Obtain FortiCare-generated license and certificates for GCP PAYG instances

GCP PAYG instances can obtain FortiCare-generated licenses upon a new deployment, or from the CLI (execute vm-license) when upgrading from previous firmware. The process generates Fortinet_Factory and Fortinet_Factory_Backup certificates whose common name (CN) is the FortiGate serial number, which uniquely identifies this FortiGate.

Installing a new deployment

A newly deployed instance automatically retrieves the signed certificate from FortiCare. Approximately 30 seconds after the instance boots, it gets the certificate and reboots once to install it.

To verify the installation in a new deployment:
  1. Enable debugging and check the update status:
    # diagnose debug enable
    # diagnose debug update -1
    Debug messages will be on for 30 minutes.
    VM license install succeeded. Rebooting firewall.
  2. After the reboot, verify the license information:
    # diagnose debug vm-print-license 
    SerialNumber: FGVM04TM********
    CreateDate: Tue Jun 8 02:30:19 2021
    Key: yes
    Cert: yes
    Key2: yes
    Cert2: yes
    Model: PG (22)
    CPU: 2147483647 
    MEM: 2147483647
  3. Verify the Fortinet_Factory certificate information (the CN is the serial number):
    config vpn certificate local 
        # get Fortinet_Factory
        name                : Fortinet_Factory
        password            : * 
        private-key         : *
        certificate         : 
                Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGVM04TM********, emailAddress = support@fortinet.com
                Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
                Valid from:  2021-06-08 02:30:19  GMT
                Valid to:    2056-01-19 03:14:07  GMT
                ...

Upgrading the firmware

To obtain a FortiCare-generated license during an upgrade:
  1. Before upgrading, verify the Fortinet_Factory certificate information (the CN is FortiGate):
    config vpn certificate local 
        # get Fortinet_Factory
        name                : Fortinet_Factory
        password            : * 
        private-key         : *
        certificate         : 
                Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com
                Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
                Valid from:  2016-11-30 19:58:17  GMT
                Valid to:    2056-11-20 19:58:07  GMT
                ...
  2. Verify the license information:
    # diagnose debug vm-print-license 
    SerialNumber: FGTMCGPH********
    CreateDate: 1623112103
    Model: PG (22)
    CPU: 2147483647 
    MEM: 2147483647

    Since there is no unique certificate from FortiCare, there are no Key, Cert, Key2, or Cert2 fields.

  3. Upgrade the firmware and update the license:
    # execute vm-license
    This operation will reboot the system !
    Do you want to continue? (y/n)y
    
    Get instance JWT token
    Requesting FortiCare license: FGTMCGPH********
    VM license install succeeded. Rebooting firewall.
  4. Verify the new Fortinet_Factory certificate information (the CN is the serial number):
    config vpn certificate local 
        # get Fortinet_Factory
        name                : Fortinet_Factory
        password            : * 
        private-key         : *
        certificate         : 
                Subject:     C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGTMCGPH********, emailAddress = support@fortinet.com
                Issuer:      C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
                Valid from:  2021-06-08 02:30:19  GMT
                Valid to:    2056-01-19 03:14:07  GMT
                ...
  5. Verify the license information (the Key, Cert, Key2, and Cert2 fields are now available):
    # diagnose debug vm-print-license 
    SerialNumber: FGTMCGPH********
    CreateDate: Tue Jun 8 02:30:19 2021
    Key: yes
    Cert: yes
    Key2: yes
    Cert2: yes
    Model: PG (22)
    CPU: 2147483647 
    MEM: 2147483647
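
The checks in both procedures can be run over saved CLI output when auditing several instances. The following is an added example, not Fortinet's code: it parses captured `diagnose debug vm-print-license` and `get Fortinet_Factory` output and reports instances that still have the generic certificate. The function names and the sample serial number are assumptions made for illustration.

```python
import re

# Constructed captures modelled on the outputs above; the serial number
# is a made-up placeholder (the page masks the real ones).
SERIAL = "FGTMCGPH00000000"
LICENSE_BEFORE = f"SerialNumber: {SERIAL}\nCreateDate: 1623112103\nModel: PG (22)\n"
LICENSE_AFTER = (f"SerialNumber: {SERIAL}\nCreateDate: Tue Jun 8 02:30:19 2021\n"
                 "Key: yes\nCert: yes\nKey2: yes\nCert2: yes\nModel: PG (22)\n")
CERT_TMPL = ("        Subject:     C = US, O = Fortinet, OU = FortiGate, CN = {cn}, "
             "emailAddress = support@fortinet.com\n"
             "        Issuer:      C = US, O = Fortinet, OU = Certificate Authority, "
             "CN = fortinet-subca2001, emailAddress = support@fortinet.com\n")
CERT_BEFORE = CERT_TMPL.format(cn="FortiGate")
CERT_AFTER = CERT_TMPL.format(cn=SERIAL)

def parse_license(text):
    """Return {field: value} from 'diagnose debug vm-print-license' output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def subject_cn(text):
    """Return the CN of the Subject line only; the Issuer line also carries a CN."""
    for line in text.splitlines():
        if line.strip().startswith("Subject:"):
            match = re.search(r"\bCN\s*=\s*([^,]+)", line)
            return match.group(1).strip() if match else None
    return None

def audit(license_text, cert_text):
    """Return a list of findings; an empty list means the unique certificate is installed."""
    lic = parse_license(license_text)
    serial, cn = lic.get("SerialNumber"), subject_cn(cert_text)
    if not serial or not cn:
        return ["could not parse serial number or certificate subject"]
    findings = []
    missing = [f for f in ("Key", "Cert", "Key2", "Cert2") if lic.get(f) != "yes"]
    if missing:
        findings.append("license lacks " + ", ".join(missing))
    if cn == "FortiGate":
        findings.append("Fortinet_Factory still has the generic CN 'FortiGate'")
    elif cn != serial:
        findings.append(f"certificate CN {cn!r} does not match serial {serial!r}")
    return findings
```

An empty result from `audit()` corresponds to the state shown in steps 4 and 5; any finding means `execute vm-license` has not completed on that instance.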
