Fortinet white logo
Fortinet white logo
7.6.0

Enabling license sharing

Enabling license sharing

To enable license sharing in a security fabric group, use the License Sharing Between FortiProxy Devices option in the GUI or the set license-sharing [enable|disable] command under config system csf.

FortiProxy support license sharing of the SWG Bundle, Browser Isolation (FNBI), and Content Analysis (FCAS) license types. To allow license sharing within a group of FortiProxy devices/VMs, every FortiProxy in the group must have at least one SWG Bundle license. Refer to the FortiProxy datasheet for more information about different license types.

The following section describes how to create a security fabric group with license sharing enabled.

To create a Security Fabric group in the GUI:
  1. Configure FortiAnalyzer or Cloud Logging. See Configuring logging and analytics for details.

    This step is optional if the security fabric group is for license sharing purposes only. It is still required if you need to use any security fabric functionality in the security fabric group.

  2. Configure the Security Fabric group root:
    Note

    The Security Fabric root can be any FortiProxy hardware or VM model. To optimize performance, Fortinet recommends dedicating the root to license sharing management without overloading it with other tasks. FPX-VM02 is a good option for a dedicated root for economic reasons. For non-dedicated roots, you must monitor the memory and CPU usage regularly to ensure stability.

    Fortinet recommends that you set the root as an active-passive HA group for better redundancy, in which case the HA group is treated as a single device and shares all of its entitled licenses with 14-day recovery period in case of node failure.

    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

    2. Change Status to Enabled.
    3. In Security Fabric role, select Serve as Fabric Root to configure a Security Fabric root.
    4. In the Fabric name and Group password fields, specify the group name and password, which are required for other devices to join the group. If the Group password field is unavailable, enable it using the set legacy-authentication enable option under config system csf.
    5. Enable Allow other Security Fabric devices to join.
    6. Add members to the trusted list by clicking Edit next to Device authorization and clicking Create New in the Device Authorization panel. Fill in the license serial number of the member and specify a name. The license serial number can be retrieved by running the get system status command in the member device.
    7. Enable License Sharing Between FortiProxy Devices which allows the root to share licenses with other devices within the group.
    8. Configure other options as needed.
    9. Click OK.
  3. Add additional members to the group by editing the root you just configured and repeat step f. Alternatively, you can add additional members by configuring a new Security Fabric Setup card:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Change Status to Enabled.
    3. In Security Fabric role, select Join Existing Fabric to configure a Security Fabric member.
    4. Fill in the root device address in Upstream FortiProxy IP/FQDN.
    5. In the Group password field, enter the password you set in the root.
    6. Enable License Sharing Between FortiProxy Devices which allows the device to share licenses with other devices within the group.
    7. Configure other options as needed.
  4. Verify the fabric group status using the fabric group topology in right-side menu on the Security Fabric >> Fabric Connectors page.

To create a Security Fabric group in the CLI:
  1. Configure FortiAnalyzer logging:
    config log fortianalyzer setting
        set status enable
        set server "172.18.64.234"
        set serial "FL-8HFT000000000"
        set upload-option realtime
        set reliable enable
    end

    Refer to config log fortianalyzer setting in the CLI guide for more details about each option and a full list of available options.

  2. Configure the security fabric group root to allow license sharing with a list of trusted members that are allowed to join the group:
    Note

    Fortinet recommends that you set the Security Fabric root as an active-passive HA group for better redundancy, in which case the HA group is treated as a single device and shares all of its entitled licenses with 14-day recovery period in case of node failure.

    config system csf

    set status enable

    set group-name <string>

    set downstream-access enable

    set license-sharing enable

    config trusted-list

    edit <MEMBER_DEVICE_NAME>

    set serial <LICENSE_SERIAL_OF_MEMBER_DEVICE>

    set preferred-seats <integer> (Optional)

    next

    edit <MEMBER_DEVICE_2_NAME>

    set serial <LICENSE_SERIAL_OF_MEMBER_DEVICE_2>

    set preferred-seats <integer> (Optional)

    next ...

    end

    When adding devices to the trusted list, you can retrieve the license serial number by running the get system status command in the member device.

