Injecting FortiFlex license via web proxy 7.0.4

You can inject a FortiFlex license into a FortiGate-VM instance via a web proxy. This enhancement allows a FortiGate-VM in an environment where it can only access the Internet via a web proxy to inject a FortiFlex license.

The process of injecting the FortiFlex license via a web proxy consists of the following steps:

  1. Ensure that the FortiGate-VM has Internet connectivity properly configured.
  2. Injecting a FortiFlex license into a FortiGate-VM instance. You can inject the FortiGate-VM instance with a FortiFlex license in one of the following ways:
    1. Using the FortiOS CLI. See "To inject a FortiFlex license into the FortiGate-VM instance via the FortiOS CLI".
    2. Using an OVF template. See "To inject a FortiFlex license into the FortiGate-VM instance via an OVF template".
    3. Using cloud-init. See "To inject a FortiFlex license into the FortiGate-VM instance via cloud-init".
  3. Confirming that the license token is injected
  4. Configuring web proxy tunneling for FDN

Injecting a FortiFlex license into a FortiGate-VM instance

To inject a FortiFlex license into the FortiGate-VM instance via the FortiOS CLI:

You can use the following command to inject a FortiFlex license into the FortiGate-VM instance:

    execute vm-license <license_token> <proxy>

The following are examples of the syntax for <proxy>:

    http://user:password@proxyip:proxyport
    user:password@proxyip:proxyport

The following shows an example of the command with each proxy syntax:

    exec vm-license 58923569A3FFB7F46879 http://qa:123456@10.1.100.74:8080
    exec vm-license 95D87F50C075C6F20EE7 hazel:123456@10.1.100.74:8080

To inject a FortiFlex license into the FortiGate-VM instance via an OVF template:

While launching a new FGT-VM64 with vCenter, enter <license_token> http://user:password@proxyip:proxyport in the Customize template > License Token field. In the example, 95D87F50C075C6F20EE7 hazel:123456@10.1.100.74:8080 is entered in the License Token field.

To inject a FortiFlex license into the FortiGate-VM instance via cloud-init:

The following are the MIME files that you can use to inject a FortiFlex license into a FortiGate-VM instance using cloud-init. The first file contains configuration information for the FortiGate-VM, while the second file contains the license token information.

    Content-Type: multipart/mixed; boundary="===============0740947994048919689=="
    MIME-Version: 1.0

    --===============0740947994048919689==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="config"

    config sys glo
    set hostname FGT-MSSP-MIME
    set admintimeout 480
    end
    ......

    --===============0740947994048919689==
    Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: attachment; filename="license"

    LICENSE-TOKEN:FF69500C90C1604F71EE

    --===============0740947994048919689==--

See cloud-init Documentation for details.

Confirming that the license token is injected

To confirm that the license token is injected:

    diagnose debug cloudinit show
    >> Checking metadata source ovf
    >> Found metadata source: ovf
    >> Trying to install vmlicense ...
    >> License-token:95D87F50C075C6F20EE7 http://qa:123456@10.1.100.74:8080
    >> Config script is not available

    get system status
    Version: FortiGate-VM64 v7.0.4,build0292,220115 (interim)
    Serial-Number: FGVMMLTM111111
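
The diagnose debug cloudinit show output above prints the license token and the proxy URL, including the proxy password, in clear text. The following Python helper is an added example, not part of the Fortinet documentation, that masks both before such output is pasted into a ticket or log archive; the function names and the 20-hex-character token pattern (inferred from the tokens on this page) are assumptions.

```python
import re

MASK = "<redacted>"
# Password inside "[http://]user:password@host:port", the two <proxy> forms above.
PROXY_RE = re.compile(
    r"(?P<pre>(?:https?://)?[^\s:/@]+:)(?P<pw>[^\s@]+)(?P<post>@[^\s:/@]+:\d+)")
# Assumption: 20 hex characters, inferred from the sample tokens on this page.
TOKEN_RE = re.compile(
    r"(?i)(?P<pre>license-token:\s*|vm-license\s+)(?P<tok>[0-9a-f]{20})\b")


def redact(text: str) -> str:
    """Mask proxy passwords and all but the last 4 characters of tokens."""
    text = PROXY_RE.sub(lambda m: m["pre"] + MASK + m["post"], text)
    return TOKEN_RE.sub(lambda m: m["pre"] + "*" * 16 + m["tok"][-4:], text)


def find_secrets(text: str) -> list:
    """Return 1-based line numbers that still carry a token or proxy password."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        leaked_pw = any(m["pw"] != MASK for m in PROXY_RE.finditer(line))
        if leaked_pw or TOKEN_RE.search(line):
            hits.append(n)
    return hits


# Sample lines copied from the output and commands shown on this page.
SAMPLE = """\
>> Found metadata source: ovf
>> License-token:95D87F50C075C6F20EE7 http://qa:123456@10.1.100.74:8080
exec vm-license 95D87F50C075C6F20EE7 hazel:123456@10.1.100.74:8080
Serial-Number: FGVMMLTM111111
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```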

Configuring web proxy tunneling for FDN

After the FortiFlex license is installed, the FortiGate-VM must validate the license on FDN servers. You can also configure a proxy to accomplish this.

To configure web proxy tunneling for FDN:

    config system autoupdate tunneling
        set status enable
        set address "<web proxy IP address or FQDN>"
        set port <web proxy port>
        set username "<username>"
        set password <password>
    end

It may take a while for FortiGate-VM to be able to validate the VM license and update UTM signatures from FortiGuard. The following shows the output from get system status when the FortiGate-VM has completed the validation and update:

    Version: FortiGate-VM64 v7.0.4,build0292,220115 (interim)
    Virus-DB: 89.08825(2022-01-18 21:26)
    Extended DB: 89.08825(2022-01-18 21:26)
    Extreme DB: 1.00000(2018-04-09 18:07)
    AV AI/ML Model: 2.04168(2022-01-18 18:45)
    IPS-DB: 6.00741(2015-12-01 02:30)
    IPS-ETDB: 19.00243(2022-01-18 01:30)
    APP-DB: 19.00243(2022-01-18 01:30)
    INDUSTRIAL-DB: 19.00243(2022-01-18 01:30)
    IPS Malicious URL Database: 3.00246(2022-01-18 20:50)
    Serial-Number: FGVMMLTM111111
    License Status: Valid
    License Expiration Date: 2022-10-31
    VM Resources: 1 CPU/2 allowed, 2007 MB RAM
    Log hard disk: Available
    Hostname: FGT-DEMO
    Private Encryption: Disable
    Operation Mode: NAT
    Current virtual domain: root
    Max number of virtual domains: 1
    Virtual domains status: 1 in NAT mode, 0 in TP mode
    Virtual domain configuration: disable
    FIPS-CC mode: disable
    Current HA mode: standalone
    Branch point: 0292
    Release Version Information: interim
    FortiOS x86-64: Yes
    System time: Tue Jan 18 21:46:36 2022
    Last reboot reason: warm reboot
