- In the FortiGate GUI, the licenses of all devices in the HA cluster will show as 'valid' and identical.
- All devices in the HA cluster should have a valid license and identical licensing; otherwise, the whole cluster will use the 'lower' license it finds in the pair.
Technical Tip: The HA Cluster requirements
- The license difference within the HA cluster will show up in the Objects that are part of the license.
- Pull the latest updates from the FortiGuard servers and check which object is expired:
diag debug application update -1
diag debug enable
execute update-now
- In the output, the Secondary FortiGate shows the following licenses as expired.
upd_status_set_ha_expiry[1511]-Serial Number: FG3H0E1234567YYY.- contract processed
upd_status_set_ha_expiry[1477]-Extracting contract...(SupportLevelDesc=05:Advanced HW*06:Web/Online*20:Premium)
upd_status_set_ha_expiry[1477]-Extracting contract...(SupportTypeDesc=AVDB:Advanced Malware Protection*COMP:*ENHN:*FMWR:Firmware & General Updates*FRVS:Vulnerability Management*FURL:FortiGuard URL, DNS & Video Filtering Service*HDWR:Hardware*NIDS:FortiGuard IPS Service*SPAM:AntiSpam*SPRT:*ZHVO:FortiGuard Virus Outbreak Protection Service)
__update_upd_comp_by_contract[432]-ISDB license expired. <--
__update_upd_comp_by_contract[452]-IOTD license expired. <--
__update_upd_comp_by_contract[460]-SFSA license expired. <--
- The above licenses are part of the UTM and Industrial Database packages.
FortiGuard Distribution Network
- The details of the license differences between the HA cluster devices can be checked with the following commands:
diag autoupdate versions
diagnose test update info
Primary - FG3H0E1234567XXX
Object versions:
07002000SFAS00000-00000.00000-0101010000
07002000MADB00200-00001.00242-2410301100

Secondary - FG3H0E1234567YYY
Object versions:
07002000SFAS00000-00004.00065-2409311616
07002000MADB00200-00001.00236-2409240900
- The above example shows that the Object versions of SFAS and MADB differ between the two members.
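As an added helper that is not part of the Fortinet article, the Python below compares the object versions collected from each HA member and pulls the 'license expired' lines out of the update-daemon debug shown earlier. The field layout of the object-version string (8-character prefix, 4-character object code, 5-digit id, version, YYMMDDHHMM timestamp) is an assumption inferred from the samples on this page.

```python
"""Compare FortiGuard object versions between HA members and list expired licenses.

Input is the plain text of 'diag autoupdate versions' (or 'diagnose test update info')
captured from each member, plus 'diag debug application update -1' output.
The object-version field split below is an assumption based on the article's samples.
"""
import re
from typing import Dict, List, Tuple

# <8-char prefix><4-char object code><5-digit id>-<major>.<minor>-<YYMMDDHHMM>
OBJ_RE = re.compile(r"(\d{8})([A-Z]{4})(\d{5})-(\d{5}\.\d{5})-(\d{10})")
# e.g. "__update_upd_comp_by_contract[432]-ISDB license expired."
EXPIRED_RE = re.compile(r"-([A-Z0-9]+) license expired")


def parse_versions(text: str) -> Dict[str, str]:
    """Map object code (e.g. 'SFAS') to 'version-timestamp' as found in the output."""
    return {m.group(2): f"{m.group(4)}-{m.group(5)}" for m in OBJ_RE.finditer(text)}


def diff_versions(primary: str, secondary: str) -> Dict[str, Tuple[str, str]]:
    """Return {code: (primary_version, secondary_version)} for objects that differ.

    An object present on only one member is reported with '' for the missing side.
    """
    p, s = parse_versions(primary), parse_versions(secondary)
    return {
        code: (p.get(code, ""), s.get(code, ""))
        for code in sorted(p.keys() | s.keys())
        if p.get(code) != s.get(code)
    }


def expired_licenses(debug_output: str) -> List[str]:
    """Return the license codes the update daemon reported as expired, sorted."""
    return sorted(set(EXPIRED_RE.findall(debug_output)))


# Constructed sample input modelled on the outputs quoted in the article.
PRIMARY = "07002000SFAS00000-00000.00000-0101010000 07002000MADB00200-00001.00242-2410301100"
SECONDARY = "07002000SFAS00000-00004.00065-2409311616 07002000MADB00200-00001.00236-2409240900"
DEBUG = """__update_upd_comp_by_contract[432]-ISDB license expired.
__update_upd_comp_by_contract[452]-IOTD license expired.
__update_upd_comp_by_contract[460]-SFSA license expired."""

if __name__ == "__main__":
    for code, (pv, sv) in diff_versions(PRIMARY, SECONDARY).items():
        print(f"{code}: primary={pv} secondary={sv}")
    print("Licenses reported expired:", ", ".join(expired_licenses(DEBUG)))
```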
- The ISDB entry cannot be changed if the ISDB license of one of the HA cluster members is expired.
- In this case, the next steps are:
- Break the HA cluster and change the ISDB entry on the devices where the ISDB license is valid.
Note: A new port can be added to the ISDB entry only if that port is not part of the entry's default ISDB port range.
The default ISDB port ranges cannot be deleted or changed for an ISDB entry.
If the new port is already part of the ISDB range, it is not possible to add that port.
In the example below, the new port 1111 is added to ISDB ID 393481 as an additional entry (TCP, protocol 6):
config firewall internet-service-addition
    edit 393481
        set comment "Only web traffic for ISDB entry Amazon-AWS.CloudFront"
        config entry
            edit 1
                set protocol 6
                config port-range
                    edit 1
                        set start-port 443
                        set end-port 443
                    next
                    edit 2
                        set start-port 80
                        set end-port 80
                    next
                end
            next
            edit 3
                set protocol 6
                config port-range
                    edit 3
                        set start-port 1111
                        set end-port 1111
                    next
                end
            next
        end
    next
end
execute internet-service4 refresh
Internet Service is refreshed.

diag internet-service id 3604638
Internet Service: 3604638(GitHub-GitHub) Version: 00007.03919 Timestamp: 202410301605 Number of Entries: 746
1.3.4.5-1.3.4.5 country(156) region(628) city(9028) blocklist(0x0) reputation(5), popularity(5) domain(1916) botnet(0) proto(6) port(443 80 1111) <---
1.3.4.5-1.3.4.5 country(156) region(628) city(9028) blocklist(0x0) reputation(5), popularity(5) domain(1916) botnet(0) proto(17) port(12 3 161 1194
3.161.231.51-3.161.231.51 country(840) region(1874) city(5654) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(443 80 1111) <---
3.161.231.110-3.161.231.110 country(840) region(1874) city(5654) blocklist(0x0) reputation(5), popularity(5) domain(0) botnet(0) proto(6) port(443 80 1111) <---
- Contact the Customer Service Team to renew the expired licenses on the HA cluster devices.