Licensing FortiSOAR
FortiSOAR integrates with FortiGuard Distribution Network (FDN) to retrieve updated contract details.
You need to be connected to FDN while you are deploying your license. If there is no connectivity to FDN, your FortiSOAR UI access will be blocked after the 96-hour grace period for license verification ends. If you encounter any errors during license deployment, see the Troubleshooting licensing issues section for tips in resolving the issue.
FortiSOAR enforces licensing and restricts the usage of FortiSOAR by specifying the following:
- The maximum number of active users in FortiSOAR at any point in time.
- The type and edition of the license.
- The expiration date of the license.
For a fresh install of FortiSOAR, see FortiSOAR licensing process. To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
FortiSOAR licensing process
- You must have an account in FortiCare.
- Contact FortiSOAR Support to obtain the FortiSOAR product SKU. You will need to provide the following information to be able to get the license for FortiSOAR™:
- The license type that you want for FortiSOAR. For information on the different license types, see License Manager Page.
- The license edition that you want for FortiSOAR. For information on the different license editions, see License Manager Page.
- The number of licensed users required for FortiSOAR.
Once you complete purchasing FortiSOAR, you will be sent a service contract registration code to your registered email address.
If a customer wants additional users, then the customer has to also register the contract for additional users. A separate registration code will be sent for the contract of additional users.
Note: If you have opted for a "Perpetual" or "Evaluation" license, you should download the license file only after the additional user contract, if any, is registered.
- Login to your FortiCare account and click Asset > Register/Activate to register your FortiSOAR product. You can register your FortiSOAR product using the instructions provided in the FortiCare registration wizard.
You will need to copy and paste the service contract registration code from your email to register FortiSOAR.
Once you have verified the registration, click Complete to complete the registration.
- Once you click Complete, you are taken to the Product Information page. To generate the license file, click Edit on the Product Information page.
On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a different device UUID, as well as in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.
If you are an existing customer, then your entitlements would have already been imported into FortiCare and you would have received an email with respect to your FortiCare account. Also, your FortiSOAR product would already have been registered. However, you do need to update your Device UUID.
To update your Device UUID, do the following:
- Login to your FortiCare account and click Asset > Manage/View Products > Basic View.
- Click the row that contains the FortiSOAR (FSR) product to view the Product Information page.
- On the Edit Product Information page, in the UUID field, enter the Device UUID of your FortiSOAR installation and click Save.
Important: The license issued against one device UUID can later be used on another FortiSOAR virtual machine with a different device UUID, as well as in case of disaster recovery (DR). However, the same license cannot be active simultaneously on more than one node.
To retrieve your Device UUID, see Retrieving the FortiSOAR Device UUID.
The license file is generated after you enter the Device UUID. You can now download and deploy the FortiSOAR license, using the steps mentioned in Deploying the FortiSOAR license.
FortiSOAR licensing using FortiManager
A closed or air-gapped environment is an environment where FortiSOAR does not have access to the internet and therefore cannot access the FDN servers. In such cases, FortiManager (FMG) can be used as an intermediary so that FMG provides license validation and FDN updates to FortiSOAR with limited or no internet connectivity. You can configure FMG for the following environments:
- Complete air-gapped environment where FMG also does not have connectivity to FortiGuard Distribution Servers (FDS) and manual synchronization is required for customer entitlements.
- FMG has network connectivity to FDS servers and can automatically synchronize customer entitlements.
For more details on FMG and troubleshooting information, see the FortiManager documentation.
Process to deploy the FortiSOAR license when you are in a complete air-gapped environment
- You must have an account in FortiManager (FMG).
- Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
- Log onto FMG and navigate to FortiGuard.
- Select the FortiGate Updates checkbox for the NIC that is active on FMG, as shown in the following image:
- On the left-menu, click Settings, and apply the following settings:
- "Toggle OFF" the Enable Communication with FortiGuard Server setting.
- Click Upload beside Service License and upload your entitlement file, and then click OK.
- Click Apply to apply the above settings.
- Ensure that FMG is reachable or resolvable from your FortiSOAR instance.
- Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
- Restart the cyops-auth service.
- Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.
Process to deploy the FortiSOAR license when you are not in a complete air-gapped environment
You might choose to deploy the license using FMG even if you are not in an air-gapped environment. In such cases do the following:
- You must have an account in FortiManager (FMG).
- Contact FortiSOAR Customer Support to obtain an entitlement file, which contains all the contract details.
- Log onto FMG and navigate to FortiGuard.
- On the left-menu, click Settings, and apply the following settings:
- "Toggle ON" the Enable Communication with FortiGuard Server setting.
- For the Communication with FortiGuard Server settings, select Global Servers.
- For the Server Override Mode settings, select Loose (Allow Access Other Servers).
- Expand "FortiGuard AntiVirus and IPS Setting", and "Turn ON" the Schedule Regular Updates setting.
Once you turn on the Schedule Regular Updates settings, you need to define the frequency at which you want to get the updates.
- Click Apply to apply the above settings.
- Ensure that FMG is reachable or resolvable from your FortiSOAR instance and ensure that FMG has access to the Internet.
- Modify your FortiSOAR config to connect to FMG by adding the following entry in the /opt/cyops-auth/utilities/das.ini file:
    [FDN]
    host = https://<FMG Hostname>:8890
- Restart the cyops-auth service.
- Deploy your FortiSOAR license using the steps mentioned in Deploying the FortiSOAR license.
Important: In case of a non-closed environment, license deployment from FortiSOAR does not work at the first attempt since FMG is unable to send contracts that are required for license deployment. Therefore, users need to retry deploying the license on the FortiSOAR environment. This happens only when FMG is not a part of the air-gapped environment.
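The das.ini change from both FortiManager procedures above, as an added example that is not part of the Fortinet documentation: a shell function that sets the [FDN] host entry idempotently and rejects malformed hostnames. The function name, the .bak backup, the getent check and the use of systemctl to restart cyops-auth are assumptions; the file path, port and csadm command come from this page.

```shell
#!/bin/sh
# Added example, not Fortinet code: point FortiSOAR at FortiManager by
# setting "[FDN] host" in das.ini, safely and repeatably.

DAS_INI=/opt/cyops-auth/utilities/das.ini   # path from the procedure above
FMG_PORT=8890                               # port from the procedure above

# set_fdn_host <ini-file> <fmg-hostname>   (hypothetical helper name)
# Ensures exactly one "host = https://<fmg-hostname>:8890" line under [FDN].
# Creates the section if it is missing, replaces a stale host value, leaves
# every other section untouched, and keeps a .bak copy of the original.
set_fdn_host() {
    ini=$1
    fmg=$2
    [ -f "$ini" ] || { echo "no such file: $ini" >&2; return 1; }
    # Accept only hostname characters so the value cannot carry whitespace,
    # newlines or extra "key = value" text into the config file.
    case $fmg in
        ''|*[!A-Za-z0-9.-]*) echo "invalid FMG hostname" >&2; return 2 ;;
    esac
    tmp=$(mktemp "$ini.XXXXXX") || return 1
    # Build the new content in a temp file, back up the original, then write
    # in place with cat so das.ini keeps its existing owner and mode.
    if awk -v url="https://$fmg:$FMG_PORT" '
        /^[ \t]*\[/ {                              # any section header
            in_fdn = ($0 ~ /^[ \t]*\[FDN\][ \t]*$/)
            print
            if (in_fdn && !seen) { print "host = " url; seen = 1 }
            next
        }
        in_fdn && /^[ \t]*host[ \t]*=/ { next }    # drop the old value
        { print }
        END { if (!seen) { print "[FDN]"; print "host = " url } }
    ' "$ini" > "$tmp" && cp -p "$ini" "$ini.bak" && cat "$tmp" > "$ini"
    then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Usage on the FortiSOAR node, as root:  sh set-fdn.sh --apply <FMG Hostname>
if [ "${1:-}" = "--apply" ]; then
    # The procedure requires FMG to be resolvable from FortiSOAR.
    getent hosts "${2:-}" >/dev/null || { echo "FMG does not resolve" >&2; exit 1; }
    set_fdn_host "$DAS_INI" "$2" || exit 1
    systemctl restart cyops-auth   # assumption: service is managed by systemd
    echo "Next: csadm license --deploy-license <License File Path>"
fi
```

Running it a second time with a different hostname replaces the existing entry instead of appending a second [FDN] section.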
Retrieving the FortiSOAR Device UUID
Your FortiSOAR installation generates a Device UUID for your installation. This key is used to identify each unique FortiSOAR environment.
When you provision a new instance, a configuration wizard runs automatically on the first ssh login by the csadmin user. This wizard automatically generates your Device UUID and saves the Device UUID in the /home/csadmin/device_uuid file from which you can retrieve your device UUID. For more information, see the FortiSOAR Configuration Wizard topic. However, if you require the device UUID in the future, you can retrieve it using the FortiSOAR Admin CLI (csadm) or from the License Manager page.
You can retrieve the FortiSOAR Device UUID using csadm. A root user can directly run the csadm license --get-device-uuid command to print the Device UUID on the CLI. For more information on the FortiSOAR Admin CLI, see the FortiSOAR Admin CLI chapter in the "Administration Guide."
Deploying the FortiSOAR license
Before you start deploying your FortiSOAR license, you must ensure that you can connect to https://globalupdate.fortinet.net, else the license deployment will fail. Connectivity to this address is required for fetching the license entitlements and product functioning post-upgrade.
Deploying the FortiSOAR license using the FortiSOAR UI
You can deploy your FortiSOAR license from the FortiSOAR UI itself, without the need to SSH to your FortiSOAR machine. This is extremely useful if the administrator does not have ssh access to the FortiSOAR machine.
To deploy the initial FortiSOAR license or to upload a new license, if your FortiSOAR license has expired, you can use the FortiSOAR login screen and do the following:
- In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen in the case of a fresh installation, i.e., when you are deploying an initial FortiSOAR license:
Note: In case your FortiSOAR license has expired, then you will see only the Upload License button and not the Activate Trial License button.
If FortiSOAR detects that a duplicate license has been deployed on the current node, i.e., the same license has already been deployed on another active FortiSOAR node, then you can click Upload License on the following screen to upload a new license on one of the two nodes:
If FortiSOAR detects that a duplicate license has been deployed in an HA cluster, i.e., the same license has already been deployed on another active FortiSOAR node in the HA cluster, then you can click Upload License in the row of any of the nodes in the HA cluster as shown in the following screen to upload a new license on one of the two nodes:
FortiSOAR might detect a 'Device UUID change', generally due to restoring a snapshot of a FortiSOAR instance, or cloning of a FortiSOAR instance. In case a snapshot is restored on the instance, you can continue to log in by clicking Continue to Login. In case of a cloned instance, click Upload License to upload a new valid license:
If FortiSOAR detects a 'Device UUID change' for node(s) that are part of an HA cluster, it will list the nodes on which the device UUID change is detected. In the case of a hardware change, and if you want to continue using the old license, you can run the csadm license --refresh-device-uuid command on the specific node of the HA cluster, and then continue to log in to the system. In the case of a new virtual machine, you can run the csadm license --deploy-license command to deploy the new valid license for the specific node of the HA cluster:
- Click Upload License to display the following "Upload License" dialog, in case you are deploying the license for the first time:
In case you are deploying a new license after the expiration of your FortiSOAR license, in the case of duplicate license detection, or in the case of deploying a new license for a new virtual machine, you also need to provide valid credentials of a FortiSOAR administrator having 'Security Update' permissions, before you can install the license:
- Drag and drop your FortiSOAR License file or click the Upload icon and browse to the license file and import your FortiSOAR license.
If the license file is invalid, FortiSOAR displays an error message, and the license is not installed.
If the license file is valid, FortiSOAR displays the license details:
- Click Install License File to install your FortiSOAR license.
Once the license is successfully installed, FortiSOAR displays a License imported successfully message and the EULA is displayed. Once you accept the EULA, you can log on to the FortiSOAR UI and begin configuring the system.
Deploying the FortiSOAR license using the FortiSOAR Admin CLI
Ensure that you have copied the FortiSOAR license file, using SCP or other methods, to your FortiSOAR VM. Do not copy the contents of the license file and paste it into a new file; this will cause license validation to fail.
You can deploy the FortiSOAR license using the FortiSOAR Admin CLI. A root user can directly run the csadm license --deploy-license <License File Path> command. For example, csadm license --deploy-license temp/<Serial_No>.lic. Your license file specifies the FortiSOAR edition: 'Enterprise', 'HA' or 'Multi-Tenant'. For details on editions, see the License Manager Page section, and for more information on csadm, see the FortiSOAR Admin CLI chapter in the "Administration Guide."
The license path that you provide can either be relative to the current working directory or can be an absolute path. Once you have entered the license path, csadm checks the license file for validity and whether you have selected the appropriate license type (enabled or not enabled for multi-tenancy).
When you deploy a license on FortiSOAR the license entitlements are fetched from FDN.
NOTE: If you deploy a license that does not match the system UUID, you will receive a warning on the CLI during deployment. If you deploy the same license in multiple environments, it will be detected as a duplicate and you will be required to correct the license. Otherwise, your FortiSOAR UI will be blocked as follows:
- Once a license is identified as a duplicate, it is checked using FDN sync every hour to verify if the duplicate license issue has been resolved.
- After two such warnings, with a one-hour gap between them, the FortiSOAR UI will be blocked for users.
- The FortiSOAR UI will remain blocked until a new license is deployed or the system with the duplicate license is shut down.
The FortiSOAR Admin CLI displays a Success message, if your license file is deployed successfully, or an Error message that contains the reason for the failure.
Once your system is licensed, you can log on to the FortiSOAR UI and begin configuring the system.
Activating the FortiCare Trial License for FortiSOAR
You can get a free trial license for FortiSOAR through your FortiCare account. This trial license has unlimited duration but comes with certain limitations, such as restrictions on the number of users and actions that can be performed in FortiSOAR per day. From release 7.6.0, the default trial license edition restricts FortiSOAR usage to 2 users for a maximum of 1000 actions per day, and users can choose the edition they want to deploy, either "Enterprise" or "Multi-Tenant". Prior to release 7.6.0, the trial license was of type "Enterprise", which restricted FortiSOAR usage to 3 users for a maximum of 200 actions a day. Due to this change in behavior, existing users should take note of the following:
- Users who had activated their trial license previously will retain their current action count of 200. If after upgrading you do not see the new action count of 1000, you should contact Fortinet Support to clear your existing trial license from your FortiSOAR system and then reactivate the trial license to get the updated action count of 1000.
- Users with an active trial license will remain on the "Enterprise" edition. If they want to change the edition to "Multi-Tenant (Manager)" they must contact Fortinet Support to decommission their current trial and re-register for a new trial license with the "Multi-Tenant (Manager)" edition.
Important steps such as "Create Records", "Update Records", "Connector Actions", "Set Variable", etc., are counted towards the maximum action count limit of 1000. However, steps used for data manipulation such as "Wait", "Approval", "Loops", "Reference a Playbook", etc. are not counted towards the action count restriction.
To activate the FortiCare trial license for FortiSOAR, do the following:
- In the browser type https://<YourFortisoarHostname>/login to open your FortiSOAR UI. This will display the following screen:
- Click Activate Trial License.
- In the Activate FortiSOAR Free Trial dialog, enter your FortiCare username (email address) and password, and choose "Enterprise" or Multi-Tenant (Manager) as the edition you want to deploy on your instance. Selecting Multi-Tenant will designate the instance as the "manager" node.
Once you have completed entering the details, click Activate Trial License:
If the email address and password provided are correct, then your FortiCare trial license for FortiSOAR is activated.
You can upgrade this trial license to a full production license at any time by purchasing a FortiSOAR license and updating it using either the FortiSOAR CLI or UI.
License Manager Page
FortiSOAR supports both 'Named' and 'Concurrent' users. Concurrent user seats allow sharing a fixed number of user seats among an unlimited number of users, limited by the number of users accessing FortiSOAR simultaneously. This feature is beneficial for shift-oriented SOC environments, where a team may have a limited number of members working in a given shift, for example a 30-member team only has 10 members working in a given shift. In this scenario, administrators can create 10 concurrent users and efficiently manage user seats across all shifts. For more information, see the User Seat Support in FortiSOAR section.
Click Settings > License Manager to open the License Manager page as shown in the following image:
The License Manager page displays essential information such as the serial number, type and edition of the license issued, the total number of users FortiSOAR is licensed for, the number of users created on the system per access type, the number of users who are currently logged into FortiSOAR, the date when the FortiSOAR license will expire, the number of days till the expiry of the FortiSOAR license, and your Device UUID. You can click the Copy Device UUID button to copy your Device UUID.
If your license is about to expire, you can update it by clicking Update License and uploading the updated license file, by either dragging-and-dropping your updated license or by clicking and browsing to the location where your license file is located, then selecting the file and clicking Open. If the user count is reduced in the updated license, and the number of logged-in users is more than the new count, then the logged-in users are logged out one by one at the time of session refresh until the count is equal to or less than the new count. Similarly, if the 'Named' user count exceeds the new license count, then only the 'Super Admin' user will be able to log into the system. For more information about named users, see the User Seat Support in FortiSOAR section. For more information about a 'Super Admin' user, see the Security Management chapter in the "Administration Guide."
Serial Number: The serial number is a unique ID that is created by the FortiCare portal when you register your FortiSOAR product.
The FortiSOAR license can be of the following types:
- Perpetual: This type of license provides you with a license for an unlimited time for FortiSOAR.
- Perpetual (Trial): This type of license provides you with a free trial license for FortiSOAR, allowing unlimited time usage but with restrictions on the number of users and actions that can be performed in a day. From release 7.6.0 onwards, this license limits FortiSOAR usage to 2 users for a maximum of 1000 actions per day, and you can choose the edition for this license to either "Enterprise" or "Multi-Tenant".
For more information on the trial license, see the Activating the FortiCare Trial license for FortiSOAR topic.
- Subscription: This type of license is a regular license that gives you subscription to FortiSOAR for a particular number of users and a specific timeframe.
You can renew your subscription and change the number of users as per your requirements. FortiSOAR will synchronize with the FDN server and retrieve the latest subscription.
- Subscription (Starter): Release 7.6.0 introduces this edition to offer small to medium-sized enterprises or teams within larger organizations a more accessible entry point into advanced security orchestration, automation, and response functionality. This edition supports scaling security operations efficiently in growing organizations, enabling them to handle an increased volume of alerts and incidents with a robust yet cost-effective toolset. This edition is priced lower than the full-fledged "Enterprise" edition, allowing growing organizations to experience the FortiGuard Outbreak and Threat Intel Management features fully. It also enables users to use FortiSOAR as a dev/staging instance without the need to pay for a full FortiSOAR edition. The Starter edition's license type is "Subscription" and edition is "Enterprise". By default, it limits FortiSOAR usage to 2 users for a maximum of '10000' actions per day.
- Evaluation: This type of license allows you to evaluate FortiSOAR. The evaluation license is shipped with a predefined user count and expiry date.
Once the daily limit of action counts is reached based on the type of license, such as Starter or Trial licenses, deployed on your FortiSOAR instance, appropriate messages such as "Daily limit for action count has been exceeded. You cannot execute any more actions." will be displayed on your FortiSOAR UI.
The FortiSOAR license can have the following editions and roles:
- Enterprise: This edition enables a regular "enterprise" production license.
- Multi-Tenant: This edition enables multi-tenancy; both shared and distributed multi-tenancy are supported. The edition along with the 'Role' determines whether the instance acts as a "manager" or "tenant" node of a Managed Security Services Provider (MSSP):
  - If the 'Role' is set as "Manager" then the instance where this license is deployed serves as a "master" node in a distributed deployment.
  NOTE: Prior to release 7.6.0, this role was referred to as "MT (Master)".
  - If the 'Role' is set as "Tenant (Single user locked)", then the instance where this license is deployed serves as a "dedicated tenant" to the MSSP server for syncing data and actions to and from the MSSP "master" server.
  NOTE: Prior to release 7.6.0, this role was referred to as "MT_Tenant".
  - If the 'Role' is set as "Tenant (Multiple user capable)", then the instance is enabled as a "Tenant (Multiple user capable)" deployment at an organization that has a distributed SOC, and which is a complete SOAR platform. At the same time, it can be configured as a "tenant" to the global SOC where the "Multi-Tenant (Manager)" license is deployed and sync data and actions from the Global SOC FortiSOAR server.
  NOTE: Prior to release 7.6.0, this role was referred to as "MT_RegionalSOC".
  For more information on what multi-tenancy is and what master nodes are, see the "Multi-tenancy support in FortiSOAR Guide."
- HA: Release 7.6.0 introduces this edition, to allow an instance to act as a High Availability (HA) node in a clustered setup.
NOTE: Using this edition a FortiSOAR system can function as a standalone instance with 2 users and 1000 actions per day if it is not added as a cluster node:
Previously, to establish an HA setup, all nodes within the cluster needed to have identical licenses, which meant users were required to acquire additional licenses for secondary/backup nodes of the same type and edition as the primary node, increasing the overall cost of the cluster setup. The HA edition is available at a lower cost than the current 'Enterprise' node license due to its specialized and restricted capabilities. This makes it cost-effective for creating an HA cluster, as setting up an n-node cluster requires n-1 HA licenses. For example, for a configuration with 1 active and 1 passive node (totaling 2 nodes), you will need 1 HA license. Similarly, for a setup with 2 active nodes and 1 passive node (totaling 3 nodes), you will need 2 HA licenses. These HA licenses should be applied to the non-primary nodes of the cluster.
The HA edition is available for both 'Perpetual' and 'Subscription' licenses and can be used in all environments supporting HA configurations. The 'HA' license should be applied to the node designated as the 'Secondary' node of the cluster, not the 'Primary' node. Additionally, all existing licenses installed on secondary nodes can be converted to the HA license, except for the Dedicated Tenant (Single User Locked), and vice versa.
IMPORTANT: HA License can only be used in conjunction with the FortiSOAR base license. Other licenses, such as TIM or additional users, do not need to be duplicated, and therefore are not applicable to the HA edition.
The following table illustrates the combination of license type of primary and secondary nodes that can be used for HA formation:

| Primary Node Type | Primary Node Edition | Secondary Node Type | Secondary Node Edition | HA Formation |
| --- | --- | --- | --- | --- |
| Perpetual | Enterprise | Perpetual | Enterprise | Allowed |
| Perpetual | Enterprise | Perpetual | HA | Allowed |
| Perpetual | Multi-Tenant (Manager) | Perpetual | Multi-Tenant (Manager) | Allowed |
| Perpetual | Multi-Tenant (Manager) | Perpetual | HA | Allowed |
| Perpetual | Multi-Tenant - Tenant (Multiple user capable) | Perpetual | Multi-Tenant - Tenant (Multiple user capable) | Allowed |
| Perpetual | Multi-Tenant - Tenant (Multiple user capable) | Perpetual | HA | Allowed |
| Perpetual | Multi-Tenant - Tenant (Single user locked) | Perpetual | Multi-Tenant - Tenant (Single user locked) | Not Allowed |
| Perpetual | Multi-Tenant - Tenant (Single user locked) | Perpetual | HA | Not Allowed |
| Perpetual (Trial) | Enterprise | Perpetual (Trial) | Enterprise | Not Allowed |
| Perpetual (Trial) | Multi-Tenant (Manager) | Perpetual (Trial) | Multi-Tenant (Manager) | Not Allowed |
| Subscription | Enterprise | Subscription | Enterprise | Allowed |
| Subscription | Enterprise | Subscription | HA | Allowed |
| Subscription | Multi-Tenant (Manager) | Subscription | Multi-Tenant (Manager) | Allowed |
| Subscription | Multi-Tenant (Manager) | Subscription | HA | Allowed |
| Subscription | Multi-Tenant - Tenant (Multiple user capable) | Subscription | Multi-Tenant - Tenant (Multiple user capable) | Allowed |
| Subscription | Multi-Tenant - Tenant (Multiple user capable) | Subscription | HA | Allowed |
| Subscription | Multi-Tenant - Tenant (Single user locked) | Subscription | Multi-Tenant - Tenant (Single user locked) | Not Allowed |
| Subscription | Multi-Tenant - Tenant (Single user locked) | Subscription | HA | Not Allowed |
| Subscription (Starter) | Enterprise | Subscription (Starter) | Enterprise | Allowed |
| Subscription (Starter) | Enterprise | Subscription | Enterprise | Allowed |
| Evaluation | Enterprise | Evaluation | Enterprise | Allowed |
| Evaluation | Multi-Tenant (Manager) | Evaluation | Multi-Tenant (Manager) | Allowed |
| Evaluation | Multi-Tenant - Tenant (Multiple user capable) | Evaluation | Multi-Tenant - Tenant (Multiple user capable) | Allowed |
| Evaluation | Multi-Tenant - Tenant (Single user locked) | Evaluation | Multi-Tenant - Tenant (Single user locked) | Not Allowed |
Threat Intel Management Service Subscription displays whether unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features are enabled or disabled. For more information, see the Licensing option to enable unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features topic.
User Seat Entitlements displays the number of user seats that you have purchased for FortiSOAR. You cannot create more named active users in your FortiSOAR environment than the value specified in this field. For example, if the User Seat Entitlements field is set to five, then you can create a maximum of five named users, and an unlimited number of concurrent users; however, if all five named users are active, then no concurrent user will be able to log into FortiSOAR. Also, note that if a user is logging in from multiple places, then it is counted as a single user. For more information, see the User Seat Support in FortiSOAR section.
User Seats Consumed displays the number of active users, named and concurrent, who have consumed the FortiSOAR user seats. To view the number of users, named and concurrent, who are currently logged into FortiSOAR, you can hover over the tooltip.
Expiry Date displays the date at which your FortiSOAR license will expire and Remaining Days displays the number of days left for your license to expire.
FortiSOAR does not mandate 'Additional Users' entitlement to be the same across all cluster nodes. User count entitlement is validated from the primary node. The secondary nodes can have the basic two-user entitlement. The HA cluster shares the user count details from primary node of the cluster. Hence, all 'Concurrent Users' count restrictions apply as per the primary node. If a node leaves the cluster, the restriction will apply as per its own original license.
In the case of an HA environment, you only need to buy one Threat Intelligence Management (TIM) subscription that can be used across your HA cluster. The primary node subscription gets cascaded to the secondary nodes.
In case your FortiSOAR instance is part of a High Availability (HA) cluster, then the License Manager page also displays information about the nodes in the cluster, if you have added secondary node(s) as shown in the following image:
As shown in the above image, the primary node is Node 1 and that node is licensed with 7 users, therefore the User Seat Entitlements count displays as 7 users. For more information on licensing of nodes in an HA cluster, see the High Availability and Disaster Recovery support in FortiSOAR chapter in the "Administration Guide."
You can update the license for each node by clicking Update License and uploading the license for that node as described in the following section.
If you deploy a license that does not match the system UUID, you will receive a warning on the CLI during deployment. If you deploy the same license in multiple environments, it will be detected as a duplicate and you will be required to correct the license. Otherwise, your FortiSOAR UI will be blocked as follows:
User Seat Support in FortiSOAR
FortiSOAR supports 'Named' and 'Concurrent' users for licensing. User access details are used to calculate the number of concurrent users that can simultaneously log onto FortiSOAR.
Named Users
'Named' users are users for whom a seat is permanently reserved, i.e., such a user can always log onto FortiSOAR except in case of a license violation.
Concurrent Users
The ability to designate a user seat as a 'concurrent user seat' allows system administrators to create a floating seat that can be shared by unlimited users (only limited by the user seat limit). A 'Named' user has a FortiSOAR seat permanently reserved, i.e., such a user can always log onto FortiSOAR except in case of a license violation. However, a concurrent user can log in only when there is a concurrent seat available. Note that if a user is logging in from multiple places, it is counted as a single user.
For example, if you have purchased a five-user license, then a maximum of 5 named active users can be present in the system at a given time. However, there is no limit to concurrent user creation, i.e., you can create as many concurrent users as you want. Therefore, if out of five user seats that you have purchased, you have created two Named users, then those users can log into FortiSOAR at any time, and the other three seats are reserved for Concurrent users, who can log into FortiSOAR when concurrent seats are available. However, if you create five Named users, then only those users will be able to log into FortiSOAR and Concurrent users will not be able to log into the system.
Administrators, i.e., users with |
The default access type set for all SSO and MSSP users is 'Concurrent'. You can change the access type for the user later, if needed.
Updating your license using the FortiSOAR UI
You can update your license using your FortiSOAR UI. Click Settings > License Manager to open the License Manager page.
You can use the License Manager page to view your license details and to update your license. FortiSOAR displays a message about the expiration of your license 15 days prior to the date your license is going to expire. If your license type is Evaluation, then you must update your license within 15 days if you want to keep using FortiSOAR. To update your license, click Update License and either drag-and-drop your updated license or click and browse to the location where your license file is located, then select the file and click Open. If your license type is Subscription, you must renew your subscription.
Licensing option to enable unrestricted FortiGuard threat feeds and premium Threat Intelligence Management features
FortiSOAR supports a licensing option that provides full access to the best-in-class FortiGuard threat intel feeds. This service allows you to use the Threat Intel Management service to its fullest extent, and includes unrestricted consumption of FortiGuard feeds. The feed is an extensive dataset comprising IPs, URLs, domains, and malicious hashes carefully curated by our team of experts. The entire feeds database is labeled with the relevant threat types and associated Lockheed Martin Kill Chain phases, which gives users the contextual information needed to understand the nature of a threat. In addition to these feeds, the new SKU option also enables the following features in the FortiSOAR Threat Intel Management experience:
- Provide 'Contextual Sighting' Information: For every indicator that is created, FortiSOAR automatically looks up a match in its feeds database and links these matched indicators automatically to the extracted indicator. The advantage of this is two-fold:
  - Getting good contextual information even when information about these suspicious targets is not yet available with the standard enrichment sources.
  - Providing users with a dashboard displaying the relevance of various intelligence sources based on the number of actual sightings in their environment.
- No limit on the feed volume that can be ingested per day in the 'Threat Intel Management' module using the FortiSOAR Feeds API.
  If the Threat Intel Management Service Subscription is 'Disabled', then the 'Ingest Feed' step can insert only 1000 records per day in the 'Threat Intel Management' module. Once this limit is exceeded, further feed ingestion playbooks start failing with the 'Daily Feed Ingestion Limit reached' error until the counter is reset at midnight (UTC).
  An example of how this works: If you have 100 records left from the 1000 records per day limit, and you send 200 records as part of the ingestion feed, only 100 records are saved, and the remaining 100 are ignored.
- No limit on the number of feeds that can be exported using the FortiSOAR 'TAXII API' for sharing processed threat intelligence to SIEMs, firewalls, etc. If this SKU is not enabled, the TAXII-compatible API provides only 100 records as part of the API response.
For any SKU-related information, contact Fortinet Support.
To know if you have this licensing option enabled, check the Threat Intel Management Service Subscription option on your License Manager page in the FortiSOAR UI. The section shows if the option is Enabled or Disabled. For more information on TIM, see the Threat Intel Management Solution Pack documentation in the FortiSOAR Content Hub.
Troubleshooting licensing issues
FortiSOAR displays meaningful messages and troubleshooting tips during the license deployment process, and validates your FortiSOAR license, making it easier for you to debug licensing issues.
If your connection to FDN is via a proxy, you must update the proxy settings.
If any error occurs while deploying your license, try the following troubleshooting steps:
- If the license type is "Subscription", then the number of users and expiry date are not present inside the license. They must be synced from FDN after the installation. The "License has expired" issue after installation occurs due to the following two reasons:
  - Sync with FDN failed.
  - Sync was successful, but wrong contract information was received.
  To verify the above-mentioned cases, run the following command:
  java -jar <jar_path> <serial_no> <device_uuid> <globalupdate_url>
  For example:
  java -jar /opt/cyops-auth/bin/fdnclient.jar <serial_no> <device_uuid> https://globalupdate.fortinet.net
- If the license type is "Evaluation" or "Perpetual", then the number of users and expiry date are present inside the license. If a license deployment failure occurs for these types of licenses, then check the license information using the following command:
  csadm license --show-details <lic_file>
- After deploying the license, if the system is still not reachable, restart the cyops-auth service and then monitor the fdn.log and das.log files. If you continue to face issues, contact FortiSOAR support.
Troubleshooting issues while deploying the FortiSOAR license in a proxy environment
You might get the following error when you are deploying your FortiSOAR license in a proxy environment:
"FSR-Auth-003: License Entitlement Sync Failed. Ensure that https://globalupdate.fort is accessible from your environment. If the issue still persists, contact support."
This issue might occur because some proxies perform SSL decryption: they intercept the HTTPS connection, replace the peer certificate, and set themselves as the issuer of the certificate. License deployment or synchronization can then fail because the new issuer is not trusted.
To identify this issue, check for the "PKIX path building failed" error message in the fdn.log file (/var/log/cyops/cyops-auth/fdn.log).
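The log check described above, as an added example that is not part of the Fortinet documentation: a shell triage that reads fdn.log and separates the certificate-trust failure caused by a decrypting proxy from ordinary reachability failures. The function names and the sample log layout are assumptions; only standard Java exception strings are matched, and the sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example: triage FDN sync failures in fdn.log. Log layout is assumed;
# only the standard Java exception strings are matched.

# Read fdn.log on stdin; print the cause of the most recent failure:
# tls_interception | dns | unreachable | none
classify_fdn_failure() (
    verdict=none
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *"PKIX path building failed"*) verdict=tls_interception ;;
            *UnknownHostException*)        verdict=dns ;;
            *ConnectException*|*SocketTimeoutException*) verdict=unreachable ;;
        esac
    done
    printf '%s\n' "$verdict"
)

# Map a verdict to the remediation the page describes.
advise() {
    case $1 in
        tls_interception) echo "Proxy re-signs the FDN certificate: exempt globalupdate.fortinet.net from SSL decryption, or import the proxy issuer certificate into the truststore" ;;
        dns|unreachable)  echo "Connectivity problem: check proxy settings and access to globalupdate.fortinet.net" ;;
        *)                echo "No known FDN connection failure found in the log" ;;
    esac
}

# Show who issued the certificate actually presented through the proxy.
# $1 = proxy host:port (site-specific). Needs network and OpenSSL 1.1.0+.
presented_issuer() {
    openssl s_client -connect globalupdate.fortinet.net:443 \
        -servername globalupdate.fortinet.net -proxy "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer
}

# Constructed sample lines (not real FortiSOAR output).
sample_fdn_log() {
    cat <<'EOF'
2024-01-10 09:14:02 ERROR java.net.ConnectException: Connection timed out
2024-01-10 09:20:41 ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
EOF
}

verdict=$(sample_fdn_log | classify_fdn_failure)
echo "$verdict: $(advise "$verdict")"
# On the appliance: classify_fdn_failure < /var/log/cyops/cyops-auth/fdn.log
```

If presented_issuer names the proxy's own CA rather than a public CA, the proxy is decrypting the FDN connection.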
Resolution
You can use the following two solutions to solve this issue.
Method 1: Do not use SSL decryption for globalupdate.fortinet.net.
Method 2: Import the proxy issuer certificate into the truststore using the following command:
keytool -import -alias proxy_issuer_cert -keystore /opt/cyops-auth/certs/fdn_server_truststore.p12 -file <cert_file> -storepass MXakK2bj6vAteC47 -noprompt