FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.


In the FortiOS firmware version 5.0, the Carrier features license activation process has changed, compared to the FortiOS version 4.00 MR3 or earlier versions.

The new process is as follows:

When a Carrier license is purchased, a "scratch card" license will be provided.
- Each scratch card comes in an envelope named "FortiCarrier Upgrade Activation Code Certificate".
- Each scratch card has a serial number (for example: FCRLIC471200xxxx); this serial number does not help to activate FortiOS Carrier features, and should not be used for that purpose.

To activate the Carrier feature license on your FortiGate unit:
- Scratch each card in order to reveal the activation code; these are the digits that must be entered into the FortiGate unit management CLI.
- The back of the scratch card includes instructions on how to type the activation code into the FortiGate management interface.
- All activation codes are case sensitive.

Important notes:
- After the activation code is entered, the modified FortiGate unit will reboot with a Factory-reset configuration, and will require an Internet connectivity to access the Fortinet license validation server to confirm the license.
- The activation process will fail if any of the following conditions are true:
   - The FortiGate does not have Internet access to FortiGuard.

   - The FortiGate is not connected to a FortiManager with access to Fortiguard.
- The same activation license key cannot be used for 2 different FortiGate units.
- Once activated, a license is assigned to a single FortiGate serial number; it is possible to change this assignment by contacting Fortinet Customer Service.
Successful and unsuccessful activation examples:
1. FortiGate unit is off-line (no internet access):
Unsuccessful registration: license check cannot be done

FGT # execute forticarrier-license 9882-908F-74F2-XXXX-YYYY
License activation failed
2. FortiGate unit is on-line (internet access available):
Unsuccessful registration: the license is already used

FGT # execute forticarrier-license 9882-908F-74F2-XXXX-YYYY
11:License is already activated
License activation failed
3. FortiGate unit is on-line (internet access available):
Successful registration with an unused license key

FGT # execute forticarrier-license 8882-B20F-5072-XXXX-YYYY
This operation will reset the system to the factory default.
Do you want to continue? (y/n)y


FGT # get system status
Version: FortiCarrier-3950B v5.0,build0208,130603 (GA Patch 3)
Virus-DB: 16.00560(2012-10-19 08:31)
Extended DB: 1.00000(2012-10-17 15:46)
Extreme DB: 1.00000(2012-10-17 15:47)
IPS-DB: 4.00345(2013-05-23 00:39)
IPS-ETDB: 0.00000(2000-00-00 00:00)
Serial-Number: FG3K9B3EXXXXYYYY
Botnet DB: 1.00000(2012-05-28 22:51)
BIOS version: 04000011
System Part-Number: P10462-02
Log hard disk: Available
Hostname: FGT
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
License Status: Carrier
Branch point: 208
Release Version Information: GA Patch 3
FortiOS x86-64: Yes
System time: Tue Jun 4 08:28:34 2013


In a cluster environnment, you should:

  • Backup the existing MASTER configuration file
  • Remove the MASTER from the HA cluster (Unplug the cables)
  • Activate the FortiCarrier licence on the MASTER ==> This will reboot the unit and factoryreset
  • Reload the saved configuration

  • Backup the configuration of the other unit which is now MASTER
  • Activate the FortiCarrier licence ==> This will reboot the unit and factoryreset
  • Unplug the cables of this unit (which becomes SLAVE) and replug them on the other unit (which becomes MASTER)
  • Reload the configuration on the SLAVE when reboot is finished
  • Plug the cable on the SLAVE device