FortiGate
Ahmed_M
Staff
Article Id 252438
Description: This article describes how to check FortiGuard contract validity for each individual unit in an HA cluster.
Scope: FortiGate.
Solution

Background:

 

On a standalone unit, FortiGuard contract validity can be checked from the GUI or the CLI, as described in the KB article below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-view-license-details-via-CLI/ta-p/1...

 

However, once an HA cluster is formed, the FortiOS update process compares the contract information of all cluster units. If the contracts are valid, it selects the earliest expiry date to be used as the cluster's contract expiry date. If even one unit has an invalid or expired contract, the cluster shows that contract as invalid, even if the same contract is still valid on the other HA units. This is by design.

 

For example, below are two standalone units with different AV contract expiry dates:

 

Unit 1:

AV Engine
---------
Version: 6.00285 signed
Contract Expiry Date: Sat Mar 23 2024

Unit 2:

AV Engine
---------
Version: 6.00285 signed
Contract Expiry Date: Wed Mar 27 2024

 

After both units form the HA cluster, the cluster will use the earliest contract expiry as its AntiVirus contract expiry.

 

In this example it will be:

 

AV Engine
---------
Version: 6.00285 signed
Contract Expiry Date: Sat Mar 23 2024

 

Hence, the HA cluster does not show the actual contract expiry that each individual unit would show as a standalone. This is expected behavior: if a contract expires on one unit, the cluster should show it as invalid until it is renewed.

 

Solution:

 

There are two ways to check the FortiGuard contract validity of an individual unit in an HA cluster.

The first is to check the contract information for the unit's serial number in the support portal.

The second is to check the update process debug directly on the FortiGate CLI by running the update debug commands below:

 

# diagnose debug application update -1

# diagnose debug enable <----- Use 'diagnose debug disable' to stop the debug.

# execute update-now

 

The update process downloads and extracts each unit's contract information, which the debug displays as shown below:

 

upd_status_set_ha_expiry[1459]-Extracting contract...(SerialNumber= FG3H0E39179004xx |Contract=SPAM-1-06-20240329:0:1:1:0*FURL-1-06-20240329:0:1:1:0*AVDB-1-06-20240329:0:1:1:0*AVEN-1-06-20240329:0:1:1:0*NIDS-1-06-20240329:0:1:1:0*FMWR-1-06-20240329:0:1:1:0*ZHVO-1-06-20240329:0:1:1:0*SPRT-1-20-20240329:0:1:1:0*SBCL-1-06-20240329:0:1:1:0*FRVS-1-06-20240329:0:1:1:0*ENHN-1-20-20240329:0:1:1:0*COMP-1-20-20240329:0:1:1:0*HDWR-1-05-20240329:0:1:1:0|AccountID=xxx@fortinet.com|Company=fortinet|UserID=156905)

 

update_status_obj[738]-SBCL contract expiry=Thu Mar 28 17:00:00 2024

 level(6) alert(0)

update_status_obj[738]-AVDB contract expiry=Thu Mar 28 17:00:00 2024

 level(6) alert(0)

.

.

upd_status_set_ha_expiry[1459]-Extracting contract...(SerialNumber=FG3H0E39179005xx|Contract=AVDB-1-06-20240325:0:1:1:0*AVEN-1-06-20240325:0:1:1:0*NIDS-1-06-20240325:0:1:1:0*FURL-1-06-20240325:0:1:1:0*SPAM-1-06-20240325:0:1:1:0*HDWR-1-05-20240325:0:1:1:0*SBCL-1-06-20240325:0:1:1:0*SPRT-1-20-20240325:0:1:1:0*ZHVO-1-06-20240325:0:1:1:0*FRVS-1-06-20240325:0:1:1:0*FMWR-1-06-20240325:0:1:1:0*ENHN-1-20-20240325:0:1:1:0*COMP-1-20-20240325:0:1:1:0|AccountID=xxx@fortinet.com|Company=fortinet|UserID=156905)

 

update_status_obj[738]-SBCL contract expiry=Sun Mar 24 17:00:00 2024

 level(6) alert(0)

update_status_obj[738]-AVDB contract expiry=Sun Mar 24 17:00:00 2024

 level(6) alert(0)
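
The per-unit comparison above can be scripted against a saved copy of the debug output. The Python below is an added example, not part of the original article or of any Fortinet tooling: it parses the 'Extracting contract' lines and reports, per contract code, the earliest expiry and the unit that sets it. The CODE-x-y-YYYYMMDD layout of each Contract entry and the handling of a missing contract as invalid are assumptions read off the sample output; the sample text is constructed by shortening the output above.

```python
import re
from datetime import date, datetime

# Constructed sample: the article's debug output, shortened to three contracts per unit.
SAMPLE_DEBUG = """\
upd_status_set_ha_expiry[1459]-Extracting contract...(SerialNumber= FG3H0E39179004xx |Contract=SPAM-1-06-20240329:0:1:1:0*AVDB-1-06-20240329:0:1:1:0*AVEN-1-06-20240329:0:1:1:0|AccountID=xxx@fortinet.com|Company=fortinet|UserID=156905)
update_status_obj[738]-AVDB contract expiry=Thu Mar 28 17:00:00 2024
upd_status_set_ha_expiry[1459]-Extracting contract...(SerialNumber=FG3H0E39179005xx|Contract=AVDB-1-06-20240325:0:1:1:0*AVEN-1-06-20240325:0:1:1:0*SPAM-1-06-20240325:0:1:1:0|AccountID=xxx@fortinet.com|Company=fortinet|UserID=156905)
"""

LINE_RE = re.compile(
    r"Extracting contract\.\.\.\(SerialNumber=\s*(?P<sn>[^|]*?)\s*\|Contract=(?P<contracts>[^|]*)\|")
# Assumed entry layout: CODE-x-y-YYYYMMDD:flags. The date is used as the raw field value.
ENTRY_RE = re.compile(r"^([A-Z0-9]+)-[^-]*-[^-]*-(\d{8})(?::|$)")


def parse_unit_contracts(debug_text):
    """Return {serial: {contract_code: date}} from 'Extracting contract' lines."""
    units = {}
    for m in LINE_RE.finditer(debug_text):
        per_unit = units.setdefault(m.group("sn"), {})
        for entry in m.group("contracts").split("*"):
            e = ENTRY_RE.match(entry.strip())
            if not e:
                continue  # entry does not fit the assumed layout
            try:
                per_unit[e.group(1)] = datetime.strptime(e.group(2), "%Y%m%d").date()
            except ValueError:
                continue  # eight digits that are not a real calendar date
    return units


def cluster_view(units, today):
    """Per contract code: earliest expiry across units, the unit that sets it,
    and the units where it is missing or already past (assumed 'invalid')."""
    view = {}
    for code in sorted({c for u in units.values() for c in u}):
        have = {sn: u[code] for sn, u in units.items() if code in u}
        limiting = min(have, key=have.get)
        invalid = sorted(sn for sn in units if sn not in have or have[sn] < today)
        view[code] = {"expiry": have[limiting], "limiting_unit": limiting,
                      "invalid_on": invalid}
    return view


if __name__ == "__main__":
    units = parse_unit_contracts(SAMPLE_DEBUG)
    for code, info in cluster_view(units, date(2024, 3, 26)).items():
        print(code, info["expiry"], info["limiting_unit"], info["invalid_on"])
```

A non-empty invalid_on list names the unit whose renewal is holding the whole cluster's contract status back.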