FortiManager-7.0-New Features Guide
FortiManager-7.0-New Features Guide
FortiManager-7.0-New Features Guide
FortiManager 7.0.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
FEEDBACK
Email: [email protected]
May 6, 2021
FortiManager 7.0.0 New Features Guide
02-700-698018-20210506
TABLE OF CONTENTS
Change Log 5
FortiManager 7.0 New Features Guide 6
Device Manager 7
Device and Groups 7
Model HA Cluster Wizard Improvements 7
SD-WAN 9
New SD-WAN template 9
SD-WAN monitoring improvements 21
Templates 24
Interface template support for meta fields 25
Static route template with support for meta fields 30
Pre-defined IPsec template with recommended settings 35
Un-assign IPsec template to remove VPN-related configuration 37
Central Management 39
FortiSwitch Manager 39
FortiSwitch Manager central management improvements 39
Extender Manager 46
Extender Manager for central managed FortiExtender devices 46
FortiExtender Template for ZTP 50
Policy and Objects 52
Policy 52
Policy revision history 52
Objects 55
New IPS signatures monitoring page 55
Object revision history 60
System 63
High Availability (HA) 63
FortiManager verifies if FortiAnalyzer features are disabled before forming HA cluster 63
Administrators 65
Theme mode 66
Admin Permission to enable/disable script tab access 67
Admins can use a SAML SSO FortiCloud account to log in to FortiManager 68
ADOM 72
ADOM health check tool reports warnings on devices, configurations, and policy
package status 73
Management Extensions 76
CPU and RAM maximum values for Management Extension Applications can be
configured in CLI 76
New management extension - FortiSOAR 76
Other 80
FortiManager Setup wizard 80
FortiManager VM licenses 85
Requesting and activating a trial license 85
2021-05-06 Added Extender Manager for central managed FortiExtender devices on page 46 and
FortiExtender Template for ZTP on page 50.
This document describes the new features added to FortiManager 7.0. The FortiManager new features are organized
into the following categories:
l Device Manager on page 7
l Central Management on page 39
l Policy and Objects on page 52
l System on page 63
l Management Extensions on page 76
l Other on page 80
Device Manager
This section lists the new features added to FortiManager for the device manager:
l Device and Groups on page 7
l SD-WAN on page 9
l Templates on page 24
This section lists the new features added to FortiManager for devices and groups:
l Model HA Cluster Wizard Improvements on page 7
You can configure the member devices in an HA Cluster with the HA Status widget in the Device Manager.
3. Configure the member Host Name, Management Interface Reservation, Session Pickup, and Session Pickup
Connectionless settings.
4. When Management Interface Reservation enabled, you can create new management interface.
5. Select another device in the cluster, and repeat the steps above.
SD-WAN
This section lists the new features added to FortiManager for SD-WAN:
l New SD-WAN template on page 9
l SD-WAN monitoring improvements on page 21
With the new SD-WAN template, you can use Device VDOM meta fields in the member interface/ interface gateway,
neighbor IP, and health-check server definitions.
In addition, how you enable and configure SD-WAN per-device management and central management has changed.
You now use the following methods to enable and configure each:
l For per-device management, use the device database to configure SD-WAN settings on each device.
l For central management, use SD-WAN templates to configure SD-WAN settings on one or more devices. SD-WAN
templates have moved in Device Manager to Provisioning Templates.
When you assign an SD-WAN template to a device, you have enabled SD-WAN central management for the
device.
Normalized interfaces are not supported for SD-WAN templates. You can create multiple SD-WAN zones and add
interface members to the SD-WAN zones. You must bind the interface members by name to physical interfaces or
VPN interfaces.
When using SD-WAN templates with other types of provisioning templates, such as interface templates and IPsec
templates, you should execute the templates in the following order:
l Interface template
l IPsec template
l SD-WAN template
This topic contains the following sections:
l SD-WAN per-device management on page 10
l SD-WAN central management on page 11
l SD-WAN template support for meta fields on page 18
For SD-WAN per-device management, you can create, edit, and delete interface members, performance SLA, SD-WAN
rules, Neighbor, and duplication. After configuring SD-WAN settings, install the configuration to the device.
4. Configure the following sections for the device, and click Apply:
l Interface Members
l Performance SLA
l SD-WAN Rules
l Neighbor
l Duplication
For SD-WAN central management, you can create an SD-WAN template, and assign the template to one or more
devices.
