Deployment Guide

Licensing FortiSOAR

From version 6.4.0 onwards, FortiSOAR integrates with FortiGuard Distribution Network (FDN) to retrieve updated contract details.

Caution

You must be connected to FDN while you are deploying your license. If there is no connectivity to FDN, then your FortiSOAR UI access will be blocked after some hours. If any error occurs while deploying your license, see the Troubleshooting licensing issues section for some tips on how to resolve the issue.

FortiSOAR enforces licensing and restricts the usage of FortiSOAR by specifying the following:

  • The maximum number of active users in FortiSOAR at any point in time.
  • The type and edition of the license.
  • The expiration date of the license.

For a fresh install of FortiSOAR, see FortiSOAR licensing process. To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.

FortiSOAR licensing process

  1. You must have an account in FortiCare.
  2. Contact FortiSOAR Support to obtain the FortiSOAR product SKU. You will need to provide the following information to get the license for FortiSOAR™:
    • The license type that you want for FortiSOAR. For information on the different license types, see License Manager Page.
    • The license edition that you want for FortiSOAR. For information on the different license editions, see License Manager Page.
    • The number of licensed users required for FortiSOAR.
      Once you complete purchasing FortiSOAR, you will be sent a service contract registration code to your registered email address.
      If a customer wants additional users, then the customer has to also register the contract for additional users. A separate registration code will be sent for the contract of additional users.
      Note: If you have opted for a "Perpetual" or "Evaluation" license, you should download the license file only after the additional user contract, if any, is registered.
  3. Login to your FortiCare account and click Asset > Register/Activate to register your FortiSOAR product. You can register your FortiSOAR product using the instructions provided in the FortiCare registration wizard.
    You will need to copy and paste the service contract registration code from your email to register FortiSOAR.
    Once you have verified the registration, click Complete to complete the registration.
  4. Once you click Complete you are taken to the Product Information page. To generate the license file, click Edit on the Product Information page.
    On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
    Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a different device UUID, as well as in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
    To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
    The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.

If you are an existing customer, then your entitlements would have already been imported into FortiCare and you would have received an email with respect to your FortiCare account. Also, your FortiSOAR product would already have been registered. However, you do need to update your Device UUID.

To update your Device UUID, do the following:

  1. Login to your FortiCare account and click Asset > Manage/View Products > Basic View.
  2. Click the row that contains the FortiSOAR (FSR) product to view the Product Information page.
  3. On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
    Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a different device UUID, as well as in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
    To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
    The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.

FortiSOAR licensing using FortiManager

A closed or air-gapped environment is an environment where FortiSOAR does not have access to the internet and therefore cannot access the FDN servers. In such cases, FortiManager (FMG) can be used as an intermediary so that FMG provides license validation and FDN updates to FortiSOAR with limited or no internet connectivity. You can configure FMG for the following environments:

  • Complete air-gapped environment where FMG also does not have connectivity to FortiGuard Distribution Servers (FDS) and manual synchronization is required for customer entitlements.
  • FMG has network connectivity to FDS servers and can automatically synchronize customer entitlements.
    For more details on FMG and troubleshooting information, see the FortiManager documentation.

Process to deploy the FortiSOAR license when you are in a complete air-gapped environment

  1. You must have an account in FortiManager (FMG).
  2. Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
  3. Log onto FMG and navigate to FortiGuard.
  4. Select the FortiGate Updates checkbox for the NIC that is active on FMG, as shown in the following image:
    Edit Network Interface screen - Fortigate updates checkbox on FMG
  5. On the left-menu, click Settings, and apply the following settings:
    1. "Toggle OFF" the Enable Communication with FortiGuard Server setting.
      FortiGuard Server and Service Settings Page
    2. Click Upload beside Service License and upload your entitlement file, and then click OK.
      FortiGuard Settings - Uploading service license
    3. Click Apply to apply the above settings.
  6. Ensure that FMG is reachable or resolvable from your FortiSOAR instance.
  7. Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
  8. Restart the cyops-auth service.
  9. Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.

Process to deploy the FortiSOAR license when you are not in a complete air-gapped environment

You might choose to deploy the license using FMG even if you are not in an air-gapped environment. In such cases do the following:

  1. You must have an account in FortiManager (FMG).
  2. Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
  3. Log onto FMG and navigate to FortiGuard.
  4. On the left-menu, click Settings, and apply the following settings:
    1. "Toggle ON" the Enable Communication with FortiGuard Server setting.
    2. For the Communication with FortiGuard Server settings, select Global Servers.
    3. For the Server Override Mode settings, select Loose (Allow Access Other Servers).
    4. Expand "FortiGuard AntiVirus and IPS Setting", and "Turn ON" the Schedule Regular Updates setting.
      Once you turn on the Schedule Regular Updates settings, you need to define the frequency at which you want to get the updates:
      FortiGuard Settings for using FMG for FortiSOAR™ licensing
    5. Click Apply to apply the above settings.
  5. Ensure that FMG is reachable or resolvable from your FortiSOAR instance and ensure that FMG has access to the Internet.
  6. Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
  7. Restart the cyops-auth service.
  8. Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.
    Important: In case of a non-closed environment, license deployment from FortiSOAR does not work at the first attempt since FMG is unable to send contracts that are required for license deployment. Therefore, users need to retry deploying the license on the FortiSOAR environment. This happens only when FMG is not a part of the air-gapped environment.
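
The das.ini change in both FMG procedures above can be applied idempotently, so that re-running it never duplicates the [FDN] entry. This is an added example, not Fortinet code: the function name set_fdn_host and the host fmg.example.internal are hypothetical, and it assumes das.ini uses ordinary "[section]" headers and "key = value" lines.

```shell
#!/bin/sh
# Added example, not Fortinet code. Assumption: das.ini is a plain INI file
# with "[section]" headers and "key = value" lines.

# set_fdn_host INI_FILE FMG_HOSTNAME
# Writes "host = https://<FMG_HOSTNAME>:8890" into the [FDN] section, creating
# the section if needed. Prints "updated" or "unchanged".
set_fdn_host() {
    ini="$1"
    fmg="$2"
    # Accept only a bare hostname or IPv4 address; the scheme (https) and the
    # port (8890) are fixed by the guide, so nothing else belongs in the value.
    case "$fmg" in
        ''|-*|.*|*[!A-Za-z0-9.-]*)
            echo "rejecting FMG hostname: '$fmg'" >&2
            return 2 ;;
    esac
    [ -f "$ini" ] || { echo "not found: $ini" >&2; return 1; }

    url="https://${fmg}:8890"
    tmp="$(mktemp)" || return 1
    awk -v url="$url" '
        # Emit the host line if we are leaving [FDN] without having seen one.
        function flush_host() {
            if (in_fdn && !done) { print "host = " url; done = 1 }
        }
        /^[ \t]*\[.*\][ \t]*$/ {
            flush_host()
            in_fdn = ($0 ~ /^[ \t]*\[FDN\][ \t]*$/)
            if (in_fdn) seen = 1
            print; next
        }
        # Replace an existing host entry inside [FDN]; drop any duplicates.
        in_fdn && /^[ \t]*host[ \t]*=/ {
            if (!done) { print "host = " url; done = 1 }
            next
        }
        { print }
        END {
            flush_host()
            if (!seen) { print "[FDN]"; print "host = " url }
        }
    ' "$ini" > "$tmp" || { rm -f "$tmp"; return 1; }

    if cmp -s "$ini" "$tmp"; then
        rm -f "$tmp"
        echo "unchanged"
        return 0
    fi
    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$ini" "$ini.bak" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$ini"
    rm -f "$tmp"
    echo "updated"
}

# Demo on a constructed file (not the real /opt/cyops-auth/utilities/das.ini).
demo="$(mktemp)"
printf '[DEFAULT]\nloglevel = INFO\n' > "$demo"
set_fdn_host "$demo" fmg.example.internal
cat "$demo"
rm -f "$demo" "$demo.bak"
# On a real system, run it as root against das.ini and then restart the
# cyops-auth service, as the steps above require.
```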

Retrieving the FortiSOAR Device UUID

Your FortiSOAR installation generates a Device UUID for your installation. This key is used to identify each unique FortiSOAR environment.

When you provision a new instance, a configuration wizard runs automatically on the first SSH login by the csadmin user. This wizard automatically generates your Device UUID and saves it in the /home/csadmin/device_uuid file, from which you can retrieve your Device UUID. For more information, see the FortiSOAR Configuration Wizard topic. If you require the Device UUID in the future, you can retrieve it using the FortiSOAR Admin CLI (csadm) or from the License Manager page; see License Manager Page.

You can retrieve the FortiSOAR Device UUID using csadm. A root user can directly run the csadm license --get-device-uuid command to print the Device UUID on the CLI. For more information on the FortiSOAR Admin CLI, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

Deploying the FortiSOAR license

Caution

Before you start deploying your FortiSOAR license, you must ensure that you can connect to https://globalupdate.fortinet.net, else the license deployment will fail. Connectivity to this address is required for fetching the license entitlements and product functioning post-upgrade.

Deploying the FortiSOAR license using the FortiSOAR UI

From version 7.0.0 onwards, you can deploy your FortiSOAR license from the FortiSOAR UI itself, without the need to SSH to your FortiSOAR machine. This is extremely useful if the administrator does not have SSH access to the FortiSOAR machine.

To deploy the initial FortiSOAR license or to upload a new license, if your FortiSOAR license has expired, you can use the FortiSOAR login screen and do the following:

  1. In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen in the case of a fresh installation, i.e., when you are deploying an initial FortiSOAR license:
    Upload FortiSOAR license Screen
    Note: In case your FortiSOAR license has expired, then you will see only the Upload License button and not the Activate Trial License button.
    From version 7.0.2 onwards, if FortiSOAR detects that a duplicate license has been deployed on the current node, i.e., the same license has already been deployed on another active FortiSOAR node, then you can click Upload License on the following screen to upload a new license on one of the two nodes:
    Upload FortiSOAR license Screen in case of duplicate license detection in an Enterprise system
    If FortiSOAR detects that a duplicate license has been deployed in an HA cluster, i.e., the same license has already been deployed on another active FortiSOAR node in the HA cluster, then you can click Upload License in the row of any of the nodes in the HA cluster as shown in the following screen to upload a new license on one of the two nodes:
    Upload FortiSOAR license Screen in case of duplicate license detection in an HA environment
    From version 7.0.2 onwards, FortiSOAR detects a 'Device UUID change', which is generally due to restoring a snapshot of a FortiSOAR instance or cloning a FortiSOAR instance. If a snapshot was restored on the instance, you can continue to log in by clicking Continue to Login. In the case of a cloned instance, click Upload License to upload a new valid license:
    Upload FortiSOAR license Screen in case of device UUID change detection
    If FortiSOAR detects a 'Device UUID change' for node(s) that are part of an HA cluster, it lists the nodes on which the device UUID change is detected. In the case of a hardware change, and if you want to continue using the old license, you can run the csadm license --refresh-device-uuid command on the specific node of the HA cluster, and then continue to log in to the system. In the case of a new virtual machine, you can run the csadm license --deploy-enterprise-license command (for enterprise systems) or the csadm license --deploy-multi-tenant-license command (for MSSP systems) to deploy the new valid license for the specific node of the HA cluster:
    Upload FortiSOAR license Screen in case of device UUID change detection for HA systems
  2. Click Upload License to display the following "Upload License" dialog, if you are deploying the license for the first time:
    Upload FortiSOAR license dialog
    If you are deploying a new license after the expiration of your FortiSOAR license, in the case of duplicate license detection, or in the case of deploying a new license for a new virtual machine, you also need to provide valid credentials of a FortiSOAR administrator having 'Security Update' permissions before you can install the license:
    Upload license dialog requiring admin credentials
  3. Drag and drop your FortiSOAR License file, or click the Upload icon and browse to the license file and import your FortiSOAR license.
    If the license file is invalid, FortiSOAR displays an error message and the license is not installed.
    If the license file is valid, FortiSOAR displays the license details:
    FortiSOAR license details
  4. Click Install License File to install your FortiSOAR license.
    Once the license is successfully installed, FortiSOAR displays a License imported successfully message and the EULA is displayed. Once you accept the EULA, you can log on to the FortiSOAR UI and begin configuring the system.

Deploying the FortiSOAR license using the FortiSOAR Admin CLI

Note

Ensure that you have copied the FortiSOAR license file, using SCP or other methods, to your FortiSOAR VM. Do not copy the contents of the license file and paste it into a new file; this will cause license validation to fail.

You can deploy the FortiSOAR license using the FortiSOAR Admin CLI. A root user can directly run the csadm license --deploy-enterprise-license <License File Path> command. For example, csadm license --deploy-enterprise-license temp/<Serial_No>.lic.

If your license is enabled for multitenancy, then run the csadm license --deploy-multi-tenant-license <License File Path> command. For more information on csadm, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

The license path that you provide can either be relative to the current working directory or can be an absolute path. Once you have entered the license path, the csadm checks the license file for validity and whether you have selected the appropriate license type (enabled or not enabled for multi-tenancy).

When you deploy a license on FortiSOAR the license entitlements are fetched from FDN.

Note: If you deploy a license that does not match the system UUID, you will get a warning on the CLI while deploying the license. If you deploy the same license in more than one environment, the license is detected as a duplicate and you must correct the license; otherwise your FortiSOAR UI will be blocked in 2 hours.

The FortiSOAR Admin CLI displays a Success message, if your license file is deployed successfully, or an Error message that contains the reason for the failure.

Once your system is licensed, you can log on to the FortiSOAR UI and begin configuring the system.

Activating the FortiCare Trial license for FortiSOAR

From version 7.0.0 onwards, you get a free trial license for an unlimited time for FortiSOAR per FortiCare account, i.e., if you have a FortiCare account, you can get FortiSOAR for free and for an unlimited time, but in a limited context. This license is an "Enterprise" type license and is restricted to 3 users using FortiSOAR for a maximum of 200 actions a day.

Note

Important steps such as "Create Records", "Update Records", "Find Records", "Connection Actions", etc., are counted towards the maximum action count limit of 200. However, steps used for data manipulation such as "Wait", "Approval", "Loops", "Reference a Playbook", etc. are not counted towards the action count restriction.

To activate the FortiCare trial license for FortiSOAR, do the following:

  1. In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen:
    Upload FortiSOAR license Screen
  2. Click Activate Trial License.
  3. In the Activate FortiSOAR Free Trial dialog, enter your FortiCare username (email address) and password and click Activate Trial License.
    Activating Trial License Dialog
    If the email address and password provided are correct, then your FortiCare trial license for FortiSOAR is activated.

You can always update this trial license into a full-fledged production license at any time, by purchasing a FortiSOAR license and then updating it using either the FortiSOAR CLI or UI.

License Manager Page

In release 7.0.1, FortiSOAR introduced the concept of 'Concurrent User Seats', thereby supporting both 'Named' and 'Concurrent' users. Concurrent user seats enable a fixed number of user seats to be shared among an unlimited number of users, restricted only by the number of users simultaneously accessing FortiSOAR. This is particularly useful for a shift-oriented SOC environment where, for example, a 30-member team only has 10 members working in a given shift; in this scenario, administrators can create 10 concurrent users and re-use the seats across all shifts effectively. For more information, see the User Seat Support in FortiSOAR section.

Click Settings > License Manager to open the License Manager page as shown in the following image:

License Manager Page

The License Manager page displays the serial number, type and edition of the license issued, the total number of users FortiSOAR is licensed for, the number of users created on the system per access type, the number of users who are currently logged into FortiSOAR, the date when the FortiSOAR license will expire, the number of days till the expiry of the FortiSOAR license, and your Device UUID. You can click the Copy Device UUID button to copy your Device UUID.

If your license is about to expire, you can update your license by clicking Update License and either dragging and dropping your updated license, or clicking and browsing to the location where your license file is located, then selecting the file and clicking Open. If the user count is reduced in the updated license and more users are logged in than the new count allows, the logged-in users are logged out one by one at the time of session refresh until the count is equal to or less than the new count. Similarly, if the 'Named' user count in the system is more than the new user count in the license, then no named user apart from the 'Super Admin' user will be able to log into the system. For more information about named users, see the User Seat Support in FortiSOAR section. For more information about a 'Super Admin' user, see the Security Management chapter in the "Administration Guide."

Serial Number: The serial number is a unique ID that is created by the FortiCare portal when you register your FortiSOAR product.

The FortiSOAR license can be of the following types:

  • Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR.
  • Perpetual (Trial): This type of license provides you with a free trial license for an unlimited time for FortiSOAR, but in a limited context, i.e., with restrictions on the number of users and actions that can be performed in FortiSOAR in a day. By default, this license is an "Enterprise" type license and is restricted to 3 users using FortiSOAR for a maximum of 200 actions a day.
    License Manager with Trial License details
    For more information on the trial license, see the Activating the FortiCare Trial license for FortiSOAR topic.
  • Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a particular number of users and a specific timeframe.
    You can renew your subscription and change the number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve the latest subscription.
  • Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a predefined user count and expiry date.

The FortiSOAR license can have the following editions:

  • Enterprise: This edition enables a regular "enterprise" production license.
  • MT: This edition enables multi-tenancy; both shared and distributed multi-tenancy are supported. The instance where this license is deployed would serve as a "master" node in a distributed deployment. For more information on what multi-tenancy is and what master nodes are, see the "Multi-tenancy support in FortiSOAR Guide."
  • MT_Tenant: This edition enables the node as a tenant in a multi-tenant deployment. This is the license to be deployed for a "customer" node of a Managed Security Services Provider (MSSP). The node can then be configured as a "tenant" to the MSSP server for syncing data and actions to and from the MSSP "master" server. The "MT_Tenant" license has only one user.
  • MT_RegionalSOC: This edition enables the node as a "Regional SOC" deployment at an organization having a distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time, it can be configured as "tenants" to the global SOC where the "MT" license is deployed and sync data and actions from the Global SOC FortiSOAR server.

Threat Intel Management Service Subscription displays if unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features are enabled or disabled. For more information, see the Licensing option to enable unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features topic.

Allowed User Seats displays the number of user seats that you have purchased for FortiSOAR. You cannot create more named active users in your FortiSOAR environment than the value specified in this field. For example, if the Allowed User Seats field is set to five, then you can create a maximum of five named users, and an unlimited number of concurrent users; however, if all five named users are active, then no concurrent user will be able to log into FortiSOAR. Also, note that if a user is logging in from multiple places, then it is counted as a single user. For more information, see the User Seat Support in FortiSOAR section.

User Seats Consumed displays the number of active users, named and concurrent, who have consumed the FortiSOAR user seats. To view the number of users, named and concurrent, who are currently logged into FortiSOAR, you can hover over the tooltip.

Expiry Date displays the date at which your FortiSOAR license will expire and Remaining Days displays the number of days left for your license to expire.

FortiSOAR does not mandate 'Additional Users' entitlement to be the same across all cluster nodes. User count entitlement is validated from the primary node. The secondary nodes can have the basic two-user entitlement. The HA cluster shares the user count details from primary node of the cluster. Hence, all 'Concurrent Users' count restrictions apply as per the primary node. If a node leaves the cluster, the restriction will apply as per its own original license.

Note

In the case of an HA environment, you only need to buy one Threat Intelligence Management (TIM) subscription that can be used across your HA cluster. The primary node subscription gets cascaded to the secondary nodes.

In case your FortiSOAR instance is part of a High Availability (HA) cluster, then the License Manager page also displays information about the nodes in the cluster, if you have added secondary node(s) as shown in the following image:

License Manager Page when your FortiSOAR instance is part of a High Availability cluster

As shown in the above image, the primary node is Node 2 and that node is licensed with 7 users, therefore the Allowed User Seats count displays as 7 users. For more information on licensing of nodes in an HA cluster, see the High Availability support in FortiSOAR chapter in the "Administration Guide."

You can update the license for each node by clicking Update License and uploading the license for that node as described in the following section.

Note

If you update a license that does not match the system UUID, you will get a warning on the UI while updating the license. If you update the same license in more than one environment, the license is detected as a duplicate and you must correct the license; otherwise your FortiSOAR UI will be blocked in 2 hours.

User Seat Support in FortiSOAR

FortiSOAR supports 'Named' and 'Concurrent' users for licensing. User access details are used to calculate the number of concurrent users that can simultaneously log onto FortiSOAR.

Named Users

'Named' users are users for whom a seat is permanently reserved, i.e., such a user can always log onto FortiSOAR except in case of a license violation.

Concurrent Users

The ability to designate a user seat as a 'concurrent user seat' allows system administrators to create a floating seat that can be shared by unlimited users (only limited by the user seat limit). A 'Named' user has a FortiSOAR seat permanently reserved, i.e., such a user can always log onto FortiSOAR except in case of a license violation. However, a concurrent user can log in only when there is a concurrent seat available. Note that if a user is logging in from multiple places, it is counted as a single user.

For example, if you have purchased a five-user license, then a maximum of 5 named active users can be present in the system at a given time. However, there is no limit to concurrent user creation, i.e., you can create as many concurrent users as you want. Therefore, if out of five user seats that you have purchased, you have created two Named users, then those users can log into FortiSOAR at any time, and the other three seats are reserved for Concurrent users, who can log into FortiSOAR when concurrent seats are available. However, if you create five Named users, then only those users will be able to log into FortiSOAR and Concurrent users will not be able to log into the system.

Note

Administrators, i.e., users with Security and People Update access, can selectively change users' access type, i.e., Concurrent users to Named users and vice versa, at any time, or they can bulk change users' access type from Named to Concurrent. For more information, see the Security Management chapter in the "Administration Guide." They also have the privilege to forcefully log out selected 'Concurrent' users. When an administrator logs out a user from any instance, that user is notified before being logged out.

The default access type set for all SSO and MSSP users is 'Concurrent'. You can change the access type for the user later, if needed.

Updating your license using the FortiSOAR UI

You can update your license using your FortiSOAR UI. Click Settings > License Manager to open the License Manager page.

License Manager

You can use the License Manager page to view your license details and to update your license. FortiSOAR displays a message about the expiration of your license 15 days prior to the date your license is going to expire. If your license type is Evaluation or Perpetual, then you must update your license within 15 days if you want to keep using FortiSOAR. To update your license, click Update License and either drag and drop your updated license, or click and browse to the location where your license file is located, then select the file and click Open. If your license type is Subscription, you must renew your subscription.

Licensing option to enable unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features

FortiSOAR supports a licensing option that provides full access to the best-in-class FortiGuard threat intel feeds. This service allows you to use the Threat Intel Management service to its fullest extent, and includes unrestricted consumption of FortiGuard feeds. The feed is an extensive dataset comprising IPs, URLs, domains, and malicious hashes carefully curated by our team of experts. The entire feeds database is labeled with the relevant threat types and the associated Lockheed Martin Kill Chain phases, which gives users contextual information to understand the nature of a threat. In addition to these feeds, the new SKU option also enables the following features in the FortiSOAR Threat Intel Management experience:

  • Provide 'Contextual Sighting' Information: For every indicator that is created, FortiSOAR automatically looks up a match in its feeds database and links these matched indicators automatically to the extracted indicator. The advantage of this is two-fold:
    • Getting good contextual information even when information about these suspicious targets is not yet available with the standard enrichment sources.
    • Providing users with a dashboard displaying the relevance of various intelligence sources based on the number of actual sightings in their environment.
  • No limit on the feed volume that can be ingested per day in the 'Threat Intel Management' module using the FortiSOAR Feeds API.
    If the Threat Intel Management Service Subscription is 'Disabled', then the 'Ingest Feed' step can insert only 1000 records per day in the 'Threat Intel Management' module. Once this limit is exceeded, further feed ingestion playbooks start failing with the: 'Daily Feed Ingestion Limit reached' error till the counter is reset at midnight (UTC).
    An example of how this works: If you have 100 records left from the 1000 records per day limit, and you send 200 records as part of the ingestion feed, only 100 records are saved, and the remaining 100 are ignored.
  • No limit on the number of feeds that can be exported using the FortiSOAR 'TAXII API' for sharing processed threat intelligence to SIEMs, firewalls, etc. If this SKU is not enabled, the TAXII-compatible API provides only 100 records as part of the API response.

For any SKU-related information, contact Fortinet Support.
To know if you have this licensing option enabled, check the Threat Intel Management Service Subscription option on your License Manager page in the FortiSOAR UI. The section shows if the option is Enabled or Disabled. For more information on TIM, see the Threat Intel Management Solution Pack documentation in the FortiSOAR Content Hub.

Troubleshooting licensing issues

FortiSOAR displays meaningful messages and troubleshooting tips during the license deployment process, and validates your FortiSOAR license, making it easier for you to debug licensing issues, as shown in the following image:

Errors displayed while deploying your FortiSOAR license

Also, note that if your connection to FDN is via a proxy, you must update the proxy settings.

If any error occurs while deploying your license, following are some troubleshooting steps:

  • If the license type is "Subscription", then the number of users and expiry date are not present inside the license. They must be synced from FDN after the installation. The "License has expired" issue after installation occurs for one of the following two reasons:
    • Sync with FDN failed
    • Sync was successful, but wrong contract information was received.
      To verify the above-mentioned cases run the following command: java -jar <jar_path> <serial_no> <device_uuid> <globalupdate_url>
      For example, java -jar /opt/cyops-auth/bin/fdnclient.jar <serial_no> <device_uuid> https://globalupdate.fortinet.net
  • If the license type is "Evaluation" or "Perpetual", then the number of users and expiry date are present inside the license. If a license deployment failure occurs for these types of licenses, then check the license information using the csadm license --show-details <lic_file> command.
  • If the system is still not reachable after deploying the license, restart the cyops-auth service and then monitor the fdn.log and das.log files. If you continue to face issues, contact FortiSOAR support.

Troubleshooting issues while deploying the FortiSOAR license in a proxy environment

You might get the following error when you are deploying your FortiSOAR license in a proxy environment:

FSR-Auth-003: License Entitlement Sync Failed. Ensure that https://globalupdate.fort is accessible from your environment. If the issue still persists, contact support.

This issue might occur because some proxies perform SSL decryption: they intercept the HTTPS connection, replace the peer certificate, and change the issuer of the certificate to themselves. License deployment or synchronization can then fail because the new issuer is not trusted.

To identify this issue, check for the PKIX path building failed error message in the /var/log/cyops/cyops-auth/fdn.log file.

Resolution

Use either of the following two methods to resolve this issue.

Method 1: Do not use SSL decryption for globalupdate.fortinet.net.

Method 2: Import the proxy issuer certificate into the truststore using the following command:
keytool -import -alias proxy_issuer_cert -keystore /opt/cyops-auth/certs/fdn_server_truststore.p12 -file <cert_file> -storepass MXakK2bj6vAteC47 -noprompt
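
A triage helper for the proxy case above, as an added example that is not part of Fortinet's documentation or tooling: it classifies the latest failure signature in fdn.log, shows which issuer the host actually receives, and inspects the certificate before and after the keytool import. The log line layout, the DNS and connection signatures, the function names and the STOREPASS variable are assumptions; the paths, host name and alias are the ones from this page.

```shell
#!/bin/sh
# Added example (not Fortinet tooling): triage an FDN sync failure before editing the truststore.
# Paths, host name and alias come from the guide; everything else is assumed for illustration.
FDN_LOG=${FDN_LOG:-/var/log/cyops/cyops-auth/fdn.log}
FDN_HOST=${FDN_HOST:-globalupdate.fortinet.net}
TRUSTSTORE=${TRUSTSTORE:-/opt/cyops-auth/certs/fdn_server_truststore.p12}

# Constructed sample lines; the real fdn.log layout may differ.
sample_log() {
    cat <<'EOF'
2024-01-10 08:00:01 ERROR sync failed: java.net.UnknownHostException: globalupdate.fortinet.net
2024-01-10 09:15:42 ERROR sync failed: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
EOF
}

# classify_fdn_log [FILE]  (reads stdin when FILE is omitted)
# Prints the most recent failure signature found:
#   tls-untrusted-issuer  "PKIX path building failed" (the case described in the guide)
#   dns                   java.net.UnknownHostException (assumed signature)
#   connect               ConnectException / SocketTimeoutException (assumed signatures)
#   none                  nothing recognised
# The last matching line wins, so an old error does not mask the current one.
classify_fdn_log() {
    awk '
        /PKIX path building failed/               { r = "tls-untrusted-issuer" }
        /UnknownHostException/                    { r = "dns" }
        /ConnectException|SocketTimeoutException/ { r = "connect" }
        END { print (r == "" ? "none" : r) }
    ' "$@"
}

# next_step CLASS: map a classification to the action the guide points to.
next_step() {
    case "$1" in
        tls-untrusted-issuer)
            echo "check the presented issuer, then exempt $FDN_HOST from SSL decryption (Method 1) or import the proxy issuer certificate (Method 2)" ;;
        dns|connect)
            echo "fix name resolution, routing or proxy settings before changing any certificates" ;;
        *)
            echo "no known signature in fdn.log; check das.log as well" ;;
    esac
}

# presented_issuer [HOST] [PROXY_HOST:PORT]
# Shows subject, issuer and SHA-256 fingerprint of the certificate this machine
# receives for HOST. An issuer naming your proxy or inspection CA confirms SSL decryption.
presented_issuer() {
    host=${1:-$FDN_HOST}
    proxy=${2:-}
    if [ -n "$proxy" ]; then set -- -proxy "$proxy"; else set --; fi
    openssl s_client "$@" -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -fingerprint -sha256
}

# review_cert FILE: print owner, issuer, validity and fingerprints of the certificate
# you are about to trust, so they can be compared with what the proxy team published.
review_cert() {
    keytool -printcert -file "$1"
}

# verify_import: confirm the alias used by the guide's keytool command is in the truststore.
# STOREPASS must hold the truststore password (assumed variable name).
verify_import() {
    keytool -list -keystore "$TRUSTSTORE" \
        -storepass "${STOREPASS:?set STOREPASS to the truststore password}" \
        -alias proxy_issuer_cert
}

# Usage: sh fdn_triage.sh log | issuer [proxy:port] | cert FILE | verify | demo
case "${1:-}" in
    log)    r=$(classify_fdn_log "$FDN_LOG"); echo "$r: $(next_step "$r")" ;;
    issuer) presented_issuer "$FDN_HOST" "${2:-}" ;;
    cert)   review_cert "${2:?certificate file required}" ;;
    verify) verify_import ;;
    demo)   r=$(sample_log | classify_fdn_log); echo "$r: $(next_step "$r")" ;;
esac
```

Method 2 makes FortiSOAR trust whatever the proxy issuer signs for FDN traffic, so compare the fingerprint printed by review_cert with the one your proxy administrators publish before importing.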

Licensing FortiSOAR

Licensing FortiSOAR

From version 6.4.0 onwards, FortiSOAR integrates with FortiGuard Distribution Network (FDN) to retrieve updated contract details.

Caution

You must be connected to FDN while you are deploying your license. If there is no connectivity to FDN, then your FortiSOAR UI access will be blocked after some hours. If any error occurs while deploying your license, see the Troubleshooting licensing issues section for some tips on how to resolve the issue.

FortiSOAR enforces licensing and restricts the usage of FortiSOAR by specifying the following:

  • The maximum number of active users in FortiSOAR at any point in time.
  • The type and edition of the license.
  • The expiration date of the license.

For a fresh install of FortiSOAR, see FortiSOAR licensing process. To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.

FortiSOAR licensing process

  1. You must have an account in FortiCare.
  2. Contact FortiSOAR Support to obtain FortiSOAR product SKU. You will require to provide the following information to be able to get the license for FortiSOAR™:
    • The license type that you want for FortiSOAR. For information on the different license types, see License Manager Page.
    • The license edition that you want for FortiSOAR. For information on the different license editions, see License Manager Page.
    • The number of licensed users required for FortiSOAR.
      Once you complete purchasing FortiSOAR, you will be sent a service contract registration code to your registered email address.
      If a customer wants additional users, then the customer has to also register the contract for additional users. A separate registration code will be sent for the contract of additional users.
      Note: If you have opted for a "Perpetual" or "Evaluation" license, you should download the license file only after the additional user contract, if any, is registered.
  3. Login to your FortiCare account and click Asset > Register/Activate to register your FortiSOAR product. You can register your FortiSOAR product using the instructions provided in the FortiCare registration wizard.
    You will require to copy-paste the service contract registration code from your email to register FortiSOAR.
    Once you have verified the registration, click Complete to complete the registration.
  4. Once you click Complete you are taken to the Product Information page. To generate the license file, click Edit on the Product Information page.
    On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
    Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a difference device UUID, as well in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
    To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
    The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.

If you are an existing customer, then your entitlements would have already been imported into FortiCare and you would have received an email with respect to your FortiCare account. Also, your FortiSOAR product would already have been registered. However, you do require to update your Device UUID.

To update your Device UUID, do the following:

  1. Login to your FortiCare account and click Asset > Manage/View Products > Basic View.
  2. Click the row that contains the FortiSOAR (FSR) product to view the Product Information page.
  3. On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
    Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a difference device UUID, as well in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
    To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
    The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.

FortiSOAR licensing using FortiManager

A closed or air-gapped environment is an environment where FortiSOAR does not have access to the internet and therefore cannot access the FDN servers. In such cases, FortiManager (FMG) can be used as an intermediary so that FMG provides license validation and FDN updates to FortiSOAR with limited or no internet connectivity. You can configure FMG for the following environments:

  • Complete air-gapped environment where FMG also does not have connectivity to FortiGuard Distribution Servers (FDS) and manual synchronization is required for customer entitlements.
  • FMG has network connectivity to FDS servers and can automatically synchronize customer entitlements.
    For more details on FMG and troubleshooting information, see the FortiManager documentation.

Process to deploy the FortiSOAR license when you are in a complete air-gapped environment

  1. You must have an account in FortiManager (FMG).
  2. Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
  3. Log onto FMG and navigate to FortiGuard.
  4. Select the FortiGate Updates checkbox for the NIC that is active on FMG, as shown in the following image:
    Edit Network Interface screen - Fortigate updates checkbox on FMG
  5. On the left-menu, click Settings, and apply the following settings:
    1. "Toggle OFF" the Enable Communication with FortiGuard Server setting.
      FortiGuard Server and Sevice Settings Page
    2. Click Upload beside Service License and upload your entitlement file, and then click OK.
      FortiGuard Settings - Uploading service license
    3. Click Apply to apply the above settings.
  6. Ensure that FMG is reachable or resolvable from your FortiSOAR instance.
  7. Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
  8. Restart the cyops-auth service.
  9. Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.

Process to deploy the FortiSOAR license when you are not in a complete air-gapped environment

You might choose to deploy the license using FMG even if you are not in an air-gapped environment. In such cases do the following:

  1. You must have an account in FortiManager (FMG).
  2. Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
  3. Log onto FMG and navigate to FortiGuard.
  4. On the left-menu, click Settings, and apply the following settings:
    1. "Toggle ON" the Enable Communication with FortiGuard Server setting.
    2. For the Communication with FortiGuard Server settings, select Global Servers.
    3. For the Server Override Mode settings, select Loose (Allow Access Other Servers).
    4. Expand "FortiGuard AntiVirus and IPS Setting", and "Turn ON" the Schedule Regular Updates setting.
      Once you turn on the Schedule Regular Updates settings, you need to define the frequency at which you want to get the updates:
      FortiGuard Settings for using FMG for FortiSOAR™ licensing
    5. Click Apply to apply the above settings.
  5. Ensure that FMG is reachable or resolvable from your FortiSOAR instance and ensure that FMG has access to the Internet.
  6. Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
  7. Restart the cyops-auth service.
  8. Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.
    Important: In case of a non-closed environment, license deployment from FortiSOAR does not work at the first attempt since FMG is unable to send contracts that are required for license deployment. Therefore, users need to retry deploying the license on the FortiSOAR environment. This happens only when FMG is not a part of the air-gapped environment.

Retrieving the FortiSOAR Device UUID

Your FortiSOAR installation generates a Device UUID for your installation. This key is used to identify each unique FortiSOAR environment.

When you provision a new instance, a configuration wizard runs automatically on the first ssh login by the csadmin user. This wizard automatically generates your Device UUID and saves the Device UUID in the /home/csadmin/device_uuid file from which you can retrieve your device UUID. For more information, see the FortiSOAR Configuration Wizard topic. However, if you require the device UUID in the future, you can use the FortiSOAR Admin CLI (csadm) or from the see License Manager Page.

You can retrieve the FortiSOAR Device UUID using csadm. A root user can directly run the csadm license --get-device-uuid command to print the Device UUID on the CLI. For more information on the FortiSOAR Admin CLI, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

Deploying the FortiSOAR license

Caution

Before you start deploying your FortiSOAR license, you must ensure that you can connect to https://globalupdate.fortinet.net, else the license deployment will fail. Connectivity to this address is required for fetching the license entitlements and product functioning post-upgrade.

Deploying the FortiSOAR license using the FortiSOAR UI

From version 7.0.0 onwards, you can deploy your FortiSOAR license from the FortiSOAR UI itself, without the need to SSH to your FortiSOAR machine. This is extremely useful if the administration does not have ssh access to the FortiSOAR machine.

To deploy the initial FortiSOAR license or to upload a new license, if your FortiSOAR license has expired, you can use the FortiSOAR login screen and do the following:

  1. In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen in the case of a fresh installation, i.e., when you are deploying an initial FortiSOAR license:
    Upload FortiSOAR license Screen
    Note: In case your  FortiSOAR license has expired, then you will see only the Upload License button and not the Activate Trial License button.
    From version 7.0.2 onwards, if FortiSOAR detects that a duplicate license has been deployed on the current node, i.e., the same license has already been deployed on another active FortiSOAR node, then you can click Upload License on the following screen to upload a new license on one of the two nodes:
    Upload FortiSOAR license Screen in case of duplicate license detection in an Enterprise system
    If FortiSOAR detects that a duplicate license has been deployed in an HA cluster, i.e., the same license has already been deployed on another active FortiSOAR node in the HA cluster, then you can click Upload License in the row of any of the nodes in the HA cluster as shown in the following screen to upload a new license on one of the two nodes:
    Upload FortiSOAR license Screen in case of duplicate license detection in an HA environment
    From version 7.0.2 onwards, if FortiSOAR detects a 'Device UUID change', generally due to restoring a snapshot of a FortiSOAR instance, or cloning of a FortiSOAR instance. In case a snapshot is restored on the instance, you can continue to log in by clicking Continue to Login. In case of a cloned instance, click Upload License to upload a new valid license:
    Upload FortiSOAR license Screen in case of device UUID change detection
    If FortiSOAR detects a 'Device UUID change' for node(s) that are part of an HA cluster, it will list the nodes on which the device UUID changes is detected. In the case of a hardware change, and if you want to continue using the old license, you can run the csadm license --refresh-device-uuid command on the specific node of the HA cluster, and then continue to log in to the system. In the case of new virtual machine, you can run the csadm license --deploy-enterprise-license (for enterprise systems) or the csadm license --deploy-multi-tenant-license command (for MSSP systems) to deploy the new valid license for the specific node of the HA cluster:
    Upload FortiSOAR license Screen in case of device UUID change detection for HA systems
  2. Click Upload License to display the following "Upload License" dialog, In case you are deploying the license for the first time:
    Upload FortiSOAR license dialog
    In case you deploying a new license after the expiration of your FortiSOAR license, in the case of duplicate license detection, or in the case of deploying a new license for a new virtual machine, you also need to provide valid credentials of a FortiSOAR administrator having 'Security Update' permissions, before you can install the license:
    Upload license dialog requiring admin credentials
  3. Drag and drop your FortiSOAR License file, or click the Upload icon and browse to the license file and import your FortiSOAR license.
    If the license file is invalid, FortiSOAR displays an error message and the license is not installed.
    If the license file is valid, FortiSOAR displays the license details:
    FortiSOAR license details
  4. Click Install License File to install your FortiSOAR license.
    Once the license is successfully installed, FortiSOAR displays a License imported successfully message and the EULA is displayed. Once you accept the EULA, you can log on to the FortiSOAR UI and begin configuring the system.

Deploying the FortiSOAR license using the FortiSOAR Admin CLI

Note

Ensure that you have copied the FortiSOAR license file, using SCP or other methods, to your FortiSOAR VM. Do not copy the contents of the license file and paste it into a new file; this will cause license validation to fail.

You can deploy the FortiSOAR license using the FortiSOAR Admin CLI. A root user can directly run the csadm license --deploy-enterprise-license <License File Path> command. For example, csadm license --deploy-enterprise-license temp/<Serial_No>.lic.

If your license is enabled for multitenancy, then run the csadm license --deploy-multi-tenant-license <License File Path command. For more information on csadm, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

The license path that you provide can either be relative to the current working directory or can be an absolute path. Once you have entered the license path, the csadm checks the license file for validity and whether you have selected the appropriate license type (enabled or not enabled for multi-tenancy).

When you deploy a license on FortiSOAR the license entitlements are fetched from FDN.

Note: If you deploy a license that does not match with the system UUID, then you will get a warning on CLI while deploying license. If you deploy the same license in more than one environment then the license is detected as duplicate and you require to correct the license, else your FortiSOAR UI will be blocked in 2 hours.

The FortiSOAR Admin CLI displays a Success message, if your license file is deployed successfully, or an Error message that contains the reason for the failure.

Once your system is licensed, you can log on to the FortiSOAR UI and begin configuring the system.

Activating the FortiCare Trial license for FortiSOAR

From version 7.0.0 onwards, you get a free trial license for an unlimited time for FortiSOAR per FortiCare account, i.e., if you have a FortiCare account, you can get FortiSOAR for free and for an unlimited time, but in a limited context. This license is an "Enterprise" type license and is restricted to 3 users using FortiSOAR for a maximum of 200 actions a day.

Note

Important steps such as "Create Records", "Update Records", "Find Records", "Connection Actions", etc., are counted towards the maximum action count limit of 200. However, steps used for data manipulation such as "Wait", "Approval", "Loops", "Reference a Playbook", etc. are not counted towards the action count restriction.

To activate the FortiCare trial license for FortiSOAR, do the following:

  1. In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen:
    Upload FortiSOAR license Screen
  2. Click Activate Trial License.
  3. In the Activate FortiSOAR Free Trial dialog, enter your FortiCare username (email address) and password and click Activate Trial License.
    Activating Trial License Dialog
    If the email address and password provided are correct, then your FortiCare trial license for FortiSOAR is activated.

You can always update this trial license into a full-fledged production license at any time, by purchasing a FortiSOAR license and then updating it using either the FortiSOAR CLI or UI.

License Manager Page

In release 7.0.1, FortiSOAR introduced the concept of 'Concurrent User Seats', thereby supporting both 'Named' and 'Concurrent ' users. Concurrent user seats enable sharing of a fixed number of user seats among unlimited number of users restricted by the number of users simultaneously accessing FortiSOAR. This particularly is useful for a shift-oriented SOC environment where, for example, a 30-member team only has 10 members working in a given shift and therefore, in this scenario, administrators can create 10 concurrent users and re-use the seats across all shifts effectively. For more information, see the User Seat Support in FortiSOAR section.

Click Settings > License Manager to open the License Manager page as shown in the following image:

License Manager Page

The License Manager page displays the serial number, type and edition of the license issued, the total number of users FortiSOAR is licensed for, the number of users created on the system per access type, the number of users who are currently logged into FortiSOAR, the date when the FortiSOAR license will expire, the number of days till the expiry of the FortiSOAR license, and your Device UUID. You can click the Copy Device UUID button to copy your Device UUID.

If your license is about the expire, you can update your license by clicking Update License and either dragging-and-dropping your updated license or by clicking and browsing to the location where your license file is located, then select the file and click Open. Now, if the user count is reduced in updated license and if the logged in users are more than the new count then the logged in users will get logged out at the time of session refresh one by one till the count becomes equal or less. Similarly, If the 'Named' user count in the system is more than the new user count in license, then no named user apart from the 'Super Admin' user will be able to log into system. For more information about named users, see the User Seat Support in FortiSOAR section. For more information about a 'Super Admin' user, see the Security Management chapter in the "Administration Guide."

Serial Number: The serial number is a unique ID that is created by the FortiCare portal when you register your FortiSOAR product.

The FortiSOAR license can be of the following types:

  • Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR.
  • Perpetual (Trial): This type of license provides you with a free trial license an unlimited time for FortiSOAR, but in a limited context, i.e., with restrictions on the number of users and actions that can be performed in FortiSOAR in a day. By default, this license is an "Enterprise" type license and is restricted to 3 users using FortiSOAR for a maximum of 200 actions a day.
    License Manager with Trial License details For more information on the trial license, see the Activating the FortiCare Trial license for FortiSOAR topic.
  • Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a particular number of users and a specific timeframe.
    You can renew your subscription and change the number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve the latest subscription.
  • Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a predefined user count and expiry date.

The FortiSOAR license can have the following editions:

  • Enterprise: This edition enables a regular "enterprise" production license.
  • MT : This edition enables multi-tenancy; both shared and distributed multi-tenancy are supported. The instance where this license is deployed would serve as a “master” node in a distributed deployment. For more information of what multi-tenancy is and what master nodes are, see the "Multi-tenancy support in FortiSOAR Guide."
  • MT_Tenant: This edition enables the node as a tenant in a multi-tenant deployment. This is the license to be deployed for a "customer" node of a Managed Security Services Provider (MSSP). The node can then be configured as a "tenant" to the MSSP server for syncing data and actions to and from the MSSP "master" server. The "MT_Tenant" license has only one user.
  • MT_RegionalSOC: This edition enables the node as a "Regional SOC" deployment at an organization having a distributed SOC. It is enabled as a complete SOAR platform by the regional SOC team. At the same time, it can be configured as "tenants" to the global SOC where the "MT" license is deployed and sync data and actions from the Global SOC FortiSOAR server.

Threat Intel Management Service Subscription displays if unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features are enabled or disabled. For more information, see the Licensing option to enable unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features topic.

Allowed User Seats displays the number of user seats that you have purchased for FortiSOAR. You cannot create more named active users, in your FortiSOAR environment, than the value specified as in this field. For example, if the Allowed User Seats field is set to five, then you can create a maximum of five named users, and an unlimited number of concurrent users; however, if all five named users are active, then no concurrent user will be able to log into FortiSOAR. Also, note that if a user is logging in from multiple places, then it is counted as a single user. For more information, see the User Seat Support in FortiSOAR section.

User Seats Consumed displays the number of active users, named and concurrent, who have consumed the FortiSOAR user seats. To view the number of users, named and concurrent, who are currently logged into FortiSOAR, you can hover over the tooltip.

Expiry Date displays the date at which your FortiSOAR license will expire and Remaining Days displays the number of days left for your license to expire.

FortiSOAR does not mandate 'Additional Users' entitlement to be the same across all cluster nodes. User count entitlement is validated from the primary node. The secondary nodes can have the basic two-user entitlement. The HA cluster shares the user count details from primary node of the cluster. Hence, all 'Concurrent Users' count restrictions apply as per the primary node. If a node leaves the cluster, the restriction will apply as per its own original license.

Note

In the case of an HA environment, you only need to buy one Threat Intelligence Management (TIM) subscription that can be used across your HA cluster. The primary node subscription gets cascaded to the secondary nodes.

In case your FortiSOAR instance is part of a High Availability (HA) cluster, then the License Manager page also displays information about the nodes in the cluster, if you have added secondary node(s) as shown in the following image:

License Manager Page in case of  your FortiSOAR instance is part of a High Availability cluster

As shown in the above image, the primary node is Node 2 and that node is licensed with 7 users, therefore the Allowed User Seats count displays as 7 users. For more information on licensing of nodes in an HA cluster, see the High Availability support in FortiSOAR chapter in the "Administration Guide."

You can update the license for each node by clicking Update License and uploading the license for that node as described in the following section.

Note

If you update a license that does not match with the system UUID, you will get a warning on UI while updating the license. If you update the same license in more than one environment then the license is detected duplicate and you require to correct the license, else your FortiSOAR UI will be blocked in 2 hours.

User Seat Support in FortiSOAR

FortiSOAR supports 'Named' and 'Concurrent ' users for licensing. User access details are used to calculate the number of concurrent users that can simultaneously log onto FortiSOAR.

Named Users

'Named' users are users for whom a seat is permanently reserved, i.e., such a user can always log onto FortiSOAR except in case of a license violation.

Concurrent Users

The ability to designate a user seat as a 'concurrent user seat' allows system administrators to create a floating seat that can be shared by unlimited users (only limited by the user seat limit). A 'Named' user has a FortiSOAR seat permanently reserved, i.e., such a user can always log onto FortiSOAR except in case of a license violation. However, a concurrent user can log in only when there is a concurrent seat available. Note that if a user is logging in from multiple places, it is counted as a single user.

For example, if you have purchased a five-user license, then a maximum of 5 named active users can be present in the system at a given time. However, there is no limit to concurrent user creation, i.e., you can create as many concurrent users as you want. Therefore, if out of five user seats that you have purchased, you have created two Named users, then those users can log into FortiSOAR at any time, and the other three seats are reserved for Concurrent users, who can log into FortiSOAR when concurrent seats are available. However, if the you create five Named users, then only those users will be able to log into FortiSOAR and Concurrent users will not be able to log into the system.

Note

Administrators, i.e., users with Security and People Update access, can selectively change users' access type, i.e., Concurrent users to Named users, and vice-versa, at any time, or they can also bulk change users access type from Named to Concurrent. For more information, see the Security Management chapter in the "Administration Guide." They also have the privilege to forcefully log out selective 'Concurrent' users. When the administrators logs out a user from any instance, that user is notified before being logged out.

The default access type set for all SSO and MSSP users is 'Concurrent'. You can change the access type for the user later, if needed.

Updating your license using the FortiSOAR UI

You can update your license using your FortiSOAR UI. Click Settings > License Manager to open the License Manager page.

License Manager

You can use the License Manager page to view your license details and to update your license. FortiSOAR displays a message about the expiration of your license 15 days prior to the date your license is going to expire. If you license type is Evaluation or Perpetual, then you must update your license within 15 days, if you want to keep using FortiSOAR. To update your license, click Update License and either drag-and-drop your updated license or click and browse to the location where your license file is located, then select the file and click Open. If your license type is Subscription, you must renew your subscription.

Licensing option to enable unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features

FortiSOAR supports a licensing option that provides full access to the best-in-class FortiGuard threat intel feeds. This service allows you to use the Threat Intel Management service to its fullest extent, and includes unrestricted consumption of FortiGuard feeds. The feed is an extensive dataset, comprising of IPs, URLs, Domain and malicious hashes carefully curated by our team of experts. The entire feeds database is labeled with the relevant threat types, and associated LockHeed Martin Kill Chain Phases, that enables user with contextual information to understand the nature of threat. In addition to these feeds, the new SKU option also enables the following features in the FortiSOAR Threat Intel Management experience:

  • Provide 'Contextual Sighting' Information: For every indicator that is created, FortiSOAR automatically looks up a match in its feeds database and links these matched indicators automatically to the extracted indicator. The advantage of this is two-fold:
    • Getting good contextual information even when information about these suspicious targets is not yet available with the standard enrichment sources.
    • Providing users with a dashboard displaying the relevance of various intelligence sources based on the number of actual sightings in their environment.
  • No limit on the feed volume that can be ingested per day in the 'Threat Intel Management' module using the FortiSOAR Feeds API.
    If the Threat Intel Management Service Subscription is 'Disabled', then the 'Ingest Feed' step can insert only 1000 records per day in the 'Threat Intel Management' module. Once this limit is exceeded, further feed ingestion playbooks start failing with the: 'Daily Feed Ingestion Limit reached' error till the counter is reset at midnight (UTC).
    An example of how this works: If you have 100 records left from the 1000 records per day limit, and you send 200 records as part of the ingestion feed, only 100 records are saved, and the remaining 100 are ignored.
  • No limit on the number of feeds that be exported using the FortiSOAR 'TAXII API' for sharing processed threat intelligence to SIEMs, Firewalls etc. If this SKU is not enabled, the TAXII-compatible API provides only 100 records as part of the API response.

For any SKU-related information, contact Fortinet Support.
To know if you have this licensing option enabled, check the Threat Intel Management Service Subscription option on your License Manager page in the FortiSOAR UI. The section shows if the option is Enabled or Disabled. For more information on TIM, see the Threat Intel Management Solution Pack documentation in the FortiSOAR Content Hub.

Troubleshooting licensing issues

FortiSOAR displays meaningful messages and troubleshooting tips during the license deployment process, and validates your FortiSOAR license, making it easier for you to debug licensing issues, as shown in the following image:

Errors displayed while deploying your FortiSOAR license

Also, note that if your connection to FDN is via a proxy, you must update the proxy settings.

If any error occurs while deploying your license, use the following troubleshooting steps:

  • If the license type is "Subscription", then the number of users and expiry date are not present inside the license. They must be synced from FDN after the installation. The "License has expired issue after installation" occurs due to the following two reasons:
    • Sync with FDN failed.
    • Sync was successful, but wrong contract information was received.
      To verify the above-mentioned cases, run the following command: java -jar <jar_path> <serial_no> <device_uuid> <globalupdate_url>
      For example, java -jar /opt/cyops-auth/bin/fdnclient.jar <serial_no> <device_uuid> https://globalupdate.fortinet.net
  • If the license type is "Evaluation" or "Perpetual", then the number of users and expiry date are present inside the license. If a license deployment failure occurs for these types of licenses, then check the license information using the csadm license --show-details <lic_file> command.
  • If the system is still not reachable after you deploy the license, restart the cyops-auth service and then monitor the fdn.log and das.log files. If you continue to face issues, contact FortiSOAR support.

Troubleshooting issues while deploying the FortiSOAR license in a proxy environment

You might get the following error when you are deploying your FortiSOAR license in a proxy environment:

FSR-Auth-003: License Entitlement Sync Failed. Ensure that [https://globalupdate.fort](https://globalupdate.fort/) is accessible from your environment. If the issue still persists, contact support."

This issue might occur because some proxies perform SSL decryption: they intercept the HTTPS connection by replacing the peer certificate with one that names the proxy itself as the issuer. This can cause the license deployment or synchronization to fail, because the new issuer is not trusted.

To identify this issue, check for the PKIX path building failed error message in the fdn.log file (/var/log/cyops/cyops-auth/fdn.log).

Resolution

You can use the following two solutions to solve this issue.

Method 1: Do not use SSL decryption for globalupdate.fortinet.net.

Method 2: Import the proxy issuer certificate into truststore using the following command:
keytool -import -alias proxy_issuer_cert -keystore /opt/cyops-auth/certs/fdn_server_truststore.p12 -file <cert_file> -storepass MXakK2bj6vAteC47 -noprompt
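
The checks around this procedure can be scripted. The following is an added example, not Fortinet code: it counts PKIX failures in a log file, shows which issuer the proxy presents for globalupdate.fortinet.net, and confirms the alias exists after Method 2. The function names, the proxy address you pass in, and the sample log lines are assumptions constructed for illustration; the real fdn.log line format may differ.

```shell
#!/bin/sh
# Added example (not Fortinet code): triage for a TLS-inspecting proxy on the FDN path.
FDN_HOST="globalupdate.fortinet.net"                          # host named on this page
TRUSTSTORE="/opt/cyops-auth/certs/fdn_server_truststore.p12"  # path named on this page

# Print how many lines of log file $1 carry the Java trust-path error.
# Prints 0 when the file is unreadable or has no match.
pkix_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'PKIX path building failed' "$1" || true
}

# Print the most recent matching line so the failure can be dated.
last_pkix_failure() {
    [ -r "$1" ] || return 0
    grep 'PKIX path building failed' "$1" | tail -n 1
}

# Print subject and issuer of the certificate presented for FDN_HOST through
# proxy $1 (host:port). An issuer naming the proxy's own CA means the proxy
# is decrypting this connection. Needs network access; not run by the demo.
presented_issuer() {
    openssl s_client -connect "$FDN_HOST:443" -servername "$FDN_HOST" \
        -proxy "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# After Method 2, succeed only if the alias is in the truststore ($1 = store password).
truststore_has_proxy_ca() {
    keytool -list -alias proxy_issuer_cert -storepass "$1" \
        -keystore "$TRUSTSTORE" >/dev/null 2>&1
}

# Write constructed sample log lines (format assumed, not real fdn.log output).
write_sample_log() {
    cat >"$1" <<'EOF'
2024-01-10 08:00:01 INFO  constructed: starting entitlement sync
2024-01-10 08:00:02 ERROR constructed: PKIX path building failed: unable to find valid certification path to requested target
2024-01-10 09:00:02 ERROR constructed: PKIX path building failed: unable to find valid certification path to requested target
2024-01-10 09:05:00 INFO  constructed: retry scheduled
EOF
}

# Demo on the constructed sample; on an appliance pass /var/log/cyops/cyops-auth/fdn.log.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "PKIX failures in sample: $(pkix_failures "$demo_log")"
last_pkix_failure "$demo_log"
rm -f "$demo_log"
```

Before importing a certificate with Method 2, compare the issuer printed by presented_issuer with the CA certificate your proxy team supplied, so that only the expected inspection CA is added to the truststore.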