Fortinet white logo
Fortinet white logo

Administration Guide

VM license

VM license

You can access the FortiGate VM License page from the Dashboard > Status page in the Virtual Machine widget. Click the device license and select FortiGate VM License.

The FortiGate VM License page displays the following information:

Field

Description

License status

Displays one of the following statuses:

  • Valid: VM can connect and validate the license against a FortiManager or FortiGuard server. All features are available.
  • Warning: VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is less than 30 days, the status does not change.

    Reasons for having a warning status include:

    • The network environment does not allow the FortiGate-VM to connect to the FortiGuard server within 30 days.
    • The license is expired but within the 30-day grace period. Check the expiration date for evaluation or term-based licenses.
  • Duplicate copy: license is a duplicate copy. FortiGuard returns code 401, and FortiOS sets the license status as an invalid copy. FortiGate firewall policy continues to work during this state. If the FortiGate keeps the duplicate copy status for more than 24 hours, the status changes to invalid.

As you cannot access Dashboard > Status page in the Virtual Machine widget when the license is in one of the following statuses, they do not display in the License status field:

  • Invalid: VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is 30 days or more, the status changes to invalid. This status also occurs if the duplicate copy status persists for more than 24 hours. FortiOS restricts GUI access until a valid license is uploaded. Firewall policies do not work. FortiGuard downloads are unavailable. When the status is invalid, upon login, FortiOS redirects you to the VM license upload page.

    Reasons for having an invalid status include:

    • The VM license is expired and has passed the grace period.

    • Another VM has been already validated with FortiGuard using the same license. See Technical Note: VM License activation for details about duplicated VM instances.
  • Pending: temporary state where the VM attempts to validate its license. The GUI displays a loading page with the message License is being validated by FortiGuard.

Allocated vCPUs

Number of allocated and total allowable vCPUs

Allocated RAM

Amount of allocated RAM. There are no RAM restrictions.

Expires on

Expiry date (value depends on the type of license)

This information is visible in the CLI by running get system status (see CLI troubleshooting).

Uploading a license file

After you submit an order for a FortiGate-VM, Fortinet sends a license registration code to the email address that you entered in the order form. Use this code on the FortiCloud portal to register the FortiGate-VM.

Once the VM is registered, you can download the license file in .LIC format. On the FortiGate VM License page, click Upload. The system prompts you to reboot and validate the license with the FortiGuard server. Once validated, your FortiGate-VM is fully functional.

The VM license window may also appear immediately after logging in if you are running a VM with an evaluation license that has expired.

In cases where the GUI is not accessible, you can upload the license using secure copy (SCP).

To upload the license using SCP:
  1. Enable SCP:
    config system global
        set admin-scp enable
    end
  2. Enable SSH in the administrative access for the interface where the transfer will take place:
    config system interface
        edit <interface>
            append allowaccess ssh
        next
    end
  3. On your computer, upload the VM license. This example is for Linux:
    scp <filename> <admin-user>@<FortiGate_IP>:vmlicense

VM license types

FortiGate-VM offers perpetual licensing (normal series and V-series) and annual subscription licensing (S-series). SKUs are based on the number of vCPUs (1, 2, 4, 8, 16, 32, or unlimited).

FortiOS 7.2.1 introduces a new permanent trial license, and moves away from the 15-day trial license. See Permanent trial mode for FortiGate-VM.

The FortiFlex program allows qualified enterprise and MSSP customers to create as many VM entitlements as required. Resource consumption is based upon predefined points that are calculated on a daily basis.

Feature

Normal series

Trial

V-series

S-series

FortiFlex

Licensing and support

The VM base is perpetual.

You must separately contract support services on an annual basis.

See the price list for details.

Hardware configuration restrictions apply. Support is not available.

The VM base is perpetual.

You must separately contract support services on an annual basis.

See the price list for details.

Single annually contracted SKU that contains a VM base and a FortiCare service bundle.

Four support service bundle types are available:

  • Only FortiCare
  • UTM
  • Enterprise
  • ATP

An annually contracted program to create multiple sets of a single entitlement per VM. Entitlements contain a VM base and FortiCare bundle.

Four support service bundle types are available:

  • Only FortiCare
  • UTM
  • Enterprise
  • ATP

vCPU number upgrade during contracted term

Not supported.

