
Using FortiFlex to License FortiGates

I create and destroy FortiGate VMs all the time in my lab, and a lot of our customers do the same thing in their private cloud and public cloud environments. Having a static license tied to a static FortiGate doesn’t work in these scenarios, so Fortinet created the FortiFlex program to accommodate them. The FortiFlex program is a pool of credits that are consumed daily based on the services and size of the FortiGate. It has been expanded to many hardware FortiGates as well as other Fortinet solutions like FortiManager, FortiAnalyzer, FortiWeb and FortiADC:

In this blog post, we’ll walk through the process to configure the FortiFlex entitlements and apply to an HA pair of FortiGate VMs.

Activation and Setup

After you’ve purchased and activated the FortiFlex program and points, log in to FortiCare and you’ll see FortiFlex listed under the Services drop-down (it can take up to 4 hours for this to appear after activation):

Prepaid points are available for Enterprise customers. Points are purchased in units of 10,000 and 50,000 points and are deducted on a daily basis based on resource consumption. Unused points can be rolled over upon the program registration anniversary date. (https://docs.fortinet.com/document/flex-vm/24.1.1/administration-guide/667344/points)

If you have FortiPoints from that program, you can convert them to FortiFlex points. FortiPoints allows you to spend points on services for Fortinet solutions, but the key difference is that it’s statically allocated for 1 or more years and assigned to a static asset. It isn’t as flexible as FortiFlex, but is often an easier procurement vehicle than buying individual contracts for individual assets. We can convert our FortiPoints to FortiFlex points within FortiCare Asset Management.

Creating Configurations

If you plan to deploy similarly spec’d FortiGates, you can create a Configuration to speed up the deployment process. I typically run FortiGate VMs with 1 CPU and Unified Threat Protection (UTP) plus OT signatures in my lab, so I created a configuration of those settings:

Creating Entitlements

Our next step is to create Flex Entitlements for specific product types and configurations. This step pre-provisions a FortiGate to consume the points; it will generate a serial number and set up FortiFlex to be consumed once the FortiGate is created and deployed. Go to Flex Entitlements and click New Flex Entitlement. The Add Flex Entitlement(s) page opens. I selected a FortiGate with Service Bundle and my newly-created Configuration on this page. I also selected the number of entitlements (2, since I’ll create 2 FortiGate VMs) and when to allow the license to terminate (either 1 year or a specific date):

More details on all the options are available here: https://docs.fortinet.com/document/flex-vm/24.1.1/administration-guide/091804/creating-vm-entitlements. We’ll click Next to review our entitlement and how many points would be consumed each day:

Finally, click Submit and you’ll see the serial numbers for the 2 newly-entitled FortiGate VMs:

After this, click List at the bottom right and you’ll see the tokens you’ll use as well as the status:

PENDING means the FortiFlex entitlement has been created, the FortiGate VM pre-provisioned, but no FortiFlex points have been consumed since we haven’t entitled the FortiGate VMs yet — that’s our next step!

Injecting FortiFlex License

In this step, we can inject the FortiFlex license either via CLI or during the VM bootstrap process. I’m going to deploy FortiGate VMs from an OVF template, but will use the CLI method to register them to FortiFlex. I wanted to note that there are better, more streamlined methods to inject the FortiFlex license detailed here: https://docs.fortinet.com/document/flex-vm/24.1.1/administration-guide/256339/injecting-the-fortiflex-license. After I deploy my FortiGate VM, I run this command to register it to its FortiFlex entitlement since I’m using the CLI method:

After this, the FortiGate will phone home to FortiFlex to confirm the token. At this step, you’ll be prompted to reboot the FortiGate VM. When it comes back up, it will have the Serial Number mapped to that token in FortiFlex. And the status changes to ACTIVE:

After the FortiGate reboots, it’s licensed!

Reviewing FortiFlex Consumption

Fast forward a few days and I can see the point consumption in FortiFlex:

My 1 CPU FortiGate VM with UTP and OT signatures consumes 3.26 points / day. Something I noticed, as of this writing, is that even if my FortiGate VM is powered off, it still consumes points in FortiFlex. This is because I need to stop the entitlement too and I can either manually do this in FortiFlex or leverage the FortiFlex API to automate it; for now, I do the manual method but I owe you a future blog post on using the API. John McDonough has an amazing GitHub repository with Python scripts to achieve this: https://github.com/movinalot/fortinet-flexvm.
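The check behind that observation, as an added example (not from this post or from the linked repository): it reconciles entitlements against VM power state to find ACTIVE entitlements that are still consuming points for VMs that are off or gone. Serial numbers, power states, the record layout and the STOPPED status name are constructed assumptions; the 3.26 points/day rate and 10,000-point pool come from the post.

```python
# Added example: find FortiFlex entitlements that burn points for idle VMs.
# Every serial number, power state and field name below is constructed.
ENTITLEMENTS = [
    {"serial": "FGVM-EXAMPLE-0001", "status": "ACTIVE", "points_per_day": 3.26},
    {"serial": "FGVM-EXAMPLE-0002", "status": "ACTIVE", "points_per_day": 3.26},
    {"serial": "FGVM-EXAMPLE-0003", "status": "PENDING", "points_per_day": 3.26},
    {"serial": "FGVM-EXAMPLE-0004", "status": "ACTIVE", "points_per_day": 3.26},
]
# Hypervisor inventory keyed by FortiGate serial; 0004 was destroyed, so it is absent.
VM_POWER = {"FGVM-EXAMPLE-0001": "on", "FGVM-EXAMPLE-0002": "off"}


def daily_burn(entitlements):
    """Points deducted per day: only ACTIVE entitlements consume points."""
    return round(sum(e["points_per_day"] for e in entitlements
                     if e["status"] == "ACTIVE"), 2)


def idle_entitlements(entitlements, vm_power):
    """Serials of ACTIVE entitlements whose VM is powered off or missing."""
    return [e["serial"] for e in entitlements
            if e["status"] == "ACTIVE" and vm_power.get(e["serial"]) != "on"]


def runway_days(pool_points, entitlements):
    """Whole days the pool lasts at the current burn, or None if nothing burns."""
    burn = daily_burn(entitlements)
    return None if burn == 0 else int(pool_points // burn)


def after_stopping(entitlements, serials):
    """Copy of the list with the given serials marked STOPPED (assumed name)."""
    return [dict(e, status="STOPPED") if e["serial"] in serials else e
            for e in entitlements]


def report(pool_points, entitlements, vm_power):
    idle = idle_entitlements(entitlements, vm_power)
    trimmed = after_stopping(entitlements, idle)
    return {"burn_now": daily_burn(entitlements), "idle": idle,
            "burn_after_stop": daily_burn(trimmed),
            "runway_now": runway_days(pool_points, entitlements),
            "runway_after_stop": runway_days(pool_points, trimmed)}


if __name__ == "__main__":
    for key, value in report(10_000, ENTITLEMENTS, VM_POWER).items():
        print(f"{key}: {value}")
```

The serials in `idle` are the entitlements to stop, either manually in FortiFlex or through the API.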

Conclusion

FortiFlex is a great solution to flexibly consume entitlements down to daily increments allowing you to create/destroy/resize FortiGate VMs as needed. And you can extend that functionality to hardware Fortinet devices too. It’ll make my life easier with the ten or so FortiGate VMs that I only need alive for demos and hopefully it’ll make your lives easier too. Thanks for reading!