    The preferred number of seats is an optional setting that defines the desired number of seats to allocate to the member. The number of guaranteed seats is the minimum of the number of local purchased seats and the number of preferred seats. When the preferred number of seat request fails or is only partially fulfilled due to lack of seats in the pool, the remaining preferred seats will be allocated from shared pool at higher priority.

    Refer to config system csf in the CLI guide for more details about each option and a full list of available options.

  3. Apply the following configuration to each trusted member device you defined in step 2:

    config system csf

    set status enable

    set upstream <IP_OF_FABRIC_ROOT>

    set group-name <FABRIC_GROUP_NAME>

    set group-password <FABRIC_GROUP_PASSWORD>

    set configuration-sync local

    end

    Setting configuration-sync to local disables configuration synchronization with a management device, which is recommended for license sharing.

    Refer to config system csf in the CLI guide for more details about each option and a full list of available options.

  4. Verify the fabric group status:
    • To check connected member devices to the root, run diag system csf downstream. All connected devices will be listed, regardless of the authorization status.

    • To check the root device status, run diag system csf upstream. The connection status should be Authorized. If the connection status is Authorization Rejected, check if the member device is added to the trusted list of the root device.

    • To check the fabric group setting, run get system csf. Example result from a root device:

      status : enable

      upstream :

      upstream-port : 8013

      group-name : my_fabric_grp

      group-password : *

      accept-auth-by-cert : enable

      log-unification : enable

      authorization-request-type: serial

      fabric-workers : 2

      downstream-access : enable

      license-sharing : enable

      downstream-accprofile: super_admin

      configuration-sync : local

      fabric-object-unification: local

      trusted-list:

      == [ 1 ]

      name: 1 serial: FPX*************

      ha-members:

      fabric-connector:

      forticloud-account-enforcement: enable

Enabling license sharing

Enabling license sharing

To enable license sharing in a security fabric group, use the License Sharing Between FortiProxy Devices option in the GUI or the set license-sharing [enable|disable] command under config system csf.

FortiProxy support license sharing of the SWG Bundle, Browser Isolation (FNBI), and Content Analysis (FCAS) license types. To allow license sharing within a group of FortiProxy devices/VMs, every FortiProxy in the group must have at least one SWG Bundle license. Refer to the FortiProxy datasheet for more information about different license types.

The following section describes how to create a security fabric group with license sharing enabled.

To create a Security Fabric group in the GUI:
  1. Configure FortiAnalyzer or Cloud Logging. See Configuring logging and analytics for details.

    This step is optional if the security fabric group is for license sharing purposes only. It is still required if you need to use any security fabric functionality in the security fabric group.

  2. Configure the Security Fabric group root:
    Note

    The Security Fabric root can be any FortiProxy hardware or VM model. To optimize performance, Fortinet recommends dedicating the root to license sharing management without overloading it with other tasks. FPX-VM02 is a good option for a dedicated root for economic reasons. For non-dedicated roots, you must monitor the memory and CPU usage regularly to ensure stability.

    Fortinet recommends that you set the root as an active-passive HA group for better redundancy, in which case the HA group is treated as a single device and shares all of its entitled licenses with 14-day recovery period in case of node failure.

    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.

