FortiGate
nmoore
Staff
Description
This article describes the procedure to apply the FortiGate firewall licenses offline.

Solution
Licenses are uploaded from public FortiGuard servers to the FortiGate, so the FortiGate needs an internet connection.
If the FortiGate does not have an internet connection, FortiManager can act as a FortiGuard proxy to validate licenses.

FortiManager itself still requires an internet connection and the FortiGates will need a connection to the FortiManager.

To operate FortiGate and FortiManager in a closed network, with no internet connection for either unit, follow this document:

https://docs2.fortinet.com/document/fortimanager/6.0.5/administration-guide/868901/operating-as-an-f...

Otherwise, to use FortiManager as a FortiGuard proxy, the solution is as follows:

From the FortiGate CLI:

1) Configure central management settings:
config system central-management
    set type fortimanager
    config server-list
        edit 1
            set server-type update rating
            set server-address <fortimanager_ip>
        next
    end
    set include-default-servers disable
end
2) Upload the license using TFTP (not applicable if a hardware bundle is present):
execute restore vmlicense tftp <filename>.lic <tftp_ip>
The FortiGate will reboot.

3) Complete the central management configuration:
config system central-management
    set fmg <fortimanager_ip>
end
From the FortiManager CLI:

4) Open the necessary port for FortiManager to service FortiGate:
config system interface
    edit <mgmt.port>
        set serviceaccess fgtupdates
    next
end
From the FortiManager GUI:

5) Add units to the FortiManager using the Discover wizard.

As a result of the CLI commands entered on the FortiGate, the unit is displayed on the FortiManager GUI in the Unregistered units list located in the Device Manager window for the root ADOM.
WARNING: Do not authorise the FortiGates from the Unregistered Devices list, as the connection process will stall.
If this has already been done, wait for the authorisation process to time out, then continue with the process below.


When ADOMs are enabled, the below process must be carried out from within the ADOM for the unit to be assigned.

To add a device with Discover mode:
- Go to Device Manager -> Device & Groups.
- In the toolbar, select 'Add Device'.

The Add Device window opens.
- Select Discover, and then follow the prompts to configure the device settings.

The units will now be added and receive their updates from FortiManager.
For information about adding devices, go to the FortiManager Document Library -> FortiManager Administration Guide -> Firewall Devices -> Adding Devices.
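
The following Python example is added here and is not Fortinet's code: it parses a FortiGate configuration backup and reports where the central-management block departs from steps 1 and 3, confirming that an isolated unit takes updates and ratings only from FortiManager. The function names, the sample configuration and the address 192.0.2.10 are assumptions made for illustration.

```python
def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end nesting into nested dicts."""
    stack = [{}]
    for raw in text.splitlines():
        # The values audited here contain no spaces, so whitespace splitting suffices.
        tok = [t.strip('"') for t in raw.split()] or [""]
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set" and len(tok) >= 2:
            stack[-1][tok[1]] = tok[2:]
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit_central_management(text, fmg_ip):
    """Return findings where the config departs from steps 1 and 3 above."""
    cm = parse_fortios(text).get("system central-management", {})
    findings = []
    for key, want in (("type", "fortimanager"), ("fmg", fmg_ip),
                      ("include-default-servers", "disable")):
        if cm.get(key) != [want]:
            findings.append(f"{key}: expected {want}, found {cm.get(key)}")
    served = set()
    for sid, entry in cm.get("server-list", {}).items():
        if entry.get("server-address") == [fmg_ip]:
            served.update(entry.get("server-type", []))
        else:
            findings.append(f"server-list {sid}: address {entry.get('server-address')}")
    for svc in ("update", "rating"):
        if svc not in served:
            findings.append(f"{svc}: not served by {fmg_ip}")
    return findings

# Constructed sample; 192.0.2.10 is a documentation address standing in for <fortimanager_ip>.
GOOD = """config system central-management
    set type fortimanager
    set fmg "192.0.2.10"
    config server-list
        edit 1
            set server-type update rating
            set server-address 192.0.2.10
        next
    end
    set include-default-servers disable
end"""
BAD = GOOD.replace("servers disable", "servers enable").replace("update rating", "update")

if __name__ == "__main__":
    print(audit_central_management(BAD, "192.0.2.10"))
```

An empty list means the backup matches the article's settings; each finding names the key that would leave the unit trying to reach public FortiGuard servers or a different FortiManager.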
