
Deployment Guide


Licensing FortiSOAR

From version 6.4.0 onwards, FortiSOAR integrates with FortiGuard Distribution Network (FDN) to retrieve updated contract details.

Caution

You must be connected to FDN while you are deploying your license. If there is no connectivity to FDN, then your FortiSOAR UI access will be blocked after some hours. If any error occurs while deploying your license, see the Troubleshooting licensing issues section for some tips on how to resolve the issue.

FortiSOAR enforces licensing and restricts the usage of FortiSOAR by specifying the following:

  • The maximum number of active users in FortiSOAR at any point in time.
  • The type and edition of the license.
  • The expiration date of the license.

For a fresh install of FortiSOAR, see FortiSOAR licensing process. To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.

FortiSOAR licensing process

  1. You must have an account in FortiCare.
  2. Contact FortiSOAR Support to obtain the FortiSOAR product SKU. You need to provide the following information to get the license for FortiSOAR™:
    • The license type that you want for FortiSOAR. For information on the different license types, see License Manager Page.
    • The license edition that you want for FortiSOAR. For information on the different license editions, see License Manager Page.
    • The number of licensed users required for FortiSOAR.
      Once you complete purchasing FortiSOAR, you will be sent a service contract registration code to your registered email address.
      If a customer wants additional users, then the customer has to also register the contract for additional users. A separate registration code will be sent for the contract of additional users.
      Note: If you have opted for a "Perpetual" or "Evaluation" license, you should download the license file only after the additional user contract, if any, is registered.
  3. Log in to your FortiCare account and click Asset > Register/Activate to register your FortiSOAR product. You can register your FortiSOAR product using the instructions provided in the FortiCare registration wizard.
    You need to copy and paste the service contract registration code from your email to register FortiSOAR.
    Once you have verified the registration, click Complete to complete the registration.
  4. Once you click Complete you are taken to the Product Information page. To generate the license file, click Edit on the Product Information page.
    On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
    Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a different device UUID, as well as in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
    To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
    The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.

If you are an existing customer, then your entitlements would have already been imported into FortiCare and you would have received an email with respect to your FortiCare account. Also, your FortiSOAR product would already have been registered. However, you must still update your Device UUID.

To update your Device UUID, do the following:

  1. Log in to your FortiCare account and click Asset > Manage/View Products > Basic View.
  2. Click the row that contains the FortiSOAR (FSR) product to view the Product Information page.
  3. On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
    Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a different device UUID, as well as in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
    To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
    The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.

FortiSOAR licensing using FortiManager

A closed or air-gapped environment is an environment where FortiSOAR does not have access to the internet and therefore cannot access the FDN servers. In such cases, FortiManager (FMG) can be used as an intermediary so that FMG provides license validation and FDN updates to FortiSOAR with limited or no internet connectivity. You can configure FMG for the following environments:

  • Complete air-gapped environment where FMG also does not have connectivity to FortiGuard Distribution Servers (FDS) and manual synchronization is required for customer entitlements.
  • FMG has network connectivity to FDS servers and can automatically synchronize customer entitlements.
    For more details on FMG and troubleshooting information, see the FortiManager documentation.
Note

Support to use FortiManager (FMG) as an intermediary in case of a closed or air-gapped environment for FortiSOAR licensing has been validated on 'FortiSOAR Version 6.4.4 - Build 3164' and 'FMG Version 6.4.4 GA-Build 2253'.

In case of an air-gapped environment, do the following:

  1. You must have an account in FortiManager (FMG).
  2. Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
  3. Log onto FMG and navigate to FortiGuard.
  4. On the left-menu, click Settings, and apply the following settings:
    1. "Toggle OFF" the Enable Communication with FortiGuard Server setting.
      FortiGuard Server and Service Settings Page
    2. Click Upload beside Service License and upload your entitlement file, and then click OK.
      FortiGuard Settings - Uploading service license
    3. Click Apply to apply the above settings.
  5. Ensure that FMG is reachable or resolvable from your FortiSOAR instance.
  6. Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
  7. Restart the cyops-auth service.
  8. Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.

You might choose to deploy the license using FMG even if you are not in an air-gapped environment. In such cases do the following:

  1. You must have an account in FortiManager (FMG).
  2. Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
  3. Log onto FMG and navigate to FortiGuard.
  4. On the left-menu, click Settings, and apply the following settings:
    1. "Toggle ON" the Enable Communication with FortiGuard Server setting.
    2. For the Communication with FortiGuard Server settings, select Global Servers.
    3. For the Server Override Mode settings, select Loose (Allow Access Other Servers).
    4. Expand "FortiGuard AntiVirus and IPS Setting", and "Turn ON" the Schedule Regular Updates setting.
      Once you turn on the Schedule Regular Updates settings, you need to define the frequency at which you want to get the updates:
      FortiGuard Settings for using FMG for FortiSOAR™ licensing
    5. Click Apply to apply the above settings.
  5. Ensure that FMG is reachable or resolvable from your FortiSOAR instance and ensure that FMG has access to the Internet.
  6. Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
  7. Restart the cyops-auth service.
  8. Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.
    Important: In case of a non-closed environment, license deployment from FortiSOAR does not work at the first attempt since FMG is unable to send contracts that are required for license deployment. Therefore, users need to retry deploying the license on the FortiSOAR environment. This happens only when FMG is not a part of the air-gapped environment.

Retrieving the FortiSOAR Device UUID

Your FortiSOAR installation generates a Device UUID for your installation. This key is used to identify each unique FortiSOAR environment.

When you provision a new instance, a configuration wizard runs automatically on the first SSH login by the csadmin user. This wizard automatically generates your Device UUID and saves it in the /home/csadmin/device_uuid file, from which you can retrieve it. For more information, see the FortiSOAR Configuration Wizard topic. If you require the Device UUID in the future, you can retrieve it using the FortiSOAR Admin CLI (csadm) or from the License Manager page; see License Manager Page.

You can retrieve the FortiSOAR Device UUID using csadm. A root user can directly run the csadm license --get-device-uuid command to print the Device UUID on the CLI. For more information on the FortiSOAR Admin CLI, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

Deploying the FortiSOAR license

Caution

Before you start deploying your FortiSOAR license, you must ensure that you can connect to https://globalupdate.fortinet.net, else the license deployment will fail. Connectivity to this address is required for fetching the license entitlements and product functioning post-upgrade.

Deploying the FortiSOAR license using the FortiSOAR UI

From version 7.0.0 onwards, you can deploy your FortiSOAR license from the FortiSOAR UI itself, without the need to SSH to your FortiSOAR machine. This is extremely useful if the administrator does not have SSH access to the FortiSOAR machine.

To deploy the initial FortiSOAR license or to upload a new license, if your FortiSOAR license has expired, using the FortiSOAR UI, do the following:

  1. In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen:
    Upload FortiSOAR license Screen

  2. Click Upload License to display the "Upload License" dialog:
    Upload FortiSOAR license dialog

  3. Drag and drop your FortiSOAR License file, or click the Upload icon and browse to the license file and import your FortiSOAR license.
    If the license file is invalid, FortiSOAR displays an error message and the license is not installed.
    If the license file is valid, FortiSOAR displays the license details:
    FortiSOAR license details

  4. Click Install License File to install your FortiSOAR license.
    Once the license is successfully installed, FortiSOAR displays a License imported successfully message and the EULA is displayed. Once you accept the EULA, you can log on to the FortiSOAR UI and begin configuring the system.

Deploying the FortiSOAR license using the FortiSOAR Admin CLI

Note

Ensure that you have copied the FortiSOAR license file, using SCP or other methods, to your FortiSOAR VM. Do not copy the contents of the license file and paste it into a new file; this will cause license validation to fail.

You can deploy the FortiSOAR license using the FortiSOAR Admin CLI. A root user can directly run the csadm license --deploy-enterprise-license <License File Path> command. For example, csadm license --deploy-enterprise-license temp/<Serial_No>.lic.

If your license is enabled for multi-tenancy, then run the csadm license --deploy-multi-tenant-license <License File Path> command. For more information on csadm, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

The license path that you provide can either be relative to the current working directory or can be an absolute path. Once you have entered the license path, the csadm checks the license file for validity and whether you have selected the appropriate license type (enabled or not enabled for multi-tenancy).

When you deploy a license on FortiSOAR the license entitlements are fetched from FDN.

Note: If you deploy a license that does not match the system UUID, you will get a warning on the CLI while deploying the license. If you deploy the same license in more than one environment, the license is detected as a duplicate and you must correct the license; otherwise, your FortiSOAR UI will be blocked in 2 hours.

The FortiSOAR Admin CLI displays a Success message, if your license file is deployed successfully, or an Error message that contains the reason for the failure.

Once your system is licensed, you can log on to the FortiSOAR UI and begin configuring the system.

Activating the FortiCare Trial license for FortiSOAR

From version 7.0.0 onwards, you get a free trial license for an unlimited time for FortiSOAR per FortiCare account, i.e., if you have a FortiCare account, you can get FortiSOAR for free and for an unlimited time, but in a limited context. This license is an "Enterprise" type license and is restricted to 3 users using FortiSOAR for a maximum of 200 actions a day.

Note

Important steps such as "Create Records", "Update Records", "Find Records", "Connection Actions", etc., are counted towards the maximum action count limit of 200. However, steps used for data manipulation such as "Wait", "Approval", "Loops", "Reference a Playbook", etc. are not counted towards the action count restriction.

To activate the FortiCare trial license for FortiSOAR, do the following:

  1. In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen:
    Upload FortiSOAR license Screen
  2. Click Activate Trial License.
  3. In the Activate FortiSOAR Free Trial dialog, enter your FortiCare username (email address) and password and click Activate Trial License.
    Activating Trial License Dialog
    If the email address and password provided are correct, then your FortiCare trial license for FortiSOAR is activated.

You can always update this trial license into a full-fledged production license at any time, by purchasing a FortiSOAR license and then updating it using either the FortiSOAR CLI or UI.

License Manager Page

Click Settings > License Manager to open the License Manager page as shown in the following image:

License Manager Page

The License Manager page displays the serial number, type and edition of the license issued, the total number of users FortiSOAR is licensed for, the date when the FortiSOAR license will expire, the number of days till the expiry of the FortiSOAR license, and your Device UUID. You can click the Copy Device UUID button to copy your Device UUID.

Serial Number: The serial number is a unique ID that is created by the FortiCare portal when you register your FortiSOAR product.

The FortiSOAR license can be of the following types:

  • Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR.
  • Perpetual (Trial): This type of license provides you with a free trial license for an unlimited time for FortiSOAR, but in a limited context, i.e., with restrictions on the number of users and actions that can be performed in FortiSOAR in a day. By default, this license is an "Enterprise" type license and is restricted to 3 users using FortiSOAR for a maximum of 200 actions a day.
    License Manager with Trial License details
    For more information on the trial license, see the Activating the FortiCare Trial license for FortiSOAR topic.
  • Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a particular number of users and a specific timeframe.
    You can renew your subscription and change the number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve the latest subscription.
  • Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a predefined user count and expiry date.

The FortiSOAR license can have the following editions:

  • Enterprise: This edition enables a regular "enterprise" production license.
  • MT : This edition enables multi-tenancy; both shared and distributed multi-tenancy are supported. The instance where this license is deployed would serve as a “master” node in a distributed deployment. For more information of what multi-tenancy is and what master nodes are, see the "Multi-tenancy support in FortiSOAR Guide."
  • MT_Tenant: This edition enables the node as a tenant in a multi-tenant deployment. This is the license to be deployed for a "customer" node of a Managed Security Services Provider (MSSP). The node can then be configured as a "tenant" to the MSSP server for syncing data and actions to and from the MSSP "master" server. The "MT_Tenant" license has only one user.
  • MT_RegionalSOC: This edition enables the node as a "Regional SOC" deployment at an organization having a distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time, it can be configured as "tenants" to the global SOC where the "MT" license is deployed and sync data and actions from the Global SOC FortiSOAR server.

Total Users displays the number of active users that can use FortiSOAR. You cannot create more active users, in your FortiSOAR environment, than the value specified in this field. For example, if the Total Users field is set to 50, you cannot create a 51st active user in FortiSOAR.

Expiry Date displays the date at which your FortiSOAR license will expire and Remaining Days displays the number of days left for your license to expire.

FortiSOAR version 6.4.4 and later does not mandate 'Additional Users' entitlement to be the same across all cluster nodes. User count entitlement will now always be validated from the primary node. The secondary nodes can have the basic two-user entitlement.

In case your FortiSOAR instance is part of a High Availability (HA) cluster, then the License Manager page also displays information about the nodes in the cluster, if you have added secondary node(s) as shown in the following image:

License Manager Page when your FortiSOAR instance is part of a High Availability cluster

As shown in the above image, the primary node is Node 2 and that node is licensed with 7 users, therefore the total user count displays as 7 users. For more information on licensing of nodes in an HA cluster, see the High Availability support in FortiSOAR chapter in the "Administration Guide."

You can update the license for each node by clicking Update License and uploading the license for that node as described in the following section.

Note

If you update a license that does not match the system UUID, you will get a warning on the UI while updating the license. If you update the same license in more than one environment, the license is detected as a duplicate and you must correct the license; otherwise, your FortiSOAR UI will be blocked in 2 hours.

Updating your license using the FortiSOAR UI

You can update your license using your FortiSOAR UI. Click Settings > License Manager to open the License Manager page.

License Manager

You can use the License Manager page to view your license details and to update your license. FortiSOAR displays a message about the expiration of your license 15 days prior to the date your license is going to expire. If your license type is Evaluation or Perpetual, then you must update your license within 15 days, if you want to keep using FortiSOAR. To update your license, click Update License and either drag-and-drop your updated license or click and browse to the location where your license file is located, then select the file and click Open. If your license type is Subscription, you must renew your subscription.

Troubleshooting licensing issues

FortiSOAR displays meaningful messages and troubleshooting tips during the license deployment process, and also validates your FortiSOAR license, making it easier for you to debug licensing issues, as shown in the following image:

Errors displayed while deploying your FortiSOAR license

Also, note that if your connection to FDN is via a proxy, you must update the proxy settings.

If any error occurs while deploying your license, following are some troubleshooting steps:

  • If the license type is "Subscription", then the number of users and expiry date are not present inside the license. They must be synced from FDN after the installation. The "License has expired" issue after installation occurs due to the following two reasons:
    • Sync with FDN failed
    • Sync was successful but we got wrong contract information.
      To verify the above-mentioned cases run the following command: java -jar /opt/cyops-auth/bin/fdnclient.jar <serial_no> https://globalupdate.fortinet.net
  • If the license type is "Evaluation" or "Perpetual", then the number of users and expiry date are present inside the license. If a license deployment failure occurs for these types of licenses, then check the license information using the csadm license --show-details <lic_file> command.
  • If the system is still not reachable after deploying the license, restart the cyops-auth service and then monitor the fdn.log and das.log files. If you continue to face issues, contact FortiSOAR support.

Troubleshooting issues while deploying the FortiSOAR license in a proxy environment

You might get the following error, when you are deploying your FortiSOAR license in a proxy environment:

"FSR-Auth-003: License Entitlement Sync Failed. Ensure that https://globalupdate.fort is accessible from your environment. If the issue still persists, contact support."

This issue might occur due to some proxies doing the SSL decryption, which means that these proxies can intercept the https connection by modifying the peer certificate and changing the issuer of the certificate to itself. This can cause the license deployment or synchronization to fail as the new issuer is not trusted.

To identify this issue, check the PKIX path building failed error message in the fdn.log file:
# /var/log/cyops/cyops-auth/fdn.log file

Resolution

You can use the following two solutions to solve this issue.

Method 1: Do not use SSL decryption for globalupdate.fortinet.net.

Method 2: Import the proxy issuer certificate into truststore using the following command:
keytool -import -alias proxy_issuer_cert -keystore /opt/cyops-auth/certs/fdn_server_truststore.p12 -file <cert_file> -storepass MXakK2bj6vAteC47 -noprompt
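
An added triage script for the proxy case above (not part of the Fortinet documentation): it reads the [FDN] override from das.ini to determine which endpoint cyops-auth contacts, counts PKIX failures in fdn.log, and prints the issuer of the certificate actually presented, so the issuer can be confirmed before anything is imported into the truststore. The function names and the fallback to the public FDN address when no [FDN] host is set are assumptions; only the file paths and the error string come from this page.

```bash
#!/usr/bin/env bash
# Added example, not Fortinet code. Paths and the "PKIX path building failed"
# string are from the page; function names and fallback logic are assumptions.
# Usage: ./fdn_tls_triage.sh /opt/cyops-auth/utilities/das.ini \
#            /var/log/cyops/cyops-auth/fdn.log [proxyhost:port]

DEFAULT_FDN="https://globalupdate.fortinet.net"

# Print the endpoint used for license sync: the host= value in the [FDN]
# section of das.ini (the FortiManager override) or, if absent, public FDN.
fdn_endpoint() {
  local ini="$1" host
  host=$(awk '
    /^[ \t]*[#;]/ { next }                                   # skip comments
    /^[ \t]*\[/   { in_fdn = ($0 ~ /^[ \t]*\[FDN\][ \t]*$/); next }
    in_fdn && /^[ \t]*host[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$ini" 2>/dev/null) || host=""
  printf '%s\n' "${host:-$DEFAULT_FDN}"
}

# Split an https://host[:port] URL into "host port" (port defaults to 443).
# IPv6 literals are not handled.
host_port() {
  local url="${1#*://}"
  url="${url%%/*}"
  case "$url" in
    *:*) printf '%s %s\n' "${url%%:*}" "${url##*:}" ;;
    *)   printf '%s 443\n' "$url" ;;
  esac
}

# Count log lines carrying the Java trust failure named on this page.
pkix_failures() {
  local n
  n=$(grep -c 'PKIX path building failed' "$1" 2>/dev/null) || true
  printf '%s\n' "${n:-0}"
}

# Combine both facts into one verdict line.
triage() {
  local endpoint n
  endpoint=$(fdn_endpoint "$1")
  n=$(pkix_failures "$2")
  if [ "$n" -gt 0 ]; then
    printf 'UNTRUSTED_ISSUER endpoint=%s pkix_failures=%s\n' "$endpoint" "$n"
  else
    printf 'NO_PKIX_FAILURE endpoint=%s\n' "$endpoint"
  fi
}

# Show subject and issuer of the certificate the endpoint (or an intercepting
# proxy) presents. Needs network access; third argument is an optional proxy.
presented_issuer() {
  local host="$1" port="$2" proxy="${3:-}"
  openssl s_client -connect "$host:$port" -servername "$host" \
      ${proxy:+-proxy "$proxy"} </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer
}

if [ "$#" -ge 2 ]; then
  triage "$1" "$2"
  # shellcheck disable=SC2046  # host_port output is split on purpose
  presented_issuer $(host_port "$(fdn_endpoint "$1")") "${3:-}"
fi
```

If the issuer printed is your proxy's decryption CA rather than a public CA, the PKIX failures are explained by SSL decryption, and the certificate file passed to keytool should be that CA's certificate as supplied by the proxy administrators.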

Licensing FortiSOAR

From version 6.4.0 onwards, FortiSOAR integrates with FortiGuard Distribution Network (FDN) to retrieve updated contract details.

Caution

You must be connected to FDN while you are deploying your license. If there is no connectivity to FDN, then your FortiSOAR UI access will be blocked after some hours. If any error occurs while deploying your license, see the Troubleshooting licensing issues section for some tips on how to resolve the issue.

FortiSOAR enforces licensing and restricts the usage of FortiSOAR by specifying the following:

  • The maximum number of active users in FortiSOAR at any point in time.
  • The type and edition of the license.
  • The expiration date of the license.

For a fresh install of FortiSOAR, see FortiSOAR licensing process. To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.

FortiSOAR licensing process

  1. You must have an account in FortiCare.
  2. Contact FortiSOAR Support to obtain FortiSOAR product SKU. You will require to provide the following information to be able to get the license for FortiSOAR™:
    • The license type that you want for FortiSOAR. For information on the different license types, see License Manager Page.
    • The license edition that you want for FortiSOAR. For information on the different license editions, see License Manager Page.
    • The number of licensed users required for FortiSOAR.
      Once you complete purchasing FortiSOAR, you will be sent a service contract registration code to your registered email address.
      If a customer wants additional users, then the customer has to also register the contract for additional users. A separate registration code will be sent for the contract of additional users.
      Note: If you have opted for a "Perpetual" or "Evaluation" license, you should download the license file only after the additional user contract, if any, is registered.
  3. Login to your FortiCare account and click Asset > Register/Activate to register your FortiSOAR product. You can register your FortiSOAR product using the instructions provided in the FortiCare registration wizard.
    You will require to copy-paste the service contract registration code from your email to register FortiSOAR.
    Once you have verified the registration, click Complete to complete the registration.
  4. Once you click Complete you are taken to the Product Information page. To generate the license file, click Edit on the Product Information page.
    On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
    Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a difference device UUID, as well in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
    To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
    The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.

If you are an existing customer, then your entitlements would have already been imported into FortiCare and you would have received an email with respect to your FortiCare account. Also, your FortiSOAR product would already have been registered. However, you do require to update your Device UUID.

To update your Device UUID, do the following:

  1. Login to your FortiCare account and click Asset > Manage/View Products > Basic View.
  2. Click the row that contains the FortiSOAR (FSR) product to view the Product Information page.
  3. On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
    Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a difference device UUID, as well in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
    To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
    The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.

FortiSOAR licensing using FortiManager

A closed or air-gapped environment is an environment where FortiSOAR does not have access to the internet and therefore cannot access the FDN servers. In such cases, FortiManager (FMG) can be used as an intermediary so that FMG provides license validation and FDN updates to FortiSOAR with limited or no internet connectivity. You can configure FMG for the following environments:

  • Complete air-gapped environment where FMG also does not have connectivity to FortiGuard Distribution Servers (FDS) and manual synchronization is required for customer entitlements.
  • FMG has network connectivity to FDS servers and can automatically synchronize customer entitlements.
    For more details on FMG and troubleshooting information, see the FortiManager documentation.
Note

Support to use FortiManager (FMG) as an intermediary in case of a closed or air-gapped environment for FortiSOAR licensing has been validated on 'FortiSOAR Version 6.4.4 - Build 3164' and 'FMG Version 6.4.4 GA-Build 2253'.

In case of an air-gapped environment, do the following:

  1. You must have an account in FortiManager (FMG).
  2. Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
  3. Log onto FMG and navigate to FortiGuard.
  4. On the left-menu, click Settings, and apply the following settings:
    1. "Toggle OFF" the Enable Communication with FortiGuard Server setting.
      FortiGuard Server and Sevice Settings Page
    2. Click Upload beside Service License and upload your entitlement file, and then click OK.
      FortiGuard Settings - Uploading service license
    3. Click Apply to apply the above settings.
  5. Ensure that FMG is reachable or resolvable from your FortiSOAR instance.
  6. Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
  7. Restart the cyops-auth service.
  8. Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.

You might choose to deploy the license using FMG even if you are not in an air-gapped environment. In such cases do the following:

  1. You must have an account in FortiManager (FMG).
  2. Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
  3. Log onto FMG and navigate to FortiGuard.
  4. On the left-menu, click Settings, and apply the following settings:
    1. "Toggle ON" the Enable Communication with FortiGuard Server setting.
    2. For the Communication with FortiGuard Server settings, select Global Servers.
    3. For the Server Override Mode settings, select Loose (Allow Access Other Servers).
    4. Expand "FortiGuard AntiVirus and IPS Setting", and "Turn ON" the Schedule Regular Updates setting.
      Once you turn on the Schedule Regular Updates settings, you need to define the frequency at which you want to get the updates:
      FortiGuard Settings for using FMG for FortiSOAR™ licensing
    5. Click Apply to apply the above settings.
  5. Ensure that FMG is reachable or resolvable from your FortiSOAR instance and ensure that FMG has access to the Internet.
  6. Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
  7. Restart the cyops-auth service.
  8. Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.
    Important: In case of a non-closed environment, license deployment from FortiSOAR does not work at the first attempt since FMG is unable to send contracts that are required for license deployment. Therefore, users need to retry deploying the license on the FortiSOAR environment. This happens only when FMG is not a part of the air-gapped environment.

Retrieving the FortiSOAR Device UUID

Your FortiSOAR installation generates a Device UUID for your installation. This key is used to identify each unique FortiSOAR environment.

When you provision a new instance, a configuration wizard runs automatically on the first ssh login by the csadmin user. This wizard automatically generates your Device UUID and saves the Device UUID in the /home/csadmin/device_uuid file from which you can retrieve your device UUID. For more information, see the FortiSOAR Configuration Wizard topic. However, if you require the device UUID in the future, you can use the FortiSOAR Admin CLI (csadm) or from the see License Manager Page.

You can retrieve the FortiSOAR Device UUID using csadm. A root user can directly run the csadm license --get-device-uuid command to print the Device UUID on the CLI. For more information on the FortiSOAR Admin CLI, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

Deploying the FortiSOAR license

Caution

Before you start deploying your FortiSOAR license, you must ensure that you can connect to https://globalupdate.fortinet.net, else the license deployment will fail. Connectivity to this address is required for fetching the license entitlements and product functioning post-upgrade.

Deploying the FortiSOAR license using the FortiSOAR UI

From version 7.0.0 onwards, you can deploy your FortiSOAR license from the FortiSOAR UI itself, without the need to SSH to your FortiSOAR machine. This is extremely useful if the administrator does not have SSH access to the FortiSOAR machine.

To deploy the initial FortiSOAR license or to upload a new license, if your FortiSOAR license has expired, using the FortiSOAR UI, do the following:

  1. In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen:
    Upload FortiSOAR license Screen

  2. Click Upload License to display the "Upload License" dialog:
    Upload FortiSOAR license dialog

  3. Drag and drop your FortiSOAR License file, or click the Upload icon and browse to the license file and import your FortiSOAR license.
    If the license file is invalid, FortiSOAR displays an error message and the license is not installed.
    If the license file is valid, FortiSOAR displays the license details:
    FortiSOAR license details

  4. Click Install License File to install your FortiSOAR license.
    Once the license is successfully installed, FortiSOAR displays a License imported successfully message and the EULA is displayed. Once you accept the EULA, you can log on to the FortiSOAR UI and begin configuring the system.

Deploying the FortiSOAR license using the FortiSOAR Admin CLI

Note

Ensure that you have copied the FortiSOAR license file, using SCP or other methods, to your FortiSOAR VM. Do not copy the contents of the license file and paste it into a new file; this will cause license validation to fail.

You can deploy the FortiSOAR license using the FortiSOAR Admin CLI. A root user can directly run the csadm license --deploy-enterprise-license <License File Path> command. For example, csadm license --deploy-enterprise-license temp/<Serial_No>.lic.

If your license is enabled for multitenancy, then run the csadm license --deploy-multi-tenant-license <License File Path> command. For more information on csadm, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

The license path that you provide can either be relative to the current working directory or can be an absolute path. Once you have entered the license path, the csadm checks the license file for validity and whether you have selected the appropriate license type (enabled or not enabled for multi-tenancy).

When you deploy a license on FortiSOAR the license entitlements are fetched from FDN.

Note: If you deploy a license that does not match the system UUID, you will get a warning on the CLI while deploying the license. If you deploy the same license in more than one environment, the license is detected as a duplicate and you must correct the license; otherwise your FortiSOAR UI will be blocked in 2 hours.

The FortiSOAR Admin CLI displays a Success message, if your license file is deployed successfully, or an Error message that contains the reason for the failure.

Once your system is licensed, you can log on to the FortiSOAR UI and begin configuring the system.

Activating the FortiCare Trial license for FortiSOAR

From version 7.0.0 onwards, you get a free trial license for an unlimited time for FortiSOAR per FortiCare account, i.e., if you have a FortiCare account, you can get FortiSOAR for free and for an unlimited time, but in a limited context. This license is an "Enterprise" type license and is restricted to 3 users using FortiSOAR for a maximum of 200 actions a day.

Note

Important steps such as "Create Records", "Update Records", "Find Records", "Connection Actions", etc., are counted towards the maximum action count limit of 200. However, steps used for data manipulation such as "Wait", "Approval", "Loops", "Reference a Playbook", etc. are not counted towards the action count restriction.

To activate the FortiCare trial license for FortiSOAR, do the following:

  1. In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen:
    Upload FortiSOAR license Screen
  2. Click Activate Trial License.
  3. In the Activate FortiSOAR Free Trial dialog, enter your FortiCare username (email address) and password and click Activate Trial License.
    Activating Trial License Dialog
    If the email address and password provided are correct, then your FortiCare trial license for FortiSOAR is activated.

You can always update this trial license into a full-fledged production license at any time, by purchasing a FortiSOAR license and then updating it using either the FortiSOAR CLI or UI.

License Manager Page

Click Settings > License Manager to open the License Manager page as shown in the following image:

License Manager Page

The License Manager page displays the serial number, type and edition of the license issued, the total number of users FortiSOAR is licensed for, the date when the FortiSOAR license will expire, the number of days till the expiry of the FortiSOAR license, and your Device UUID. You can click the Copy Device UUID button to copy your Device UUID.

Serial Number: The serial number is a unique ID that is created by the FortiCare portal when you register your FortiSOAR product.

The FortiSOAR license can be of the following types:

  • Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR.
  • Perpetual (Trial): This type of license provides you with a free trial license for an unlimited time for FortiSOAR, but in a limited context, i.e., with restrictions on the number of users and actions that can be performed in FortiSOAR in a day. By default, this license is an "Enterprise" type license and is restricted to 3 users using FortiSOAR for a maximum of 200 actions a day.
    License Manager with Trial License details
    For more information on the trial license, see the Activating the FortiCare Trial license for FortiSOAR topic.
  • Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a particular number of users and a specific timeframe.
    You can renew your subscription and change the number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve the latest subscription.
  • Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a predefined user count and expiry date.

The FortiSOAR license can have the following editions:

  • Enterprise: This edition enables a regular "enterprise" production license.
  • MT: This edition enables multi-tenancy; both shared and distributed multi-tenancy are supported. The instance where this license is deployed would serve as a "master" node in a distributed deployment. For more information on what multi-tenancy is and what master nodes are, see the "Multi-tenancy support in FortiSOAR Guide."
  • MT_Tenant: This edition enables the node as a tenant in a multi-tenant deployment. This is the license to be deployed for a "customer" node of a Managed Security Services Provider (MSSP). The node can then be configured as a "tenant" to the MSSP server for syncing data and actions to and from the MSSP "master" server. The "MT_Tenant" license has only one user.
  • MT_RegionalSOC: This edition enables the node as a "Regional SOC" deployment at an organization having a distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time, it can be configured as "tenants" to the global SOC where the "MT" license is deployed and sync data and actions from the Global SOC FortiSOAR server.

Total Users displays the number of active users that can use FortiSOAR. You cannot create more active users, in your FortiSOAR environment, than the value specified in this field. For example, if the Total Users field is set to 50, you cannot create a 51st active user in FortiSOAR.

Expiry Date displays the date at which your FortiSOAR license will expire and Remaining Days displays the number of days left for your license to expire.

FortiSOAR version 6.4.4 and later does not mandate 'Additional Users' entitlement to be the same across all cluster nodes. User count entitlement will now always be validated from the primary node. The secondary nodes can have the basic two-user entitlement.

In case your FortiSOAR instance is part of a High Availability (HA) cluster, then the License Manager page also displays information about the nodes in the cluster, if you have added secondary node(s) as shown in the following image:

License Manager Page when your FortiSOAR instance is part of a High Availability cluster

As shown in the above image, the primary node is Node 2 and that node is licensed with 7 users, therefore the total user count displays as 7 users. For more information on licensing of nodes in an HA cluster, see the High Availability support in FortiSOAR chapter in the "Administration Guide."

You can update the license for each node by clicking Update License and uploading the license for that node as described in the following section.

Note

If you update a license that does not match the system UUID, you will get a warning on the UI while updating the license. If you update the same license in more than one environment, the license is detected as a duplicate and you must correct the license; otherwise your FortiSOAR UI will be blocked in 2 hours.

Updating your license using the FortiSOAR UI

You can update your license using your FortiSOAR UI. Click Settings > License Manager to open the License Manager page.

License Manager

You can use the License Manager page to view your license details and to update your license. FortiSOAR displays a message about the expiration of your license 15 days prior to the date your license is going to expire. If your license type is Evaluation or Perpetual, then you must update your license within 15 days if you want to keep using FortiSOAR. To update your license, click Update License and either drag-and-drop your updated license or click and browse to the location where your license file is located, then select the file and click Open. If your license type is Subscription, you must renew your subscription.

Troubleshooting licensing issues

FortiSOAR displays meaningful messages and troubleshooting tips during the license deployment process, and also validates your FortiSOAR license, making it easier for you to debug licensing issues, as shown in the following image:

Errors displayed while deploying your FortiSOAR license

Also, note that if your connection to FDN is via a proxy, you must update the proxy settings.

If any error occurs while deploying your license, following are some troubleshooting steps:

  • If the license type is "Subscription", then the number of users and expiry date are not present inside the license. They must be synced from FDN after the installation. The "License has expired" issue after installation occurs for one of the following two reasons:
    • Sync with FDN failed
    • Sync was successful but we got wrong contract information.
      To verify the above-mentioned cases run the following command: java -jar /opt/cyops-auth/bin/fdnclient.jar <serial_no> https://globalupdate.fortinet.net
  • If the license type is "Evaluation" or "Perpetual", then the number of users and expiry date are present inside the license. If a license deployment failure occurs for these types of licenses, then check the license information using the csadm license --show-details <lic_file> command.
  • If the system is still not reachable after you deploy the license, restart the cyops-auth service and then monitor the fdn.log and das.log files. If you continue to face issues, contact FortiSOAR support.

Troubleshooting issues while deploying the FortiSOAR license in a proxy environment

You might get the following error, when you are deploying your FortiSOAR license in a proxy environment:

"FSR-Auth-003: License Entitlement Sync Failed. Ensure that https://globalupdate.fort is accessible from your environment. If the issue still persists, contact support."

This issue might occur because some proxies perform SSL decryption: they intercept the HTTPS connection, replace the peer certificate, and change the issuer of the certificate to themselves. This can cause the license deployment or synchronization to fail because the new issuer is not trusted.

To identify this issue, check the PKIX path building failed error message in the fdn.log file:
# /var/log/cyops/cyops-auth/fdn.log file
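
One way to triage this on the FortiSOAR host, as an added example rather than Fortinet tooling: it counts the PKIX errors in fdn.log and prints the issuer of the certificate actually served for globalupdate.fortinet.net, so you can see whether the proxy re-signed it. The function names, the `--live` switch and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fortinet code): triage for FSR-Auth-003 behind an SSL-decrypting proxy.
FDN_HOST="globalupdate.fortinet.net"          # FDN endpoint named on this page
FDN_LOG="/var/log/cyops/cyops-auth/fdn.log"   # log path named on this page

# Print how many lines of an fdn.log-style file report the Java trust failure.
pkix_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'PKIX path building failed' "$1" || true
}

# Print subject and issuer of the certificate this host is actually served.
# $1 = optional proxy as host:port (the -proxy option needs OpenSSL 1.1.0 or later).
presented_cert() {
    if [ -n "${1:-}" ]; then
        openssl s_client -connect "$FDN_HOST:443" -servername "$FDN_HOST" \
            -proxy "$1" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$FDN_HOST:443" -servername "$FDN_HOST" \
            </dev/null 2>/dev/null
    fi | openssl x509 -noout -subject -issuer
}

# Summarise a log; the verdict is a hint for the operator, not proof of interception.
triage() {
    n=$(pkix_failures "$1")
    if [ "$n" -gt 0 ]; then
        echo "pkix-failures=$n: compare the issuer from presented_cert with your proxy CA"
    else
        echo "pkix-failures=0: no certificate-trust error recorded in this log"
    fi
}

# Constructed sample log (line layout is an assumption; the exception text is Java's).
sample_log() {
    cat <<'EOF'
2024-01-01 10:00:00 INFO  Starting entitlement sync
2024-01-01 10:00:01 ERROR sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2024-01-01 10:05:01 ERROR javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: unable to find valid certification path to requested target
EOF
}

# Live use on a FortiSOAR host: sh triage.sh --live [proxy_host:port]
if [ "${1:-}" = "--live" ]; then
    triage "$FDN_LOG"
    presented_cert "${2:-}"
fi
```

If the issuer printed by presented_cert names your proxy's CA rather than a public or Fortinet CA, the connection is being decrypted and one of the two resolutions below applies.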

Resolution

You can use the following two solutions to solve this issue.

Method 1: Do not use SSL decryption for globalupdate.fortinet.net.

Method 2: Import the proxy issuer certificate into truststore using the following command:
keytool -import -alias proxy_issuer_cert -keystore /opt/cyops-auth/certs/fdn_server_truststore.p12 -file <cert_file> -storepass MXakK2bj6vAteC47 -noprompt