Supported. You can also upgrade the support service bundle.

Contact a Fortinet sales representative to upgrade.

Supported. You can apply different VM entitlement configurations in the FortiFlex portal. API is not supported at this time.

vCPU number downgrade during contracted term

Not supported.

VDOM support

By default, each CPU level supports up to a certain number of VDOMs.

Refer to the FortiGate-VM data sheet for default limits.

VDOMs are supported, but restricted by the CPU allowance for the trial license.

By default, all CPU levels do not support adding VDOMs.

By default, all CPU levels do not support adding VDOMs.

S-series VM instances support the subscription VDOM license.

Applying a FortiFlex token

You can apply a FortiFlex token n the FortiGate VM License page for the following VM instance types:

  • Newly deployed or expired FortiGate-VM instances. After logging into the FortiOS GUI, a FortiFlex token option is available when the license popup appears.
  • Already licensed FortiGate-VM instances. You can go to this page from the Virtual Machine dashboard widget or from System > FortiGuard. FortiFlex token option is available for migrating into FortiFlex.

Consuming a new vCPU

In 7.2.4 and later versions, FortiGate-VM supports automatic vCPU hot-add/hot-remove to the limit of the license entitlement after activating an S-series license or a FortiFlex license. This enhancement removes the requirement for the CLI command execute cpu add to be run or a reboot to be performed when the FortiGate-VM has a lower number of vCPUs allocated than the licensed number of vCPUs.

CLI troubleshooting

In some cases, you can view more information from the CLI to diagnose issues with VM licensing. This is also useful when the GUI is inaccessible due to an invalid contract.

Before you begin, ensure your FortiGate has the proper routes to connect to the internet. Run all following debug commands for a full picture of the issue.

To view the license status, expiration date, and VM resources:
# get system status
Version: FortiGate-VM64-KVM v6.4.2,build1723,200730 (GA)
...
Serial-Number: FGVM08**********
....
License Status: Valid
License Expiration Date: 2020-12-10
VM Resources: 1 CPU/8 allowed, 2010 MB RAM
...
To display license details:
# diagnose debug vm-print-license
SerialNumber: FGVM08**********
CreateDate: Tue Dec 10 00:57:32 2019
License expires: Thu Dec 10 00:00:00 2020
Expiry: 366
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 08 (11)
CPU: 8
MEM: 2147483647
To display license information from FortiGuard:
# diagnose hardware sysinfo vm full
UUID:     abbe****************************
valid:    1
status:   1
code:     200
warn:     0
copy:     0
received: 4604955037
warning:  4600905081
recv:     202009152207
dup:

Field

Value and description

Valid

0 – Invalid

1 – Valid

Status

0 – Startup

1 – Success

2 – Warning

3 – Error

4 – Invalid Copy

5 – Eval Expired

6 - Grace Period. For FortiFlex, there is a two-hour grace period to begin passing traffic upon retrieving the license from FortiCare.

Code

2xx, 3xx – Success

200 – Valid

202 – Accepted (treated as correct response code)

4xx - Error

400 – Expired

401 – Duplicate

5xx – Warning

500 - Warning

502 – Invalid. Cannot connect to FortiGuard Distribution Servers

6xx – Evaluation license expired

Other codes - Error

The following are examples of common combinations:

This combination indicates the license is valid and functioning normally:

valid: 1
status: 1
code: 200

This combination indicates the license itself is valid, but is running on a duplicate instance:

valid: 1
status: 4
code: 401

This combination indicates the system cannot connect to FortiGuard:

valid:    0
status:   2
code:     502

This combination indicates the license is expired and invalid:

valid: 0
status: 3
code: 400

This combination indicates the VM is unlicensed:

valid: 0
status: 3
code: 0

For FortiFlex licenses, the following command allows you to enter the license token and proxy information:

# execute vm-license <token> https://<username>:<password>@<proxy IP address>:<proxy port>

FortiOS can receive the following error codes from the FortiCare server:

1 - Runtime error (server unhandled error on FortiCare sever)

57 - License Token is invalid

58 - License Token is already used and cannot be used again to retrieve license key

The FortiGate can generate the following error code:

60 - Failed to request forticare license. Failed to download VM license.

Contact Fortinet Support for assistance if your licensing issue persists.

