Obtaining FortiCare-generated license and certificates for GCP PAYG instances
GCP PAYG instances can obtain FortiCare-generated licenses upon a new deployment, or in the CLI (execute vm-license) when upgrading from previous firmware. The process generates Fortinet_Factory and Fortinet_Factory_Backup certificates that contain the common name (CN) of the FortiGate serial number to uniquely identify this FortiGate.
Installing a new deployment
A newly deployed instance automatically retrieves the signed certificate from FortiCare. Approximately 30 seconds after booting, the instance gets the certificate and reboots once to install it.
To verify the installation in a new deployment:
- Enable debugging and check the update status:
    # diagnose debug enable
    # diagnose debug update -1
    Debug messages will be on for 30 minutes.
    VM license install succeeded. Rebooting firewall.
- After the reboot, verify the license information:
    # diagnose debug vm-print-license
    SerialNumber: FGVM04TM********
    CreateDate: Tue Jun 8 02:30:19 2021
    Key: yes
    Cert: yes
    Key2: yes
    Cert2: yes
    Model: PG (22)
    CPU: 2147483647
    MEM: 2147483647
- Verify the Fortinet_Factory certificate information (the CN is the serial number):
    config vpn certificate local
    # get Fortinet_Factory
    name : Fortinet_Factory
    password : *
    private-key : *
    certificate :
    Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGVM04TM********, emailAddress = support@fortinet.com
    Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
    Valid from: 2021-06-08 02:30:19 GMT
    Valid to: 2056-01-19 03:14:07 GMT
    ...
Upgrading the firmware
To obtain a FortiCare-generated license during an upgrade:
- Before upgrading, verify the Fortinet_Factory certificate information (the CN is FortiGate):
    config vpn certificate local
    # get Fortinet_Factory
    name : Fortinet_Factory
    password : *
    private-key : *
    certificate :
    Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FortiGate, emailAddress = support@fortinet.com
    Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
    Valid from: 2016-11-30 19:58:17 GMT
    Valid to: 2056-11-20 19:58:07 GMT
    ...
- Verify the license information:
    # diagnose debug vm-print-license
    SerialNumber: FGTMCGPH********
    CreateDate: 1623112103
    Model: PG (22)
    CPU: 2147483647
    MEM: 2147483647
  Since there is no unique certificate from FortiCare, there are no Key, Cert, Key2, or Cert2 fields.
- Upgrade the firmware and update the license:
    # execute vm-license
    This operation will reboot the system !
    Do you want to continue? (y/n)y
    Get instance JWT token
    Requesting FortiCare license: FGTMCGPH********
    VM license install succeeded. Rebooting firewall.
- Verify the new Fortinet_Factory certificate information (the CN is the serial number):
    config vpn certificate local
    # get Fortinet_Factory
    name : Fortinet_Factory
    password : *
    private-key : *
    certificate :
    Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGTMCGPH********, emailAddress = support@fortinet.com
    Issuer: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Certificate Authority, CN = fortinet-subca2001, emailAddress = support@fortinet.com
    Valid from: 2021-06-08 02:30:19 GMT
    Valid to: 2056-01-19 03:14:07 GMT
    ...
- Verify the license information (the Key, Cert, Key2, and Cert2 fields are now available):
    # diagnose debug vm-print-license
    SerialNumber: FGTMCGPH********
    CreateDate: Tue Jun 8 02:30:19 2021
    Key: yes
    Cert: yes
    Key2: yes
    Cert2: yes
    Model: PG (22)
    CPU: 2147483647
    MEM: 2147483647