Licensing Overview
Forward Enterprise uses a tiered licensing model organized along two dimensions:
- Feature tier determines which platform capabilities are unlocked. Currently, the feature tiers offered by Forward Enterprise include Base, Network, and Security, and their combinations.
- License unit is the entity license capacity is measured against: a network device (Network Device Licensing), a cloud compute instance (Cloud Licensing), or a collected endpoint (Endpoint Licensing).
To size a Forward Enterprise license, customers typically follow two steps:
- Choose the feature tier based on the problem to solve and the capabilities required. Use the Feature-to-Tier Summary below to identify which tier (or tier combination) covers the functionality needed.
- Choose the license units based on the composition of the infrastructure to model in Forward — the network devices, cloud compute instances, and endpoints that make up the digital twin. Each unit type has its own capacity model and is purchased independently.
Tiers apply uniformly across all devices in a network. Partial license upgrades within a network are not supported.
License Units
Forward Enterprise supports three license units, each with its own capacity model:
| License Unit | How Capacity Is Measured | Examples |
|---|---|---|
| Network device | Per network device | Routers, switches, firewalls, load balancers, SD-WAN appliances |
| Cloud | Cloud Credit Hours (CCH) | AWS, Azure, GCP, and IBM Cloud environments. CCH is a consumption metric that tracks modeled compute instances over time |
| Endpoint | Per collected endpoint | Servers, printers, IP phones, and similar endpoints discovered and collected by Forward |
Peripheral devices (such as wireless access points and smart NICs) are licensed as part of Network Device Licensing but are tracked separately against a dedicated Peripheral capacity. For details on how each license unit tracks and consumes capacity, see License Management.
Feature Tiers
Forward Enterprise offers three feature tiers — Base, Network, and Security — that determine which platform capabilities are enabled.
- Base is the entry-level tier and a prerequisite for all other tiers. It provides essential discovery, inventory, topology, and text search capabilities that form the foundation of the Forward digital twin.
- Network is an add-on to Base or Security that unlocks full network modeling, verification, and operational intelligence (including path analysis, NQE, Diffs, custom commands, dashboards, intent verification, and integrations). It is designed for network engineering and operations teams.
- Security is an add-on to Base or Network that enables security policy analysis, compliance auditing, and vulnerability management. It is designed for NetSecOps and compliance teams.
For the full breakdown of capabilities per tier, see Feature-to-Tier Summary below.
The same tier structure applies to the Cloud and Endpoint license units (Cloud Base, Cloud Network, Endpoint Base, Endpoint Network, etc.). Each license unit is purchased at its own tier — for example, an organization that needs the Network tier across network and cloud infrastructure must purchase Base + Network for both.
Valid Tier Combinations
Base is always required. Network and Security are independent add-ons to Base.
Base
Base + Network
Base + Security
Base + Network + Security
Feature-to-Tier Summary
The following table summarizes which major capabilities are available at each tier level.
| Area | Feature | Base | Network | Security |
|---|---|---|---|---|
| Snapshot | Select, Edit, Import, Export | ✓ | ✓ | ✓ |
| Sherlock | ✓ | ✓ | ✓ | |
| Topology | Physical, Annotations, Tags | ✓ | ✓ | ✓ |
| Network Maps | ✓ | |||
| Security rules table | ✓ | |||
| Path Search | Simple, Search bar options | ✓ | ✓ | |
| Save as Intent, Real-time | ✓ | ✓ | ||
| Health status, Path Diff | ✓ | |||
| Inventory+ | Built-in (NQE) | ✓ | ✓ | ✓ |
| Modifiable (NQE) | ✓ | ✓ | ||
| Security Folder | ✓ | |||
| Historical view | ✓ | |||
| Verifications (NQE) | Execute and view details | ✓ | ✓ | |
| Add NQE queries | ✓ | ✓ | ||
| Verifications (Predefined) | ✓ | |||
| Verifications (Intent) | Existence, Isolation | ✓ | ✓ | |
| Reachability | ✓ | ✓ | ||
| Security (all apps) | ✓ | |||
| Diff | Overview, Files, Inventory | ✓ | ✓ | |
| Routes, Interfaces, Links | ✓ | |||
| VLANs, NATs | ✓ | ✓ | ||
| ACLs | ✓ | |||
| Dashboards | Network complexity | ✓ | ✓ | ✓ |
| System | ✓ | ✓ | ✓ | |
| Insights, Scorecards, KPIs | ✓ | |||
| Network Performance | ✓ | |||
| Network Verification | ✓ | ✓ | ||
| Custom Dashboards | ✓ | ✓ | ||
| Security-related | ✓ | |||
| NQE Library | Execute | ✓ | ✓ | |
| New Query, Copy, Commit, Export | ✓ | |||
| NQE Assist, Data model | ✓ | |||
| Sources and Collection | ✓ | ✓ | ✓ | |
| Custom Commands | ✓ |
Features associated with tiers you have not purchased remain visible in the user interface but are disabled (greyed out). This allows you to see what additional capabilities are available at higher tiers without losing context in your workflow.
What's Next
- License Management - Details on device counting, cloud credit hours, license installation, and administrative operations.