for multiple customers?

A: Because of the single-instance limitation, you must use a 1:1 ratio where each customer has their own dedicated MSW or UM tenant. This allows you to provision a distinct CSE instance for each customer and ensures tenant isolation.

Q: What are the benefits of assigning each customer their own tenant and CSE instance?

 A: Maintaining separate tenants for each customer provides several critical operational advantages:

  • Strict Data Boundaries: It guarantees complete isolation of user directories, audit logs, and access policies. Mixing multiple customers into a single CSE instance leads to data cross-pollination and poses severe security and compliance risks.

  • Accurate Billing: It allows for a precise, easy-to-read monthly billing breakdown of usage per customer.

  • PSA Integration: It ensures seamless integration with Professional Services Automation (PSA) tools (such as ConnectWise or Autotask) for automated ticketing, license synchronization, and billing.

  • Firewall Connector Compatibility: This isolated architecture is a strict requirement if you plan to use SonicWall firewalls as CSE Connectors.

Q: Can I use a SonicWall firewall as a CSE Connector in a multi-tenant environment?

A: Yes, SonicWall Gen7 firewalls can act as routing connectors for your CSE environment. However, the SonicWall firewall and the CSE instance must reside within the exact same MSW/UM tenant. You cannot link a customer's firewall to a centralized CSE instance sitting in an overarching parent/MSP tenant.

Q: Is monthly billing available for CSE?

A: Yes. For partners enrolled in the SonicWall Service Provider Program (MSSP/Monthly billing program), CSE can be easily provisioned as a monthly subscription without requiring upfront activation keys. Existing annual or term-based CSE licenses can also be converted to monthly billing, providing a no-commitment, pay-as-you-go model that perfectly aligns with managed service deployments.

Related Articles

  • How to collect CSE Desktop App debug logs
    Read More
  • How to reach a destination behind an existing Site-to-Site (S2S) VPN from a Banyan user connected via Cloud Secure Edge (CSE)
    Read More
  • CSE - How to Reach an External URL Through Your Firewall from Banyan?
    Read More

Categories

Cloud Secure Edge
MySonicWall
not finding your answers?
Ask the Community
Chat