Customizing the FortiFlex license token activation retry parameters NEW

FortiOS supports the customization of the retries for FortiFlex license token activation. The token activation number of retries and the interval between each attempt can be configured using the following commands, respectively:

execute vm-license-options count <integer>
execute vm-license-options interval <interval length in seconds>
Note

If the vm-license-options count is set to zero, the token activation will retry indefinitely until success.

To define the FortiFlex token activation parameters:
  1. Set the number of retries allowed:

    execute vm-license-options count 4
  2. Set the retry interval:

    execute vm-license-options interval 5
  3. Activate the license. The FortiFlex license token will be requested four times, with an interval of five seconds in between, as set.

    • If the license cannot be verified within the set amount of retries, the download will fail:

      # execute vm-license F4FC697D65428013FAKE
      
      This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Failed to download VM license.
    • If the license can be verified within the set number of retries, the VM license will be successfully installed:

      # execute vm-license 227602862F7E6E9XXXX
      
      This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) VM license install succeeded. Rebooting firewall.

FortiFlex token activation parameters can also be defined in an ISO file using the mime user-data.

To define the parameters in an ISO file:
  1. Create a config drive ISO with a MIME file:

    Content-Type: text/plain; charset="us-ascii" 
    MIME-Version: 1.0 
    Content-Transfer-Encoding: 7bit 
    Content-Disposition: attachment; filename="license.txt
    "LICENSE-TOKEN: 334ADF7B49F2FEC1XXXX INTERVAL: 5 COUNT: 4

    See Cloud-init using config drive for more information.

  2. Attach the ISO config drive at boot time. See Cloud-init for more information.

  3. Boot up the VM and verify the token activation parameters:

    # diagnose debug cloudinit show
     >> Found config drive /dev/sr0
     >> Successfully mount config drive
     >> MIME parsed preconfig script
     >> MIME parsed VM token
     >> MIME parsed config script
     >> Found metadata source: config drive
     >> Run preconfig script
     >> FortiGate-VM64  conf sys global
     …
     >> Trying to install vmlicense ...
     >> License-token:334ADF7B49F2FEC1XXXX INTERVAL:5 COUNT:4
     >> Run config script

VM license

VM license

You can access the FortiGate VM License page from the Dashboard > Status page in the Virtual Machine widget. Click the device license and select FortiGate VM License.

The FortiGate VM License page displays the following information:

Field

Description

License status

Displays one of the following statuses:

  • Valid: VM can connect and validate the license against a FortiManager or FortiGuard server. All features are available.
  • Warning: VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is less than 30 days, the status does not change.

    Reasons for having a warning status include:

    • The network environment does not allow the FortiGate-VM to connect to the FortiGuard server within 30 days.
    • The license is expired but within the 30-day grace period. Check the expiration date for evaluation or term-based licenses.
  • Duplicate copy: license is a duplicate copy. FortiGuard returns code 401, and FortiOS sets the license status as an invalid copy. FortiGate firewall policy continues to work during this state. If the FortiGate keeps the duplicate copy status for more than 24 hours, the status changes to invalid.

As you cannot access Dashboard > Status page in the Virtual Machine widget when the license is in one of the following statuses, they do not display in the License status field:

  • Invalid: VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is 30 days or more, the status changes to invalid. This status also occurs if the duplicate copy status persists for more than 24 hours. FortiOS restricts GUI access until a valid license is uploaded. Firewall policies do not work. FortiGuard downloads are unavailable. When the status is invalid, upon login, FortiOS redirects you to the VM license upload page.

    Reasons for having an invalid status include:

    • The VM license is expired and has passed the grace period.

    • Another VM has been already validated with FortiGuard using the same license. See Technical Note: VM License activation for details about duplicated VM instances.
  • Pending: temporary state where the VM attempts to validate its license. The GUI displays a loading page with the message License is being validated by FortiGuard.

Allocated vCPUs

Number of allocated and total allowable vCPUs

Allocated RAM

Amount of allocated RAM. There are no RAM restrictions.

Expires on

Expiry date (value depends on the type of license)

This information is visible in the CLI by running get system status (see CLI troubleshooting).

Uploading a license file

After you submit an order for a FortiGate-VM, Fortinet sends a license registration code to the email address that you entered in the order form. Use this code on the FortiCloud portal to register the FortiGate-VM.

