FortiFlex (Flex-VM) licenses

FortiPoC supports the FortiFlex API to manage licenses.

Important

FortiPoC does not enforce any limitations or constraints on FortiFlex API usage, but the FortiFlex API endpoint may do so. Please refer to the official FortiFlex API documentation.

Prerequisites

You must have created an API user for the FortiPoC.

See: https://fndn.fortinet.net/index.php?/fortiapi/954-fortiflex/

Credentials

To configure the FortiFlex API user credentials, on the CLI:

flexvm set credentials <API User ID> <API Password>

FortiPoC uses these credentials to retrieve the enrolled Program and associated Configurations from the FortiFlex API endpoint.

When you update the user on https://support.fortinet.com/, it’s highly recommended to refresh the program and configuration with:

flexvm program refresh
flexvm config refresh

If your FortiPoC is a client of a License Server, you don’t need to do it.

To remove the FortiFlex API user credentials, on the CLI:

flexvm clear credentials

License Server

Important

This is the recommended way to use the FortiFlex API.

A FortiFlex API user can’t be shared safely between multiple FortiPoC instances. You should only have one orchestrator managing the licenses with a given FortiFlex API user.

When a FortiPoC client needs a fresh FortiFlex License token, the client refreshes the token from the FortiPoC license server.

BYOL

You can upload FortiFlex licenses to a FortiPoC that has no FortiFlex API user configured.

Warning

Without access to the FortiFlex API, the FortiPoC will not be able to refresh the license token itself. You MUST do it yourself and re-import the license each time.

If you configure FortiFlex API user credentials, it is highly recommended to use a FortiFlex API user dedicated to this FortiPoC. The FortiPoC will be able to refresh the license token itself when required.

Refreshing license

Important

A license token can only be used once.

Warning

A FortiPoC can only refresh the license token if a FortiFlex API user is configured or if it is connected to the server that has provided the FortiFlex license token.

As a license token can only be used once, the FortiPoC must refresh the license token each time you launch the PoC, do a “Reset Disk” or do a “Reload license”.

Configuration

License Server

You must activate the type of license (FTG, FWB, …) in a program as a pool of licenses:

flexvm pool set <TYPE> [<SERIALNUMBER>]|[--id <CONFIG_ID>]

The SERIALNUMBER is the program serial number to use. If you have more than one configuration for the corresponding Product Type TYPE in the enrolled programs for the API User, you MUST use the Configuration ID (list the IDs with flexvm config ls).

Important

Only one license server must manage all the FortiFlex licenses in a program.

You can now retrieve all available FortiFlex licenses for the configured pools:

flexvm license refresh *

The license server can serve both classical licenses (.lic files) and FortiFlex licenses. If both are available on the server, FortiFlex licenses are used first, reserving the classical licenses for FortiPoC clients that do not support FortiFlex.

Note

The FortiPoC client announces which kind of FortiFlex license it supports (by default all).

By default, FortiPoC automatically creates a new FortiFlex license if the pool is exhausted. You can disable/enable this behavior with:

flexvm auto disable|enable

Important

Each time the FortiPoC client needs to push a FortiFlex license token to a device, it first requests the License Server to refresh the token. This ensures that the token is always valid, even after a “Reset Disk” or a “Reload license”.

BYOL

Warning

When using a FortiPoC as standalone with some BYOL licenses, do NOT run flexvm license refresh with the --all option. If you do, all licenses are retrieved and will be used when a PoC is launched.

To prepare a FortiFlex license to upload to a FortiPoC, you must save the license information returned by the /vms/* FortiFlex API call to a JSON file with the extension .flexvm, for example:

$ cat FGVMELTM20000020.flexvm
{
  "serialNumber": "FGVMELTM20000020",
  "description": "VMs created for department Z",
  "configId": 22,
  "startDate": "2020-08-01 10:12:25",
  "endDate": "2020-10-25 00:00:00",
  "status": "ACTIVE",
  "token": "!@#$C5CC99D32D3B!@#$",
  "tokenStatus": "NOTUSED"
}

You can also use flexvm license refresh --save, which saves the licenses in the local repository home, under the flexvm directory.

When you upload a FortiFlex license:

  • the pool for this device type is automatically switched to use the config/program specified in the license

  • the auto allocation behavior is disabled

  • the BYOL mode for FortiFlex license is enabled

It is recommended to exit the CLI after license uploads to synchronize the CLI configuration with the GUI configuration.

If you want to specify a specific VM UUID, add "vm_uuid": UUID_STRING to the .flexvm file JSON content. This is not recommended, as the VM UUID is now automatically generated from the serial number.

Supported Devices

Default

If the firmware supports the execute vm-license <TOKEN> CLI command, FortiPoC may be able to install a FortiFlex license using the serial console.

As all devices behave differently, by default FortiPoC waits for 30 seconds.

Warning

FortiPoC will continue the configuration process after this delay. If the device doesn’t reboot within the 30-second timeframe, it will break the configuration process.

Some devices have a specific reboot detection mechanism.

FortiGate

  • Installation sequence:

    execute vm-license xxxxxxxxxxxxxxxxxxxx
    This operation will reboot the system !
    Do you want to continue? (y/n)y
    Requesting FortiCare license token: *******, proxy:(null)
    VM license install succeeded. Rebooting firewall.
    FGVMMLTM23008565 login:
    The system is going down NOW !!
    Please stand by while rebooting the system.
    Restarting system
    System is starting...
    Serial number is FGVMMLTM23008565
    FGVMMLTM23008565 login:
    
  • Watchdog: Rebooting firewall.

  • Wait: System is starting...

FortiAnalyzer

  • Installation sequence:

    execute vm-license xxxxxxxxxxxxxxxxxxxx
    System will reboot to apply new vm license
    The system is going down NOW !!
    FAZVM64-KVM #
    database server is shutting down.............FAILED
    Please stand by while rebooting the system.
    [  338.304829] reboot: Restarting system
    Serial number:FZVMMLTM23000846
    Initialize file systems...
    Old version: v7.4.0-build2223 branchpt2223 230514 (GA)
    New version: v7.4.0-build2223 branchpt2223 230514 (GA)
    FAZVM64-KVM login:
    
  • Watchdog: The system is going down NOW !!

  • Wait: Serial number:

FortiManager

See FortiAnalyzer

FortiWeb

  • Installation sequence:

    execute vm-license xxxxxxxxxxxxxxxxxxxx
    This operation will reboot the system !
    Do you want to continue? (y/n)y
    VM License installed
    System is rebooting...
    FortiWeb #
    FortiWeb # exit
    FortiWeb login:
    
  • Watchdog: System is rebooting...

  • Wait: # exit

FortiADC

  • Installation sequence:

    execute vm-license xxxxxxxxxxxxxxxxxxxx
    This operation will reboot the system!
    Do you want to continue? (y/n)y
    VM License installed
    System is rebooting...
    FortiADC-KVM login:
    
  • Watchdog: System is rebooting

  • Wait: nothing, as FAD doesn’t print CLI or login prompts during the reboot process.

FortiPortal

  • Installation sequence:

    execute vm-license xxxxxxxxxxxxxxxxxxxx
    fortiportal #
    

FortiPortal (7.2.0) doesn’t seem to perform any reboot, so we only rely on the default wait time to let it complete the license installation.
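
The Watchdog and Wait strings listed per device above, applied to a captured console as an added example (not FortiPoC's own code). It assumes Watchdog is the string that marks the start of the reboot and Wait is the string awaited afterwards; track_reboot and its state names are hypothetical.

```python
# Watchdog / Wait strings copied from the per-device lists above.
# A Wait of None means the page lists no string to wait for.
FAZ = ("The system is going down NOW !!", "Serial number:")
MARKERS = {
    "FortiGate": ("Rebooting firewall.", "System is starting..."),
    "FortiAnalyzer": FAZ,
    "FortiManager": FAZ,  # the page says "See FortiAnalyzer"
    "FortiWeb": ("System is rebooting...", "# exit"),
    "FortiADC": ("System is rebooting", None),
}

def track_reboot(device, console_lines):
    """Classify serial-console output captured after `execute vm-license`.
    Returns (state, index of the deciding line or None):
      "default-delay"  no markers for this device: only the 30 s wait applies
      "no-reboot"      Watchdog string never seen
      "rebooting"      Watchdog seen, Wait string not (yet) seen
      "ready"          Wait string seen on a later line than the Watchdog
    """
    if device not in MARKERS:
        return ("default-delay", None)
    watchdog, wait = MARKERS[device]
    down_at = None
    for i, line in enumerate(console_lines):
        if down_at is None:
            if watchdog in line:
                down_at = i
        elif wait is not None and wait in line:
            return ("ready", i)
    return ("no-reboot", None) if down_at is None else ("rebooting", down_at)

# FortiGate installation sequence as shown above (token masked on the page).
FGT_CONSOLE = [
    "execute vm-license xxxxxxxxxxxxxxxxxxxx",
    "This operation will reboot the system !",
    "Do you want to continue? (y/n)y",
    "Requesting FortiCare license token: *******, proxy:(null)",
    "VM license install succeeded. Rebooting firewall.",
    "FGVMMLTM23008565 login:",
    "The system is going down NOW !!",
    "Please stand by while rebooting the system.",
    "Restarting system",
    "System is starting...",
    "Serial number is FGVMMLTM23008565",
    "FGVMMLTM23008565 login:",
]

if __name__ == "__main__":
    print(track_reboot("FortiGate", FGT_CONSOLE))      # full capture
    print(track_reboot("FortiGate", FGT_CONSOLE[:6]))  # stops at early login:
```

In the FortiGate capture the first login: prompt appears before the system goes down, which is why the check keys on the Wait string rather than on a login prompt.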