Fortinet Document Library

Version:


Table of Contents

FortiWeb-VM on OpenStack

  • Select version:
  • 6.1
6.1.1
Download PDF
Copy Link

Uploading the license

When you purchase a license for FortiWeb-VM, Fortinet Customer Service & Support (https://support.fortinet.com) provides a license file that you can use to convert the 15-day trial license to a permanent, paid license.

(Licensing for FortiWeb Manager virtual machine is different. See the FortiWeb Manager Handbook.)

You can upload the license via a web browser connection to the web UI or the CLI. No maintenance period scheduling is required. The uploading process does not interrupt traffic or trigger an appliance reboot.

As your organization grows, you can simply either allocate more resources or migrate your virtual appliance to a physical server with more power, then upgrade your FortiWeb-VM license to support your needs.

License Validation

FortiWeb-VM requires an Internet connection to periodically re-validate its license. If FortiWeb-VM cannot contact Fortinet’s FDN for 24 hours, access to the web UI and CLI are locked.

If FortiWeb-VM is deployed in a closed network environment, license validation can be done in the following way.

License validation with FDS proxy

You can validate your FortiWeb-VM license through an FDS proxy. FortiManager's built-in FDS (FortiGuard Distribution Servers) feature can serve this purpose. This requires FortiManager to have Internet connection. To configure FortiWeb-VM to validate its license using FortiManager, before you upload the license, enter the following command:

config system autoupdate override

set status enable

set address <fortimanager_ip>:8890

set fail-over disable

end

where <fortimanager_ip> is the IP address of the FortiManager. (TCP port 8890 is the port where the built-in FDS feature listens for requests.)

For more information on the FortiManager built-in FDS feature, see the FortiManager Administration Guide.

Although FortiManager can provide FortiGuard security service updates to some Fortinet devices, for FortiWeb, its FDS features can provide license validation only.

Uploading the license

To upload the license via the web UI
  1. On your management computer, start a web browser.

    For hypervisor installations, your computer must be connected to the same network as the hypervisor.

  2. Do one of the following:
    • For hypervisor deployments, in your browser’s URL or location field, enter the IP address of port1 of the virtual appliance, such as:

      https://192.168.1.99/

      (Remember to include the “s” in https://.)
    Initially, you must access the web UI via HTTPS. By default, HTTP is not enabled. After uploading the license, you can configure the administrative access protocols. For details, see the FortiWeb Administration Guide.
    • For FortiWeb-VM deployed on AWS, access the web UI using the public DNS address displayed in the instance information for the appliance in your AWS console.

      For example, if the public DNS address is ec2-54-234-142-136.compute-1.amazonaws.com, you connect to the web UI using the following URL:

      https://ec2-54-234-142-136.compute-1.amazonaws.com/

    Your browser connects the appliance. The web UI’s login page should appear.

    If you do not see the login page due to an SSL cipher error during the connection, and you are connecting to the trial license of FortiWeb-VM or a LENC version of FortiWeb, then your browser must be configured to accept encryption of 64-bit strength or less during the handshake. (RC2, RC4, and DES with less than 64-bit strength is supported. AES and 3DES is not supported in these versions.) Otherwise SSL v3 and TLS v1.0 are supported.

    For example, in Mozilla Firefox, if you receive this error message:

    ssl_error_no_cypher_overlap

    you may need to enter about:config in the URL bar, then set security.ssl3.rsa.rc4_40_md5 to true.

    To support HTTPS authentication, the FortiWeb appliance ships with a self-signed X.509 certificate, which it presents to clients whenever they initiate an HTTPS connection to the FortiWeb appliance. When you connect, depending on your web browser and prior access of the FortiWeb appliance, your browser might display two security warnings related to this certificate:

    • The certificate is not automatically trusted because it is self-signed, rather than being signed by a valid certificate authority (CA). Self-signed certificates cannot be verified with a proper CA, and therefore might be fraudulent. You must manually indicate whether or not to trust the certificate.
    • The certificate might belong to another website. The common name (CN) field in the certificate, which usually contains the host name of the website, does not exactly match the URL you requested. This could indicate server identity theft, but could also simply indicate that the certificate contains a domain name while you have entered an IP address. You must manually indicate whether this mismatch is normal or not.

