Skip to main content
adarwish
Staff
adarwish
Staff
March 25, 2026

Technical Tip: Understanding FortiProxy license sharing: Key concepts, configuring license sharing settings, and CLI verification commands

  • March 25, 2026
  • 0 replies
  • 161 views
Description

This article describes the FortiProxy license-sharing feature, including key terminology and essential CLI commands to verify the license-sharing status on both root and downstream devices within a Security Fabric group.
Scope

FortiProxy v7.4.x and later (hardware and VM). All models that support Security Fabric with license sharing are enabled.
Solution

The following CLI commands are essential for verifying the license-sharing configuration, status, and health on both root and downstream devices (security fabric).

 

  1. Verify Fabric Group configuration.

Command: get system csf.

Run on: Root or downstream.

Displays the Security Fabric group settings, including fabric name, license-sharing status, trusted member list, and configuration-sync mode. Verify that license-sharing is set to enable and the downstream devices are listed in the trusted-list.

 

get system csf

status              : enable

upstream            :

group-name          : my_fabric_grp

group-password      : *

downstream-access   : enable

license-sharing     : enable

configuration-sync  : local

trusted-list:

  == [ 1 ]

  name: 1  serial: FPX*************

 

  1. Verify License Status on a Device (downstream or root).

Command: diagnose wad license.

Run on: Any device in the fabric group.

Shows the local license sharing mode, seat counts, and session utilization for the device where the command is run. This is the primary command to confirm whether a device is connected to the fabric and whether its local license can sustain the current workload independently.

 

diagnose wad license

Lic Sharing mode: fabric

Lic type furl:

  Model Max Seat: 25000

  Active Seat: 1373

  Available Purchased Seat: 5500

  Available Fabric Seat: 1373

  Available HA Seat: 8500

  License Seats Registered:

    FPX1************: 5500

    FPX2************: 3000

  Max Licensed Session: 34325

  Current Licensed Sessions: 29028

  Max bypassed Sessions: 0

 

Key fields to check:

 

Field

Description

Lic Sharing mode

fabric = connected and sharing. fabric-disconn = lost root connectivity. HA = HA sharing only. None = disabled.

Active Seat

Current number of seats allocated to this device by the fabric pool.

Available Purchased Seat

Local license seats owned by this device (excluding HA peers).

Available HA Seat

Total seats from this device plus all HA peers (local HA pool).

Available Fabric Seat

Total seats granted to this device from the entire fabric pool.

Current Licensed Sessions

Active proxied sessions using licensed seats.

Max Licensed Sessions

Maximum sessions allowed (Active Seat x 25).

Max bypassed Sessions

Sessions exceeding the license limit. 0 = all traffic is within license capacity.

 

  1. Verify Fabric-Wide License Allocation (root only).

Command: diagnose test app csfd 140.

Run on: Root device only.

This is the most comprehensive view of the entire fabric license pool. It shows purchased, used, and allocated seats for every authorized and connected device in the group, along with device health indicators (stale, conserve, sharing status). The root device entry also displays the fabric-wide totals.

 

diagnose test app csfd 140

dev: FPX*************(0x61abe40), stale: n, root: n, sharing: y, last ping: 1773221050

        lic    purchased/      used/ allocated/  reserved/guaranteed/ preferred/ model_max/grant?/conserve

        furl        8500/      1141/      1373/         2/         0/         0/     25000/ no   / no

        fnbi           0/         0/        15/        15/         0/         0/    625000/ no   / no

        fcas           0/         0/         2/         2/         0/         0/    625000/ no   / no

 

dev: FPX*************(0x61abd70), stale: n, root: y, sharing: y, last ping: 1773221035

        lic    purchased/      used/ allocated/  reserved/guaranteed/ preferred/ model_max/grant?/conserve

        furl         501/         0/         2/         2/         0/         0/      6000/ no   / no

 

Total:

  lic    purchased/      used/ allocated/ conserve

  furl       17501/      2140/      2516/ no

 

Key fields to check per device:

 

Field

Description

stale: n/y

n = device is connected and healthy. y = device has lost connection for a period of time.

root: y/n

y = this is the fabric root. n = this is a downstream member.

sharing: y/n

y = device is participating in license sharing. n = sharing is disabled on this device.

purchased

Number of seats from the local license of the device (includes HA peers if applicable).

used

Number of seats actively consumed by the device.

allocated

Number of seats currently granted to the device from the fabric pool.

reserved

Minimum seats kept available for this device at all times.

guaranteed

Minimum of purchased seats and preferred-seats setting.

conserve

no = normal. yes = device is at 90% or more of allocated capacity.

Total

Fabric-wide totals of purchased, used, and allocated seats across all members.

 

  1. Verify Fabric Connectivity.

Command: diagnose system csf downstream.

Run on: Root device.

Lists all connected downstream member devices regardless of authorization status. Use this to confirm that downstream devices are visible to the root.

 

Command: diagnose system csf upstream.

Run on: Downstream device.

Shows the connection status to the fabric root from the downstream perspective. The status should show Authorized. If it shows Authorization Rejected, verify that the device serial is added to the trusted-list on the root.

 

  1. View License Usage History.

Command: diagnose wad license usage [seconds | minutes | hour | day | week | year].

Run on: Any device.

Displays the local license usage history at the specified interval. Useful for identifying peak usage patterns before planning maintenance or upgrades.

 

Command: diagnose wad license glob-usage [seconds | minutes | hour | day | week | year].

Displays the global (fabric-wide) license usage history. Run this on the root to understand overall pool utilization trends.

 

Command: diagnose wad license clear.

Clears all license usage history data. Can be used to reset usage tracking after changes.

 

CLI Quick Reference summary.

The following table provides a quick reference of all key commands and where to run them:

 

Command

Run On

Purpose

get system csf

Root / Downstream

View fabric group configuration and trusted-list

diagnose wad license

Root / Downstream

View local license sharing mode, seat counts, and session utilization

diagnose test app csfd 140

Root only

View fabric-wide license pool allocation, per-device health, and totals

diagnose system csf downstream

Root only

List all connected downstream members

diagnose system csf upstream

Downstream only

Verify authorization and connection status to root

diagnose wad license usage [interval]

Root / Downstream

View local license usage history at specified intervals

diagnose wad license glob-usage [interval]

Root only

View fabric-wide license usage history

diagnose wad license clear

Root / Downstream

Clear all license usage history data

 

Related document:

License Sharing Deployment
Terms & ConditionsAccessibility statement