Normalized interfaces are not supported for SD-WAN templates. You can create multiple SD-WAN zones and add
interface members to the SD-WAN zones. You must bind the interface members by name to physical interfaces or
VPN interfaces.
Create performance SLA and SD-WAN rules. You can also configure BGP neighbors and packet duplication. Advanced
configuration options are also available.
After configuring an SD-WAN template, assign the template to one or more devices, and then install the configuration to
the devices.
d. Click OK.
The SD-WAN zone is created.
5. In the Interface Members section, create SD-WAN interface members:
a. Click Create New > SD-WAN Member.
The Create New SD-WAN Interface Member dialog box is displayed.
b. In the Interface Members box, type the name of the interface.
Bind the interfaces by name to physical or VPN interfaces.
c. Click OK.
The SD-WAN interface member is created.
6. Create Performance SLA:
a. In the Performance SLA section, click Create New.
The Performance SLA dialog box is displayed.
12. Go to Device Manager > Device & Groups, and view the assigned provisioning templates in the Template Status
column.
SD-WAN templates support Device VDOM meta fields. You can use meta fields in SD-WAN templates for the following
options:
l SD-WAN interface member
l Interface member option
l Gateway IP option
l Neighbor
l IP option
l Performance SLA
l Health-Check Server option
In the following SD-WAN template example, meta fields are used for the following interface member options: Interface
Member and Gateway IP:
In the following SD-WAN template example, a meta field is used for the Health-Check Server option in Performance
SLA:
In the following SD-WAN template example, a meta field is used for the IP option in Neighbor:
SD-WAN Monitor now includes information about ADVPN shortcut interfaces for monitoring SD-WAN networks. When
device history monitoring is enabled for SD-WAN Monitor, the device history also includes information about
ADVPN shortcut interfaces.
When an SD-WAN network is configured without ADVPN shortcuts, no shortcut information is displayed on VPN Monitor
and on the graphs on SD-WAN Monitor.
In this example, device history monitoring is disabled for SD-WAN Monitor.
Scroll down to view SLA information, such as latency, jitter, and packet loss.
When an SD-WAN network is configured to use ADVPN shortcuts, you can view information about the shortcuts on
VPN Monitor and in graphs on SD-WAN Monitor.
In this example, device history monitoring is enabled for SD-WAN Monitor.
Scroll down to view SLA information, such as latency, jitter, and packet loss, for each interface. The SLA graphs
include information for dynamic interfaces.
Templates
This section lists the new features added to FortiManager for templates:
l Interface template support for meta fields on page 25
l Static route template with support for meta fields on page 30
l Pre-defined IPsec template with recommended settings on page 35
l Un-assign IPsec template to remove VPN-related configuration on page 37
When you create a meta field for a device object, a variable name is automatically created, and you can use the variable
in interface templates when provisioning FortiGates.
When you create a meta field, you can specify whether it is required or optional. When the meta field is required for
device objects, you must define a value for all FortiGate devices. A column is automatically displayed on the Device
Manager pane to indicate required meta fields and to help you identify when values are missing.
After you assign interface templates to devices, you can view the post action values before you install the configuration
to devices.
This topic includes the following sections:
l Creating meta field variables on page 25
l Using meta field variables in interface templates on page 26
l Viewing required meta fields in Device Manager on page 27
l Assigning interface templates to devices on page 28
l Overriding meta field values in interface templates on page 29
When you create a meta field, a variable name is automatically created, and you can set a value for the variable for each
device.
This example describes how to create a meta field named storenumber for a device object. The storenumber meta field
is set to Required. When a meta field is set to Required, a value must be defined for all devices. Set the meta field to
Optional to avoid this requirement.
The name identifies the meta field, and a variable name is automatically created for the
meta field. View the Variable option to see the variable name that you can use in interface
templates. For example, $(storenumber) is the variable name for the storenumber meta
field.
6. Click OK.
The meta field is created.
You can use meta field variables in interface templates. When you create a meta field, a variable is automatically created
for you. You can use the variable in interface templates.
e. In the IP/Netmask box, type the variable with the IP/netmask, such as 192.162.$(storenumber).254/25,
and click OK.
Note that $(storenumber) is the variable name for the meta field.
When a meta field is required for devices, you must assign an interface template to devices. If a device lacks a meta field
value, a conflict symbol is displayed, and you cannot assign an interface template to it. You must define a value for the
meta field for the device before you can assign an interface template to it.