    Both warnings are normal for the default certificate.

  3. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning again) or temporarily. You cannot log in until you accept the certificate.
  4. For details on accepting the certificate, see the documentation for your web browser.
  5. In the Name field, type admin. Do one of the following:
    • For hypervisor deployments, do not enter a password.
    • For AWS deployments, for Password, enter the AWS instance ID.
  6. Click Login.

    The web UI appears.

    The web UI initially displays its dashboard, System > Status > Status. The FortiGuard Information widget displays the current license status and contains a link where you can upload a license file.

    FortiGuard Information widget on System > Status > Status in the web UI before license upload

  7. In the VM License row of the FortiGuard Information widget, click the Update link.

  8. Depending on your browser, you may see either a Browse or Choose File button. Locate the license file (.lic) you downloaded earlier from Fortinet, then click OK.

    Your browser uploads the license file. Time required varies by the size of the file and the speed of the network connection. If you have uploaded a file that is not a license file, an error message will appear:

    Uploaded file is not a license. Please upload a valid license.

    If you upload the right file type, FortiWeb will then connect to Fortinet to validate its license. Time required varies, but is usually only a few seconds. A message appears:

    License has been uploaded. Please wait for authentication with registration servers.

  9. Click Refresh on the message box.

    If you uploaded a valid license, a second message should appear, informing you that your license authenticated successfully:

    License has been successfully authenticated with registration servers.

    The web UI logs you out. The login dialog reappears.

  10. Log in again.
  11. To verify that the license was uploaded successfully, log in to the web UI again, then view the FortiGuard Information widget. The VM License row should say Valid.

    Also view the System Information widget. The Serial Number row should have a number that indicates the maximum number of vCPUs that can be allocated according to the FortiWeb-VM software license, such as FVVM020000003619 (where “VM02” indicates a limit of 2 vCPUs).

    FortiGuard Information widget on System > Status > Status in the web UI after license validation

    GUI item Description
    VM License

    Indicates whether or not this FortiWeb-VM appliance has a paid software license. The license affects the maximum number of allocatable vCPUs.

    Possible states are:

    • Valid — The appliance has a valid, non-trial license. Serial Number in the System Information widget indicates the maximum number of vCPUs that can be allocated according to this license.

      To increase the number of vCPUs that this appliance can utilize, invalidate the current license by allocating more vCPUs in your virtual machine environment (e.g. VMware), then upload a new license. See Updating the license for more vCPUs.

    • Invalid — The FortiWeb-VM appliance license either was not valid, or is currently a trial license.

      To upload a purchased license, click Update.

    This appears only in FortiWeb-VM.

    Registration

    Indicates which account registered this appliance with Fortinet Technical Support. Possible states are:

    • Unregistered — Not registered with Fortinet Technical Support.
    • <registration_email> — Registered with Fortinet Technical Support.

    To manage technical support or FortiGuard service contracts for this device, go to the Fortinet Technical Support website.

    If logging is enabled, this log message will be recorded in the event log:

    License status changed to VALID

    If you are still connected to the CLI when license authentication succeeds, it should print this message:

    *ATTENTION*: license registration status changed to 'VALID',please logout and re-login

    If FortiWeb was also able to contact FortiGuard, its FortiWeb Update Service row should also indicate that the FortiGuard service contract is valid. (This second license validation may occur a minute or two after the first, and so may not appear immediately.)

    If there was a connectivity interruption, you can either wait up to 30 minutes for the next license query, reboot, or enter the CLI command:

    exec update-now

    This command also contacts FortiGuard for FortiWeb Security Service contract validation and update availability.

    If the connection did not succeed:

    • On FortiWeb, verify the:
      • time zone & time
      • DNS settings
      • network interface up/down status & IP
      • static routes
    • On your computer, use nslookup to verify that FortiGuard domain names are resolving (VM license queries are sent to update.fortiguard.net).

