Description

This article explains about FortiAuthenticator VMs license requirement when in high-availability environments.

Scope

FortiAuthenticator VM.

Solution

• FortiAuthenticator VMs used in an HA cluster each require a license. Each license is tied to a specific IP address that has to be set in the support portal before the download. The IP can be changed afterward, but the license has to be downloaded and installed again on the FortiAuthenticator.
• In an HA cluster, all interface IP addresses are the same on the two units, except for the HA interface. 
• Request each license based on either the unique IP address of the unit’s HA interface or the IP address of a non-HA interface, which will be the same on both units. 
• When using A-A setup as a Load balancing HA (or LB-HA), that load-balancing secondary does not have a dedicated HA interface, so it is possible to use any interface setup on the load-balancing secondary for the license.
• License for the FortiToken Mobile can be tied only to one FortiAuthenticator, and make sure that is tied to the primary FortiAuthenticator when requesting the tokens or transferring tokens from another device.
• Installing a changed license on FortiAuthenticator will cause a reboot (FortiAuthenticator will also warn before doing so).

The following is an example from the Fortinet Support portal, which displays the IP address tied to the FortiAuthenticator Serial number and offers the license download: