VM license
You can access the FortiGate VM License page from the Dashboard > Status page in the Virtual Machine widget. Click the device license and select FortiGate VM License.
The FortiGate VM License page displays the following information:
Field |
Description |
---|---|
License status |
Displays one of the following statuses:
As you cannot access Dashboard > Status page in the Virtual Machine widget when the license is in one of the following statuses, they do not display in the License status field:
|
Allocated vCPUs |
Number of allocated and total allowable vCPUs |
Allocated RAM |
Amount of allocated RAM. There are no RAM restrictions. |
Expires on |
Expiry date (value depends on the type of license) |
This information is visible in the CLI by running get system status
(see CLI troubleshooting).
Uploading a license file
After you submit an order for a FortiGate-VM, Fortinet sends a license registration code to the email address that you entered in the order form. Use this code on the FortiCloud portal to register the FortiGate-VM.
Once the VM is registered, you can download the license file in .LIC format. On the FortiGate VM License page, click Upload. The system prompts you to reboot and validate the license with the FortiGuard server. Once validated, your FortiGate-VM is fully functional.
The VM license window may also appear immediately after logging in if you are running a VM with an evaluation license that has expired.
In cases where the GUI is not accessible, you can upload the license using secure copy (SCP).
To upload the license using SCP:
- Enable SCP:
config system global set admin-scp enable end
- Enable SSH in the administrative access for the interface where the transfer will take place:
config system interface edit <interface> append allowaccess ssh next end
- On your computer, upload the VM license. This example is for Linux:
scp <filename> <admin-user>@<FortiGate_IP>:vmlicense
VM license types
FortiGate-VM offers perpetual licensing (normal series and V-series) and annual subscription licensing (S-series). SKUs are based on the number of vCPUs (1, 2, 4, 8, 16, 32, or unlimited).
FortiOS 7.2.1 introduces a new permanent trial license, and moves away from the 15-day trial license. See Permanent trial mode for FortiGate-VM.
The FortiFlex program allows qualified enterprise and MSSP customers to create as many VM entitlements as required. Resource consumption is based upon predefined points that are calculated on a daily basis.
Feature |
Normal series |
Trial |
V-series |
S-series |
FortiFlex |
---|---|---|---|---|---|
Licensing and support |
The VM base is perpetual. You must separately contract support services on an annual basis. See the price list for details. |
Hardware configuration restrictions apply. Support is not available. |
The VM base is perpetual. You must separately contract support services on an annual basis. See the price list for details. |
Single annually contracted SKU that contains a VM base and a FortiCare service bundle. Four support service bundle types are available:
|
An annually contracted program to create multiple sets of a single entitlement per VM. Entitlements contain a VM base and FortiCare bundle. Four support service bundle types are available:
|
vCPU number upgrade during contracted term |
Not supported. |
Supported. You can also upgrade the support service bundle. Contact a Fortinet sales representative to upgrade. |
Supported. You can apply different VM entitlement configurations in the FortiFlex portal. API is not supported at this time. |
||
vCPU number downgrade during contracted term |
Not supported.
|
||||
VDOM support |
By default, each CPU level supports up to a certain number of VDOMs. Refer to the FortiGate-VM data sheet for default limits. |
VDOMs are supported, but restricted by the CPU allowance for the trial license. |
By default, all CPU levels do not support adding VDOMs. |
By default, all CPU levels do not support adding VDOMs. S-series VM instances support the subscription VDOM license. |
|
Applying a FortiFlex token
You can apply a FortiFlex token n the FortiGate VM License page for the following VM instance types:
- Newly deployed or expired FortiGate-VM instances. After logging into the FortiOS GUI, a FortiFlex token option is available when the license popup appears.
- Already licensed FortiGate-VM instances. You can go to this page from the Virtual Machine dashboard widget or from System > FortiGuard. FortiFlex token option is available for migrating into FortiFlex.
Consuming a new vCPU
In 7.2.4 and later versions, FortiGate-VM supports automatic vCPU hot-add/hot-remove to the limit of the license entitlement after activating an S-series license or a FortiFlex license. This enhancement removes the requirement for the CLI command execute cpu add
to be run or a reboot to be performed when the FortiGate-VM has a lower number of vCPUs allocated than the licensed number of vCPUs.
CLI troubleshooting
In some cases, you can view more information from the CLI to diagnose issues with VM licensing. This is also useful when the GUI is inaccessible due to an invalid contract.
