Nur
Staff
Article Id 388998
Description This article describes an issue where a FortiGate in Auto-Scaling gets error 401 when it needs to validate its license through FortiManager (FortiManager acts as a local FDS).
Scope FortiGate, AWS, FortiManager.
Solution

FortiGate -> (local FDS) FortiManager -> FortiGuard.

 

When FortiGate is in Auto-Scaling and an instance goes down for whatever reason, the auto-scaling mechanism automatically builds a brand new FortiGate, using the same license that was being used by the one that went down.

 

However, when FortiGate 1 is down and FortiGate 2 is up, FortiManager, acting as a local FDS, fails to validate the license.

 

diagnose fmupdate view-linkd-log fds

[FMG-->FDS] Request: Protocol=3.0|Command=VMSetup|Firmware=FGVMA6-FW-7.02-1688|SerialNumber=FGVM01TMXXXXXXX|Connection=Internet|Address=XX.XX.1.41:0|Language=en-US|TimeZone=8|UpdateMethod=1|Uid=ec23382ab2273e8f28a14XXXXXXXXXXXX|VMPlatform=AWS^M ^M

[FDS-->FMG] Response: Protocol=3.0|Response=200|Firmware=FPT033-FW-6.9-0233|SerialNumber=FPT-FDS-PLA1-005|Server=FDSG|Persistent=false|PEER_IP=XX.XX.56.45^M ^M

FCP_CONN:: received package ready

check_vmlic: Received a new instance but current one is valid. serial:FGVM01TM25XXXXXX old_uid:ec23834ff0d573fd6a58ed31XXXXXXX, new_uid:ec23382ab2273e8f28a14bbdXXXXXXXX
2025/04/13_20:41:47.184 info fds_svrd[28385]: __devobj_set_vmlic_status,648: for FGVM01TMXXXXXXXX, set vmlic_status=401

 

The 401 error is likely due to a duplicated license from deploying the FortiGate on VM#1 and then VM#2 shortly after.

This scenario results in the FortiGuard server having records of both VM UUIDs.
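
The following Python is an added example, not Fortinet code and not part of the original article: it parses output in the format of the log excerpt above and reports serial numbers that were set to 401 after a `check_vmlic` UID mismatch. The line formats are taken from that excerpt; the sample values are constructed placeholders and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the log excerpt above (placeholder values).
SAMPLE_LOG = """\
[FMG-->FDS] Request: Protocol=3.0|Command=VMSetup|SerialNumber=FGVM01TM00000001|Uid=bbbb2222|VMPlatform=AWS^M ^M
[FDS-->FMG] Response: Protocol=3.0|Response=200|Server=FDSG|Persistent=false^M ^M
check_vmlic: Received a new instance but current one is valid. serial:FGVM01TM00000001 old_uid:aaaa1111, new_uid:bbbb2222
2025/04/13_20:41:47.184 info fds_svrd[28385]: __devobj_set_vmlic_status,648: for FGVM01TM00000001, set vmlic_status=401
2025/04/13_20:41:50.002 info fds_svrd[28385]: __devobj_set_vmlic_status,648: for FGVM01TM00000002, set vmlic_status=200
"""

MSG_RE = re.compile(r"^\[(FMG-->FDS|FDS-->FMG)\] (?:Request|Response): (.*)$")
CHECK_RE = re.compile(r"check_vmlic: .*serial:(\S+)\s+old_uid:(\w+),\s*new_uid:(\w+)")
STATUS_RE = re.compile(r"for (\S+), set vmlic_status=(\d+)")

def parse_fields(payload):
    """Split a pipe-delimited Key=Value payload into a dict, dropping literal ^M debris."""
    fields = {}
    for item in payload.split("|"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value.replace("^M", "").strip()
    return fields

def analyze(log_text):
    """Return per-serial state: UID sent in VMSetup, old/new UID pair, last vmlic_status."""
    devices = {}
    for raw in log_text.splitlines():
        line = raw.replace("\r", "").strip()
        m = MSG_RE.match(line)
        if m and m.group(1) == "FMG-->FDS":
            f = parse_fields(m.group(2))
            if f.get("Command") == "VMSetup" and "SerialNumber" in f:
                devices.setdefault(f["SerialNumber"], {})["request_uid"] = f.get("Uid")
            continue
        m = CHECK_RE.search(line)
        if m:
            devices.setdefault(m.group(1), {}).update(old_uid=m.group(2), new_uid=m.group(3))
            continue
        m = STATUS_RE.search(line)
        if m:
            devices.setdefault(m.group(1), {})["status"] = int(m.group(2))
    return devices

def duplicate_license_serials(devices):
    """Serials set to 401 whose check_vmlic line shows two different UIDs."""
    return sorted(s for s, d in devices.items()
                  if d.get("status") == 401 and d.get("old_uid") and d["old_uid"] != d.get("new_uid"))
```

Running `duplicate_license_serials(analyze(text))` over saved `diagnose fmupdate view-linkd-log fds` output separates the duplicate-UUID case described here from other causes of a non-200 status.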

 

Related document: Validating the FortiGate-VM license with FortiManager on an air-gapped environment.

Example: 


  1. FortiGate is deployed in VM#1, and the UUID is updated in the FortiGuard server.
  2. FortiGate VM#1 is destroyed, and FortiGate is redeployed in VM#2 with the same license (serial number).
  3. FortiGate VM#2 will have a different UUID; however, it will be marked as duplicated (code: 401) since the FortiGuard server still has both VM UUIDs present.
  4. Once the old UUID is removed from the FortiGuard server, the status code will change to 200.

Generally, the FortiGuard server will update/remove the older UUID, which typically takes around 24 hours.
Reference: Technical Tip: VM shows 'License status: Invalid Copy'.

 

This behavior occurs if FortiManager acts as local FortiGuard.

 

Two workarounds can be performed to avoid the license error 401.

 

  1. Make FortiManager act as local FortiGuard in a closed network (one that does not reach FortiGuard).
  2. Point FortiGate directly to FortiGuard.