VM license
You can access FortiGate VM License from Dashboard > Status in the Virtual Machine widget. Click the device license and select FortiGate VM License.
FortiGate VM License displays the following information:
Field |
Description |
---|---|
License status |
Displays one of the following statuses:
As you cannot access Dashboard > Status in the Virtual Machine widget when the license is in one of the following statuses, they do not display in the License status field:
|
Allocated vCPUs |
Number of allocated and total allowable vCPUs |
Allocated RAM |
Amount of allocated RAM. There are no RAM restrictions. |
Expires on |
Expiry date (value depends on the type of license) |
This information is visible in the CLI by running get system status
. See CLI troubleshooting.
Uploading a license file
After you submit an order for a FortiGate-VM, Fortinet sends a license registration code to the email address that you entered in the order form. Use this code on the FortiCloud portal to register the FortiGate-VM.
Once you have registered the VM, you can download the license file in .LIC format. In FortiGate VM License, click Upload. The system prompts you to reboot and validate the license with the FortiGuard server. Once validated, your FortiGate-VM is fully functional.
The VM license window may also appear immediately after logging in if you are running a VM with an evaluation license that has expired.
In cases where the GUI is inaccessible, you can upload the license using secure copy (SCP).
For information about injecting FortiFlex licenses, see Injecting the FortiFlex license. |
To upload the license using SCP:
- Enable SCP:
config system global set admin-scp enable end
- Enable SSH in the administrative access for the interface where the transfer will take place:
config system interface edit <interface> append allowaccess ssh next end
- On your computer, upload the VM license. This example is for Linux:
scp <filename> <admin-user>@<FortiGate_IP>:vmlicense
VM license types
FortiGate-VM offers perpetual licensing (normal series and V-series) and annual subscription licensing (S-series). SKUs are based on the number of vCPUs (1, 2, 4, 8, 16, 32, or unlimited).
FortiGate-VM has a permanent trial license. See Permanent trial mode for FortiGate-VM.
The FortiFlex program allows qualified enterprise and MSSP customers to create as many VM entitlements as required. Resource consumption is based upon predefined points that are calculated on a daily basis. See Program guide.
Feature |
VM-Series |
Trial |
V-series |
S-series |
FortiFlex |
---|---|---|---|---|---|
Licensing and support |
The VM base is perpetual. You must purchase separately FortiGuard and FortiCare services on an annual basis. See the price list for details. |
Hardware configuration restrictions apply. Support is not available. |
The VM base is perpetual. You must purchase separately FortiGuard and FortiCare services on an annual basis. See the price list for details. |
Single annually contracted SKU that contains a VM base and a FortiCare/FortiGuard service bundle. Service bundles and a la carte services are available. |
Annually contracted program to create multiple sets of a single entitlement per VM. Entitlements contain a VM base and FortiCare/FortiGuard bundle. Service bundles and a la carte services are available. |
vCPU number upgrade or downgrade |
Not supported. |
Not supported. | Not supported. |
Supported via co-term. You can also upgrade the service bundle. Contact a Fortinet sales representative to upgrade. |
Natively supported via the scale up/down feature. |
VDOM support |
By default, each CPU level supports up to a certain number of VDOMs. See the FortiGate-VM data sheet for default limits. |
VDOMs are supported, but restricted by the CPU allowance for the trial license. |
By default, all CPU levels do not support adding VDOMs, but you can add additional VDOMs via a subscription VDOM license. |
By default, all CPU levels do not support adding VDOMs, but you can add additional VDOMs via the scale up/down feature. |
Applying a FortiFlex token
You can apply a FortiFlex token in the FortiGate VM License page for the following VM instance types:
- Newly deployed or expired FortiGate-VM instances. After logging into the FortiOS GUI, a FortiFlex token option is available when the license popup appears.
- Already licensed FortiGate-VM instances. You can go to this page from the Virtual Machine dashboard widget or from System > FortiGuard. FortiFlex token option is available for migrating into FortiFlex.
Consuming a new vCPU
FortiGate-VM supports automatic vCPU hot-add/hot-remove to the limit of the license entitlement after activating an S-series license or a FortiFlex license. This enhancement removes the requirement of running the CLI command execute cpu add
or performing a reboot when the FortiGate-VM has a lower number of vCPUs allocated than the licensed number of vCPUs.
CLI troubleshooting
In some cases, you can view more information from the CLI to diagnose issues with VM licensing. This is also useful when the GUI is inaccessible due to an invalid contract.
Before you begin, ensure your FortiGate has the proper routes to connect to the internet. Run all following debug commands for a full picture of the issue.
