Fortinet white logo
Fortinet white logo

Administration Guide

VM license

VM license

You can access FortiGate VM License from Dashboard > Status in the Virtual Machine widget. Click the device license and select FortiGate VM License.

FortiGate VM License displays the following information:

Field

Description

License status

Displays one of the following statuses:

  • Valid: VM can connect and validate the license against a FortiManager or FortiGuard server. All features are available.
  • Validation overdue: VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is less than 30 days, the status does not change. You may be seeing this status because the network environment does not allow the FortiGate-VM to connect to the FortiGuard server within 30 days.
  • 30 day Grace Period: license is expired but within the 30-day grace period. Check the expiration date for evaluation or term-based licenses.
  • Duplicate copy: license is a duplicate copy. FortiGuard returns code 401 and FortiOS sets the license status as an invalid copy. FortiGate firewall policy continues to work during this state. If the FortiGate keeps the duplicate copy status for more than 24 hours, the status changes to invalid.

As you cannot access Dashboard > Status in the Virtual Machine widget when the license is in one of the following statuses, they do not display in the License status field:

  • Invalid: VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is 30 days or more, the status changes to invalid. This status also occurs if the duplicate copy status persists for more than 24 hours. FortiOS restricts GUI access until you upload a valid license. Firewall policies do not work. FortiGuard downloads are unavailable. When the status is invalid, upon login, FortiOS redirects you to the VM license upload page.

    Reasons for having an invalid status include:

    • The VM license is expired and has passed the grace period.

    • Another VM has been already validated with FortiGuard using the same license. See Technical Note: VM License activation for details about duplicated VM instances.
  • Pending: temporary state where the VM attempts to validate its license. The GUI displays a loading page with the message License is being validated by FortiGuard.

Allocated vCPUs

Number of allocated and total allowable vCPUs

Allocated RAM

Amount of allocated RAM. There are no RAM restrictions.

Expires on

Expiry date (value depends on the type of license)

This information is visible in the CLI by running get system status. See CLI troubleshooting.

Uploading a license file

After you submit an order for a FortiGate-VM, Fortinet sends a license registration code to the email address that you entered in the order form. Use this code on the FortiCloud portal to register the FortiGate-VM.

Once you have registered the VM, you can download the license file in .LIC format. In FortiGate VM License, click Upload. The system prompts you to reboot and validate the license with the FortiGuard server. Once validated, your FortiGate-VM is fully functional.

The VM license window may also appear immediately after logging in if you are running a VM with an evaluation license that has expired.

In cases where the GUI is inaccessible, you can upload the license using secure copy (SCP).

Tooltip

For information about injecting FortiFlex licenses, see Injecting the FortiFlex license.

To upload the license using SCP:
  1. Enable SCP:
    config system global
        set admin-scp enable
    end
  2. Enable SSH in the administrative access for the interface where the transfer will take place:
    config system interface
        edit <interface>
            append allowaccess ssh
        next
    end
  3. On your computer, upload the VM license. This example is for Linux:
    scp <filename> <admin-user>@<FortiGate_IP>:vmlicense

VM license types

FortiGate-VM offers perpetual licensing (normal series and V-series) and annual subscription licensing (S-series). SKUs are based on the number of vCPUs (1, 2, 4, 8, 16, 32, or unlimited).

FortiGate-VM has a permanent trial license. See Permanent trial mode for FortiGate-VM.

The FortiFlex program allows qualified enterprise and MSSP customers to create as many VM entitlements as required. Resource consumption is based upon predefined points that are calculated on a daily basis. See Program guide.

Feature

VM-Series

Trial

V-series

S-series

FortiFlex

Licensing and support

The VM base is perpetual. You must purchase separately FortiGuard and FortiCare services on an annual basis. See the price list for details.

Hardware configuration restrictions apply. Support is not available.

The VM base is perpetual. You must purchase separately FortiGuard and FortiCare services on an annual basis. See the price list for details.

Single annually contracted SKU that contains a VM base and a FortiCare/FortiGuard service bundle. Service bundles and a la carte services are available.

Annually contracted program to create multiple sets of a single entitlement per VM. Entitlements contain a VM base and FortiCare/FortiGuard bundle. Service bundles and a la carte services are available.

vCPU number upgrade or downgrade

Not supported.