     

    C:\Users\cschwartz>nslookup update.fortiguard.net

    Server: google-public-dns-a.google.com

    Address: 8.8.8.8

     

    Non-authoritative answer:

    Name: fds1.fortinet.com

    Addresses: 209.66.81.150

    209.66.81.151

    208.91.112.66

    Aliases: update.fortiguard.net

     

    • On FortiWeb, use execute ping and execute traceroute to verify that connectivity from FortiWeb to the Internet and FortiGuard is possible. Check the configuration of any NAT or firewall devices that exist between the FortiWeb appliance and the FDN or FDS server override.

     

    FortiWeb # exec traceroute update.fortiguard.net

    traceroute to update.fortiguard.net (209.66.81.150), 32 hops max, 84 byte packets

    1 192.0.2.2 0 ms 0 ms 0 ms

    2 209.87.254.221 <static-209-87-254-221.storm.ca> 4 ms 2 ms 3 ms

    3 209.87.239.161 <core-2-g0-3.storm.ca> 2 ms 3 ms 3 ms

    4 67.69.228.161 3 ms 4 ms 3 ms

    5 64.230.164.17 <core2-ottawa23_POS13-1-0.net.bell.ca> 3 ms 5 ms 3 ms

    6 64.230.99.250 <tcore4-ottawa23_0-4-2-0.net.bell.ca> 16 ms 17 ms 15 ms

    7 64.230.79.222 <tcore3-montreal01_pos0-14-0-0.net.bell.ca> 14 ms 14 ms 15 ms

    8 64.230.187.238 <newcore2-newyork83_so6-0-0_0> 63 ms 15 ms 14 ms

    9 64.230.187.42 <bxX5-newyork83_POS9-0-0.net.bell.ca> 21 ms 64.230.187.93 <BX5-NEWYORK83_POS12-0-0_core.net.bell.ca> 17 ms 16 ms

    10 67.69.246.78 <Abovenet_NY.net.bell.ca> 28 ms 28 ms 28 ms

    11 64.125.21.86 <xe-1-3-0.cr2.lga5.us.above.net> 29 ms 29 ms 30 ms

    12 64.125.27.33 <xe-0-2-0.cr2.ord2.us.above.net> 31 ms 31 ms 33 ms

    13 64.125.25.6 <xe-4-1-0.cr2.sjc2.us.above.net> 82 ms 82 ms 100 ms

    14 64.125.26.202 <xe-1-1-0.er2.sjc2.us.above.net> 80 ms 79 ms 82 ms

    15 209.66.64.93 <209.66.64.93.t01015-01.above.net> 80 ms 80 ms 79 ms

    16 209.66.81.150 <209.66.81.150.available.above.net> 83 ms 82 ms 81 ms

     

    If after 4 hours FortiWeb still cannot validate its license, a warning message will be printed to the local console:

    *WARNING*: Unable to validate license for over 4 hours

  12. Continue with What’s next?.
To upload the license via the CLI
  1. Using an SSH client, log in to the CLI using the IP address of the network interface you configured earlier.
  2. For example, if you configured port1 with the IP address 192.168.1.1, connect to 192.168.1.1 on port 22.

    For details, see Configuring access to FortiWeb’s web UI & CLI.

  3. Enter the following command:
  4. execute restore vmlicense {ftp | tftp} <license-file_str> {<ftp_ipv4> | <user_str>:<password_str>@<ftp_ipv4> | <tftp_ipv4>}

    where:

    {ftp | tftp} specifies whether to connect to the server using file transfer protocol (FTP) or trivial file transfer protocol (TFTP).

    <license-file_str> is the name of the license file.

    {<ftp_ipv4> is the IP address of the FTP server.

    <user_str> is the user name that FortiWeb uses to authenticate with the server.

    <password_str> is the password for the account specified by <user_str>.

    <tftp_ipv4> is the IP address of the TFTP server.

  5. Confirm that you want to perform the license upload.
  6. After the license is authenticated successfully, the following message is displayed:

    “*ATTENTION*: license registration status changed to 'VALID', please logout and re-login”

    For information on troubleshooting a license upload, see To upload the license via the web UI.