You must assign an interface template to devices when Required is enabled for certain meta fields.
You can also preview the meta field value.
5. In the Interface widget, select the action, and click Post Action View.
The Post Action Preview is displayed. The meta field displays the expected value.
6. Click Cancel.
You can enable Allow Override in interface templates for some options. After you assign the interface template to a
device, you can edit the interface action to override the option.
You can provision static routes to FortiGate devices by using a static route template. Both IPv4 and IPv6 are supported.
After creating the static route template, you can assign the template to one or more devices, and install the configuration
to devices.
For IPv4, you can create static routes for the following destinations:
l Subnet
l Internet service
l Custom Internet service
You can use meta field variables created for an object type of Device VDOM when creating IPv4 static routes for
subnets.
You can create meta field variables for an object type of Device VDOM, and then use the variable in static route
templates.
When you create a meta field, a variable name is automatically created, and you can set a value for the variable for each
device.
This example describes how to create a meta field named vdom-ip for a Device VDOM object.
The name identifies the meta field, and a variable name is automatically created for the
meta field. View the Variable option to see the variable name that you can use in interface
templates. For example, $(vdom-ip) is the variable name for the vdom-ip meta field.
6. Click OK.
The meta field is created.
You can use meta field variables created for an object type of Device VDOM when creating IPv4 static routes for
subnets.
b. In the toolbar, click Create New. The Create New Static Route pane is displayed.
For IPv4 subnets, you can use a meta field variable created for an object type of Device VDOM instead of
typing an IP address. For example:
FortiManager includes a default IPsec template called IPSec_Fortinet_Recommended. The default template contains
recommended VPN tunnel settings and best practices. You can clone the template and customize settings in the clone
to create new IPsec templates.
After editing the cloned template, assign the template to devices. When you install the settings to devices,
phase1/phase2 interface settings are installed to devices.
b. In the Name box, type a name for the cloned template, and click OK.
The cloned template is displayed in the content pane.
c. Select the cloned template, and click Edit.
The cloned template opens for editing. The cloned template includes default tunnel settings named default.
3. Select default, and click Edit.
c. In the Available Entries list, select devices, and click > to move them to the Selected Entries list, and click OK.
The template is assigned to the devices in the Selected Entries list and ready for use.
6. Install device settings to install phase1/phase2 interface configuration to devices.
When you un-assing an IPsec template from a device, FortiManager modifies the configuration for affected devices.
When you install the modified configuration to devices, FortiManager automatically uninstalls the configuration
(phase1/phase2 interfaces) generated by the IPsec template from devices.
This topic describes how you can view the changes in the FortiManager GUI.
Central Management
This section lists the new features added to FortiManager for central management:
l FortiSwitch Manager on page 39
l Extender Manager on page 46
FortiSwitch Manager
This section lists the new features added to FortiManager for FortiSwitch manager:
l FortiSwitch Manager central management improvements on page 39
FortiSwitch Manager central management includes new improvements for MCLAG, QSFP split-port, switch custom
commands and importing switch/AP configuration settings from FortiGate.
l Importing FortiSwitch and FortiAP settings from FortiGate on page 39
l Split port configuration and display on page 41
l FortiSwitch custom commands in central management mode on page 44
l FortiSwitch custom commands in per-device management mode on page 45
1. In Device Manager, right-click the FortiGate, click Import Configuration, then click Import FortiAP Profiles and
FortiSwitch Templates.
2. In the access point profile list and FortiSwitch template list, you can change or keep the default name.
1. Before adding the FortiSwitch to FortiGate, you must enable phy-mode on the FortiSwitch. Once the FortiSwitch
has been authorized by FortiGate, you can add the FortiGate to FortiManager.
2. In central management mode, import the template from the managed FortiSwitch, and the split port configuration
will be retained.
You can edit the template including the split ports, and the changes can be installed to FortiGate when the template
is assigned to the managed FortiSwitch.
3. In the managed FortiSwitch, you can right-click on the FortiSwitch and click View Ports. The split ports are visible.
While mousing over the split ports, the port status is displayed.
4. In per-device management mode, users can edit split ports in the Port Configuration page.
While mousing over the split ports, the port status is displayed.
1. Go to FortiSwitch Manager > FortiSwitch Templates > Custom Command, and create a new custom command
entry.