Not supported. Not supported.

Supported via co-term. You can also upgrade the service bundle. Contact a Fortinet sales representative to upgrade.

Natively supported via the scale up/down feature.

VDOM support

By default, each CPU level supports up to a certain number of VDOMs. See the FortiGate-VM data sheet for default limits.

VDOMs are supported, but restricted by the CPU allowance for the trial license.

By default, all CPU levels do not support adding VDOMs, but you can add additional VDOMs via a subscription VDOM license.

By default, all CPU levels do not support adding VDOMs, but you can add additional VDOMs via the scale up/down feature.

Applying a FortiFlex token

You can apply a FortiFlex token in the FortiGate VM License page for the following VM instance types:

  • Newly deployed or expired FortiGate-VM instances. After logging into the FortiOS GUI, a FortiFlex token option is available when the license popup appears.
  • Already licensed FortiGate-VM instances. You can go to this page from the Virtual Machine dashboard widget or from System > FortiGuard. FortiFlex token option is available for migrating into FortiFlex.

Consuming a new vCPU

FortiGate-VM supports automatic vCPU hot-add/hot-remove to the limit of the license entitlement after activating an S-series license or a FortiFlex license. This enhancement removes the requirement of running the CLI command execute cpu add or performing a reboot when the FortiGate-VM has a lower number of vCPUs allocated than the licensed number of vCPUs.

CLI troubleshooting

In some cases, you can view more information from the CLI to diagnose issues with VM licensing. This is also useful when the GUI is inaccessible due to an invalid contract.

Before you begin, ensure your FortiGate has the proper routes to connect to the internet. Run all following debug commands for a full picture of the issue.

To view the license status, expiration date, and VM resources:
# get system status
Version: FortiGate-VM64-KVM v7.6.1,buildXXXX,200730 (GA)
...
Serial-Number: FGVM08**********
....
License Status: Valid
License Expiration Date: 2024-12-10
VM Resources: 1 CPU/8 allowed, 2010 MB RAM
...
To display license details:
# diagnose debug vm-print-license
SerialNumber: FGVM08**********
CreateDate: Tue Dec 10 00:57:32 2019
License expires: Thu Dec 10 00:00:00 2024
Expiry: 366
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 08 (11)
CPU: 8
MEM: 2147483647
To display license information from FortiGuard:
# diagnose hardware sysinfo vm full
UUID:     abbe****************************
valid:    1
status:   1
code:     200
warn:     0
copy:     0
received: 4604955037
warning:  4600905081
recv:     202009152207
dup:

Field

Value

Description

valid

0

Invalid

1

Valid

status

0

Startup

1

Success

2

Warning

3

Error

4

Invalid copy

5

Evaluation license expired

6

Grace period. For FortiFlex, there is a two-hour grace period to begin passing traffic upon retrieving the license from FortiCloud.

code

2xx, 3xx

Success

200

Valid

202

Accepted (treated as correct response code)

4xx

Error

400

Expired

401

Duplicate

5xx, 500

Warning

502

Invalid. Cannot connect to FortiGuard distribution servers

6xx

Evaluation license expired

Other codes

Error

The following are examples of common combinations:

Combination

Indicates...

valid: 1
status: 1
code: 200

License is valid and functioning normally.

valid: 1
status: 4
code: 401

License is valid but running on a duplicate instance.

valid:    0
status:   2
code:     502

System cannot connect to FortiGuard.

valid: 0
status: 3
code: 400

License is expired and invalid.

valid: 0
status: 3
code: 0

VM is unlicensed.

For FortiFlex licenses, the following command allows you to enter the license token and proxy information:

# execute vm-license <token> https://<username>:<password>@<proxy IP address>:<proxy port>

FortiOS can receive the following error codes from the FortiCare server:

1 - Runtime error (server unhandled error on FortiCare sever)

57 - License Token is invalid

58 - License Token is already used and cannot be used again to retrieve license key

The FortiGate can generate the following error code:

60 - Failed to request forticare license. Failed to download VM license.

Contact Fortinet Support for assistance if your licensing issue persists.

