FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
In FortiOS firmware version 5.0, the activation process for the Carrier features license has changed compared to FortiOS version 4.00 MR3 and earlier versions.
The new process is as follows:
When a Carrier license is purchased, a "scratch card" license will be provided.
- Each scratch card comes in an envelope named "FortiCarrier Upgrade Activation Code Certificate".
- Each scratch card has a serial number (for example: FCRLIC471200xxxx); this serial number does not help to activate FortiOS Carrier features, and should not be used for that purpose.

To activate the Carrier feature license on your FortiGate unit:
- Scratch each card in order to reveal the activation code; these are the digits that must be entered into the FortiGate unit management CLI.
- The back of the scratch card includes instructions on how to type the activation code into the FortiGate management interface.
- All activation codes are case sensitive.
Important notes:
- After the activation code is entered, the modified FortiGate unit will reboot with a factory-reset configuration, and will require Internet connectivity to access the Fortinet license validation server to confirm the license.
- The activation process will fail if any of the following conditions are true:
  - The FortiGate does not have Internet access to FortiGuard.
  - The FortiGate is not connected to a FortiManager with access to FortiGuard.
- The same activation license key cannot be used for 2 different FortiGate units.
- Once activated, a license is assigned to a single FortiGate serial number; it is possible to change this assignment by contacting Fortinet Customer Service.
Successful and unsuccessful activation examples:
1. FortiGate unit is off-line (no internet access): Unsuccessful registration: license check cannot be done
3. FortiGate unit is on-line (internet access available): Successful registration with an unused license key
FGT # execute forticarrier-license 8882-B20F-5072-XXXX-YYYY
This operation will reset the system to the factory default.
Do you want to continue? (y/n)y

FGT # get system status
Version: FortiCarrier-3950B v5.0,build0208,130603 (GA Patch 3)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
Extreme DB: 1.00000(2012-10-17 15:47)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FG3K9B3EXXXXYYYY
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000011
System Part-Number: P10462-02
Log hard disk: Available
Hostname: FGT
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
License Status: Carrier
Branch point: 208
Release Version Information: GA Patch 3
FortiOS x86-64: Yes
System time: Tue Jun 4 08:28:34 2013
In a cluster environment, you should:
1. Back up the existing MASTER configuration file.
2. Remove the MASTER from the HA cluster (unplug the cables).
3. Activate the FortiCarrier license on the MASTER ==> This will reboot the unit and factory-reset it.
4. Reload the saved configuration.
5. Back up the configuration of the other unit, which is now MASTER.
6. Activate the FortiCarrier license ==> This will reboot the unit and factory-reset it.
7. Unplug the cables of this unit (which becomes SLAVE) and replug them on the other unit (which becomes MASTER).
8. Reload the configuration on the SLAVE when the reboot is finished.
9. Plug the cable on the SLAVE device.
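
A post-activation check for the cluster procedure above, added here as an example (it is not Fortinet's code): it parses saved "get system status" output from each unit and reports any unit that does not show Carrier mode. The two captures are constructed from the output shown earlier with placeholder serial numbers; treating a missing "License Status" line as "not activated" is an assumption.

```python
# Constructed sample captures of "get system status" from two cluster units,
# modelled on the output shown above (serial numbers are placeholders).
UNIT_A = """\
Version: FortiCarrier-3950B v5.0,build0208,130603 (GA Patch 3)
Serial-Number: FG3K9B3EXXXXAAAA
License Status: Carrier
"""
UNIT_B = """\
Version: FortiGate-3950B v5.0,build0208,130603 (GA Patch 3)
Serial-Number: FG3K9B3EXXXXBBBB
"""

def parse_status(text):
    """Turn 'Key: value' lines into a dict; split on the first colon only,
    because values such as 'System time' contain colons themselves."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return fields

def carrier_problems(text):
    """Return the reasons why this unit does not look Carrier-activated."""
    f = parse_status(text)
    problems = []
    if f.get("License Status") != "Carrier":  # assumption: absent means not activated
        problems.append("License Status is %r, expected 'Carrier'" % f.get("License Status"))
    if not f.get("Version", "").startswith("FortiCarrier-"):
        problems.append("Version does not start with FortiCarrier-")
    if not f.get("Serial-Number"):
        problems.append("no Serial-Number found")
    return problems

def check_cluster(captures):
    """Map each unit's serial number to its problem list; flag a repeated serial."""
    report, seen = {}, set()
    for i, text in enumerate(captures):
        serial = parse_status(text).get("Serial-Number") or "unit-%d" % i
        problems = carrier_problems(text)
        if serial in seen:
            problems.append("duplicate serial: same capture supplied twice?")
        seen.add(serial)
        report.setdefault(serial, []).extend(problems)
    return report

if __name__ == "__main__":
    for serial, problems in check_cluster([UNIT_A, UNIT_B]).items():
        print(serial, "OK" if not problems else "; ".join(problems))
```

Run it on captures taken after the last step, before relying on Carrier features on either unit.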
Refer to the following FortiVision article for complementary INTERNAL details:
- Workaround to activate a license when the FortiGate unit is "off-line", i.e. not connected to the Internet.
- De-activating the "Carrier" mode on a FortiGate unit that had been upgraded to "Carrier mode" previously.