Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.1
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home 8.0.1 Administration Guide

    Licensing

    Licensing

    FortiAuthenticator-VM supports two licensing models:

    • Perpetual

      A one-time purchase license that does not expire. It is based on the VM and allows stacking user capacity starting from 100 users (FAC-VM-Base).

      Additional user capacity can be added by stacking licenses.

      Support services such as firmware updates and technical support are purchased separately.

      Use Case: Ideal for organizations that prefer a capital expenditure (CapEx) model with fixed, long‑term licensing and no recurring subscription fees.

    • Subscription license

      A term-based license billed per user and includes support services as part of the subscription.

      The subscription license requires internet access to update.fortiguard.net. If the system cannot connect to this address for 30 days, the license is disabled and services stop working. When connectivity is lost, the following error is displayed in Logging > Log Access > Logs:

      Log 1 Example

       License could not be validated for over 4 hours, you have 30 days left to validate the license!

      Log 2 Example

       License could not be validated for over 2 days, you have 28 days left to validate the license!

      Log 3 Example

       License could not be validated for 30 days.

      If the subscription expires, authentication services stop, but the administrator can still access the GUI for troubleshooting.

      In HA environments, both active and passive units require separate subscription licenses, and mixing perpetual and subscription licenses is not supported.

      See Subscription VM license.

      Use Case: Best for organizations that prefer an operational expenditure (OpEx) model with bundled support and the flexibility to scale per user.

    For detailed ordering information, see the FortiAuthenticator Ordering Guide.

    FortiAuthenticator-VM works in evaluation mode until it is licensed. In evaluation mode, only a limited number of users can be configured on the system. To expand this capability, a stackable license can be applied to the system to increase both the user count, and all other metrics associated with the user count.

    When a license is purchased, a registration code is provided. Go to support.fortinet.com and register your device by entering the registration code. You are asked for the IP address of your FortiAuthenticator device, and are then provided with a license key.

    Ensure that the IP address specified while registering your unit is configured on one of the device’s network interfaces, then upload the license key to your FortiAuthenticator-VM.

    The License Information widget shows the current state of the device license.

    See License information widget.

    To license FortiAuthenticator:
    1. Register your device at the Fortinet Support website.
    2. Ensure that one of your device’s network interfaces is configured to the IP address specified during registration.
    3. Go to System > Administration > Licensing.
    4. Select Upload a File and locate the license file you received from Fortinet.
    5. Select Upload.

    FortiAuthenticator licenses

    FortiAuthenticator licenses include the following components:

    • Maximum number of users (FortiAuthenticator-VM models only).
    • Maximum number of SSO Mobility Agent clients (all models).
    • Expiry date (trial licenses only; full licenses are perpetual).
    FortiAuthenticator-VM licenses with user limits:

    FortiAuthenticator-VM licenses include a user limit which applies to:

    • The number of user accounts configured on the FortiAuthenticator (local and remote users combined).
    • The number of concurrent FSSO sessions.
    • The maximum limits on all other configuration objects are derived as a ratio to the maximum number of users.
    SSO Mobility Agent (SSOMA) client limits:

    The SSOMA client component is only required for scenarios where you are doing FSSO with SSOMA clients. It determines how many SSOMA clients can concurrently have active FSSO sessions on the FortiAuthenticator.

    The FortiAuthenticator sets the maximum number of SSOMA clients to the lowest of these values from its onboard license:

    • Maximum FortiClient SSO
    • Maximum users

    SSOMA, FTM, and SMS licenses are purchased separately, and these limits do not scale with the FortiAuthenticator license user limit.

    Licensing FortiAuthenticator HA units

    Primary HA cluster: Each FortiAuthenticator unit is required to have its own license. Both units must have the same license size (users and SSOMA clients).

    HA load-balancer: The HA load-balancer needs to have a user license size big enough to be able to replicate the configuration from the primary. While this means a load-balancer could have a smaller license than the primary, administrators must be careful to not undersize load-balancer licenses. The size of the SSOMA license can be different from the primary, depending on which FortiAuthenticator node the SSOMA clients will be connecting to.

    Previous
    Next

    Licensing

    Licensing

    FortiAuthenticator-VM supports two licensing models:

    • Perpetual

      A one-time purchase license that does not expire. It is based on the VM and allows stacking user capacity starting from 100 users (FAC-VM-Base).

      Additional user capacity can be added by stacking licenses.

      Support services such as firmware updates and technical support are purchased separately.

      Use Case: Ideal for organizations that prefer a capital expenditure (CapEx) model with fixed, long‑term licensing and no recurring subscription fees.

    • Subscription license

      A term-based license billed per user and includes support services as part of the subscription.

      The subscription license requires internet access to update.fortiguard.net. If the system cannot connect to this address for 30 days, the license is disabled and services stop working. When connectivity is lost, the following error is displayed in Logging > Log Access > Logs:

      Log 1 Example

       License could not be validated for over 4 hours, you have 30 days left to validate the license!

      Log 2 Example

       License could not be validated for over 2 days, you have 28 days left to validate the license!

      Log 3 Example

       License could not be validated for 30 days.

      If the subscription expires, authentication services stop, but the administrator can still access the GUI for troubleshooting.

      In HA environments, both active and passive units require separate subscription licenses, and mixing perpetual and subscription licenses is not supported.

      See Subscription VM license.

      Use Case: Best for organizations that prefer an operational expenditure (OpEx) model with bundled support and the flexibility to scale per user.

    For detailed ordering information, see the FortiAuthenticator Ordering Guide.

    FortiAuthenticator-VM works in evaluation mode until it is licensed. In evaluation mode, only a limited number of users can be configured on the system. To expand this capability, a stackable license can be applied to the system to increase both the user count, and all other metrics associated with the user count.

    When a license is purchased, a registration code is provided. Go to support.fortinet.com and register your device by entering the registration code. You are asked for the IP address of your FortiAuthenticator device, and are then provided with a license key.

    Ensure that the IP address specified while registering your unit is configured on one of the device’s network interfaces, then upload the license key to your FortiAuthenticator-VM.

    The License Information widget shows the current state of the device license.

    See License information widget.

    To license FortiAuthenticator:
    1. Register your device at the Fortinet Support website.
    2. Ensure that one of your device’s network interfaces is configured to the IP address specified during registration.
    3. Go to System > Administration > Licensing.
    4. Select Upload a File and locate the license file you received from Fortinet.
    5. Select Upload.

    FortiAuthenticator licenses

    FortiAuthenticator licenses include the following components:

    • Maximum number of users (FortiAuthenticator-VM models only).
    • Maximum number of SSO Mobility Agent clients (all models).
    • Expiry date (trial licenses only; full licenses are perpetual).
    FortiAuthenticator-VM licenses with user limits:

    FortiAuthenticator-VM licenses include a user limit which applies to:

    • The number of user accounts configured on the FortiAuthenticator (local and remote users combined).
    • The number of concurrent FSSO sessions.
    • The maximum limits on all other configuration objects are derived as a ratio to the maximum number of users.
    SSO Mobility Agent (SSOMA) client limits:

    The SSOMA client component is only required for scenarios where you are doing FSSO with SSOMA clients. It determines how many SSOMA clients can concurrently have active FSSO sessions on the FortiAuthenticator.

    The FortiAuthenticator sets the maximum number of SSOMA clients to the lowest of these values from its onboard license:

    • Maximum FortiClient SSO
    • Maximum users

    SSOMA, FTM, and SMS licenses are purchased separately, and these limits do not scale with the FortiAuthenticator license user limit.

    Licensing FortiAuthenticator HA units

    Primary HA cluster: Each FortiAuthenticator unit is required to have its own license. Both units must have the same license size (users and SSOMA clients).

    HA load-balancer: The HA load-balancer needs to have a user license size big enough to be able to replicate the configuration from the primary. While this means a load-balancer could have a smaller license than the primary, administrators must be careful to not undersize load-balancer licenses. The size of the SSOMA license can be different from the primary, depending on which FortiAuthenticator node the SSOMA clients will be connecting to.

    Previous
    Next