Customizing the FortiFlex license token activation retry parameters

FortiOS supports the customization of the retries for FortiFlex license token activation. You can configure the token activation number of retries and the interval between each attempt using the following commands, respectively:

execute vm-license-options count <integer>
execute vm-license-options interval <interval length in seconds>
Note

If you set vm-license-options count to zero, the token activation retries indefinitely until success.

To define the FortiFlex token activation parameters:
  1. Set the number of retries allowed:

    execute vm-license-options count 4
  2. Set the retry interval:

    execute vm-license-options interval 5
  3. Activate the license. FortiOS requests the FortiFlex license token four times, with an interval of five seconds in between, as set.

    • If FortiOS cannot verify the license within the set amount of retries, the download fails:

      # execute vm-license F4FC697D65428013FAKE
      
      This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Failed to download VM license.
    • If FortiOS can verify the license within the set number of retries, FortiOS successfully installs the VM license:

      # execute vm-license 227602862F7E6E9XXXX
      
      This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) VM license install succeeded. Rebooting firewall.

You can also define FortiFlex token activation parameters in an ISO file using the mime user-data.

To define the parameters in an ISO file:
  1. Create a config drive ISO with a MIME file:

    Content-Type: text/plain; charset="us-ascii" 
    MIME-Version: 1.0 
    Content-Transfer-Encoding: 7bit 
    Content-Disposition: attachment; filename="license.txt
    "LICENSE-TOKEN: 334ADF7B49F2FEC1XXXX INTERVAL: 5 COUNT: 4

    See Cloud-init using config drive for more information.

  2. Attach the ISO config drive at boot time. See Cloud-init for more information.

  3. Boot up the VM and verify the token activation parameters:

    # diagnose debug cloudinit show
     >> Found config drive /dev/sr0
     >> Successfully mount config drive
     >> MIME parsed preconfig script
     >> MIME parsed VM token
     >> MIME parsed config script
     >> Found metadata source: config drive
     >> Run preconfig script
     >> FortiGate-VM64  conf sys global
     …
     >> Trying to install vmlicense ...
     >> License-token:334ADF7B49F2FEC1XXXX INTERVAL:5 COUNT:4
     >> Run config script

VM license

VM license

You can access FortiGate VM License from Dashboard > Status in the Virtual Machine widget. Click the device license and select FortiGate VM License.

FortiGate VM License displays the following information:

Field

Description

License status

Displays one of the following statuses:

  • Valid: VM can connect and validate the license against a FortiManager or FortiGuard server. All features are available.
  • Validation overdue: VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is less than 30 days, the status does not change. You may be seeing this status because the network environment does not allow the FortiGate-VM to connect to the FortiGuard server within 30 days.
  • 30 day Grace Period: license is expired but within the 30-day grace period. Check the expiration date for evaluation or term-based licenses.
  • Duplicate copy: license is a duplicate copy. FortiGuard returns code 401 and FortiOS sets the license status as an invalid copy. FortiGate firewall policy continues to work during this state. If the FortiGate keeps the duplicate copy status for more than 24 hours, the status changes to invalid.

As you cannot access Dashboard > Status in the Virtual Machine widget when the license is in one of the following statuses, they do not display in the License status field:

  • Invalid: VM cannot connect and validate against a FortiManager or FortiGuard server. A check is made against how many days the warning status is continuous. If the number is 30 days or more, the status changes to invalid. This status also occurs if the duplicate copy status persists for more than 24 hours. FortiOS restricts GUI access until you upload a valid license. Firewall policies do not work. FortiGuard downloads are unavailable. When the status is invalid, upon login, FortiOS redirects you to the VM license upload page.

    Reasons for having an invalid status include:

    • The VM license is expired and has passed the grace period.

    • Another VM has been already validated with FortiGuard using the same license. See Technical Note: VM License activation for details about duplicated VM instances.
  • Pending: temporary state where the VM attempts to validate its license. The GUI displays a loading page with the message License is being validated by FortiGuard.

Allocated vCPUs

Number of allocated and total allowable vCPUs

Allocated RAM

Amount of allocated RAM. There are no RAM restrictions.

Expires on

Expiry date (value depends on the type of license)

This information is visible in the CLI by running get system status. See CLI troubleshooting.

