pjang
Staff & Editor
Article Id 380661
Description

This article discusses the 'Single FortiGuard license for FortiGate A-P HA cluster' feature detailed in the FortiOS Administration Guide, with the aim of clarifying when the feature can be used and what it affects from a licensing perspective.

Scope

FortiGate v7.2.9, v7.4.6, v7.6.1 and above.

Solution

Traditionally, FortiGate HA clusters have required each cluster member to be individually licensed for a given set of features.

If the HA members differ in their licensing, the cluster negotiates down to the lowest common denominator (for example, if one FortiGate has the FortiGuard Web Filtering service and the other does not, then the cluster as a whole will not be able to use FortiGuard-based Web Filtering features).

The new 'Single FortiGuard license for FortiGate A-P HA cluster' feature (supported in v7.2.9, v7.4.6, v7.6.1, and later) allows administrators to purchase HA-specific FortiGate SKUs that can be registered to FortiCare and associated with a Virtual Serial Number (vSN).

This vSN can then have a single license applied to it, which is then usable for both members of the HA cluster (as opposed to needing licensing for each FortiGate individually). For reference, check out the following documentation on the Fortinet Docs Library:

There are some key caveats to this new feature that administrators should take into consideration. These are covered in the section below.

Caveats and Other Considerations:

This feature is only supported for new HA-specific FortiGate SKUs (and only for a specific selection of FortiGate models at this time). Notably, this means that it is not possible to enable this vSN/single license HA feature for existing HA clusters made up of standard FortiGates (i.e., this feature is only supported for new deployments and HA SKU FortiGates only).

For example, to utilize this feature, an administrator would need to purchase a pair of HA-SKU FortiGates (such as 2x of the FG-40F-HA SKU for the FortiGate-40F), register them to FortiCare, and then follow the setup steps as detailed in the Administration Guide (see links above). In particular, enabling the logical-sn option under 'config system ha' will result in the FortiGates registering and receiving a Virtual SN, after which the single set of licenses can be registered to the vSN in FortiCare.

Example of the ordering process for a 40F HA:

Ordering Process:

2x FortiGate-40F-HA.

1x FC-10-0040F-809-02-DD (Enterprise).

Important Note:

The logical-sn option does technically appear in the CLI for non-HA FortiGate SKUs, but it will not work when enabled (FortiCare/FortiGuard will not register a vSN for non-HA SKU FortiGates, so the feature cannot be used for existing FortiGates).

As per the documentation, only a subset of FortiCare/FortiGuard license SKUs support this Virtual SN feature, those currently being:

  • Enterprise Protection.

  • Unified Threat Protection (UTP).

  • Advanced Threat Protection (ATP).

For reference, these licenses largely govern onboard security inspection features/entitlements, such as IPS, Application Control, and Antivirus database updates, as well as FortiGuard Category-based Web and DNS Filtering (amongst other features).

However, this currently means that other licenses will still need to be purchased on a per-device basis. This includes (but is not limited to) licenses for FortiCare support (such as Premium and Elite Support licenses) and licenses for additional and/or external services (such as FortiGate Cloud and FortiAnalyzer Cloud subscriptions).

Some features are not yet available for devices that have Virtual SN enabled.

Features requiring individual device subscription:

  • FortiGate Cloud.
  • FortiAnalyzer Cloud.

Features not currently supported for devices in a logical-sn cluster:

  • FortiToken Mobile (including 2x Trial FortiTokens).
  • FortiToken Cloud.

The vSN/single license HA feature only supports Active-Passive HA cluster configurations (no Active-Active support), and it also only supports clusters with two members. Changing a vSN-based cluster from Active-Passive to Active-Active will result in the FortiGate cluster losing its vSN, which in turn will result in service entitlements no longer being applied to the cluster members.

This could cause impacts on user traffic, depending on the security profiles being utilized (for example, Web and DNS Filtering in particular may be disrupted due to FortiGuard rating errors).

Note:

There is a known issue (ID 1137565) on 10xF models where the logical-sn command is missing. It is fixed in v7.4.8 and v7.6.3, and will be fixed in the upcoming v7.2.12. Refer to the release notes for further information.
The serial number for vSN should appear in the Product list on the support portal, with the prefix FGxxxFHAyyyyyyy, where 'x' stands for the type of unit and 'y' is part of the serial number.
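As an added example (not code from this article or from Fortinet), a small Python check that parses a 'config system ha' block and verifies the preconditions this article lists for vSN licensing (Active-Passive mode, exactly two members, logical-sn enabled), flags an A-P to A-A change that would drop the vSN, and recognizes the FGxxxFHAyyyyyyy vSN pattern from the Note above. The CLI keywords 'set mode a-p' and 'set logical-sn enable' are assumed from the Administration Guide, and the sample config and serial numbers are constructed.

```python
import re

# Constructed sample of a 'config system ha' block as 'show system ha' would
# print it. The keywords 'set mode a-p' and 'set logical-sn enable' are
# assumed from the Administration Guide; the serial numbers are made up.
SAMPLE_HA_CONFIG = """\
config system ha
    set group-name "branch-ha"
    set mode a-p
    set logical-sn enable
    set hbdev "port4" 50
end
"""
SAMPLE_MEMBERS = ["FG40FTK00000001", "FG40FTK00000002"]  # constructed serials

def parse_ha_block(text):
    """Return {key: value} for every 'set <key> <value>' line in the block."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*?)\s*$", line)
        if m:
            key, value = m.groups()
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]          # unquote single quoted values
            settings[key] = value
    return settings

def check_vsn_preconditions(settings, member_serials):
    """List the article's preconditions that are NOT met; [] means all met."""
    problems = []
    if settings.get("mode") != "a-p":
        problems.append("vSN licensing requires Active-Passive (mode a-p)")
    if settings.get("logical-sn") != "enable":
        problems.append("logical-sn is not enabled under config system ha")
    if len(member_serials) != 2:
        problems.append("vSN licensing supports exactly two cluster members")
    return problems

def vsn_lost_on_mode_change(settings, new_mode):
    """True if switching a vSN cluster from a-p to a-a would drop the vSN
    (and with it the FortiGuard entitlements applied to both members)."""
    return (settings.get("logical-sn") == "enable"
            and settings.get("mode") == "a-p" and new_mode == "a-a")

def is_virtual_sn(serial):
    """Match the vSN pattern FGxxxFHAyyyyyyy shown in the support portal."""
    return re.fullmatch(r"FG[A-Z0-9]{3}FHA[A-Z0-9]{7}", serial) is not None
```

Run check_vsn_preconditions on the parsed block before ordering licenses, and vsn_lost_on_mode_change before any planned change of HA mode.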

 

Related articles

Technical Tip: The HA Cluster requirements

Technical Tip: FortiGate Models and FortiOS support for HA Licenses