
Fortinet License Management Guide: How to Check Status via CLI and GUI


In the world of Fortinet security ecosystems, license status monitoring isn't merely an administrative task—it's a fundamental component of maintaining robust network protection. Your FortiGate's firewall capabilities might be operational, but without valid subscriptions for services like FortiGuard Antivirus, IPS, and Web Filtering, your organization remains exposed to evolving threats. Regular license checks ensure that all subscribed security services are active and up-to-date, providing the comprehensive protection your network infrastructure requires.

This guide synthesizes official documentation and community expertise to provide a clear, actionable roadmap for checking license status across the entire Fortinet product portfolio, from FortiGate and FortiManager to FortiClient EMS and cloud services.

Checking License Status on FortiGate Devices

Graphical User Interface (GUI) Method

The primary dashboard of your FortiGate device provides immediate visibility into your license status. Navigate to System > FortiGuard to view the status of all your subscriptions. This page presents a clear summary, showing each service (Antivirus, IPS, Web Filtering, etc.) alongside its current status and expiration date.

For a more detailed breakdown, including contract specifics and support levels, administrators can navigate to System > Firmware & Config and select the "License Information" tab. Here you'll find comprehensive details including serial number, registration status, and individual service entitlements.

Command Line Interface (CLI) Method

For administrators who prefer terminal access or need to script status checks, the CLI offers powerful, granular commands.

  1. Basic License Overview: Execute the command get system status to view a broad summary, including the device's registration status and FortiGuard contract expiration details.
  2. Detailed License Information: Use exec query licenseinfo to generate a detailed output. This command lists all licensed features, their specific expiration dates, and whether they are currently in a valid, warning (expiring soon), or expired state.
  3. FortiGuard Service Status: Check the specific status of update services with diagnose debug rating. This is crucial for verifying that your device can successfully connect to FortiGuard servers to receive the latest threat intelligence updates.

Centralized Management with FortiManager

FortiManager excels at providing a single-pane-of-glass view for managing licenses across an entire fleet of FortiGate devices, vastly improving efficiency for large deployments.

GUI Method for Fleet Management

  1. Navigate to FortiGuard > Licensing Status. This centralized dashboard displays a table of all managed devices with columns for Device Name, Serial Number, and the status of each major service (Antivirus, IPS, Web Filtering, etc.).
  2. The interface uses an intuitive color-coded system: Green for valid licenses, Orange for licenses expiring soon (typically within 30 days), and Red for expired licenses. You can use the "Hide/Show license expired devices only" toggle to quickly filter for devices requiring immediate attention.
  3. From Device Manager > License, you can perform bulk actions. Hovering over the "FortiGuard Subscription" cell reveals the detailed status of each component, while the "Support Contract" column shows hardware and firmware support levels (e.g., 24/7, 8/5). This tab also allows you to push license updates to selected devices and export the entire license report to CSV or PDF for auditing purposes.

CLI Method on FortiManager

FortiManager's CLI provides direct queries for license data:

  • Use diagnose fmupdate dbcontract to check the FortiGate license contract information stored and synchronized on the FortiManager.
  • The command diagnose fmupdate fds-getobject checks the services received from FortiGuard, which is essential for troubleshooting update issues.

Pro Tip: FortiManager must itself have a valid entitlement file or an active FortiGuard connection to accurately pull and display the license status of the devices it manages.

License Checks for Other Fortinet Products

  • FortiClient EMS: License status is prominently displayed in the Dashboard > Status > License Information widget. EMS clearly differentiates between Unlicensed, Non-expired, and Expired states, with a critical note: a 10-day grace period follows license expiration before endpoints are deregistered.
  • FortiMail Cloud & Similar Services: For cloud-based services, license information is typically found under the Dashboard > Status section within the product's administrative portal. The view generally outlines tenant-specific licenses for features and FortiGuard services.
  • FortiAuthenticator & FortiWeb: These and other appliances follow a similar pattern. Check the System Information or Dashboard section of the GUI. The CLI command get system status is also commonly supported across the Fortinet portfolio for a quick license check.

Proactive License Management and Best Practices

  1. Schedule Regular Audits: Don't wait for expiration warnings. Monthly reviews of your FortiManager Licensing Status page or scheduled CLI script outputs can prevent lapses.
  2. Understand Grace Periods: Products like FortiClient EMS offer a brief grace period post-expiration, but FortiGuard services on FortiGate typically stop updating immediately upon expiration, creating a security gap.
  3. Use Export Features: Regularly use the Export function in FortiManager to generate historical records of your license estate for budgeting, compliance, and renewal planning.
  4. Monitor FortiGuard Connectivity: A valid license is useless if the device cannot reach FortiGuard servers. Periodically verify connectivity to ensure successful retrieval of updates.
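
One way to automate the regular audit described in items 1 and 3, as an added example (not Fortinet code and not part of the original guide): the script classifies license records using the 30-day "expiring soon" window mentioned earlier and treats a blank or malformed expiry date as a finding rather than as valid. The CSV column names, device names, and serial values are constructed assumptions, not the layout of a real FortiManager export.

```python
import csv
import io
from datetime import date

WARNING_DAYS = 30  # "expiring soon" window cited in the guide
SEVERITY = {"expired": 0, "unknown": 1, "expiring": 2, "valid": 3}

# Constructed sample data. The column names are assumptions for this example,
# not the layout of a real FortiManager export; adapt them to your report.
SAMPLE_CSV = """device,serial,service,expires
fw-hq-01,SN-EXAMPLE-0001,Antivirus,2025-09-30
fw-hq-01,SN-EXAMPLE-0001,IPS,2025-02-10
fw-branch-01,SN-EXAMPLE-0002,Web Filtering,2025-01-02
fw-branch-02,SN-EXAMPLE-0003,Antivirus,
fw-branch-02,SN-EXAMPLE-0003,IPS,2025-02-14
"""


def classify(expires, today):
    """Return (state, days_left); a missing date is 'unknown', never 'valid'."""
    if expires is None:
        return "unknown", None
    days_left = (expires - today).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= WARNING_DAYS:
        return "expiring", days_left
    return "valid", days_left


def audit(csv_text, today):
    """Classify every row and return findings sorted most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            expires = date.fromisoformat((row.get("expires") or "").strip())
        except ValueError:
            expires = None  # blank or malformed date: flag it instead of guessing
        state, days_left = classify(expires, today)
        findings.append({"device": row["device"], "service": row["service"],
                         "state": state, "days_left": days_left})
    findings.sort(key=lambda f: (SEVERITY[f["state"]], f["days_left"] or 0))
    return findings


def needs_attention(findings):
    """Everything that is not confirmed valid."""
    return [f for f in findings if f["state"] != "valid"]


if __name__ == "__main__":
    for f in needs_attention(audit(SAMPLE_CSV, date.today())):
        print(f"{f['state']:9} {f['device']:14} {f['service']:14} {f['days_left']}")
```

Run it from a scheduler against each fresh export and alert on any non-empty result from needs_attention().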

Frequently Asked Questions (FAQ)

How often should I check my Fortinet license status?

For most organizations, a monthly check is sufficient for proactive management. However, you should configure email alerts within FortiManager for expiring licenses to receive automatic notifications, typically 30 days before expiration.

What is the difference between a Support Contract and a FortiGuard Subscription?

A Support Contract (displayed as "Support" or "Support Contract") covers technical support from Fortinet, hardware replacement (RMA), and access to firmware updates. A FortiGuard Subscription is a separate license for the dynamic threat intelligence services like Antivirus, IPS, and Web Filtering. Both are critical and have independent expiration dates.

My CLI command isn't returning license details. What should I do?

First, ensure you are using the correct command syntax for your specific FortiOS version. Commands can evolve. Second, verify your administrator account has sufficient privileges (read-write access is typically required). If problems persist, use the diagnose debug commands mentioned earlier to check FortiGuard connectivity, as the device may be unable to communicate with the licensing servers.

What happens immediately when a FortiGuard license expires?

While the core firewall functions continue to operate, the subscription-based security services stop receiving updates. This means your Antivirus will not get new virus definitions, your IPS will lack the latest threat signatures, and your web filtering database will become stale, significantly reducing your protection against new and evolving threats.

Can I check licenses without direct access to each device?

Yes, this is a primary advantage of FortiManager. Once devices are added to its management domain, FortiManager aggregates license status from all managed FortiGate devices, allowing you to monitor your entire fleet from a single centralized console without logging into each unit individually.

Conclusion: Vigilance is Key to Security

Effectively managing your Fortinet licenses is a non-negotiable aspect of maintaining enterprise-grade security. By leveraging the centralized visibility of FortiManager, the scriptable power of the CLI, and the intuitive dashboards across individual products, you can transform license management from a reactive chore into a strategic, proactive process. Regular monitoring ensures that the advanced security you paid for is always active, guarding your network around the clock.