Uploading a license file

After you submit an order for a FortiGate-VM, Fortinet sends a license registration code to the email address that you entered in the order form. Use this code on the FortiCloud portal to register the FortiGate-VM.

Once you have registered the VM, you can download the license file in .LIC format. In FortiGate VM License, click Upload. The system prompts you to reboot and validate the license with the FortiGuard server. Once validated, your FortiGate-VM is fully functional.

The VM license window may also appear immediately after logging in if you are running a VM with an evaluation license that has expired.

In cases where the GUI is inaccessible, you can upload the license using secure copy (SCP).

Tooltip

For information about injecting FortiFlex licenses, see Injecting the FortiFlex license.

To upload the license using SCP:
  1. Enable SCP:
    config system global
        set admin-scp enable
    end
  2. Enable SSH in the administrative access for the interface where the transfer will take place:
    config system interface
        edit <interface>
            append allowaccess ssh
        next
    end
  3. On your computer, upload the VM license. This example is for Linux:
    scp <filename> <admin-user>@<FortiGate_IP>:vmlicense

VM license types

FortiGate-VM offers perpetual licensing (normal series and V-series) and annual subscription licensing (S-series). SKUs are based on the number of vCPUs (1, 2, 4, 8, 16, 32, or unlimited).

FortiGate-VM has a permanent trial license. See Permanent trial mode for FortiGate-VM.

The FortiFlex program allows qualified enterprise and MSSP customers to create as many VM entitlements as required. Resource consumption is based upon predefined points that are calculated on a daily basis. See Program guide.

Feature

VM-Series

Trial

V-series

S-series

FortiFlex

Licensing and support

The VM base is perpetual. You must purchase separately FortiGuard and FortiCare services on an annual basis. See the price list for details.

Hardware configuration restrictions apply. Support is not available.

The VM base is perpetual. You must purchase separately FortiGuard and FortiCare services on an annual basis. See the price list for details.

Single annually contracted SKU that contains a VM base and a FortiCare/FortiGuard service bundle. Service bundles and a la carte services are available.

Annually contracted program to create multiple sets of a single entitlement per VM. Entitlements contain a VM base and FortiCare/FortiGuard bundle. Service bundles and a la carte services are available.

vCPU number upgrade or downgrade

Not supported.

Not supported. Not supported.

Supported via co-term. You can also upgrade the service bundle. Contact a Fortinet sales representative to upgrade.

Natively supported via the scale up/down feature.

VDOM support

By default, each CPU level supports up to a certain number of VDOMs. See the FortiGate-VM data sheet for default limits.

VDOMs are supported, but restricted by the CPU allowance for the trial license.

By default, all CPU levels do not support adding VDOMs, but you can add additional VDOMs via a subscription VDOM license.

By default, all CPU levels do not support adding VDOMs, but you can add additional VDOMs via the scale up/down feature.

Applying a FortiFlex token

You can apply a FortiFlex token in the FortiGate VM License page for the following VM instance types:

  • Newly deployed or expired FortiGate-VM instances. After logging into the FortiOS GUI, a FortiFlex token option is available when the license popup appears.
  • Already licensed FortiGate-VM instances. You can go to this page from the Virtual Machine dashboard widget or from System > FortiGuard. FortiFlex token option is available for migrating into FortiFlex.

Consuming a new vCPU

FortiGate-VM supports automatic vCPU hot-add/hot-remove to the limit of the license entitlement after activating an S-series license or a FortiFlex license. This enhancement removes the requirement of running the CLI command execute cpu add or performing a reboot when the FortiGate-VM has a lower number of vCPUs allocated than the licensed number of vCPUs.

CLI troubleshooting

In some cases, you can view more information from the CLI to diagnose issues with VM licensing. This is also useful when the GUI is inaccessible due to an invalid contract.

Before you begin, ensure your FortiGate has the proper routes to connect to the internet. Run all following debug commands for a full picture of the issue.

