FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to fix an issue where the license/subscription of FortiGate in HA cluster is not updating.
Scope
FortiGate.
Solution
Verify that the FortiGates are in an HA cluster.
get system ha status
Confirm that the cluster member licenses/subscriptions were renewed.
Ensure that both devices can reach FortiGuard.
exec ping update.fortiguard.net
exec ping service.fortiguard.net
exec update-now
View the Dashboard and confirm whether the license was updated. If necessary, fail-over to the secondary device and execute update-now.
exec ha manage 1 <username>.
exec update-now
Note:
If the above command didn't work, use exec ha manage 0 <username>.
Make sure both FortiGates are running the same FortiOS firmware version.
All FortiGates in the cluster must have the same level of licensing for FortiGuard, FortiCloud, FortiClient, and VDOMs. FortiToken licenses can be added at any time because they are synchronized with all cluster members.
Ensure that not only the FortiGates have an Internet connection but public hostnames especially the FortiGuard FQDN can also be resolved by the DNS servers configured.
If FortiGate is in air-gap environment, the solution is to manually upload the entitlement file on each FortiGate unit before initiating the upgrade.
