Fortigate High Availability with 1 License

Mr. Sonnie Ardhianto
Aug 1, 2022


Background
This article was written on 01-Aug-22
I work for a small company but was lucky enough to purchase 2x Fortigate.
Yet I still have to keep costs to a minimum. So I am privileged to have hardware redundancy, but can I use only 1x license?

High Availability status

High Availability is running well

License status

HA Fortigate will take the oldest (expired) license

But actually my newest Fortigate still has a valid license.
Even when your active device has a valid license, an HA-configured Fortigate will take the oldest license.

Smart ….

So, how to use the valid license?

Using Fortiguard valid license

Essentially:
- We need to turn off the older Fortigate (without a valid license)
- Let the newer Fortigate (with valid license) fully take over
- Wait for a while until the license is recognized by the Fortiguard server
- Once you confirm that protection definitions are updated, turn on the older Fortigate
- Let the HA system replicate the updated protection definitions to the older device
- Confirm that your HA system has the latest protection definitions (even though the license is expired again)
- Repeat this step as required

Commands

Turn off the older Fortigate
From CLI console type:
execute ha manage 0 <admin username>

CLI must clearly show that you are already on the old device

execute shutdown

Your old device is shut down

Monitor the Fortiguard license until it is updated.
This may take 15–30 minutes (or maybe more)

Valid license active and definitions updated

Turn on the old Fortigate again.
Do this by unplugging the power and plugging it back in. This is the only way.

Verify that HA is active and protection definitions are still the latest even when the license is expired.

License is expired but protection definitions are the latest
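
Because the cluster stops pulling updates once the expired license is back in charge, it helps to track how old the definitions are and decide when to repeat the steps above. The following is an added example, not part of the original article: it parses text saved from the FortiOS command `diagnose autoupdate versions`; the output layout, the sample values and the seven-day threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample; the layout of `diagnose autoupdate versions` is assumed.
SAMPLE = """\
Virus Definitions
---------
Version: 90.04501
Contract Expiry Date: Fri Jul  1 2022
Last Updated using scheduled update on Mon Aug  1 09:12:00 2022

Attack Definitions
---------
Version: 21.00340
Contract Expiry Date: Fri Jul  1 2022
Last Updated using scheduled update on Wed Jun 15 03:40:00 2022
"""

def _date(text, fmt):
    # Dates pad single-digit days with two spaces; "n/a" yields None.
    try:
        return datetime.strptime(" ".join(text.split()), fmt)
    except ValueError:
        return None

def parse_autoupdate(text):
    """Return {database: {'version', 'expiry', 'updated'}}."""
    sections = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.strip().splitlines()
        if len(lines) < 2 or not lines[1].startswith("---"):
            continue
        entry = {"version": None, "expiry": None, "updated": None}
        for line in lines[2:]:
            key, _, value = line.partition(":")
            if key == "Version":
                entry["version"] = value.strip()
            elif key == "Contract Expiry Date":
                entry["expiry"] = _date(value, "%a %b %d %Y")
            elif key.startswith("Last Updated") and " on " in line:
                entry["updated"] = _date(line.rsplit(" on ", 1)[1], "%a %b %d %H:%M:%S %Y")
        sections[lines[0].strip()] = entry
    return sections

def needs_refresh(sections, now, max_age_days=7):
    """Databases with a lapsed contract whose last update is older than the limit."""
    limit = now - timedelta(days=max_age_days)
    return sorted(n for n, e in sections.items() if e["expiry"] and e["expiry"] < now
                  and (e["updated"] is None or e["updated"] < limit))
```

Calling `needs_refresh(parse_autoupdate(saved_output), datetime.now())` returns the databases that have gone stale, which is the signal to repeat the procedure.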

Enjoy!!