2. In FortiSwitch Template, edit or create a new template. Select Create New under Custom Command Entry to create
a new command entry. Select your previously configured custom command, and click OK.
3. When the template is assigned to the FortiSwitch, the Install Wizard will install the custom command entry to
FortiGate.
1. A custom command entry can be created/edited in FortiSwitch Profiles > Custom Command page for each FortiGate.
2. In Managed Switches, select and edit a FortiSwitch device, and in the custom command entry, select Create New to
create a new command entry. Select your previously configured custom command, and click OK.
Extender Manager
This section lists the new features added to FortiManager for Extender manager:
l Extender Manager for central managed FortiExtender devices on page 46
l FortiExtender Template for ZTP on page 50
The Extender Manager allows you to create FortiExtender templates, SIM profiles, and Data plans. After a template is
created, you can assign it to a managed device and install the profiles and plans on FortiExtender.
The FortiExtender module is always displayed in Central Management mode regardless of whether there is connection
to a FortiExtender device.
1. Go to Extender Manager.
b. In the toolbar, click Create New. The Create New FortiExtender Template page opens.
c. Enter the template Name and click OK.
After importing the template, the template will be assigned to the FortiExtender where the template was
imported from.
4. After creating a new template, the template can be assigned to an existing FortiExtender.
7. Link the SIM profile and Data Plan profile to the FortiExtender template.
8. After the template is assigned to a FortiExtender, the changes to the SIM profiles and Data plans can be installed to
the FortiGate and FortiExtender.
Use FortiExtender templates to configure SIM Profiles and Data Plans. After the template is created, you can assign it to
a managed device.
c. From the FortiExtender Template dropdown, select the template you created and click OK.
This section lists the new features added to FortiManager for policy and objects:
l Policy on page 52
l Objects on page 55
Policy
This section lists the new features added to FortiManager for policies:
l Policy revision history on page 52
You are now required to enter a change note when you create or edit a policy. Policy revisions can be viewed in the
Revision History table.
4. Click OK. The number of revisions are displayed in the Revision History column.
5. Click the link in the Revision History column to view the version history.
6. Double-click a policy in the list. The Revision History table displays the changes to the policy.
Objects
This section lists the new features added to FortiManager for objects:
l New IPS signatures monitoring page on page 55
l Object revision history on page 60
The new IPS Signatures page allows you to quickly view and manage IPS signatures.
Restricted Admin users can view the page by going to Policy & Objects > Object Configurations > Intrusion
Prevention > IPS Signatures.
4. Click a predefined signature ID. The FortiGuard signature page opens in a new tab.
5. Right-click the signature row. The context menu displays, Edit,Clone and Delete actions for custom signatures.
6. From the context menu, select Where Used. The Where Used dialog displays where the IPS profile signature is
used. Clicking an IPS profile will open the IPS profile Edit window.
7. Click Close.
8. From the context menu, select Add to IPS Profile. the Create New IPS Profile and Add to Existing IPS Profile(s)
options are displayed.
9. Click Cancel.
10. Type a search term in the in the Search field. The search results are highlighted in the signatures list.
12. To clear search terms and filters, click Rest Search and Reset Filters buttons.
You are now required to provide a Change Note when you create or edit an object. You can also use the new Revision
History table to revert a change or compare versions of an object.
4. Click OK. The number of revisions are displayed in the Revision History column. Click the link in the column to view
the revision history.
5. Double-click the object you edited. The Revision History table appears at the bottom of the page.
6. Select a revision, and click View Diff. The Difference between Revision <#> and <#> page is displayed.
System
This section lists the new features added to FortiManager for system settings:
l High Availability (HA) on page 63
l Administrators on page 65
l ADOM on page 72
This section lists the new features added to FortiManager for high availability (HA):
l FortiManager verifies if FortiAnalyzer features are disabled before forming HA cluster on page 63
With FortiManager 7.0.0, you cannot enable FortiAnalyzer features on FortiManager nodes that are part of an
HA cluster.
If FortiAnalyzer features are enabled on FortiManager nodes in an HA cluster before you upgrade to FortiManager 7.0.0,
FortiAnalyzer features are automatically disabled on each FortiManager in the HA cluster during upgrade.
After upgrading to FortiManager 7.0.0, you cannot enable FortiAnalyzer features on any FortiManager nodes that are
part of an HA cluster, and the FortiAnalyzer Features option is hidden in the GUI.
For standalone FortiManager units with FortiAnalyzer features enabled, you must disable FortiAnalyzer features before
you can form a FortiManager HA cluster after upgrading to FortiManager 7.0.0.
This topic contains the following sections:
l FortiAnalyzer features disabled during upgrade on page 63
l FortiAnalyzer features disabled when HA enabled on page 64
l FortiAnalyzer features disabled before forming HA on page 64
If FortiAnalyzer features are enabled before you upgrade to FortiManager 7.0.0, FortiAnalyzer features will be
automatically disabled during upgrade to FortiManager 7.0.0.
For example, FortiAnalyzer features are enabled on FortiManager before upgrading to FortiManager 7.0.0. On the
System Settings > Dashboard pane, the System Information widget shows FortiAnalyzer Features toggled ON.
After the upgrade to FortiManager 7.0.0 completes, FortiAnalyzer features are disabled, and the FortiAnalyzer Features
option is hidden from the GUI.
After upgrading to FortiManager 7.0.0, you cannot enable FortiAnalyzer features on any FortiManager nodes that are
part of an HA cluster.
In the GUI, the FortiAnalyzer Features option is hidden:
In the CLI, an error message is displayed if you try to enable FortiAnalyzer features:
FMG-VM64 # config system global
(global)# set faz-status enable
(global)# end
Please disable HA before enabling FortiAnalyzer feature.
object set operator error, -7 discard the setting
Command fail. Return code -7
When FortiAnalyzer features are enabled on FortiManager in stand-alone mode, you cannot form an HA cluster.
When you try to form an HA cluster, FortiManager checks each FortiManager node for enabled FortiAnalyzer features.
In the GUI, when enabled FortiAnalyzer features are found, a message is displayed, asking you to disable FortiAnalyzer
features first:
In the CLI, when you try to enable HA mode, an error message is displayed, asking you to disable FortiAnalyzer features
first:
FMG-VM64 # config system ha
(ha)# set mode primary
(ha)# end
Please disable FortiAnalyzer feature before enabling HA.
object set operator error, -7 discard the setting
Command fail. Return code -7
FMG-VM64 #
FMG-VM64 # config system ha
(ha)# set mode secondary
(ha)# end
Please disable FortiAnalyzer feature before enabling HA.
object set operator error, -7 discard the setting
Command fail. Return code -7
FMG-VM64 #
When FortiManager detects disabled FortiAnalyzer features on each FortiManager node, you can form a FortiManager
HA cluster by using the GUI or the CLI.
Administrators
This section lists the new features added to FortiManager for administrators:
l Theme mode on page 66
l Admin Permission to enable/disable script tab access on page 67
l Admins can use a SAML SSO FortiCloud account to log in to FortiManager on page 68
Theme mode
When you create a new user, you can to apply a theme to all the administrator accounts, or allow admins to choose their
own theme
5. Click OK.
When a user logs into their account, they can change the theme by clicking their username, and selecting Change
Profile.
User profiles now contain a Script Access setting to allow administrators to create, edit, or delete a script. Users with
read-write and read-only privileges will see the Scripts tab in the tree-menu at the left side of the page.
1. Go to System Settings > Admin > Profile. The Script Access setting is located in the Device Manager section.
2. Set Script Access to Read-Write, and click OK. The Scripts module is displayed in the tree-menu.
3. When the setting is set it to Read-Only, the user can see scripts but cannot create, edit, or delete a script. The
Return button is displayed.
4. When the setting is set to None, the Script tab does not appear in the tree-menu.
Admins can use SAML SSO through their FortiCloud account to log in to FortiManager.
1. By default, administrators can only log in using a local or remote user account configured on FortiManager.
2. To enable SAML SSO using FortiCloud, you must first register your FortiManager on FortiCloud. You can confirm
the FortiCloud registration status in System Settings > Dashboard under License Information.
3. Go to System Settings > Admin > SAML SSO, and set the Allow admins to login with FortiCloud toggle to the ON
position. Click Apply.
5. Click Login with FortiCloud and you are redirected to the FortiCloud login portal. Enter your FortiCloud credentials,
and click LOGIN.
By default, only the account ID which the FortiManager is registered to can be used to log in to FortiManager. To
enable login for additional user accounts using FortiCloud, you can configure multiple IAM users in FortiCloud.
6. Go to FortiCloud and create one or more IAM users. For more information on creating an IAM user, see Identity
& Access Management (IAM).
