FortiGate
nmoore
Staff
Article Id 198781

Description

This article describes the procedure to apply FortiGate firewall licenses offline, in an air-gapped environment.

Scope

FortiOS, FortiManager.

Solution

FortiOS 7.0 and below:

Licenses are downloaded from the public FortiGuard servers to the FortiGate, which means the FortiGate must have an internet connection.
If the FortiGate does not have an internet connection, FortiManager can act as a FortiGuard proxy to validate licenses.
FortiManager itself still requires an internet connection, and the FortiGates need a connection to the FortiManager.

To operate FortiGate and FortiManager in a closed network with no internet connection for either unit, follow the instructions in Operating as an FDS in a closed network - FortiManager administration guide.

FortiOS 7.2:

FortiGate operating in transparent mode may be licensed manually (only available for hardware models). Follow the process here:

Technical Tip: How to update the license for FortiGate in Transparent mode without internet (offline...

FortiOS 7.4:

The manual offline license upload in 7.2 was limited to hardware models; with FortiOS 7.4, it is also possible for FortiGate-VM licenses.

Uploading the FortiGate-VM license


To use FortiManager as a FortiGuard proxy, follow the steps below.

From the FortiGate CLI:

  1. Configure central management settings so that update and rating requests go only to the FortiManager (disabling the default servers stops the FortiGate from trying to reach the public FortiGuard servers):

config system central-management
    set type fortimanager
    config server-list
        edit 1
            set server-type update rating
            set server-address <fortimanager_ip>
        next
    end
    set include-default-servers disable
end

  2. Upload the license using TFTP (not applicable if a hardware bundle is present):

execute restore vmlicense tftp <filename>.lic <tftp_ip>

The FortiGate will reboot.

  3. Complete the central management configuration:

config system central-management
    set fmg <fortimanager_ip>
end
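Step 2 needs a TFTP server that the FortiGate can reach on UDP/69 (the execute restore command takes no port argument), and an air-gapped management network often has none. The following is an added example, not Fortinet code and not part of the original article: a minimal read-only TFTP server (RFC 1350) that serves only .lic files from a single directory, rejects path traversal, subdirectories and write requests, and answers each transfer from a fresh UDP port as the RFC requires. It assumes the FortiGate issues a standard read request for the file name given in the CLI; raw bytes are sent for both octet and netascii requests, which is harmless for a license file. Binding UDP/69 requires root or CAP_NET_BIND_SERVICE.

```python
#!/usr/bin/env python3
"""
Minimal read-only TFTP server (RFC 1350) for staging a FortiGate-VM license
file on an air-gapped management network.

Added example, not Fortinet code. It serves only *.lic files from one
directory, refuses path traversal and write requests, and answers each
transfer from a fresh UDP port (transfer ID) as the RFC requires.
"""
import socket
import struct
import sys
from pathlib import Path

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512          # RFC 1350 data block size
TIMEOUT = 5.0        # seconds to wait for an ACK before retransmitting
RETRIES = 3


def parse_rrq(pkt: bytes):
    """Return (filename, mode) for a read request, or None for any other opcode."""
    if len(pkt) < 4 or struct.unpack("!H", pkt[:2])[0] != OP_RRQ:
        return None
    fields = pkt[2:].split(b"\x00")          # filename NUL mode NUL
    if len(fields) < 2 or not fields[0]:
        return None
    return fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


def safe_path(root, name: str):
    """Resolve name directly under root; reject traversal, subdirectories and non-.lic files."""
    root = Path(root).resolve()
    target = (root / name).resolve()
    if target.parent != root or target.suffix != ".lic" or not target.is_file():
        return None
    return target


def data_packet(block: int, chunk: bytes) -> bytes:
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk


def error_packet(code: int, msg: str) -> bytes:
    return struct.pack("!HH", OP_ERROR, code) + msg.encode("ascii") + b"\x00"


def chunks(data: bytes):
    """Split into 512-byte blocks; a final block shorter than 512 bytes ends the transfer."""
    out = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if not out or len(out[-1]) == BLOCK:
        out.append(b"")          # exact multiple of 512: send an empty terminating block
    return out


def serve_file(sock: socket.socket, peer, path: Path) -> bool:
    """Send path to peer block by block, retransmitting until each block is ACKed."""
    for n, chunk in enumerate(chunks(path.read_bytes()), start=1):
        pkt = data_packet(n, chunk)
        for _ in range(RETRIES):
            sock.sendto(pkt, peer)
            try:
                reply, src = sock.recvfrom(516)
            except socket.timeout:
                continue                 # no ACK in time: resend the same block
            if src == peer and len(reply) >= 4 and struct.unpack("!HH", reply[:4]) == (OP_ACK, n & 0xFFFF):
                break
        else:
            return False                 # client stopped ACKing; abandon the transfer
    return True


def run(root, bind: str = "0.0.0.0", port: int = 69):
    ctl = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ctl.bind((bind, port))
    print(f"serving *.lic from {Path(root).resolve()} on udp/{port}")
    while True:
        pkt, peer = ctl.recvfrom(516)
        req = parse_rrq(pkt)
        if req is None:                  # WRQ, stray DATA/ACK or malformed: this server is read-only
            ctl.sendto(error_packet(2, "read-only server"), peer)
            continue
        name, _mode = req                # raw bytes are sent for both octet and netascii requests
        path = safe_path(root, name)
        if path is None:
            ctl.sendto(error_packet(1, "file not found"), peer)
            continue
        xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new transfer ID per client
        xfer.settimeout(TIMEOUT)
        ok = serve_file(xfer, peer, path)
        xfer.close()
        print(f"{peer[0]} {name}: {'ok' if ok else 'failed'}")


if __name__ == "__main__":
    # usage: sudo python3 tftp_lic.py /path/to/licenses  (udp/69 needs root or CAP_NET_BIND_SERVICE)
    run(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it on a host on the management network with the .lic file in the given directory, then issue execute restore vmlicense tftp <filename>.lic <tftp_ip> on the FortiGate; the server logs one line per transfer. Stop it once the FortiGate has rebooted, since nothing else should be fetching files from that host.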


From the FortiManager CLI:

  1. Enable the FortiGuard update service on the interface that the FortiGates use to reach FortiManager, so that FortiManager can answer their update requests:

config system interface
    edit <mgmt.port>
        set serviceaccess fgtupdates
    next
end

If the FortiGates will also query web filter and antispam ratings through FortiManager (the FortiGate configuration above sets server-type update rating), add the webfilter-antispam service on the same interface as well: set serviceaccess fgtupdates webfilter-antispam.

From the FortiManager GUI:

  1. Add units to the FortiManager unit using the Discover wizard.

As a result of the CLI commands entered on the FortiGate, the unit is displayed on the FortiManager GUI in the Unregistered units list located in the Device Manager window for the root ADOM.


Warning:

Do not authorize the FortiGates from the Unregistered Devices list, as the connection process will stall. If this has already been done, wait for the authorization process to time out and then continue with the process below.

When ADOMs are enabled, the following process must be carried out from within the ADOM to which the unit will be assigned.

To add a device with Discover mode:

  • Go to Device Manager -> Device & Groups.
  • In the toolbar, select 'Add Device'. The Add Device window will open.
  • Select Discover and follow the prompts to configure the device settings.

The units will then be added and receive their updates from FortiManager.
For information about adding devices, go to the FortiManager Document Library -> FortiManager Administration Guide -> Firewall Devices -> Adding Devices.

To manually upload FortiGate licenses in the GUI:

  1. Register the FortiGuard license on FortiCloud. See Registration in the FortiOS Administration Guide for more information.

  2. Download the product entitlement file in FortiCloud:

    • Go to Products -> Product List.

    • Select the serial number of the FortiGate. The product page opens.

    • In the License & Key section, select Get The License File. The file will download to the device in the following format:  FG201E*********ProductEntitlement.lic

  3. In FortiOS, go to System -> FortiGuard. The status for all services will be Pending.

  4. Select Upload License File. The file explorer will open.

  5. Navigate to the product entitlement file and select Open.

    The license file will be uploaded to the FortiGate. Once the upload is complete, the FortiGate will show that it is registered and licensed.

  6. Select Apply.

Note:

In FortiOS 7.2, manual licensing for air-gapped environments is supported only on FortiGate hardware appliances (rugged and non-rugged models) running FortiOS 7.2.0 or later. On 7.2, a license file can be applied to a FortiGate virtual machine (VM) appliance, but it is not valid until it has been validated by the FDN or by FortiManager; manual upload of FortiGate-VM licenses is supported from FortiOS 7.4 (see the FortiOS 7.4 section above).

Related article:

Technical Tip: How to configure FortiAnalyzer/FortiManager to use FortiManager as a FortiGuard serve...