CarlosColombini
Article Id 272175
Description

 

This article explains how to update FortiGate-VM resources, such as the number of vCPUs and VDOMs, that have been deployed via a FortiFlex subscription.

 

Scope

 

FortiGate-VM with a license deployed via a FortiFlex entitlement, FortiFlex Portal.

 

Solution

 

Configurations can be created from the FortiFlex Portal and applied to a Flex Entitlement as per the documentation below:
Creating VM configurations
Managing VM Entitlements 

 

The 'Form Factor' and 'Product Type' cannot be modified after a configuration is created. To change them, a new FortiFlex configuration must be created.

However, it is possible to update the Number of CPUs, Virtual Domains (VDOMs), Service Package (if 'Service Bundle' type was selected), and FortiGuard/Cloud/Support Services (if 'A La Carte Services' was selected).


Changes applied to the Flex Entitlement may take up to 60 minutes to sync to FortiCare and FortiGuard. Once that is done, FortiGate will retrieve the new license from FortiGuard.
A manual sync from FortiGate to FortiGuard may be triggered by running the command 'execute update-now' from the CLI in the Global context. There is no need to re-inject the license.


Note:
For VDOM licenses, 'Perpetual' and 'FortiFlex' licenses can coexist in the same FortiGate instance. Additionally, if instances are deployed in a High-Availability cluster, all nodes must have the same entitlements, that is, the same FortiFlex configurations applied.
For CPU licenses, a reboot is recommended when adding more vCPUs, but a reboot is required when lowering the number of vCPUs.

The steps below may be followed to edit configurations in the FortiFlex Portal to be applied to instances licensed through a subscription:

  1. Edit a configuration previously created:

flex-1.png

  2. Redefine the configuration Name if desired and select Next:

flex-2.png

  3. Edit the license settings as needed.

flex-3.png

  4. Review the changes, select Submit, and confirm them.

flex-5.png

  5. Verify that the changes were applied to the Flex Entitlement.

flex-6.png

  6. Verify that the changes were committed to the FortiGate-VM instance after being retrieved from FortiGuard, using the commands below.


The output of the command 'get system status' will show the License Status, number of CPUs allocated, and number of maximum and used VDOMs.

 

Flex-FGT1 (global) # get system status
---output omitted---
License Status: Valid
License Expiration Date: 2024-08-19
VM Resources: 4 CPU/4 allowed, 8002 MB RAM
---output omitted---

Current virtual domain: root
Max number of virtual domains: 6
Virtual domains status: 5 in NAT mode, 0 in TP mode
Virtual domain configuration: multiple

---output omitted---


The output of the command 'diagnose debug vm-print-license' will show license details, including VDOM license information.


Note:
'permanent' is the 'perpetual' VDOM license, and 'subscription' is the FortiFlex VDOM license.

Flex-FGT1 (global) # diagnose debug vm-print-license
SerialNumber: FGVMELTM23006182
CreateDate: Sat Aug 19 05:01:59 2023
License expires: Mon Aug 19 17:00:00 2024
---output omitted---
CPU: 4 (subscription:4)
MEM: 2147483647
VDOM license:
permanent: 5
subscription: 6
expires: Mon Aug 19 17:00:00 2024


The output of the command 'diagnose test update info contract' displays the contracts retrieved from FortiGuard.

 

Flex-FGT1 (global) # diagnose test update info contract

SerialNumber=FGVMELTM23006182|Contract=AVDB-1-06-20240820:0:1:1:0*AVEN-1-06-20240820:0:1:1:0*NIDS-1-06-20240820:0:1:1:0*FURL-1-06-20240820:0:1:1:0*IOTH-1-06-20240820:0:1:1:0*ISSS-1-06-20240820:0:1:1:0*SPAM-1-06-20240820:0:1:1:0*SPRT-1-20-20240820:0:1:1:0*ZHVO-1-06-20240820:0:1:1:0*FRVS-1-06-20240820:0:1:1:0*FMWR-1-06-20240820:0:1:1:0*FGSA-1-06-20240820:0:1:1:0*VMLS-1-06-20240820:0:4:4:0*COMP-1-20-20240820:0:1:1:0*ENHN-1-20-20240820:0:1:1:0*FCSS-1-10-20240820:0:1:1:0*VDOM-1-06-20240820:0:6:6:0|


The output of the command 'diagnose hardware sysinfo vm full' displays the license information retrieved from FortiGuard.

 

diagnose hardware sysinfo vm full
UUID: abbe****************************
valid: 1
status: 1
code: 200
warn: 0
copy: 0
received: 4604955037
warning: 4600905081
recv: 202009152207
dup:

 

The fields and values in the output of the commands above are described below.


Validity:

0 = Invalid.
1 = Valid.

 

Status:

0 = Startup.
1 = Success.
2 = Warning.
3 = Error.
4 = Invalid Copy.
5 = Eval Expired.
6 = Grace Period. For FortiFlex, there is a two-hour grace period before traffic is passed upon retrieving the license from FortiCare.

 

Code:
2xx, 3xx = Success.
200 = Valid.
202 = Accepted (treated as correct response code).
4xx = Error.
400 = Expired.
401 = Duplicate.
5xx = Warning.
500 = Warning.
502 = Invalid. Cannot connect to FortiGuard Distribution Servers.
6xx = Evaluation license expired.


All other codes are errors.
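
The verification in step 6 can be automated once the CLI output has been collected. The following is an added example, not part of the original article or any Fortinet tooling: it parses saved output of 'diagnose hardware sysinfo vm full' and 'get system status', applies the Status and Code tables above, and compares the allowed vCPU and maximum VDOM counts with the values set in the FortiFlex configuration. The function names are hypothetical, and the sample input is abridged from the outputs shown in this article.

```python
import re

# Meanings copied from the Status and Code tables in this article.
STATUS = {0: "Startup", 1: "Success", 2: "Warning", 3: "Error",
          4: "Invalid Copy", 5: "Eval Expired", 6: "Grace Period"}
CODES = {200: "Valid", 202: "Accepted", 400: "Expired", 401: "Duplicate",
         500: "Warning", 502: "Invalid"}
CLASSES = {2: "Success", 3: "Success", 4: "Error", 5: "Warning",
           6: "Evaluation license expired"}

# Sample input: abridged from the command outputs shown in this article.
SYSINFO = "valid: 1\nstatus: 1\ncode: 200\nwarn: 0\ncopy: 0\n"
SYS_STATUS = ("VM Resources: 4 CPU/4 allowed, 8002 MB RAM\n"
              "Max number of virtual domains: 6\n")


def parse_fields(text):
    """Return {key: value} for each 'key: value' line of CLI output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def describe_code(code):
    """Return (class, detail) for a license code; unlisted classes are errors."""
    cls = CLASSES.get(code // 100, "Error")
    return cls, CODES.get(code, cls)


def check_license(sysinfo, sys_status, want_cpu, want_vdom):
    """Return a list of problems; an empty list means the update is active."""
    vm, st, problems = parse_fields(sysinfo), parse_fields(sys_status), []
    if vm.get("valid") != "1":
        problems.append("license is not valid")
    status = int(vm.get("status", -1))
    if status != 1:
        problems.append("status %d = %s" % (status, STATUS.get(status, "unknown")))
    cls, detail = describe_code(int(vm.get("code", 0)))
    if cls != "Success":
        problems.append("code %s = %s" % (vm.get("code"), detail))
    cpu = re.search(r"/(\d+) allowed", st.get("VM Resources", ""))
    if not cpu or int(cpu.group(1)) != want_cpu:
        problems.append("allowed vCPUs do not match %d" % want_cpu)
    if st.get("Max number of virtual domains") != str(want_vdom):
        problems.append("max VDOMs do not match %d" % want_vdom)
    return problems
```

Calling check_license(SYSINFO, SYS_STATUS, 4, 6) returns an empty list for the sample output; in a High-Availability cluster, run the check against the output of every node, since all nodes must carry the same entitlements.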