FortiNAC
FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Description
Entitlements are not applied after installing a subscription license key. 

Symptoms:
  • License Information Dashboard panel displays BASE level license
  • "licensetool -key EFFECTIVE" CLI command displays BASE level license





Scope
Version:  8.x, 9.x

Solution
Verify that the appliance can reach FortiCloud for entitlement information.  Log in to the appliance CLI as root and type:
entitlementstool -poll

The resulting output should display the appropriate entitlements.

Example:

> entitlementstool -poll
description supportLevelDescription expirationDate
__________________________ _______________________ ______________
Telephone Support 24x7 2027-04-08
FortiNAC VM FortiNAC Pro 2024-04-08
IoT Detection Web/Online 2027-04-08
Vulnerability Management Web/Online 2027-04-08
Firmware & General Updates Web/Online 2027-04-08
Enhanced Support 24x7 2027-04-08
COMP 24x7 2027-04-08
Effective Count=500
Effective Level=PRO


Polling returns with incorrect entitlements:  Log in to the Customer Portal and verify License entitlements.  For assistance, contact Customer Service.

No entitlements are displayed or the prompt is never returned:  This suggests the appliance cannot reach FortiCloud. 

1. FortiNAC polls fds1.fortinet.com using TCP port 443.  Ensure this port is allowed outbound to the internet from eth0.  Refer to the Open Ports section of the Deployment Guide.


2.  Verify entitlements are applied once the poll is successful.  Type:
licensetool -key EFFECTIVE

The entitlements should now display. 




Results still show BASE level entitlements (Virtual Appliance)

Example

> licensetool -key EFFECTIVE
EFFECTIVE:
serial = FNVMCATMxxxxxxxxx
type = NetworkControlApplicationServer
level = BASE
count = 0
expiration = 0
expired = false
mac = <MAC address>
uuid = <UUID>
certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxxxxxxx]


The poll function uses the serial number to look up entitlements.  Applying the entitlements requires a certificate that is included in the key.  If the certificate is missing from the key or is incomplete, it cannot be validated and the entitlements will not be applied.


Possible cause: The license key content may have been truncated during license installation. 

Solution: Re-download the key from the customer portal and re-install using the Administration UI.  For instructions, see License management in the Administration Guide.  If copying and pasting the key content, ensure all characters have been copied.  To avoid the risk of truncation, upload the text file itself.   




Results still show BASE level entitlements (Hardware Appliance)

Possible cause: The shipped key file is missing certificates. 

To verify, type:
licensetool -key FILE -file /bsc/campusMgr/.licenseKeyHW


Example of a key file missing certificates:
FILE:
serial = FN5HCATAxxxxxxxx
type = NetworkControlApplicationServer
level = BASE
count = 0
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = 00000000-0000-0000-0000-000000000000

                       <------   there should be a certificate line here         



Solution:  If certificates are missing from the .licenseKeyHW file or if .licenseKeyHW is missing entirely, then the unit must be RMA'ed.
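
As an added example (not part of the original article and not Fortinet code), the following shell function classifies "licensetool -key" output piped to it, using the level and certificates fields shown in the samples above.  The status names and the treatment of an empty "certificates = []" list as missing are assumptions.

```shell
#!/bin/sh
# Added example (not Fortinet code): classify `licensetool -key ...` output on stdin.
# Field names "level" and "certificates" come from the sample output in this article.
# Usage on the appliance: licensetool -key EFFECTIVE | diagnose_key
diagnose_key() {
    # Trim leading/trailing whitespace (including CR from pasted text).
    input=$(sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    level=$(printf '%s\n' "$input" | sed -n 's/^level = //p' | head -n 1)
    # Drop brackets, commas and spaces; an empty result means no certificate data.
    # Assumption: an empty list "[]" is treated the same as a missing line.
    certs=$(printf '%s\n' "$input" | sed -n 's/^certificates = //p' | sed 's/[][, ]//g')

    if [ -z "$level" ]; then
        echo "UNPARSEABLE"          # not licensetool output, or the command failed
    elif [ "$level" != "BASE" ]; then
        echo "ENTITLED"             # entitlements have been applied
    elif [ -z "$certs" ]; then
        echo "BASE_NO_CERT"         # no certificate: re-install key (VM) or RMA (hardware)
    else
        echo "BASE_CERT_PRESENT"    # key may be truncated: re-download and re-install
    fi
}

# Constructed samples modelled on the outputs shown in this article.
SAMPLE_HW_NO_CERT='FILE:
serial = FN5HCATAxxxxxxxx
type = NetworkControlApplicationServer
level = BASE
count = 0
expiration = 0
expired = false
mac = xx:xx:xx:xx:xx:xx
uuid = 00000000-0000-0000-0000-000000000000'

SAMPLE_VM_BASE='EFFECTIVE:
serial = FNVMCATMxxxxxxxxx
level = BASE
count = 0
certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxxxxxxx]'

SAMPLE_PRO='EFFECTIVE:
serial = FNVMCATMxxxxxxxxx
level = PRO
count = 500
certificates = [xxxxxxxxxxxxxxxxxxx, xxxxxxxxxxxxxxxxxxxxx]'

for s in "$SAMPLE_HW_NO_CERT" "$SAMPLE_VM_BASE" "$SAMPLE_PRO"; do
    printf '%s\n' "$s" | diagnose_key
done
```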




Internal Notes
/bsc/campusMgr/.licenseKeyHW  is shipped with the unit.  There is no way to re-generate a key containing certificates to download to the appliance.  FortiCare can't issue certs for hardware appliances.  See FortiCare ticket 5233728.

Related Articles

Technical Note: UI does not list serial number or license entitlements

Technical Tip: Endpoint licensing and license upgrades

Comments
Debbie_FTNT
Staff

Hey @cmaheu,

 

maybe a note adding that "entitlementstool" (without the "-poll" parameter) returns information on the support entitlements, and "-poll" is only required if the information FortiNAC has on its support entitlements needs to be updated?

 

Cheers!