  7. Continue with What’s next?.

Uploading the license

When you purchase a license for FortiWeb-VM, Fortinet Customer Service & Support (https://support.fortinet.com) provides a license file that you can use to convert the 15-day trial license to a permanent, paid license.

(Licensing for FortiWeb Manager virtual machine is different. See the FortiWeb Manager Handbook.)

You can upload the license via a web browser connection to the web UI or the CLI. No maintenance period scheduling is required. The uploading process does not interrupt traffic or trigger an appliance reboot.

As your organization grows, you can simply either allocate more resources or migrate your virtual appliance to a physical server with more power, then upgrade your FortiWeb-VM license to support your needs.

License Validation

FortiWeb-VM requires an Internet connection to periodically re-validate its license. If FortiWeb-VM cannot contact Fortinet’s FDN for 24 hours, access to the web UI and CLI are locked.

If FortiWeb-VM is deployed in a closed network environment, license validation can be done in the following way.

License validation with FDS proxy

You can validate your FortiWeb-VM license through an FDS proxy. FortiManager's built-in FDS (FortiGuard Distribution Servers) feature can serve this purpose. This requires FortiManager to have Internet connection. To configure FortiWeb-VM to validate its license using FortiManager, before you upload the license, enter the following command:

config system autoupdate override

set status enable

set address <fortimanager_ip>:8890

set fail-over disable

end

where <fortimanager_ip> is the IP address of the FortiManager. (TCP port 8890 is the port where the built-in FDS feature listens for requests.)

For more information on the FortiManager built-in FDS feature, see the FortiManager Administration Guide.

Although FortiManager can provide FortiGuard security service updates to some Fortinet devices, for FortiWeb, its FDS features can provide license validation only.

Uploading the license

To upload the license via the web UI
  1. On your management computer, start a web browser.

    For hypervisor installations, your computer must be connected to the same network as the hypervisor.

  2. Do one of the following:
    • For hypervisor deployments, in your browser’s URL or location field, enter the IP address of port1 of the virtual appliance, such as:

      https://192.168.1.99/

      (Remember to include the “s” in https://.)
    Initially, you must access the web UI via HTTPS. By default, HTTP is not enabled. After uploading the license, you can configure the administrative access protocols. For details, see the FortiWeb Administration Guide.
    • For FortiWeb-VM deployed on AWS, access the web UI using the public DNS address displayed in the instance information for the appliance in your AWS console.

      For example, if the public DNS address is ec2-54-234-142-136.compute-1.amazonaws.com, you connect to the web UI using the following URL:

      https://ec2-54-234-142-136.compute-1.amazonaws.com/

    Your browser connects the appliance. The web UI’s login page should appear.

    If you do not see the login page due to an SSL cipher error during the connection, and you are connecting to the trial license of FortiWeb-VM or a LENC version of FortiWeb, then your browser must be configured to accept encryption of 64-bit strength or less during the handshake. (RC2, RC4, and DES with less than 64-bit strength is supported. AES and 3DES is not supported in these versions.) Otherwise SSL v3 and TLS v1.0 are supported.

    For example, in Mozilla Firefox, if you receive this error message:

    ssl_error_no_cypher_overlap

    you may need to enter about:config in the URL bar, then set security.ssl3.rsa.rc4_40_md5 to true.

    To support HTTPS authentication, the FortiWeb appliance ships with a self-signed X.509 certificate, which it presents to clients whenever they initiate an HTTPS connection to the FortiWeb appliance. When you connect, depending on your web browser and prior access of the FortiWeb appliance, your browser might display two security warnings related to this certificate:

    • The certificate is not automatically trusted because it is self-signed, rather than being signed by a valid certificate authority (CA). Self-signed certificates cannot be verified with a proper CA, and therefore might be fraudulent. You must manually indicate whether or not to trust the certificate.
    • The certificate might belong to another website. The common name (CN) field in the certificate, which usually contains the host name of the website, does not exactly match the URL you requested. This could indicate server identity theft, but could also simply indicate that the certificate contains a domain name while you have entered an IP address. You must manually indicate whether this mismatch is normal or not.

