mmaubert
Staff
Article Id 197019

Description


This article provides some technical tips regarding FortiGate-VM (FGT-VM) License management, validation and troubleshooting.

Solution


By default, a FortiGate-VM includes a limited 15-day trial/evaluation license that supports:

- 1 VDOM only
- 1 CPU and 1024 MB memory maximum
- Low encryption only (no HTTPS administrative access)
- All features except FortiGuard updates

When instantiated that way, the Serial Number of the FGT-VM is always set to FGVM00UNLICENSED (1), its license status is set to “Invalid” (2) and the license expiration date is set to 15 days after the VM instantiation date (3).
This can be verified using the “get system status” command.

FGT-VM (global) # get system status

Version: FortiGate-VM64-KVM v5.6.10,build1677,190716 (GA)            <-----FGT-VM

Serial-Number: FGVM00UNLICENSED                                      <-----(1)

License Status: Invalid                                              <-----(2)
Evaluation License Expires: Sat Sep 1 06:57:16 2019                  <-----(3)
BIOS version : 04000002
 
A permanent license must be installed on the FGT-VM before the trial/evaluation license expires; otherwise the FGT-VM ceases functioning.
This type of license must be obtained from the Customer & Service Support website and installed on the FGT-VM through either the GUI or the CLI.

A license file contains information on the FGT-VM model that has been purchased, such as the minimum and maximum number of Virtual Domains, Virtual CPUs, Virtual Network Interfaces, Virtual Memory size, Virtual Storage size, etc. This information is also reflected in the Serial Number assigned to the FGT-VM, which replaces the default Serial Number (FGVM00UNLICENSED) when the permanent license file is installed. A FGT-VM Serial Number is composed of 3 parts that follow the “<FGVM><XX><KEY>” pattern, where:

- FGVM: a string indicating that the Serial Number pertains to a FGT-VM
- XX: a number (00, 01, 02, 04, 08, etc.) that defines the FGT-VM model. Note that ‘00’ corresponds to the default FGT-VM model, the one associated with trial/evaluation licenses
- KEY: a 10-digit number uniquely identifying a FGT-VM Serial Number, or ‘UNLICENSED’ for trial/evaluation licenses

Once installed, the permanent license needs to be validated by FortiGuard or, if the FGT-VM is installed in a closed environment without Internet access, by FortiManager.
During that time, the license status is usually “Pending”. Once validated, the FGT-VM license status changes to “Valid” (4).

This can be verified using the “get system status” command:

FGT-VM (global) # get system status

Version: FortiGate-VM64-KVM v5.6.10,build1677,190716 (GA)

Serial-Number: FGVM010000******

License Status: Valid                                                <-----(4)
BIOS version : 04000002

Periodically, on an hourly basis, the FGT-VM needs to re-validate its license against FortiGuard or FortiManager. If the license re-validation is successful, the license status stays “Valid”. If not, for example because of a network connection issue, the license status changes to “Warning”. If the network connection is restored, the re-validation succeeds and the license status returns to “Valid”. Otherwise, the license status becomes “Invalid” after the grace period of 30 days elapses and the FGT-VM ceases functioning.

In summary, the “License Status” field is “Pending” or “Valid” if the licensing process is going fine, and “Warning” or “Invalid” if a problem is detected.

- Pending: A temporary state wherein the VM is attempting to validate its license.
- Valid: The VM can connect and validate the license against a FMG or FDS server.
- Warning: The VM cannot connect and validate against a FortiGuard or FortiManager server. A check is made against how many days the warning status has been continuous. If the number is less than 30 days, the status does not change.
- Invalid: The VM cannot connect and validate against a FortiGuard or FortiManager server. A check is made against how many days the warning status has been continuous. If the number is 30 days or more, the status changes to Invalid. The VM starts discarding all packets and effectively ceases operation.

In case a license issue is suspected, the following commands can be used to gather more detailed information about the license creation date and type, validity, status, last refresh date and time, etc.

FGT-VM (global) # diag debug vm-print-license
VM License Info
Serial number: FGVM010000137200
License Allowance: 1 CPUs and 2048 MB RAM.
License created: Wed Jun 12 13:33:48 2019


FGT-VM (global) # diag hard sysinfo vm full
UUID:     43a25dd3c1026947bef4e1158935153f
valid:    1
status:   1
code:     200
warn:     0
copy:     0
received: 4305755316
warning:  0
recv:     201907311247
dup:     

Note: A code value outside of the 2xx-3xx range usually indicates that a license issue is ongoing.
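
The checks described in this article can be scripted for monitoring. The following is an added example, not Fortinet code: it parses saved “get system status” and “diag hard sysinfo vm full” output, validates the Serial Number against the “<FGVM><XX><KEY>” pattern and flags a bad license status or validation code. The function names are hypothetical, and the WARN_* sample (including the code value 502) is constructed for illustration.

```python
import re

# Serial layout described in the article: FGVM + 2-digit model + 10-digit key
# (or the literal UNLICENSED for trial/evaluation instances).
SERIAL_RE = re.compile(r"^FGVM(\d{2})(\d{10}|UNLICENSED)$")

def parse_fields(cli_output):
    """Turn 'Name: value' lines of CLI output into a dict keyed by lowercase name."""
    fields = {}
    for line in cli_output.splitlines():
        name, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def assess_license(status_output, sysinfo_output):
    """Return a list of findings; an empty list means nothing looks wrong."""
    status, sysinfo = parse_fields(status_output), parse_fields(sysinfo_output)
    findings = []
    serial = status.get("serial-number", "")
    match = SERIAL_RE.match(serial)
    if not match:
        findings.append(f"serial {serial!r} does not match FGVM<XX><KEY>")
    elif match.group(1) == "00" or match.group(2) == "UNLICENSED":
        findings.append("trial/evaluation license in use")
    state = status.get("license status", "")
    if state not in ("Pending", "Valid"):
        findings.append(f"license status is {state or 'missing'}")
    code = sysinfo.get("code", "")
    if not (code.isdigit() and 200 <= int(code) <= 399):
        findings.append(f"validation code {code or 'missing'} is outside 2xx-3xx")
    return findings

# VALID_* and TRIAL_STATUS are assembled from the article's sample output;
# the WARN_* pair is constructed (code 502 is an assumed failing value).
VALID_STATUS = """Version: FortiGate-VM64-KVM v5.6.10,build1677,190716 (GA)
Serial-Number: FGVM010000137200
License Status: Valid
BIOS version : 04000002"""
VALID_SYSINFO = "valid:    1\nstatus:   1\ncode:     200\nwarn:     0"
WARN_STATUS = "Serial-Number: FGVM010000137200\nLicense Status: Warning"
WARN_SYSINFO = "code:     502"
TRIAL_STATUS = "Serial-Number: FGVM00UNLICENSED\nLicense Status: Invalid"

if __name__ == "__main__":
    for name, args in [("valid", (VALID_STATUS, VALID_SYSINFO)),
                       ("warning", (WARN_STATUS, WARN_SYSINFO)),
                       ("trial", (TRIAL_STATUS, VALID_SYSINFO))]:
        print(name, assess_license(*args) or "OK")
```

A serial masked with asterisks, as in the second “get system status” sample above, is reported as not matching the pattern, so feed the script unredacted output.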


Refer to this document for more information on determining the status of the VM license from the values of fields such as 'code', 'status' and 'valid'.
 
Related document: