Created on 08-27-2024 04:02 AM Edited on 10-29-2024 03:23 AM By Jean-Philippe_P
Description
This article describes a scenario in which a FortiGate appears in FortiManager with no license or an expired license, while locally the FortiGate shows as Registered with a valid license.
Scope
FortiManager.
Solution
This issue happens when one of the devices, FortiGate or FortiManager, has connectivity issues with FortiGuard.
Additional security measures have been added to FortiOS and FortiGuard to control which FortiGate units a FortiManager device is permitted to request contract information for. When the FortiGate unit contacts FortiGuard, it tells FortiGuard which FortiManager devices are authorized to manage it, using the AuthList field (a list of FortiManager serial numbers) in the FDNSetup message.
Once FortiGuard knows which FortiGate [SN] is managed by which FortiManager [SN], it shares the FortiGate license information only with a FortiManager that is part of the AuthList the FortiGate has already sent to FortiGuard.
diagnose debug application update -1
diagnose debug enable
execute update-now
exe send-fmg-list
Check in the debug logs to see if the FortiManager Serial Number is part of AuthList. It should look like the following:
pack_obj[185]-Packing obj=Protocol=3.4|Command=FDNSetup|Firmware=FGVM64-FW-7.02-1639|SerialNumber=FGVM01TM22000759|Language=enUS|TimeZone=2|Sequence=0|HAList=FGVM01TM22000759|AuthList=FMGVMSTM22000476
Now that FortiGate has sent the AuthList [including the FortiManager SN] to FortiGuard, FortiManager is eligible to get the FortiGate license information from FortiGuard. Check whether the FortiGate contract is shown in the list and whether it contains the correct information:
diagnose fmupdate dbcontract
If not, there is an issue with FortiManager - FortiGuard communication. Use the following command in the FortiManager CLI to troubleshoot it:
show sys route
Once FortiManager - FortiGuard communication is working, the FortiManager dbcontract output and the FortiManager GUI should show the correct FortiGate contract:
FMG-VM64# diagnose fmupdate dbcontract
FGVM01TM22000759 [SERIAL_NO]
AccountID: xxxx
Industry:
Company: xxxx
Contract: 11
AVDB-1-06-20250217
AVEN-1-06-20250217
COMP-1-20-20250217
ENHN-1-20-20250217
FMWR-1-06-20250217
FRVS-1-06-2025021
Contract Raw Data:
Contract=AVDB-1-06-20250217:0:1:1:0*AVEN-1-06-20250217:0:1:1:0*
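The two checks above can be run over saved CLI output. This is an added example, not Fortinet code: the function names are hypothetical, and it assumes the input covers a single FortiGate, that AuthList entries are separated by any non-alphanumeric character, and that the last field of a contract name is its expiry date as YYYYMMDD.

```python
import re
from datetime import date

# Constructed sample input, shaped like the outputs shown in this article.
FGT_DEBUG = (
    "pack_obj[185]-Packing obj=Protocol=3.4|Command=FDNSetup|"
    "Firmware=FGVM64-FW-7.02-1639|SerialNumber=FGVM01TM22000759|Language=enUS|"
    "TimeZone=2|Sequence=0|HAList=FGVM01TM22000759|AuthList=FMGVMSTM22000476\n"
)
FMG_DBCONTRACT = (
    "FGVM01TM22000759 [SERIAL_NO]\n"
    "Contract Raw Data:\n"
    "Contract=AVDB-1-06-20250217:0:1:1:0*FMWR-1-06-20250217:0:1:1:0*\n"
)

def fdnsetup_fields(debug_text):
    """Yield the key=value fields of every FDNSetup message in the FortiGate debug output."""
    for line in debug_text.splitlines():
        _, found, obj = line.partition("Packing obj=")
        fields = dict(kv.split("=", 1) for kv in obj.split("|") if "=" in kv)
        if found and fields.get("Command") == "FDNSetup":
            yield fields

def fmg_in_authlist(debug_text, fgt_sn, fmg_sn):
    """True if the last FDNSetup sent by fgt_sn names fmg_sn in AuthList."""
    sent = [f for f in fdnsetup_fields(debug_text) if f.get("SerialNumber") == fgt_sn]
    # Assumption: serials are alphanumeric, so any other character separates entries.
    serials = re.findall(r"[A-Za-z0-9]+", sent[-1].get("AuthList", "")) if sent else []
    return fmg_sn in serials

def contract_expiry(dbcontract_text, code):
    """Return the latest expiry date listed for a contract code such as FMWR, or None."""
    # Assumption: names look like CODE-n-nn-YYYYMMDD; truncated dates are ignored.
    pattern = rf"\b{re.escape(code)}-\d+-\d+-(\d{{4}})(\d{{2}})(\d{{2}})\b"
    dates = [date(int(y), int(m), int(d)) for y, m, d in re.findall(pattern, dbcontract_text)]
    return max(dates, default=None)

def diagnose(debug_text, dbcontract_text, fgt_sn, fmg_sn, today):
    """Walk the article's checks in order and report the first one that fails."""
    if not fmg_in_authlist(debug_text, fgt_sn, fmg_sn):
        return "FortiManager missing from AuthList sent by FortiGate"
    expiry = contract_expiry(dbcontract_text, "FMWR")
    if expiry is None:
        return "no FMWR contract on FortiManager: check FortiManager - FortiGuard connectivity"
    return "FMWR contract expired" if expiry < today else "ok"
```
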
Note: When FortiManager does not have the correct FortiGate license information, this can lead to other issues, such as FortiGate upgrades from FortiManager failing with the error 'no valid FMWR license', or FortiGuard update issues on FortiGate when FortiManager is acting as a local FortiGuard server. Always make sure that the license information is aligned between FortiManager and FortiGate.
Related articles:
Technical Tip: Verifying FortiGuard connectivity on FortiManager
Troubleshooting Tip: Unable to connect to FortiGuard servers
Technical Tip: Check the License Status and FortiGuard Updates of Managed FortiGate on FortiManager
Technical Tip: FortiGuard server IP list for FortiManager/FortiAnalyzer