FortiGate
Article Id 197019

Description


This article describes some technical tips regarding FortiGate-VM (FGT-VM) License management, validation and troubleshooting.

 

Scope

 

FortiGate.

Solution


By default, a FortiGate-VM includes a limited 15-day trial/evaluation license that supports:

  • 1 VDOM only.
  • 1 CPU and 1024 MB of memory maximum.
  • Low encryption only (no HTTPS administrative access).
  • All features except FortiGuard updates.

 

Note: As of FortiOS v7.2.1 and later, the FortiGate-VM Trial license model has been changed from a 15-day term to a permanent trial license (e.g., no time limit). However, this also requires administrators to register the FortiGate-VM Trial to FortiCare, and there is a limit of one FortiGate-VM trial per account. See the following link for more information: Permanent trial mode for FortiGate-VM. The following information in this KB article has been left as-is since it accurately describes legacy trial license behavior as well as general VM licensing behavior.

 

When instantiated that way, the Serial Number of the FortiGate-VM is always set to FGVM00UNLICENSED (1), its license status is set to 'Invalid' (2), and the license expiration date is set 15 days ahead of the VM instantiation date (3).
This can be verified using the 'get system status' command.

 

FGT-VM (global) # get system status


Version: FortiGate-VM64-KVM v5.6.10,build1677,190716 (GA)            <- FortiGate-VM.

Serial-Number: FGVM00UNLICENSED                                      <- (1).

License Status: Invalid                                              <- (2).
Evaluation License Expires: Sat Sep 1 06:57:16 2019                  <-(3).
BIOS version : 04000002

 

A permanent license must be installed on the FortiGate-VM before the trial/evaluation license expires and the FortiGate-VM ceases functioning.

This license must be obtained from the Customer & Service Support website and installed on the FortiGate-VM through either the GUI or the CLI.

 

A license file contains information on the FortiGate-VM model that has been purchased, such as the minimum and maximum number of Virtual Domains, Virtual CPUs, Virtual Network Interfaces, Virtual Memory size, Virtual Storage size, etc.

This information is also reflected in the Serial Number that is assigned to the FortiGate-VM, replacing the default Serial Number (FGVM00UNLICENSED), at the time the permanent license file is installed. A FortiGate-VM Serial Number is composed of 3 parts that follow the '<FGVM><XX><KEY>' pattern, where:

 

  • FGVM: a string indicating the Serial Number pertains to a FortiGate-VM.
  • XX: a number (00, 01, 02, 04, 08, etc.) that defines the FortiGate-VM model. Note that '00' corresponds to the default FortiGate-VM model, the one that is associated with trial/evaluation licenses. It can also be the string 'SL', which means subscription licensing (S-series).
  • KEY: a 10-digit number uniquely identifying a FortiGate-VM Serial Number or 'UNLICENSED' for trial/evaluation licenses.

 

Once installed, the permanent license needs to be validated by FortiGuard or by FortiManager in case the FortiGate-VM is installed in a closed environment without Internet access.

During that time, the license status is usually 'Pending'. Once validated, the FortiGate-VM license status changes to 'Valid' (4).

 

This can be verified using the 'get system status' command:

 

FGT-VM (global) # get system status


Version: FortiGate-VM64-KVM v5.6.10,build1677,190716 (GA)

Serial-Number: FGVM010000******

License Status: Valid                                                <-----(4)
BIOS version : 0400000
 

Periodically, on an hourly basis, the FortiGate-VM needs to revalidate its license against FortiGuard or FortiManager. If the license re-validation is successful, the license status stays 'Valid'. If not, for example, because of a network connection issue, the license status changes to 'Warning'. If the network connection is restored, the re-validation succeeds and the license status comes back to 'Valid'; otherwise, the license status becomes 'Invalid' after the grace period of 30 days elapses and the FortiGate-VM ceases functioning.

In summary, the 'License Status' field is 'Pending' or 'Valid' while the licensing process is working normally, and 'Warning' or 'Invalid' when a problem is detected.

 

  • Pending: A temporary state wherein the VM is attempting to validate its license.
  • Valid: The VM can connect and validate the license against a FortiManager server or Fortinet Distribution Server (FDS).
  • Warning: The VM cannot connect and validate against a FortiGuard or FortiManager server. A check is made against how many days the warning status has been continuous. If the number is less than 30 days, the status does not change.
  • Invalid: The VM cannot connect and validate against a FortiGuard or FortiManager server. A check is made against how many days the warning status has been continuous. If the number is 30 days or more, the status changes to Invalid. The VM starts discarding all packets and effectively ceases operation.

In case a license issue is suspected, the following commands can be used to gather more detailed information about the license creation date and type, validity, status, last refresh date and time, etc.

diagnose debug vm-print-license
VM License Info
Serial number: FGVM010000137200
License Allowance: 1 CPUs and 2048 MB RAM.
License created: Wed Jun 12 13:33:48 2019

diagnose hard sysinfo vm full
UUID:     43a25dd3c1026947bef4e1158935153f
valid:    1
status:   1
code:     200
warn:     0
copy:     0
received: 4305755316
warning:  0
recv:     201907311247
dup:     

 

Note:

A code value outside of the 2xx-3xx range is typically indicative of a licensing issue. In cases where FortiFlex manages licensing, the code value ranges are different (1,57,58, etc.), and the following document can be used to check codes and troubleshoot further: VM License.
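
The checks described in this article (the '<FGVM><XX><KEY>' serial pattern, the four license states and the 2xx-3xx code range) can be applied to saved CLI output with a short script. This is an added example, not Fortinet code; the function names, the sample strings and the code value 401 are constructed for illustration, and the code-range check does not apply to FortiFlex-managed licenses.

```python
import re

# FGVM + model (two digits or 'SL') + 10-character key. The article gives the key
# as 10 digits or 'UNLICENSED'; allowing letters in it is an assumption made here.
SERIAL_RE = re.compile(r"^FGVM(?P<model>\d{2}|SL)(?P<key>[0-9A-Z]{10})$")

def parse_fields(text):
    """Turn 'name: value' CLI lines into a dict, dropping '<- (n)' annotations."""
    fields = {}
    for line in text.splitlines():
        line = line.split("<-", 1)[0]
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip().lower()] = value.strip()
    return fields

def assess(status_text, sysinfo_text=""):
    """Return a list of licensing findings; an empty list means nothing to flag."""
    status, sysinfo = parse_fields(status_text), parse_fields(sysinfo_text)
    findings = []
    m = SERIAL_RE.match(status.get("serial-number", ""))
    if m is None:
        findings.append("serial number does not match FGVM<XX><KEY>")
    elif m["model"] == "00" or m["key"] == "UNLICENSED":
        findings.append("trial/evaluation serial: no permanent license installed")
    state = status.get("license status", "")
    if state in ("Warning", "Invalid"):
        findings.append(f"license status {state}: validation is failing")
    elif state not in ("Valid", "Pending"):
        findings.append(f"unrecognized license status {state!r}")
    code = sysinfo.get("code", "")
    if code.isdigit() and not 200 <= int(code) <= 399:
        findings.append(f"validation code {code} is outside the 2xx-3xx range")
    return findings

# Constructed samples modelled on the outputs shown in this article.
TRIAL_STATUS = """Serial-Number: FGVM00UNLICENSED      <- (1).
License Status: Invalid              <- (2).
Evaluation License Expires: Sat Sep 1 06:57:16 2019"""
LICENSED_STATUS = "Serial-Number: FGVM010000137200\nLicense Status: Warning"
SYSINFO_OK = "valid:    1\nstatus:   1\ncode:     200\nwarn:     0"
SYSINFO_BAD = "valid:    0\nstatus:   0\ncode:     401\nwarn:     1"  # constructed values

if __name__ == "__main__":
    for name, (st, si) in {"trial": (TRIAL_STATUS, SYSINFO_OK),
                           "licensed": (LICENSED_STATUS, SYSINFO_BAD)}.items():
        print(name, assess(st, si))
```
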

 

Network Validation & CLI-Based License Forcing

Many license issues stem from connectivity problems between the VM and FortiGuard. Check the following:

  • DNS and Internet reachability checks (e.g., exec ping update.fortiguard.net).
  • Use the CLI command execute update-now to force a license validation attempt immediately.
  • If using FortiManager, include proxy override configuration for license validation.

 

These steps allow administrators to reliably restore the license state, even in restricted environments.

 