FortiGate
dkoprusak
Staff
Article Id 251635
Description

This article describes a license activation issue that can occur when the standard CLI procedure for FlexVM license injection is used on a FortiGate that is part of an HA environment with a dedicated management interface. If traffic from the management interface is not routable or does not have internet access, license activation fails:

execute vm-license XXXXXXXXXXXXXXXXXXXX
This operation will reboot the system !
Do you want to continue? (y/n)y

Requesting FortiCare license token:XXXXXXXXXXXXXXXXXXXX proxy:(null)
dns resolve error
Failed to request forticare license -1.
Failed to download VM license.

Scope

FortiGate (FlexVM).

Solution

Be aware that once a dedicated management interface is set up, the 'execute vm-license' command uses this interface for DNS resolution and license download, even when the 'ha-direct' setting is not used:

config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
        next
    end
end

There are multiple ways to resolve this issue:

  1. Add the gateway to the 'ha-mgmt-interfaces' setting, make sure that routing from the HA management interface can reach the FortiGuard network, then run the 'exec vm-license <token>' command.
  2. Remove the 'ha-mgmt-interfaces' setting, then run the 'exec vm-license <token>' command.
  3. Use another license injection method: Injecting the Flex-VM license
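
Option 1 as a configuration sketch, added here as an example and not taken from the original article. The gateway address 192.0.2.1 is a constructed placeholder for the management network's real next hop, and "port1" is the interface from the configuration shown above.

```fortios
# Constructed example: 192.0.2.1 stands in for the management network's real gateway.
config system ha
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port1"
            set gateway 192.0.2.1
        next
    end
end

# Once the management network can resolve DNS and reach FortiGuard, retry the activation:
execute vm-license <token>
```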