    Both warnings are normal for the default certificate.

  3. Verify and accept the certificate, either permanently (the web browser will not display the self-signing warning again) or temporarily. You cannot log in until you accept the certificate.
  4. For details on accepting the certificate, see the documentation for your web browser.
  5. In the Name field, type admin. Do one of the following:
    • For hypervisor deployments, do not enter a password.
    • For AWS deployments, for Password, enter the AWS instance ID.
  6. Click Login.

    The web UI appears.

    The web UI initially displays its dashboard, System > Status > Status. The FortiGuard Information widget displays the current license status and contains a link where you can upload a license file.

    FortiGuard Information widget on System > Status > Status in the web UI before license upload

  7. In the VM License row of the FortiGuard Information widget, click the Update link.

  8. Depending on your browser, you may see either a Browse or Choose File button. Locate the license file (.lic) you downloaded earlier from Fortinet, then click OK.

    Your browser uploads the license file. Time required varies by the size of the file and the speed of the network connection. If you have uploaded a file that is not a license file, an error message will appear:

    Uploaded file is not a license. Please upload a valid license.

    If you upload the right file type, FortiWeb will then connect to Fortinet to validate its license. Time required varies, but is usually only a few seconds. A message appears:

    License has been uploaded. Please wait for authentication with registration servers.

  9. Click Refresh on the message box.

    If you uploaded a valid license, a second message should appear, informing you that your license authenticated successfully:

    License has been successfully authenticated with registration servers.

    The web UI logs you out. The login dialog reappears.

  10. Log in again.
  11. To verify that the license was uploaded successfully, log in to the web UI again, then view the FortiGuard Information widget. The VM License row should say Valid.

    Also view the System Information widget. The Serial Number row should have a number that indicates the maximum number of vCPUs that can be allocated according to the FortiWeb-VM software license, such as FVVM020000003619 (where “VM02” indicates a limit of 2 vCPUs).

    FortiGuard Information widget on System > Status > Status in the web UI after license validation

    GUI item Description
    VM License

    Indicates whether or not this FortiWeb-VM appliance has a paid software license. The license affects the maximum number of allocatable vCPUs.

    Possible states are:

    • Valid — The appliance has a valid, non-trial license. Serial Number in the System Information widget indicates the maximum number of vCPUs that can be allocated according to this license.

      To increase the number of vCPUs that this appliance can utilize, invalidate the current license by allocating more vCPUs in your virtual machine environment (e.g. VMware), then upload a new license. See Updating the license for more vCPUs.

    • Invalid — The FortiWeb-VM appliance license either was not valid, or is currently a trial license.

      To upload a purchased license, click Update.

    This appears only in FortiWeb-VM.

    Registration

    Indicates which account registered this appliance with Fortinet Technical Support. Possible states are:

    • Unregistered — Not registered with Fortinet Technical Support.
    • <registration_email> — Registered with Fortinet Technical Support.

    To manage technical support or FortiGuard service contracts for this device, go to the Fortinet Technical Support website.

    If logging is enabled, this log message will be recorded in the event log:

    License status changed to VALID

    If you are still connected to the CLI when license authentication succeeds, it should print this message:

    *ATTENTION*: license registration status changed to 'VALID',please logout and re-login

    If FortiWeb was also able to contact FortiGuard, its FortiWeb Update Service row should also indicate that the FortiGuard service contract is valid. (This second license validation may occur a minute or two after the first, and so may not appear immediately.)

    If there was a connectivity interruption, you can either wait up to 30 minutes for the next license query, reboot, or enter the CLI command:

    exec update-now

    This command also contacts FortiGuard for FortiWeb Security Service contract validation and update availability.

    If the connection did not succeed:

    • On FortiWeb, verify the:
      • time zone & time
      • DNS settings
      • network interface up/down status & IP
      • static routes
    • On your computer, use nslookup to verify that FortiGuard domain names are resolving (VM license queries are sent to update.fortiguard.net).