    2. Change Status to Enabled.
    3. In Security Fabric role, select Serve as Fabric Root to configure a Security Fabric root.
    4. In the Fabric name and Group password fields, specify the group name and password, which are required for other devices to join the group. If the Group password field is unavailable, enable it using the set legacy-authentication enable option under config system csf.
    5. Enable Allow other Security Fabric devices to join.
    6. Add members to the trusted list by clicking Edit next to Device authorization and clicking Create New in the Device Authorization panel. Fill in the license serial number of the member and specify a name. The license serial number can be retrieved by running the get system status command in the member device.
    7. Enable License Sharing Between FortiProxy Devices which allows the root to share licenses with other devices within the group.
    8. Configure other options as needed.
    9. Click OK.
  3. Add additional members to the group by editing the root you just configured and repeat step f. Alternatively, you can add additional members by configuring a new Security Fabric Setup card:
    1. Go to Security Fabric > Fabric Connectors and double-click the Security Fabric Setup card.
    2. Change Status to Enabled.
    3. In Security Fabric role, select Join Existing Fabric to configure a Security Fabric member.
    4. Fill in the root device address in Upstream FortiProxy IP/FQDN.
    5. In the Group password field, enter the password you set in the root.
    6. Enable License Sharing Between FortiProxy Devices which allows the device to share licenses with other devices within the group.
    7. Configure other options as needed.
  4. Verify the fabric group status using the fabric group topology in right-side menu on the Security Fabric >> Fabric Connectors page.

To create a Security Fabric group in the CLI:
  1. Configure FortiAnalyzer logging:
    config log fortianalyzer setting
        set status enable
        set server "172.18.64.234"
        set serial "FL-8HFT000000000"
        set upload-option realtime
        set reliable enable
    end

    Refer to config log fortianalyzer setting in the CLI guide for more details about each option and a full list of available options.

  2. Configure the security fabric group root to allow license sharing with a list of trusted members that are allowed to join the group:
    Note

    Fortinet recommends that you set the Security Fabric root as an active-passive HA group for better redundancy, in which case the HA group is treated as a single device and shares all of its entitled licenses with 14-day recovery period in case of node failure.

    config system csf

    set status enable

    set group-name <string>

    set downstream-access enable

    set license-sharing enable

    config trusted-list

    edit <MEMBER_DEVICE_NAME>

    set serial <LICENSE_SERIAL_OF_MEMBER_DEVICE>

    set preferred-seats <integer> (Optional)

    next

    edit <MEMBER_DEVICE_2_NAME>

    set serial <LICENSE_SERIAL_OF_MEMBER_DEVICE_2>

    set preferred-seats <integer> (Optional)

    next ...

    end

    When adding devices to the trusted list, you can retrieve the license serial number by running the get system status command in the member device.

    The preferred number of seats is an optional setting that defines the desired number of seats to allocate to the member. The number of guaranteed seats is the minimum of the number of local purchased seats and the number of preferred seats. When the preferred number of seat request fails or is only partially fulfilled due to lack of seats in the pool, the remaining preferred seats will be allocated from shared pool at higher priority.

    Refer to config system csf in the CLI guide for more details about each option and a full list of available options.

  3. Apply the following configuration to each trusted member device you defined in step 2:

    config system csf

    set status enable

    set upstream <IP_OF_FABRIC_ROOT>

    set group-name <FABRIC_GROUP_NAME>

    set group-password <FABRIC_GROUP_PASSWORD>

    set configuration-sync local

    end

    Setting configuration-sync to local disables configuration synchronization with a management device, which is recommended for license sharing.

    Refer to config system csf in the CLI guide for more details about each option and a full list of available options.

  4. Verify the fabric group status:
    • To check connected member devices to the root, run diag system csf downstream. All connected devices will be listed, regardless of the authorization status.

    • To check the root device status, run diag system csf upstream. The connection status should be Authorized. If the connection status is Authorization Rejected, check if the member device is added to the trusted list of the root device.

    • To check the fabric group setting, run get system csf. Example result from a root device:

      status : enable

      upstream :

      upstream-port : 8013

      group-name : my_fabric_grp

      group-password : *

      accept-auth-by-cert : enable

      log-unification : enable

      authorization-request-type: serial

      fabric-workers : 2

      downstream-access : enable

      license-sharing : enable

      downstream-accprofile: super_admin

      configuration-sync : local

      fabric-object-unification: local

      trusted-list:

      == [ 1 ]

      name: 1 serial: FPX*************

      ha-members:

      fabric-connector:

      forticloud-account-enforcement: enable