Once the VM is registered, you can download the license file in .LIC format. On the FortiGate VM License page, click Upload. The system prompts you to reboot and validate the license with the FortiGuard server. Once validated, your FortiGate-VM is fully functional.

The VM license window may also appear immediately after logging in if you are running a VM with an evaluation license that has expired.

In cases where the GUI is not accessible, you can upload the license using secure copy (SCP).

To upload the license using SCP:
  1. Enable SCP:
    config system global
        set admin-scp enable
    end
  2. Enable SSH in the administrative access for the interface where the transfer will take place:
    config system interface
        edit <interface>
            append allowaccess ssh
        next
    end
  3. On your computer, upload the VM license. This example is for Linux:
    scp <filename> <admin-user>@<FortiGate_IP>:vmlicense

VM license types

FortiGate-VM offers perpetual licensing (normal series and V-series) and annual subscription licensing (S-series). SKUs are based on the number of vCPUs (1, 2, 4, 8, 16, 32, or unlimited).

FortiOS 7.2.1 introduces a new permanent trial license, and moves away from the 15-day trial license. See Permanent trial mode for FortiGate-VM.

The FortiFlex program allows qualified enterprise and MSSP customers to create as many VM entitlements as required. Resource consumption is based upon predefined points that are calculated on a daily basis.

Feature

Normal series

Trial

V-series

S-series

FortiFlex

Licensing and support

The VM base is perpetual.

You must separately contract support services on an annual basis.

See the price list for details.

Hardware configuration restrictions apply. Support is not available.

The VM base is perpetual.

You must separately contract support services on an annual basis.

See the price list for details.

Single annually contracted SKU that contains a VM base and a FortiCare service bundle.

Four support service bundle types are available:

  • Only FortiCare
  • UTM
  • Enterprise
  • ATP

An annually contracted program to create multiple sets of a single entitlement per VM. Entitlements contain a VM base and FortiCare bundle.

Four support service bundle types are available:

  • Only FortiCare
  • UTM
  • Enterprise
  • ATP

vCPU number upgrade during contracted term

Not supported.

Supported. You can also upgrade the support service bundle.

Contact a Fortinet sales representative to upgrade.

Supported. You can apply different VM entitlement configurations in the FortiFlex portal. API is not supported at this time.

vCPU number downgrade during contracted term

Not supported.

VDOM support

By default, each CPU level supports up to a certain number of VDOMs.

Refer to the FortiGate-VM data sheet for default limits.

VDOMs are supported, but restricted by the CPU allowance for the trial license.

By default, all CPU levels do not support adding VDOMs.

By default, all CPU levels do not support adding VDOMs.

S-series VM instances support the subscription VDOM license.

Applying a FortiFlex token

You can apply a FortiFlex token n the FortiGate VM License page for the following VM instance types:

  • Newly deployed or expired FortiGate-VM instances. After logging into the FortiOS GUI, a FortiFlex token option is available when the license popup appears.
  • Already licensed FortiGate-VM instances. You can go to this page from the Virtual Machine dashboard widget or from System > FortiGuard. FortiFlex token option is available for migrating into FortiFlex.

Consuming a new vCPU

In 7.2.4 and later versions, FortiGate-VM supports automatic vCPU hot-add/hot-remove to the limit of the license entitlement after activating an S-series license or a FortiFlex license. This enhancement removes the requirement for the CLI command execute cpu add to be run or a reboot to be performed when the FortiGate-VM has a lower number of vCPUs allocated than the licensed number of vCPUs.

CLI troubleshooting

In some cases, you can view more information from the CLI to diagnose issues with VM licensing. This is also useful when the GUI is inaccessible due to an invalid contract.

Before you begin, ensure your FortiGate has the proper routes to connect to the internet. Run all following debug commands for a full picture of the issue.