     

    C:\Users\cschwartz>nslookup update.fortiguard.net

    Server: google-public-dns-a.google.com

    Address: 8.8.8.8

     

    Non-authoritative answer:

    Name: fds1.fortinet.com

    Addresses: 209.66.81.150

    209.66.81.151

    208.91.112.66

    Aliases: update.fortiguard.net

     

    • On FortiWeb, use execute ping and execute traceroute to verify that connectivity from FortiWeb to the Internet and FortiGuard is possible. Check the configuration of any NAT or firewall devices that exist between the FortiWeb appliance and the FDN or FDS server override.

     

    FortiWeb # exec traceroute update.fortiguard.net

    traceroute to update.fortiguard.net (209.66.81.150), 32 hops max, 84 byte packets

    1 192.0.2.2 0 ms 0 ms 0 ms

    2 209.87.254.221 <static-209-87-254-221.storm.ca> 4 ms 2 ms 3 ms

    3 209.87.239.161 <core-2-g0-3.storm.ca> 2 ms 3 ms 3 ms

    4 67.69.228.161 3 ms 4 ms 3 ms

    5 64.230.164.17 <core2-ottawa23_POS13-1-0.net.bell.ca> 3 ms 5 ms 3 ms

    6 64.230.99.250 <tcore4-ottawa23_0-4-2-0.net.bell.ca> 16 ms 17 ms 15 ms

    7 64.230.79.222 <tcore3-montreal01_pos0-14-0-0.net.bell.ca> 14 ms 14 ms 15 ms

    8 64.230.187.238 <newcore2-newyork83_so6-0-0_0> 63 ms 15 ms 14 ms

    9 64.230.187.42 <bxX5-newyork83_POS9-0-0.net.bell.ca> 21 ms 64.230.187.93 <BX5-NEWYORK83_POS12-0-0_core.net.bell.ca> 17 ms 16 ms

    10 67.69.246.78 <Abovenet_NY.net.bell.ca> 28 ms 28 ms 28 ms

    11 64.125.21.86 <xe-1-3-0.cr2.lga5.us.above.net> 29 ms 29 ms 30 ms

    12 64.125.27.33 <xe-0-2-0.cr2.ord2.us.above.net> 31 ms 31 ms 33 ms

    13 64.125.25.6 <xe-4-1-0.cr2.sjc2.us.above.net> 82 ms 82 ms 100 ms

    14 64.125.26.202 <xe-1-1-0.er2.sjc2.us.above.net> 80 ms 79 ms 82 ms

    15 209.66.64.93 <209.66.64.93.t01015-01.above.net> 80 ms 80 ms 79 ms

    16 209.66.81.150 <209.66.81.150.available.above.net> 83 ms 82 ms 81 ms

     

    If after 4 hours FortiWeb still cannot validate its license, a warning message will be printed to the local console:

    *WARNING*: Unable to validate license for over 4 hours

  12. Continue with What’s next?.
To upload the license via the CLI
  1. Using an SSH client, log in to the CLI using the IP address of the network interface you configured earlier.
  2. For example, if you configured port1 with the IP address 192.168.1.1, connect to 192.168.1.1 on port 22.

    For details, see Configuring access to FortiWeb’s web UI & CLI.

  3. Enter the following command:
  4. execute restore vmlicense {ftp | tftp} <license-file_str> {<ftp_ipv4> | <user_str>:<password_str>@<ftp_ipv4> | <tftp_ipv4>}

    where:

    {ftp | tftp} specifies whether to connect to the server using file transfer protocol (FTP) or trivial file transfer protocol (TFTP).

    <license-file_str> is the name of the license file.

    {<ftp_ipv4> is the IP address of the FTP server.

    <user_str> is the user name that FortiWeb uses to authenticate with the server.

    <password_str> is the password for the account specified by <user_str>.

    <tftp_ipv4> is the IP address of the TFTP server.

  5. Confirm that you want to perform the license upload.
  6. After the license is authenticated successfully, the following message is displayed:

    “*ATTENTION*: license registration status changed to 'VALID', please logout and re-login”

    For information on troubleshooting a license upload, see To upload the license via the web UI.

  7. Continue with What’s next?.