Created on 02-25-2025 12:59 AM
Edited on 03-18-2025 05:06 AM
By Stephen_G
Description
This article describes how FortiPAM licenses are validated in air-gapped networks through FortiManager, and the communication requirements that must be met for this to work.
Scope
FortiPAM.
Solution
For FortiPAM to work in an air-gapped network, both the license and the antivirus database can be updated from FortiManager.
In this case, the FortiManager is used as a FortiGuard License server, from which the FortiPAM will try to verify the license. This is available starting from FortiManager version 7.4.2.
Case 1: If FortiManager has internet access, FortiManager contacts the FortiGuard servers and downloads the FortiPAM contracts.
Case 2: If FortiManager does not have internet access, the entitlement file must be uploaded to FortiManager as described in Enable Entitlement File Download.
When the license has been updated successfully, the status will be as below.
FortiPAM-KVM # get system status
Version: FortiPAM-KVM v1.4.1,build1138,240822 (GA)
License: Active, seat 10, active seat 10, expiry date 2026-02-14
...
Serial-Number: FPAVXXXXXXXXXXX
License Status: Valid
If the license is not applied, the status will be as below.
FortiPAM-KVM # get system status
Version: FortiPAM-KVM v1.4.1,build1138,240822 (GA)
License: VM Eval, seat 0, active seat 2, expiry date 2025-02-14
...
Serial-Number: FPAVXXXXXXXXXXX
License Status: Invalid
Step 1: Ensure that on FortiManager, the contract information is present:
diagnose fmupdate dbcontract <serial number>
FPAVULTM*********
AccountID: *********
....
Contract: 10
Step 2: FortiManager should be listening for FortiGuard queries via TCP/8890.
Ensure that this port is not blocked by any firewall policy between FortiPAM and FortiManager.
To verify, run a packet capture on FortiPAM:
diag sniffer packet any "port 8890" 6 0 l
When the connection on port 8890 fails, the update debug output will show results such as:
2025-02-14 16:30:58 upd_comm_connect_fds[458]-Trying FMG 10.10.10.10:8890
2025-02-14 16:30:58 tcp_connect_fds[269]-Failed connecting after sock writable
2025-02-14 16:30:58 upd_comm_connect_fds[473]-Failed TCP connect
After following the steps above, the license will be validated.
The output of the following debug commands can also be collected for a more detailed view:
- diag debug reset
- diag debug console timestamp enable
- get sys stat
- diag debug app update -1
- diag debug enable
- exec update-now
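The outputs collected above can be checked automatically, which is useful when several air-gapped FortiPAM instances have to be monitored. The following Python script is an added example and not part of this article or of any Fortinet tool: it parses the 'get system status' output format and the 'diag debug app update -1' lines in the shapes shown above, reports whether the license is Valid, whether active seats exceed licensed seats, how close the expiry date is, and whether the update daemon managed to connect to FortiManager on TCP/8890. The sample inputs embedded in the script are constructed from the patterns in this article; the 30-day expiry warning threshold is an assumption.

```python
"""Check FortiPAM license state and FortiManager (TCP/8890) reachability from
collected CLI output. Added example; sample inputs are constructed from the
output patterns shown in the article, not captured from a real device."""
import re
from datetime import date

# Constructed sample: 'get system status' on a FortiPAM with a valid license.
STATUS_VALID = """\
Version: FortiPAM-KVM v1.4.1,build1138,240822 (GA)
License: Active, seat 10, active seat 10, expiry date 2026-02-14
Serial-Number: FPAVXXXXXXXXXXX
License Status: Valid
"""

# Constructed sample: 'get system status' when the license was not applied.
STATUS_INVALID = """\
Version: FortiPAM-KVM v1.4.1,build1138,240822 (GA)
License: VM Eval, seat 0, active seat 2, expiry date 2025-02-14
Serial-Number: FPAVXXXXXXXXXXX
License Status: Invalid
"""

# Constructed sample: 'diag debug app update -1' lines for a failed TCP connect.
DEBUG_FAILED = """\
2025-02-14 16:30:58 upd_comm_connect_fds[458]-Trying FMG 10.10.10.10:8890
2025-02-14 16:30:58 tcp_connect_fds[269]-Failed connecting after sock writable
2025-02-14 16:30:58 upd_comm_connect_fds[473]-Failed TCP connect
"""

# 'License:' line carries kind, seat counts and expiry; 'License Status:' the verdict.
LICENSE_RE = re.compile(
    r"^License:\s*(?P<kind>[^,]+),\s*seat\s+(?P<seat>\d+),\s*active seat\s+(?P<active>\d+),"
    r"\s*expiry date\s+(?P<expiry>\d{4}-\d{2}-\d{2})",
    re.M,
)
STATUS_RE = re.compile(r"^License Status:\s*(?P<status>\w+)", re.M)
TRYING_RE = re.compile(r"Trying FMG (?P<host>[\d.]+):(?P<port>\d+)")


def parse_license(text):
    """Return a dict describing the license; raise if the expected fields are missing."""
    lic = LICENSE_RE.search(text)
    st = STATUS_RE.search(text)
    if not lic or not st:
        raise ValueError("license fields not found in status output")
    y, m, d = (int(x) for x in lic["expiry"].split("-"))
    return {
        "kind": lic["kind"].strip(),
        "seat": int(lic["seat"]),
        "active_seat": int(lic["active"]),
        "expiry": date(y, m, d),
        "valid": st["status"].lower() == "valid",
    }


def license_findings(info, today, warn_days=30):
    """Translate parsed license data into operator-facing findings (empty list = OK)."""
    findings = []
    if not info["valid"]:
        findings.append("license status Invalid: check the FortiManager contract and TCP/8890 reachability")
    if info["active_seat"] > info["seat"]:
        findings.append(f"active seats ({info['active_seat']}) exceed licensed seats ({info['seat']})")
    days_left = (info["expiry"] - today).days
    if days_left < 0:
        findings.append(f"license expired {-days_left} days ago")
    elif days_left <= warn_days:  # assumed warning threshold
        findings.append(f"license expires in {days_left} days")
    return findings


def diagnose_update_log(lines):
    """Summarise the FortiManager connection attempt seen in update-daemon debug lines."""
    target = None
    failed = False
    for line in lines.splitlines():
        m = TRYING_RE.search(line)
        if m:
            target = (m["host"], int(m["port"]))
        if "Failed TCP connect" in line:
            failed = True
    if target is None:
        return {"target": None, "reachable": None}  # no connection attempt seen
    return {"target": target, "reachable": not failed}


if __name__ == "__main__":
    today = date(2025, 2, 14)
    for label, text in (("valid", STATUS_VALID), ("invalid", STATUS_INVALID)):
        info = parse_license(text)
        print(label, info["kind"], license_findings(info, today) or ["OK"])
    print(diagnose_update_log(DEBUG_FAILED))
```

Paste the real 'get system status' and debug output into the two sample strings (or read them from files) to use this against your own devices; a 'reachable': False result together with an Invalid license points at the TCP/8890 path between FortiPAM and FortiManager rather than at the contract itself.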