7. Go to the FortiManager sign in page and click Login with FortiCloud, and click the option to Sign in as IAM user
(BETA) at the bottom of the login portal.
8. Enter your IAM user credentials, and you will be logged in to FortiManager as the IAM user.
ADOM
This section lists the new features added to FortiManager for ADOMs:
l ADOM health check tool reports warnings on devices, configurations, and policy package status on page 73
ADOM health check tool reports warnings on devices, configurations, and policy
package status
From the System Settings > All ADOMs pane, you can check the status of all devices in all ADOMs. You can check the
status of the following criteria for all devices in all ADOMs:
l Device connection is down.
l Device configuration status is not synchronized.
l Device policy package status is not synchronized.
You can also choose whether to exclude model devices from the health check.
When the health check status is displayed, you can view what ADOMs contain problematic devices, and go directly to
the Device Manager pane in the ADOM with problematic devices. You can also return to the ADOM Health Check dialog
box, and continue checking ADOM statuses.
3. In the Health Check Criteria section, select what criteria to check, and click Check Now.
The results of the check are displayed. In the following example, Warning ADOMs <number> is selected, and the
list of ADOMs with warnings are displayed. The root ADOM has a warning.
4. Under Warning ADOMs <number>, click root <number> to display the Device Manager pane, and view details
about the warning.
The Device Manager pane is displayed for the ADOM with the warning. The ADOM Health Check button remains at
the bottom of the pane.
5. At the bottom-right of the Device Manager pane, click the ADOM Health Check button to return to the ADOM Health
Check dialog box, and continue checking ADOMs.
The ADOM Health Check dialog box is displayed.
Management Extensions
This section lists the other new features added to FortiManager for management extensions:
l CPU and RAM maximum values for Management Extension Applications can be configured in CLI on page 76
l New management extension - FortiSOAR on page 76
You can allocate up to 50% (between 10% and 50 %) of the total FortiManager resource to management extension
applications. This ensures that there are no performance issues in the host FortiManager.
l The CLI commands allow you to set the resource limit globally for all management
extensions.
l If management extensions reach the limit of allocated FortiManager resource, a warning
appears in the Alert Message Console widget in System Settings > Dashboard.
This feature adds the FortiSOAR application as a management extension application (MEA). FortiSOAR is an
enterprise-built security orchestration and security automation workbench that empowers security operation teams.
By default, FortiSOAR MEA is disabled. You can enable FortiSOAR MEA by using the GUI or the CLI.
There are minimum system resources recommended for FortiManager when using FortiSOAR MEA. See the
FortiManager Release Notes for additional information.
The following CLI commands are available for FortiSOAR MEA:
l config system docker
l diagnose docker status
l diagnose docker upgrade fortisoar
The version and build information for FortiSOAR can be found on the bottom-left corner of the Dashboard. Clicking
on this information displays the version and build dialog.
The FortiManager Setup wizard lets you register with FortiCare as well as perform the following actions:
l Registering with FortiCare
l Changing your password
l Setting the time zone
l Specifying a hostname
When an action is complete, a green checkmark displays it in the wizard, and the wizard no longer displays after you log
in to FortiManager.
1. Log in to FortiManager.
The FortiManager Setup dialog box is displayed.
FortiManager VM licenses
For FortiManager virtual machines (VMs), you can use the FortiManager GUI to:
l Request and activate a trial license
l Activate a perpetual or VM-S license
l Activate an add-on perpetual or VM-S license
FortiManager must be able to access the Internet to communicate with FortiCloud to complete the licensing process.
The licensing process requires you to log in to FortiCloud. If you do not have a FortiCloud account, you can create one to
complete the licensing process.
This topic contains the following sections:
l Requesting and activating a trial license on page 85
l Activating a new license on page 88
l Activating an add-on license on page 90
Some of the screen shots in the following examples are for FortiManager, but the process applies to both FortiManager
and FortiAnalyzer.
You can use the FortiManager GUI to request and activate a trial license for a FortiManager VM.
You can use the FortiManager GUI to activate a new license for virtual machines. Licenses for VM-S subscriptions and
perpetual subscriptions are supported.
2. Select Activate License, enter your license key, and click Login with FortiCloud.
The License Agreement is displayed.
You can use the FortiManager GUI to activate an add-on license for a VM-S subscription or a perpetual subscription.
In the following example, the FortiManager VM has a base license, and you want to apply an add-on perpetual license
named 1000UG.
Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.