FortiGate VM License Transfer: Procedures, Pitfalls, and Platform Mobility
Navigate FortiGate VM license transfers between serial numbers, evaluation to production, and permanent to subscription models with precision.
The Hidden Mechanics of Virtual Firewall Licensing
FortiGate virtual machines operate under a licensing architecture that binds entitlements to specific serial numbers and cloud instances. Administrators migrating workloads, upgrading from trial deployments, or transitioning licensing models encounter a system designed for security—not convenience. Understanding the precise sequence of operations, timing constraints, and platform-specific behaviors determines whether a license transfer succeeds or triggers FortiGuard's duplicate-detection safeguards.
Serial Number Transfers: The 90-Minute Rule
The Core Procedure
Transferring a FortiGate-VM license between instances with different serial numbers follows a strict protocol. Administrators must first download the license file from the support portal for the source instance. After shutting down the original virtual machine, a mandatory 90-minute waiting period begins. This interval allows FortiGuard servers to deregister the instance's license claim. Attempting to activate the same license file on a new VM before this window expires triggers a "Duplicate license detected" error.
HA Configurations Demand Synchronization
High Availability deployments introduce additional complexity. Both cluster nodes require identical license files. Uploading the license solely to the primary unit creates a configuration mismatch: the secondary node disappears from HA management views. When the reserved management interface remains unconfigured, administrators must access the secondary unit via CLI using the execute ha manage command and upload the license through FTP or TFTP. Simultaneous application to both nodes prevents synchronization failures.
Evaluation to Production: Preserving Identity During Migration
Serial Number Continuity
Migrating from evaluation or trial licenses to production entitlements maintains serial number continuity within the asset portal. The new production VM inherits the original evaluation instance's serial identifier. This behavior simplifies asset tracking but requires careful planning: the 90-minute shutdown rule still applies to evaluation instances before their licenses become available for reassignment.
Cross-Region Flexibility
License migration operates independently of deployment regions, availability zones, or resource groups. An evaluation instance running in one cloud region can yield its license to a production VM deployed elsewhere, provided the shutdown and waiting protocol is observed. Configuration data remains unaffected during the license upload process, though the VM reboots automatically upon successful validation.
Permanent to Subscription: Two Paths, Distinct Trade-offs
Device Migration: Flexibility Through Duplication
The Device Migration method deploys a new VM instance with the subscription license while preserving the original. Administrators back up the configuration from the permanent-licensed device, deploy a fresh VM with the subscription SKU, shut down the legacy instance, reassign network resources, and restore the configuration. This approach permits rollback by simply reactivating the original VM. However, it requires temporary resource duplication and coordinated IP address reassignment.
License Migration: Direct Conversion With Recovery Safeguards
License Migration applies the new subscription license directly to the existing VM instance. This method demands a pre-migration VM snapshot or checkpoint—reversal becomes difficult without this safety net. The process involves downloading the new license file from the support portal, uploading it via the dashboard or CLI, and allowing two reboots: the first activates a single CPU core, the second (after FortiGuard validation) enables the subscribed CPU count. Built-in certificates regenerate with new private keys, and the device serial number changes permanently.
Critical Compatibility Constraints
Subscription (S-series) and permanent license types cannot coexist in the same FGCP HA cluster. Migrating an HA pair requires isolating or shutting down nodes sequentially to prevent split-brain conditions. Additionally, S-series devices include only root VDOM licensing by default; any additional VDOMs configured under the permanent license become inactive until a corresponding subscription entitlement is applied.
Evaluation License Mobility: Account-Based Activation
FortiCloud as the Licensing Authority
Evaluation licenses operate under a different paradigm: activation ties to a FortiCloud account rather than a static license file. Moving an evaluation license to a new machine can occur automatically when the same FortiCloud credentials are entered on the new instance—the original deployment deactivates implicitly. For manual control, administrators decommission the old instance via FortiCloud Asset Management, then execute three CLI commands on the new VM: execute vm-license-options account-id, execute vm-license-options account-password, and execute vm-license.
Single-License Enforcement
FortiCloud enforces a one-evaluation-license-per-account policy. Creating a second FortiCloud account enables parallel evaluation deployments, but this approach complicates asset management and support interactions.
Cross-Platform Mobility and Licensing Boundaries
BYOL Portability Across Clouds
Bring-Your-Own-License (BYOL) entitlements permit movement between cloud platforms—AWS to Azure, private cloud to public infrastructure—provided the license file remains active on only one instance at any moment. FortiGuard's duplicate-detection system flags simultaneous activations, potentially disabling service entitlements until resolution.
PAYG and BYOL: Incompatible Models
Pay-As-You-Go (on-demand) licensing, available on major public clouds, bundles instance and service costs. These deployments cannot convert to BYOL subscription models, nor can BYOL instances migrate to PAYG billing. The licensing architectures remain mutually exclusive; migration requires deploying a fresh instance under the target model.
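The constraints described in the sections above (the 90-minute wait, the snapshot requirement, mixed license types in HA, inactive VDOMs, PAYG versus BYOL) can be checked as a pre-flight gate before a change window. The following is an added example, not Fortinet tooling or code from the original article; the Plan structure, its field names, and the finding codes are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

WAIT = timedelta(minutes=90)  # deregistration window stated in the article

@dataclass
class Plan:  # hypothetical change-ticket structure, not a Fortinet format
    method: str                    # "file-transfer" | "license-migration" | "device-migration"
    source_model: str = "BYOL"     # "BYOL" or "PAYG"
    target_model: str = "BYOL"
    source_shutdown_at: Optional[datetime] = None  # None: source VM still running
    ha_license_types: List[str] = field(default_factory=list)  # one entry per HA node
    snapshot_taken: bool = False
    extra_vdoms: int = 0           # VDOMs configured beyond root
    vdom_entitlement: bool = False # matching subscription VDOM entitlement applied

def preflight(plan: Plan, now: datetime) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means the plan may proceed."""
    findings = []
    if plan.source_model != plan.target_model:
        findings.append(("MODEL_MISMATCH", "PAYG and BYOL do not convert; deploy a fresh instance"))
    if plan.method == "file-transfer":
        # Reusing a license file on a new serial number: source must be off for 90 minutes.
        if plan.source_shutdown_at is None:
            findings.append(("SOURCE_RUNNING", "shut down the source VM before reusing its license"))
        elif now < plan.source_shutdown_at + WAIT:
            ready = (plan.source_shutdown_at + WAIT).isoformat()
            findings.append(("WAIT_NOT_ELAPSED", f"earliest activation {ready}"))
    if plan.method == "license-migration" and not plan.snapshot_taken:
        # In-place conversion changes the serial number and regenerates keys.
        findings.append(("NO_SNAPSHOT", "take a VM snapshot before applying the new license"))
    if (plan.method in ("license-migration", "device-migration")
            and plan.extra_vdoms and not plan.vdom_entitlement):
        findings.append(("VDOMS_INACTIVE", f"{plan.extra_vdoms} non-root VDOM(s) will go inactive"))
    if len(set(plan.ha_license_types)) > 1:
        findings.append(("HA_MIXED_TYPES", "permanent and subscription nodes cannot share an FGCP cluster"))
    return findings

if __name__ == "__main__":
    # Constructed sample: source stopped 40 minutes ago, target is a mixed HA pair.
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    plan = Plan("file-transfer", source_shutdown_at=t0,
                ha_license_types=["permanent", "subscription"])
    for code, detail in preflight(plan, t0 + timedelta(minutes=40)):
        print(code, "-", detail)
```

Record the source shutdown time in UTC when the VM actually stops, so the earliest-activation timestamp in the finding can be copied into the change ticket.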
Frequently Asked Questions
What happens if I upload a FortiGate VM license before the 90-minute waiting period expires?
FortiGuard servers will detect the license as still active on the previous instance, returning a "Duplicate license detected" error. The new VM will fail to validate service entitlements until the original instance's claim expires or is manually decommissioned.
Can I migrate a FortiGate VM license between different cloud providers?
Yes, BYOL licenses support cross-platform mobility. The critical requirement: ensure the license is active on only one instance at a time. Download the license file, shut down the source VM, wait 90 minutes, then upload to the destination instance regardless of cloud provider.
Why does my HA cluster lose synchronization after a license transfer?
Uploading a license to only the primary HA node creates a configuration mismatch. Both nodes require identical license files. Upload simultaneously to both units, or use CLI access to apply the license to the secondary node if GUI access is unavailable.
What changes when migrating from a permanent to a subscription license?
The device serial number changes, built-in certificates regenerate with new private keys, and the subscription period begins upon FortiCloud registration. Entitlements tied to the old serial number do not transfer automatically. Additionally, S-series licenses include only root VDOM support by default.
How do I recover if a license migration fails?
For License Migration, restore from a pre-migration VM snapshot. For Device Migration, reactivate the original instance and reassign network resources. Always maintain configuration backups and snapshots before initiating any license transfer operation.