To view the license status, expiration date, and VM resources:
# get system status
Version: FortiGate-VM64-KVM v6.4.2,build1723,200730 (GA)
...
Serial-Number: FGVM08**********
....
License Status: Valid
License Expiration Date: 2020-12-10
VM Resources: 1 CPU/8 allowed, 2010 MB RAM
...
To display license details:
# diagnose debug vm-print-license
SerialNumber: FGVM08**********
CreateDate: Tue Dec 10 00:57:32 2019
License expires: Thu Dec 10 00:00:00 2020
Expiry: 366
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 08 (11)
CPU: 8
MEM: 2147483647
To display license information from FortiGuard:
# diagnose hardware sysinfo vm full
UUID:     abbe****************************
valid:    1
status:   1
code:     200
warn:     0
copy:     0
received: 4604955037
warning:  4600905081
recv:     202009152207
dup:

Field

Value and description

Valid

0 – Invalid

1 – Valid

Status

0 – Startup

1 – Success

2 – Warning

3 – Error

4 – Invalid Copy

5 – Eval Expired

6 - Grace Period. For FortiFlex, there is a two-hour grace period to begin passing traffic upon retrieving the license from FortiCare.

Code

2xx, 3xx – Success

200 – Valid

202 – Accepted (treated as correct response code)

4xx - Error

400 – Expired

401 – Duplicate

5xx – Warning

500 - Warning

502 – Invalid. Cannot connect to FortiGuard Distribution Servers

6xx – Evaluation license expired

Other codes - Error

The following are examples of common combinations:

This combination indicates the license is valid and functioning normally:

valid: 1
status: 1
code: 200

This combination indicates the license itself is valid, but is running on a duplicate instance:

valid: 1
status: 4
code: 401

This combination indicates the system cannot connect to FortiGuard:

valid:    0
status:   2
code:     502

This combination indicates the license is expired and invalid:

valid: 0
status: 3
code: 400

This combination indicates the VM is unlicensed:

valid: 0
status: 3
code: 0

For FortiFlex licenses, the following command allows you to enter the license token and proxy information:

# execute vm-license <token> https://<username>:<password>@<proxy IP address>:<proxy port>

FortiOS can receive the following error codes from the FortiCare server:

1 - Runtime error (server unhandled error on FortiCare sever)

57 - License Token is invalid

58 - License Token is already used and cannot be used again to retrieve license key

The FortiGate can generate the following error code:

60 - Failed to request forticare license. Failed to download VM license.

Contact Fortinet Support for assistance if your licensing issue persists.

Customizing the FortiFlex license token activation retry parameters NEW

FortiOS supports the customization of the retries for FortiFlex license token activation. The token activation number of retries and the interval between each attempt can be configured using the following commands, respectively:

execute vm-license-options count <integer>
execute vm-license-options interval <interval length in seconds>
Note

If the vm-license-options count is set to zero, the token activation will retry indefinitely until success.

To define the FortiFlex token activation parameters:
  1. Set the number of retries allowed:

    execute vm-license-options count 4
  2. Set the retry interval:

    execute vm-license-options interval 5
  3. Activate the license. The FortiFlex license token will be requested four times, with an interval of five seconds in between, as set.

    • If the license cannot be verified within the set amount of retries, the download will fail:

      # execute vm-license F4FC697D65428013FAKE
      
      This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Failed to download VM license.
    • If the license can be verified within the set number of retries, the VM license will be successfully installed:

      # execute vm-license 227602862F7E6E9XXXX
      
      This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) VM license install succeeded. Rebooting firewall.

FortiFlex token activation parameters can also be defined in an ISO file using the mime user-data.

To define the parameters in an ISO file:
  1. Create a config drive ISO with a MIME file:

    Content-Type: text/plain; charset="us-ascii" 
    MIME-Version: 1.0 
    Content-Transfer-Encoding: 7bit 
    Content-Disposition: attachment; filename="license.txt
    "LICENSE-TOKEN: 334ADF7B49F2FEC1XXXX INTERVAL: 5 COUNT: 4

    See Cloud-init using config drive for more information.

  2. Attach the ISO config drive at boot time. See Cloud-init for more information.

  3. Boot up the VM and verify the token activation parameters:

    # diagnose debug cloudinit show
     >> Found config drive /dev/sr0
     >> Successfully mount config drive
     >> MIME parsed preconfig script
     >> MIME parsed VM token
     >> MIME parsed config script
     >> Found metadata source: config drive
     >> Run preconfig script
     >> FortiGate-VM64  conf sys global
     …
     >> Trying to install vmlicense ...
     >> License-token:334ADF7B49F2FEC1XXXX INTERVAL:5 COUNT:4
     >> Run config script