flex-license-migration-lab 
- 1. Palo Alto Networks Professional Service Flex Licensing Migration Lab
- 2 Deploy Panorama in Microsoft Azure
- 3. Customer Support Portal
- 4. Deploy Firewalls in Azure
- 5 License Migration
- 6 Lab Clean Up
1. Palo Alto Networks Professional Service Flex Licensing Migration Lab
1.1 Overview
The following lab guide will help you understand how to migrate Software Firewalls from a non-Flex license model (ELA, etc.) to the new Flex license model. It also covers how to create Deployment Profiles in the Customer Support Portal (CSP) to cover several scenarios. The lab only covers the migration use cases listed below:
1. Standalone Firewall with Access to the CSP
2. Standalone Firewall, No Access to the CSP
3. Panorama-Managed Firewalls with Access to the CSP
4. Panorama-Managed Firewalls, No Access to the CSP
Private Cloud and other Public Cloud Providers are not covered in the lab. The deployed firewalls are running PanOS 9.1, 10.0.3, 10.2
1.2 Covered Scenarios
The following scenarios and lab activities are covered
- Deploy a new Lab Panorama to fulfill the Migration process
- Configure Panorama to perform the Lab activities
- Set up the Customer Support Portal (CSP)
- Creating several Deployment Profiles
- Deploy Software Firewalls and License them with an ELA License
  - 2 Firewalls in PanOS 9.1.13-h3
  - 2 Firewalls in PanOS 10.0.9
  - 2 Firewalls in PanOS 10.2.3
- Migrate Software Firewalls from NON-Flex License Model to Flex-License Model
  - NON-Flex to Flex-License (Fixed Deployment Profile)
  - Flex-License to Flex-License (Flexible Deployment Profile)
- How to update the Deployment Profile
  - Enable/Disable CDSS
  - Increase/Decrease vCPU count
- Troubleshooting
2 Deploy Panorama in Microsoft Azure
For this workshop you will first create a Panorama before we deploy the Software Firewalls in other Public Cloud Providers. The Panorama will have direct internet access. The Panorama is not connected to any other internal resource in Azure.
2.1 Deploy Azure Resource Group
- Log in to the Azure Portal (https://portal.azure.com). Use your Palo Alto Networks credentials to log in
- Open Azure Cloud Shell
- In Cloud Shell execute the following command, but first replace the values [StudentRGName] and [Location]
Available Regions are: North Europe, East US, UK South, UAE North, Australia Central
az group create --name [StudentRGName] --location [Location] --tags Owner=Workshop-DeleteMe
- The output should look like the following
2.2 Deploy Panorama in Azure
Next, after successfully creating the Resource Group, we will create the Panorama from a pre-staged image.
- Please go back to the Azure Cloud Shell
- In the following command, replace the following variables with your own values:
- [StudentRGName] #Use the same name as the Resource Group created previously in the chapter Deploy Azure Resource Group
- [VM-Name]
- [YourPassword]
Don't change any other variables
az vm create -g [StudentRGName] -n [VM-Name] --authentication-type password --admin-password [YourPassword] --image /subscriptions/d47f1af8-9795-4e86-bbce-da72cfd0f8ec/resourceGroups/ImageRG/providers/Microsoft.Compute/galleries/PsLab/images/psazurelab/versions/1.0.0 --specialized --public-ip-sku Standard --plan-name byol --plan-publisher paloaltonetworks --plan-product panorama --size Standard_D4_v2
- After you have made the changes, execute the command in Azure Cloud Shell
- The output should look like the following
- Check in your Resource Group in Azure whether the deployment is completed
- In the Resource Group select your NSG
- Now create an Inbound Security Rule to allow any traffic to your newly created Panorama
- Log in to your Panorama via the Public IP associated with it. The instructor will provide you with the username and password.
Congratulations!! You have successfully deployed a Panorama in Microsoft Azure.
3. Customer Support Portal
In the following lab section we will go to the Customer Support Portal (CSP) to create your first Deployment Profiles. This is needed for the initial migration and for generating a serial number for the Panorama
3.1 Login To Customer Support Portal
- Login with your PANW Credentials at the Customer Support Portal https://support.paloaltonetworks.com/
- In the Support Portal change the Account Selector to 132205 - Palo Alto Networks - Professional Services
- On the Support Portal Page on the left side go to Assets -> Software NGFW Credits
3.2 Create Fixed Deployment Profiles
Now you will create one Deployment Profile in the Customer Support Portal.
3.2.1 Azure Deployment Profile
- On the Prisma NGFW Credits Pool click on Create Deployment Profile
- Select the following as shown on the picture below and click Next
- In the Deployment Profile use the following and replace Instructor-Lab under "Profile Name" with "Migration-Lab-Fixed-[StudentName]"
- Click "Create Deployment Profile"
- Verify that your Deployment Profile is successfully created
3.3 License Panorama
In the next steps you will create a serial number for your previously created Panorama with the Flex License Credits
3.3.1 Provision Panorama Serialnumber
- Login with your PANW Credentials at the Customer Support Portal https://support.paloaltonetworks.com/
- On the Support Portal Page on the left side go to Assets -> Software NGFW Credits -> Details
- Now search for your previously created Azure Deployment Profile here
- Click on the 3 dots and on Provision Panorama
- In the new window click on Provision
- Once the window is closed repeat the steps from step 3
- Now you can see a serial number in the window. Copy the serial number
- You can close the window by clicking Cancel
3.3.2 Configure Panorama
Next, we will license your Panorama with the serial number you created above, create a new Device Group and Template inside your new Panorama, and do some basic configuration in your Device Template
3.3.2.1 License Panorama
- Login to your Panorama https://[Public-IP]
- Copy the serial number you created on the CSP Portal and enter it under the Panorama Tab -> Setup -> Management -> General Settings
- Hit OK and reload the UI. Check if a pending commit on the Panorama is needed. If yes, commit to Panorama.
- In the Panorama check that a serial number is associated with it
3.3.2.2 Create Device Group and Device Template
- Next, create a Device Group, Template, and Template Stack. See the picture below as an example
- Once you are done, commit your changes to the Panorama
3.3.2.3 Base config of the Device Template
- In the Panorama navigate to Device and select under Template your previously created Template (in my example Stundent-TP)
- In your Template click on Select -> Service and click on the wheel.
- In the Services tab type 8.8.8.8 under Primary DNS Server
- Next, click on the NTP tab and provide an NTP server from your region (in my example 0.de.pool.ntp.org)
- Click OK once you have entered it
- Next, click on Dynamic Updates in the left panel
- Change the settings as shown in the picture below
- At the end commit your changes to the Panorama
4. Deploy Firewalls in Azure
In the following chapter you will deploy several Software Firewalls in different PanOS versions. The Software Firewalls will automatically join your previously created Panorama
4.1 What you will do?
- Login to Azure Portal (https://portal.azure.com) and login with your Credentials
- Download Terraform Code from GitHub
- Modify Terraform Code
- Execute Terraform Code
- Validate Deployment in Azure Portal and Panorama
4.2 Deployment
- Log in to the Azure Portal (https://portal.azure.com)
- Open Azure Cloud Shell
- Click on Create storage. In some cases it will not create a Storage Account. In that case click on "Show advanced settings" and create your own storage account.
- Once the creation of the storage is completed you will see the following
- Download the Terraform code from GitHub
- In the Cloud Shell execute the following command
git clone https://github.com/PaloAltoNetworks/flex-license-migration-lab.git
- As output you will see the following
- Now browse to the deployment folder
cd flex-license-migration-lab/azure/single\ firewall\ deployment/
- Rename terraform.tfvars.example to terraform.tfvars
mv ./terraform.tfvars.example terraform.tfvars
- Modify terraform.tfvars inside Cloud Shell with the vi command
- Modify the following variables in the file.
resource_group_name = "migration-[Studenname]" #replace [Studentname] with your name
password = "SecurePassWord12!!" #change the password. Use a complex password
storage_account_name = "pantfstorage[Studenname]" #replace [Studentname] with your name in small letters without space
storage_share_name = "bootstrapshare[Studenname]" #replace [Studentname] with your name in small letters without space
- Save your changes by pressing ESC, then type :wq! and press ENTER
- Next, switch to the folder files and rename init-cfg.sample.txt to init-cfg.txt using the mv command
- Modify init-cfg.txt inside Cloud Shell with the vi command. Make sure you add the same names of the Device Group and Template Stack you created in your Panorama. The values for the variables tplname and dgname can be found in section 3.3.2 (License Panorama / Create Device Group and Device Template)
type=dhcp-client
vm-auth-key=123456789012345 #Follow the link below to create/show the key
panorama-server=10.1.2.3 #change it to the Public IP of your Panorama
tplname=my-stack #change it to the Template Stack inside your Panorama Section [3.3.2]
dgname=my-device-group #change it to the Device Group inside your Panorama Section [3.3.2]
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
- Next, in the folder files, rename authcodes.sample to authcodes using the mv command
- Modify the authcodes file with the vi command.
XXXXXXX # Instructor will provide you the Key via Slack
- Save your changes by pressing ESC, then type :wq! and press ENTER
- Move back to the single\ firewall\ deployment folder with the command cd ..
- Once you have made all your changes, execute the Terraform code with the following commands:
terraform init
terraform plan
terraform apply
Once you get the prompt, type yes
- Important! The complete deployment will take up to 10 minutes after Terraform Apply completes. It is a good time for a break
- Terraform Init
- Terraform Plan
- Terraform Apply
- Once terraform apply is completed you will see the following output
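A pre-flight check for the files edited in the steps above, to run from the deployment folder before `terraform apply`: it reports any value still at the sample shown in this guide (including the published sample password) and storage names that break Azure's naming rules. This is an added example, not part of the lab repository; the function names and the FINDING output format are assumptions.

```bash
# Added example (not part of the lab repository): pre-flight check that the
# bootstrap files no longer hold the sample values shown in this guide.
# Print the value of KEY from a key=value file. A quoted value is taken
# verbatim (it may contain '#'); otherwise a trailing "# comment" is removed.
get_value() {  # usage: get_value FILE KEY
    sed -n -E "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed -E -e 's/^"([^"]*)".*$/\1/' -e t -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]+$//'
}

# Print one finding per line for deployment folder DIR; return 1 if any were found.
preflight_check() {  # usage: preflight_check DIR
    local dir="$1" findings=0 f key sample val
    local tfvars="$dir/terraform.tfvars" cfg="$dir/files/init-cfg.txt" codes="$dir/files/authcodes"
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }
    for f in "$tfvars" "$cfg" "$codes"; do
        [ -f "$f" ] || report "$f is missing (was the sample file renamed?)"
    done
    [ "$findings" -eq 0 ] || return 1

    # terraform.tfvars: [placeholder] left in place, or the guide's sample password.
    val=$(get_value "$tfvars" resource_group_name)
    case "$val" in '' | *'['*) report "resource_group_name is empty or still has a [placeholder]" ;; esac
    [ "$(get_value "$tfvars" password)" != 'SecurePassWord12!!' ] ||
        report "password is still the sample password printed in the guide"
    # Azure naming rules: account = 3-24 lowercase letters/digits; share = 3-63, '-' allowed.
    val=$(get_value "$tfvars" storage_account_name)
    printf '%s' "$val" | LC_ALL=C grep -Eq '^[a-z0-9]{3,24}$' || report "storage_account_name '$val' is not valid"
    val=$(get_value "$tfvars" storage_share_name)
    printf '%s' "$val" | LC_ALL=C grep -Eq '^[a-z0-9-]{3,63}$' || report "storage_share_name '$val' is not valid"

    # init-cfg.txt: each key must be set and differ from the sample value.
    while read -r key sample; do
        val=$(get_value "$cfg" "$key")
        if [ -z "$val" ] || [ "$val" = "$sample" ]; then
            report "$key in init-cfg.txt is empty or still the sample value '$sample'"
        fi
    done <<'EOF'
vm-auth-key 123456789012345
panorama-server 10.1.2.3
tplname my-stack
dgname my-device-group
EOF
    # authcodes: the first non-empty line must not be the XXXXXXX placeholder.
    val=$(grep -v '^[[:space:]]*$' "$codes" | head -n 1 | sed -E 's/[[:space:]]*#.*$//')
    case "$val" in '' | XXXXXXX) report "authcodes is empty or still the XXXXXXX placeholder" ;; esac
    [ "$findings" -eq 0 ]
}

# Constructed sample: a folder that still holds the guide's unmodified values.
make_sample_dir() {
    local d; d=$(mktemp -d); mkdir "$d/files"
    printf '%s\n' 'resource_group_name = "migration-[Studenname]"' 'password = "SecurePassWord12!!"' \
        'storage_account_name = "pantfstorage[Studenname]"' \
        'storage_share_name = "bootstrapshare[Studenname]"' > "$d/terraform.tfvars"
    printf '%s\n' 'vm-auth-key=123456789012345 #sample key' 'panorama-server=10.1.2.3' \
        'tplname=my-stack' 'dgname=my-device-group' > "$d/files/init-cfg.txt"
    echo 'XXXXXXX # Instructor will provide you the Key via Slack' > "$d/files/authcodes"
    echo "$d"
}

# With a folder argument, check that folder; without one, demo on the sample.
if [ "$#" -gt 0 ]; then preflight_check "$1"
else d=$(make_sample_dir); preflight_check "$d" || true; rm -rf "$d"; fi
```

Saved under a file name of your choice (for example preflight.sh, a hypothetical name), `bash preflight.sh .` checks the current folder and exits non-zero if anything is reported.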
4.3 Validate Deployment
- Login into Panorama
- Validate Deployment
- Login into Panorama Public IP
- Once you are logged into the Panorama, navigate to the Panorama tab and validate that you can see your newly deployed Firewalls (the deployment and bootstrapping process can take up to 10-15 minutes). If the deployment was successful you will see the following output in Panorama -> Managed Devices -> Summary
- You successfully deployed your environment if you can see the above output
Congratulations, you successfully deployed several VM-Series Firewalls in different PanOS versions and bootstrapped them.
5 License Migration
In the following steps you will migrate the previously created firewalls from a NON-Flex License model to the Flex-License model. You will do several migrations and create/update some Deployment Profiles to fulfill the activities.
5.1 Covered Scenarios in Detail
- Migrate all Software Firewall to Flex License model (Fixed Deployment Profile) via Panorama
- Migrate one (1) Firewall with PanOS 9.1.13-h3 to Fixed License via Panorama
- Migrate one (1) Firewall with PanOS 10.0.9 to Fixed License via Panorama
- Migrate one (1) Firewall with PanOS 10.0.9 from Fixed License to Flex via Panorama
- Migrate one (1) Firewall with PanOS 10.2.3 to Fixed License via Panorama
- Migrate one (1) Firewall with PanOS 10.2.3 from Fixed License to Flex via Panorama
- Migrate one (1) Firewall with PanOS 10.2.3 from Flex to Flex with increasing the vCPU via Panorama
5.2 Migrate Software Firewalls
In the following section we will now migrate all Software Firewalls from the NON-Flex license model to the Flex license model. For that we will use the Deployment Profile you created in section 3.2 Create Fixed Deployment Profiles.
5.2.1 Initial Migration
In the following section you will migrate all Software Firewalls from NON-Flex Licensing to Flex Licensing.
- Login with your PANW Credentials at the Customer Support Portal https://support.paloaltonetworks.com/
- In the Support Portal change the Account Selector to 132205 - Palo Alto Networks - Professional Services
- On the Support Portal Page on the left side go to Assets -> Software NGFW Credits -> Details
- Now search for your previously created Azure Deployment Profile here
- Now copy the Auth Code of your profile.
- Next, log in to your Panorama https://[Public-IP]
- In your Panorama navigate to Panorama -> Device Deployment -> Licenses
- In the License window click Activate at the bottom
- In the opened window select all available Firewalls, type the auth code into the AUTH CODE field and click Activate
- The migration process will now take several minutes.
- Once the migration is completed you will see the following outcome
- Next, check on the CSP whether your credits got consumed from your Deployment Profile. You should see the below outcome
Congratulations!!! You successfully migrated all your Software Firewalls from a NON-Flex license model to the Flex License model (Fixed Deployment Profile) via Panorama
5.2.2 Migrate PanOS 10.0.9 to Flexible Deployment Profile
In the following section we will create a new Deployment Profile to migrate the Software Firewalls from a Fixed Deployment Profile to a Flexible Deployment Profile
- Login with your PANW Credentials at the Customer Support Portal https://support.paloaltonetworks.com/
- In the Support Portal change the Account Selector to 132205 - Palo Alto Networks - Professional Services
- On the Support Portal Page on the left side go to Assets -> Software NGFW Credits
- On the Prisma NGFW Credits Pool click on Create Deployment Profile
- Select the following as shown on the picture below and click Next
- In the Deployment Profile use the following and set "Profile Name" to "Migration-Lab-Flex-[StudentName]"
- Click "Create Deployment Profile"
- Verify that your Deployment Profile is successfully created
- Now copy the Auth Code of the newly created Deployment Profile
- Next, log in to your Panorama https://[Public-IP]
- In your Panorama navigate to Panorama -> Device Deployment -> Licenses
- In the License window click Activate at the bottom
- Now select Firewall 3 and 4 or, as shown in the picture, the firewalls with the name "PA-VM". You can verify the name of the firewalls in the Summary tab. Now type the auth code into the AUTH CODE field and click Activate
- Is the upgrade working? If not, why?
- Before you can perform the License Key upgrade you have to install the License API Key on the Software Firewalls. Follow the instructions to perform the task. Repeat that
- Install the API License Key on ALL other Software Firewalls (1-6) too for future tasks
- Once you have added the API License Key, go to your Panorama and switch the context to Firewall 3 or 4 (or PA-VM)
- In the Firewall navigate to Device -> License and click on Upgrade VM capacity
- In the window add your auth code under Authorization Code and click Continue
- You will see the below outcome once it has completed. Click Close and refresh the UI
- In the Firewall switch to the Dashboard and you can see the VM License changed to VM-FLEX-4
- Repeat the same steps for the second firewall.
- When you now go to the Support Portal and check your profiles, you can see that the count of the Fixed profile is reduced by 2 firewalls and 8 vCPUs and the Flex profile increased.
Congratulations!!! You successfully migrated 2 Firewalls from a Fixed License Deployment Profile to a Flexible Deployment Profile and implemented the API License Key on the Firewalls
5.2.3 Migrate PanOS 10.2.3 to Flexible Deployment Profile
In the following section we will create a new Deployment Profile to migrate the Software Firewalls from a Fixed Deployment Profile to a Flexible Deployment Profile
- Login with your PANW Credentials at the Customer Support Portal https://support.paloaltonetworks.com/
- In the Support Portal change the Account Selector to 132205 - Palo Alto Networks - Professional Services
- On the Support Portal Page on the left side go to Assets -> Software NGFW Credits
- On the Prisma NGFW Credits Pool click on Create Deployment Profile
- Select the following as shown on the picture below and click Next
- In the Deployment Profile use the following and set "Profile Name" to "Migration-Lab-Flex-10.2-[StudentName]"
- Click "Create Deployment Profile"
- Verify that your Deployment Profile is successfully created
- Now copy the Auth Code of the newly created Deployment Profile
- Next, log in to your Panorama https://[Public-IP]
- In your Panorama navigate to Panorama -> Device Deployment -> Licenses
- In the License window click Activate at the bottom
- Now select Firewall 5 and 6 or as shown in the picture. You can verify the name of the firewalls in the Summary tab. Now type the auth code into the AUTH CODE field and click Activate
- It will fail too because of the same issue you already faced above. Please follow the same instructions from the previous chapter to migrate the firewalls to Flexible Deployment profile.
5.3 Change vCPU on PanOS 10.2.3 Firewall
In the following section we will create a new Deployment Profile to change the vCPU on the already licensed Software Firewall
- Login with your PANW Credentials at the Customer Support Portal https://support.paloaltonetworks.com/
- In the Support Portal change the Account Selector to 132205 - Palo Alto Networks - Professional Services
- On the Support Portal Page on the left side go to Assets -> Software NGFW Credits
- On the Prisma NGFW Credits Pool click on Create Deployment Profile
- Select the following as shown on the picture below and click Next
- In the Deployment Profile use the following and set "Profile Name" to "Migration-Lab-Flex-10.2-3vcpu-[StudentName]"
- Click "Create Deployment Profile"
- Verify that your Deployment Profile is successfully created
- First verify that both Software Firewalls (5 and 6) are migrated to the new Flexible Deployment Profile. Check on the Firewall Dashboard whether you can see (VM-Series-4)
- Next, log in to Firewall 5 or 6 via ssh. In my example I migrate Firewall 6
ssh -oHostKeyAlgorithms=+ssh-rsa USERNAME@FIREWALL-IP
- In the CLI type the following command to set the core value to 3
request plugins vm_series set-cores cores 3
- This requires a reboot. Type the following command to reboot the firewall
request restart system
- The reboot of the firewall will now take around 5 minutes
- Once the firewall is back online and functional, log in to the firewall via Panorama or directly
- In the Firewall navigate to Device -> License and click on Upgrade VM capacity
- In the window add your auth code (3 vCPU) under Authorization Code and click Continue
- You will see the below outcome once it has completed. Click Close and refresh the UI
- In the Firewall go to the Dashboard and you can see the VM License changed to VM-FLEX-3
Congratulations!!! You successfully migrated 1 Software Firewall from a Flexible Deployment Profile with 4 vCPUs to a Flexible Deployment Profile and changed the core count via CLI
5.4 Change/Update Deployment Profiles
In the following section you will now update your Deployment Profile ("Migration-Lab-Flex-10.2-[StudentName]") to remove some subscriptions and enable subscriptions
5.4.1 Add Security Subscriptions
- Login with your PANW Credentials at the Customer Support Portal https://support.paloaltonetworks.com/
- In the Support Portal change the Account Selector to 132205 - Palo Alto Networks - Professional Services
- On the Support Portal Page on the left side go to Assets -> Software NGFW Credits
- Go to your Deployment Profile "Migration-Lab-Flex-10.2-[StudentName]", click on the three dots and Edit Profile
- In your Deployment Profile select Global Protect and click Update Deployment Profile
- Click YES in the new window
- Next, log in to your Panorama
- In your Panorama navigate to Panorama -> Device Deployment -> Licenses
- Select Refresh
- Now select the firewall that was associated with the Auth Code of the "Migration-Lab-Flex-10.2-[StudentName]" Deployment Profile (in the example it is Firewall 5) and click Refresh
- You should see the following output if it was successful
- Refresh the Panorama UI
- Now you should see that the Global Protect license is active on Software Firewall 5
Congratulations!!! You successfully updated your Deployment Profile and added another Security subscription
5.4.2 Remove Security Subscriptions
- Login with your PANW Credentials at the Customer Support Portal https://support.paloaltonetworks.com/
- In the Support Portal change the Account Selector to 132205 - Palo Alto Networks - Professional Services
- On the Support Portal Page on the left side go to Assets -> Software NGFW Credits
- Go to your Deployment Profile "Migration-Lab-Flex-10.2-3vcpu-[StudentName]", click on the three dots and Edit Profile
- In your Deployment Profile de-select DNS and click Update Deployment Profile
- Click YES in the new window
- Next, log in to your Panorama
- In your Panorama navigate to Panorama -> Device Deployment -> Licenses
- Select Refresh
- Now select the Firewall that is associated with the updated Auth Code.
- Is the update working?
- If everything worked you have to refresh the UI. In some cases it will show you an error, but when you check the Panorama you can see the DNS license got removed or is listed as expired
Congratulations!!! You successfully updated your Deployment Profile and removed a Security subscription
6 Lab Clean Up
In the following section you will clean up your lab environment. This includes removing the Azure Resource Group (Panorama and Firewall) and deleting the Deployment Profiles in the CSP Account