To view the license status, expiration date, and VM resources:
# get system status
Version: FortiGate-VM64-KVM v7.6.1,buildXXXX,200730 (GA)
...
Serial-Number: FGVM08**********
....
License Status: Valid
License Expiration Date: 2024-12-10
VM Resources: 1 CPU/8 allowed, 2010 MB RAM
...
To display license details:
# diagnose debug vm-print-license
SerialNumber: FGVM08**********
CreateDate: Tue Dec 10 00:57:32 2019
License expires: Thu Dec 10 00:00:00 2024
Expiry: 366
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 08 (11)
CPU: 8
MEM: 2147483647
To display license information from FortiGuard:
# diagnose hardware sysinfo vm full
UUID:     abbe****************************
valid:    1
status:   1
code:     200
warn:     0
copy:     0
received: 4604955037
warning:  4600905081
recv:     202009152207
dup:

Field

Value

Description

valid

0

Invalid

1

Valid

status

0

Startup

1

Success

2

Warning

3

Error

4

Invalid copy

5

Evaluation license expired

6

Grace period. For FortiFlex, there is a two-hour grace period to begin passing traffic upon retrieving the license from FortiCloud.

code

2xx, 3xx

Success

200

Valid

202

Accepted (treated as correct response code)

4xx

Error

400

Expired

401

Duplicate

5xx, 500

Warning

502

Invalid. Cannot connect to FortiGuard distribution servers

6xx

Evaluation license expired

Other codes

Error

The following are examples of common combinations:

Combination

Indicates...

valid: 1
status: 1
code: 200

License is valid and functioning normally.

valid: 1
status: 4
code: 401

License is valid but running on a duplicate instance.

valid:    0
status:   2
code:     502

System cannot connect to FortiGuard.

valid: 0
status: 3
code: 400

License is expired and invalid.

valid: 0
status: 3
code: 0

VM is unlicensed.

For FortiFlex licenses, the following command allows you to enter the license token and proxy information:

# execute vm-license <token> https://<username>:<password>@<proxy IP address>:<proxy port>

FortiOS can receive the following error codes from the FortiCare server:

1 - Runtime error (server unhandled error on FortiCare sever)

57 - License Token is invalid

58 - License Token is already used and cannot be used again to retrieve license key

The FortiGate can generate the following error code:

60 - Failed to request forticare license. Failed to download VM license.

Contact Fortinet Support for assistance if your licensing issue persists.

Customizing the FortiFlex license token activation retry parameters

FortiOS supports the customization of the retries for FortiFlex license token activation. You can configure the token activation number of retries and the interval between each attempt using the following commands, respectively:

execute vm-license-options count <integer>
execute vm-license-options interval <interval length in seconds>
Note

If you set vm-license-options count to zero, the token activation retries indefinitely until success.

To define the FortiFlex token activation parameters:
  1. Set the number of retries allowed:

    execute vm-license-options count 4
  2. Set the retry interval:

    execute vm-license-options interval 5
  3. Activate the license. FortiOS requests the FortiFlex license token four times, with an interval of five seconds in between, as set.

    • If FortiOS cannot verify the license within the set amount of retries, the download fails:

      # execute vm-license F4FC697D65428013FAKE
      
      This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Failed to download VM license.
    • If FortiOS can verify the license within the set number of retries, FortiOS successfully installs the VM license:

      # execute vm-license 227602862F7E6E9XXXX
      
      This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) VM license install succeeded. Rebooting firewall.

You can also define FortiFlex token activation parameters in an ISO file using the mime user-data.

To define the parameters in an ISO file:
  1. Create a config drive ISO with a MIME file:

    Content-Type: text/plain; charset="us-ascii" 
    MIME-Version: 1.0 
    Content-Transfer-Encoding: 7bit 
    Content-Disposition: attachment; filename="license.txt
    "LICENSE-TOKEN: 334ADF7B49F2FEC1XXXX INTERVAL: 5 COUNT: 4

    See Cloud-init using config drive for more information.

  2. Attach the ISO config drive at boot time. See Cloud-init for more information.

  3. Boot up the VM and verify the token activation parameters:

    # diagnose debug cloudinit show
     >> Found config drive /dev/sr0
     >> Successfully mount config drive
     >> MIME parsed preconfig script
     >> MIME parsed VM token
     >> MIME parsed config script
     >> Found metadata source: config drive
     >> Run preconfig script
     >> FortiGate-VM64  conf sys global
     …
     >> Trying to install vmlicense ...
     >> License-token:334ADF7B49F2FEC1XXXX INTERVAL:5 COUNT:4
     >> Run config script