Before you begin, ensure your FortiGate has the proper routes to connect to the internet. Run all following debug commands for a full picture of the issue.
To view the license status, expiration date, and VM resources:
# get system status Version: FortiGate-VM64-KVM v6.4.2,build1723,200730 (GA) ... Serial-Number: FGVM08********** .... License Status: Valid License Expiration Date: 2020-12-10 VM Resources: 1 CPU/8 allowed, 2010 MB RAM ...
To display license details:
# diagnose debug vm-print-license SerialNumber: FGVM08********** CreateDate: Tue Dec 10 00:57:32 2019 License expires: Thu Dec 10 00:00:00 2020 Expiry: 366 Key: yes Cert: yes Key2: yes Cert2: yes Model: 08 (11) CPU: 8 MEM: 2147483647
To display license information from FortiGuard:
# diagnose hardware sysinfo vm full UUID: abbe**************************** valid: 1 status: 1 code: 200 warn: 0 copy: 0 received: 4604955037 warning: 4600905081 recv: 202009152207 dup:
Field |
Value and description |
---|---|
Valid |
0 – Invalid 1 – Valid |
Status |
0 – Startup 1 – Success 2 – Warning 3 – Error 4 – Invalid Copy 5 – Eval Expired 6 - Grace Period. For FortiFlex, there is a two-hour grace period to begin passing traffic upon retrieving the license from FortiCare. |
Code |
2xx, 3xx – Success 200 – Valid 202 – Accepted (treated as correct response code) 4xx - Error 400 – Expired 401 – Duplicate 5xx – Warning 500 - Warning 502 – Invalid. Cannot connect to FortiGuard Distribution Servers 6xx – Evaluation license expired
Other codes - Error |
The following are examples of common combinations:
This combination indicates the license is valid and functioning normally:
valid: 1 status: 1 code: 200
This combination indicates the license itself is valid, but is running on a duplicate instance:
valid: 1 status: 4 code: 401
This combination indicates the system cannot connect to FortiGuard:
valid: 0 status: 2 code: 502
This combination indicates the license is expired and invalid:
valid: 0 status: 3 code: 400
This combination indicates the VM is unlicensed:
valid: 0 status: 3 code: 0
For FortiFlex licenses, the following command allows you to enter the license token and proxy information:
# execute vm-license <token> https://<username>:<password>@<proxy IP address>:<proxy port>
FortiOS can receive the following error codes from the FortiCare server:
1 - Runtime error (server unhandled error on FortiCare sever)
57 - License Token is invalid
58 - License Token is already used and cannot be used again to retrieve license key
The FortiGate can generate the following error code:
60 - Failed to request forticare license. Failed to download VM license.
Contact Fortinet Support for assistance if your licensing issue persists.
Customizing the FortiFlex license token activation retry parameters NEW
FortiOS supports the customization of the retries for FortiFlex license token activation. The token activation number of retries and the interval between each attempt can be configured using the following commands, respectively:
execute vm-license-options count <integer> execute vm-license-options interval <interval length in seconds>
If the |
To define the FortiFlex token activation parameters:
-
Set the number of retries allowed:
execute vm-license-options count 4
-
Set the retry interval:
execute vm-license-options interval 5
-
Activate the license. The FortiFlex license token will be requested four times, with an interval of five seconds in between, as set.
-
If the license cannot be verified within the set amount of retries, the download will fail:
# execute vm-license F4FC697D65428013FAKE
This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Failed to download VM license. -
If the license can be verified within the set number of retries, the VM license will be successfully installed:
# execute vm-license 227602862F7E6E9XXXX
This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) VM license install succeeded. Rebooting firewall.
-
FortiFlex token activation parameters can also be defined in an ISO file using the mime user-data.
To define the parameters in an ISO file:
-
Create a config drive ISO with a MIME file:
Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="license.txt "LICENSE-TOKEN: 334ADF7B49F2FEC1XXXX INTERVAL: 5 COUNT: 4
See Cloud-init using config drive for more information.
-
Attach the ISO config drive at boot time. See Cloud-init for more information.
-
Boot up the VM and verify the token activation parameters:
# diagnose debug cloudinit show >> Found config drive /dev/sr0 >> Successfully mount config drive >> MIME parsed preconfig script >> MIME parsed VM token >> MIME parsed config script >> Found metadata source: config drive >> Run preconfig script >> FortiGate-VM64 conf sys global … >> Trying to install vmlicense ... >> License-token:334ADF7B49F2FEC1XXXX INTERVAL:5 COUNT:4 >> Run config script