To view the license status, expiration date, and VM resources:
# get system status Version: FortiGate-VM64-KVM v7.6.1,buildXXXX,200730 (GA) ... Serial-Number: FGVM08********** .... License Status: Valid License Expiration Date: 2024-12-10 VM Resources: 1 CPU/8 allowed, 2010 MB RAM ...
To display license details:
# diagnose debug vm-print-license
SerialNumber: FGVM08**********
CreateDate: Tue Dec 10 00:57:32 2019
License expires: Thu Dec 10 00:00:00 2024
Expiry: 366
Key: yes
Cert: yes
Key2: yes
Cert2: yes
Model: 08 (11)
CPU: 8
MEM: 2147483647
To display license information from FortiGuard:
# diagnose hardware sysinfo vm full UUID: abbe**************************** valid: 1 status: 1 code: 200 warn: 0 copy: 0 received: 4604955037 warning: 4600905081 recv: 202009152207 dup:
Field |
Value |
Description |
---|---|---|
valid |
0 |
Invalid |
1 |
Valid |
|
status |
0 |
Startup |
1 |
Success |
|
2 |
Warning |
|
3 |
Error |
|
4 |
Invalid copy |
|
5 |
Evaluation license expired |
|
6 |
Grace period. For FortiFlex, there is a two-hour grace period to begin passing traffic upon retrieving the license from FortiCloud. |
|
code |
2xx, 3xx |
Success |
200 |
Valid |
|
202 |
Accepted (treated as correct response code) |
|
4xx |
Error |
|
400 |
Expired |
|
401 |
Duplicate |
|
5xx, 500 |
Warning |
|
502 |
Invalid. Cannot connect to FortiGuard distribution servers |
|
6xx |
Evaluation license expired |
|
Other codes |
Error |
The following are examples of common combinations:
Combination |
Indicates... |
---|---|
valid: 1 status: 1 code: 200 |
License is valid and functioning normally. |
valid: 1 status: 4 code: 401 |
License is valid but running on a duplicate instance. |
valid: 0 status: 2 code: 502 |
System cannot connect to FortiGuard. |
valid: 0 status: 3 code: 400 |
License is expired and invalid. |
valid: 0 status: 3 code: 0 |
VM is unlicensed. |
For FortiFlex licenses, the following command allows you to enter the license token and proxy information:
# execute vm-license <token> https://<username>:<password>@<proxy IP address>:<proxy port>
FortiOS can receive the following error codes from the FortiCare server:
1 - Runtime error (server unhandled error on FortiCare sever)
57 - License Token is invalid
58 - License Token is already used and cannot be used again to retrieve license key
The FortiGate can generate the following error code:
60 - Failed to request forticare license. Failed to download VM license.
Contact Fortinet Support for assistance if your licensing issue persists.
Customizing the FortiFlex license token activation retry parameters
FortiOS supports the customization of the retries for FortiFlex license token activation. You can configure the token activation number of retries and the interval between each attempt using the following commands, respectively:
execute vm-license-options count <integer> execute vm-license-options interval <interval length in seconds>
If you set |
To define the FortiFlex token activation parameters:
-
Set the number of retries allowed:
execute vm-license-options count 4
-
Set the retry interval:
execute vm-license-options interval 5
-
Activate the license. FortiOS requests the FortiFlex license token four times, with an interval of five seconds in between, as set.
-
If FortiOS cannot verify the license within the set amount of retries, the download fails:
# execute vm-license F4FC697D65428013FAKE
This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Requesting FortiCare license token: *******, proxy:(null) Failed to download VM license. -
If FortiOS can verify the license within the set number of retries, FortiOS successfully installs the VM license:
# execute vm-license 227602862F7E6E9XXXX
This operation will reboot the system ! Do you want to continue? (y/n)y Requesting FortiCare license token: *******, proxy:(null) VM license install succeeded. Rebooting firewall.
-
You can also define FortiFlex token activation parameters in an ISO file using the mime user-data.
To define the parameters in an ISO file:
-
Create a config drive ISO with a MIME file:
Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="license.txt "LICENSE-TOKEN: 334ADF7B49F2FEC1XXXX INTERVAL: 5 COUNT: 4
See Cloud-init using config drive for more information.
-
Attach the ISO config drive at boot time. See Cloud-init for more information.
-
Boot up the VM and verify the token activation parameters:
# diagnose debug cloudinit show >> Found config drive /dev/sr0 >> Successfully mount config drive >> MIME parsed preconfig script >> MIME parsed VM token >> MIME parsed config script >> Found metadata source: config drive >> Run preconfig script >> FortiGate-VM64 conf sys global … >> Trying to install vmlicense ... >> License-token:334ADF7B49F2FEC1XXXX INTERVAL:5 COUNT:4 >> Run config script