Dec 16, 2024 · Virtual Machines with usage entitlements require a per-VM unique token to be installed on every VM. These tokens can be injected into the VM ...
Administration Guide
FortiFlex (Formerly Flex-VM) 24.4.1
FORTINET DOCUMENT LIBRARY https://docs.fortinet.com FORTINET VIDEO LIBRARY https://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER SERVICE & SUPPORT https://support.fortinet.com FORTINET TRAINING & CERTIFICATION PROGRAM https://www.fortinet.com/training-certification FORTINET TRAINING INSTITUTE https://training.fortinet.com FORTIGUARD LABS https://www.fortiguard.com END USER LICENSE AGREEMENT https://www.fortinet.com/doc/legal/EULA.pdf FEEDBACK Email: techdoc@fortinet.com
December 16, 2024 FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide 82-244-1092569-20241216
TABLE OF CONTENTS
Change Log Introduction FortiFlex v24.4.1 release information
New features and updates in v24.4.1 API endpoint for points balance Hardware restrictions FortiRecon updates FortiSOAR VM FortiMail VM
Getting started Program requirements Version and feature support Registering FortiFlex FortiFlex Portal Accessing the portal Adding a secondary user Dashboard
Program guide Program renewal Points Prepaid points Postpaid points Point calculation Roll-Over points Service offerings Virtual Machines Hardware Appliances Cloud Services Email notifications Reports Grace periods Program Expiration Negative Points
Deploying FortiFlex Flex Entitlements My Assets Decommissioned units Creating entitlements Injecting the FortiFlex license Confirming the license token is injected Configuring web proxy tunneling for FDN Managing Flex Entitlements Creating a license pool group
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
Fortinet Inc.
5
6
7 7 7 7 7 7 7
8 8 8 10 10 10 11 11
13 13 14 14 15 15 15 16 16 20 21 25 26 28 28 28
29 29 30 31 32 37 41 42 43 47
3
Configurations
47
Creating configurations
48
Configuration details
53
Deployment examples and scripts
66
Manual deployment on KVM
66
Automatic deployments
73
Automation
74
FortiFlex API
74
FortiFlexVM Terraform provider
76
Ansible Collection
76
Tools
77
Points calculator
77
Daily points
78
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
4
Fortinet Inc.
Change Log
Date 2024-12-03 2024-12-06
2024-12-16
Change Description
Initial release.
Updated FortiFlex v24.4.1 release information on page 7, Configuration details on page 53, Service offerings on page 16, Creating VM entitlements on page 32, and Creating a VM configuration on page 48.
Updated FortiFlex v24.4.1 release information on page 7, Configuration details on page 53, Service offerings on page 16, Creating VM entitlements on page 32, Version and feature support on page 8, and Creating a VM configuration on page 48.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
5
Fortinet Inc.
Introduction
FortiFlex allows you to easily manage usage entitlements. You can use the FortiFlex portal to create configurations, generate licensing tokens, and monitor resource consumption in the form of points.
FortiFlex provides a simplified and flexible licensing model for Fortinet products, including hardware, VM, and cloud services:
l VMs and associated services for core solutions, such as FortiGate, FortiManager, FortiAnalyzer, FortiWeb, and FortiADC
l FortiGate hardware services for multiple supported models l SaaS and add-ons, such as FortiWeb Cloud, FortiGate Cloud, FortiSASE, and so on l Endpoint security solutions, such as FortiClient EMS and FortiEDR Cloud
FortiFlex subscribers can create multiple sets of a single entitlement that corresponds to a licensed asset. Resource consumption is based upon predefined points that are calculated on a daily basis (PST/PDT time zone).
Configurations are reusable and can be modified as needed, affecting all entitlements using the given configuration. For example, a customer has a FortiGate-VM configuration with four vCPUs enabled and 10 FortiGate VMs entitled using said configuration. The customer then increases the number of vCPUs in the configuration to eight. Once the changes are applied and pushed to entitlements and licensing servers, the next time the 10 VMs perform a license and entitlement update against the servers, they will receive updated information and apply them locally to enable support to the increased number of vCPUs.
Virtual Machines with usage entitlements require a per-VM unique token to be installed on every VM. These tokens can be injected into the VM once the configurations and vCPU quantities are defined in the FortiFlex portal, and the VMs are deployed on the customer-managed platform in supported clouds and hypervisors.
See the FortiFlex Concept Guide for more information.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
6
Fortinet Inc.
FortiFlex v24.4.1 release information
FortiFlex v24.4.1 release information
New features and updates in v24.4.1
API endpoint for points balance
A new API endpoint has been included to return the point balance for the program.
Hardware restrictions
The hardware restrictions for FortiGate, FortiAP, and FortiSwitch have been removed for existing prepaid accounts. FortiGate, FortiAP, and FortiSwitch hardware is visible by default on the prepaid program. New configurations can then be created for FortiGate, FortiAP, and FortiSwitch hardware in the FortiFlex portal and API. See Points on page 14 and Creating a hardware appliance configuration on page 50.
FortiRecon updates
Restrictions have been added to FortiRecon entitlements pertaining to the number of entitlements allowed and the expiration date. See Service offerings on page 16.
FortiSOAR VM
FortiSOAR Virtual Machine is now available in FortiFlex. See Service offerings on page 16, Version and feature support on page 8, and Configuration details on page 53.
FortiMail VM
FortiMail Virtual Machine is now available in FortiFlex. See Service offerings on page 16 and Configuration details on page 53.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
7
Fortinet Inc.
Getting started
Getting started
Review the following content when getting started with FortiFlex: l Program requirements on page 8 l Registering FortiFlex on page 10 l FortiFlex Portal on page 10
For more information, see the Getting Started guide.
Program requirements
The FortiFlex program requires the following items: l A primary FortiCloud account or IAM user account. l FortiFlex Program SKU (either Enterprise/prepaid or MSSP/postpaid) purchased from Fortinet's resellers and distributors. l FortiFlex Point Pack SKU (only applicable to Enterprise/prepaid) purchased from Fortinet's resellers and distributors.
For more information, see the Getting Started guide.
Version and feature support
FortiFlex is supported in the following Fortinet solutions.
Product support
FortiFlex can be used to create usage entitlements for the following products: l FortiGate-VM 6.4.3 and higher l FortiWeb 7.0.1 and higher l FortiManager 7.2.1 and higher l FortiAnalyzer 7.2.2 and higher l FortiPortal-VM 7.0.3 and higher l FortiADC 7.4.0 and higher l FortiClient EMS 7.2.2 and higher l FortiWeb Cloud 23.3.a and higher l FortiAP (All versions) l FortiSwitch (All versions) l FortiGate-HW (All versions) l FortiSOAR-VM 7.6.1 and above l FortiMail-VM 7.6.2 and above
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
8
Fortinet Inc.
Getting started
Version support
FortiFlex licensed devices are supported in the physical and virtual versions of FortiManager and FortiAnalyzer. l FortiManager 6.4.3 and higher l FortiAnalyzer 6.4.3 and higher
VDOMs
FortiFlex natively supports VDOMs and no longer requires perpetual licenses. FortiFlex supported VDOMs in the following products:
l FortiOS 6.4.9 and higher
VDOM limits
The following includes the maximum VDOM for the Service Bundle depending on the size of the VM:
VM size VM01 VM02 VM04 VM08 VM16 VM32 VMUL
Maximum VDOMs 10 25 50 500 500 500 500
The following includes the maximum VDOM for the A La Carte Service depending on the size of the VM:
VM size VM01 VM02 - VM03 VM04 - VM07 VM08+
Maximum VDOMs 10 25 50 500
FortiToken
FortiToken is supported on FortiFlex FortiGate-VMs.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
9
Fortinet Inc.
Getting started
Registering FortiFlex
FortiFlex is an annual or multi-year contracted program that can be registered through the FortiCloud Asset Management portal. FortiFlex program-related SKUs are available for purchase from Fortinet's resellers and distributors. There may be certain conditions to be eligible to join the program. Consult your Fortinet sales representatives.
To register FortiFlex: 1. Log into your FortiCare account. The Asset Management portal opens. 2. Go to Products > Product List. 3. Click Register More and follow the steps in the registration wizard. 4. Log out of your account after the registration is complete. For information about product registration, see Registering products in Asset Management Administration Guide.
The program begins on the date of registration. It may take up to four hours for the registration to validate in FortiCloud.
To access the FortiFlex portal: 1. Log in to your FortiCare account. The Asset Management portal opens. 2. In the banner, click Services > Assets & Accounts > FortiFlex. To view your FortiFlex license: 1. Log into your FortiCare account. The Asset Management portal opens. 2. Click Account Services.
FortiFlex Portal
The FortiFlex portal allows you to monitor point consumption, configure entitlements, create licensing tokens, and run reports.
Accessing the portal
You can access the FortiFlex portal from the Services menu in Asset Management. The FortiFlex option appears in the Asset & Accounts section when there is a valid FortiFlex license.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
10
Fortinet Inc.
Getting started
Adding a secondary user
The FortiFlex portal supports the Master account in FortiCloud. To add secondary accounts, create an IAM user. For information, see Adding IAM users.
The FortiFlex portal does not support FortiCloud sub user accounts. To grant access to a FortiCloud sub user, migrate the user in the IAM portal. See Migrating sub users.
Dashboard
The Dashboard view provides an overview of activity in your FortiFlex account. Use the dashboard to quickly monitor active and expired virtual machines, as well points consumed.
The Dashboard contains the following monitors:
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
11
Fortinet Inc.
Getting started
Monitor FortiFlex Program Flex Entitlements Summary Points Summary
Point Usage History for Past 30 Days
Description
Displays the program serial number and the program start and end dates.
Displays the number of Active, Stopped and Expired virtual machines.
For Prepaid programs, this field displays the Total Remaining Points and Average Daily Point Usage for Past 30 Days. For Postpaid and Evaluation programs, this field displays the Current Period month and a positive value for the Total Consumed Points in the Period.
Displays the daily point usage for the past thirty days as a chart. Hover over a bar in the chart to see the points used for a specific day.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
12
Fortinet Inc.
Program guide
Program guide
The topics in this section provide information about the FortiFlex program. l Program renewal on page 13 l Points on page 14 l Service offerings on page 16 l Email notifications on page 25 l Reports on page 26 l Grace periods on page 28
Program renewal
When you register a new FortiFlex contract for renewal, you have the option of selecting Auto-extend VM configuration.
This tells FortiFlex to update the expiration date of all VM entitlements that have the Termination Mode set to Follow Program, to the expiration date of the new contract that is being registered.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
13
Fortinet Inc.
Program guide
Points
Resource consumption is based upon predefined points that are calculated on a daily basis (PST/PDT time zone). Points can be purchased in advance or billed on a month basis based on the number of CPUs and service package.
Prepaid points
Prepaid points are available for Enterprise customers. Points are purchased in units of 10,000 and 50,000 points and are deducted on a daily basis based on resource consumption. Unused points can be rolled over upon the program registration anniversary date. See Roll-over points. One account can have only one Prepaid FortiFlex program. Multiple registrations can be performed to extend the existing program period.
FortiFlex Points can also be converted from FortiCloud FortiPoints in the Asset Management portal's Marketplace. This is only available for Prepaid programs at the root account level. See FortiFlex in the FortiCloud Asset Management guide.
New points can be registered at any time during the program contract as long as there is a valid, active FortiFlex prepaid program. If the FortiFlex program is expired, new points cannot be added and all unconsumed points are forfeited after 90 days following the expiration date.
Grace Period for negative points
The negative points grace period is applicable only to Prepaid accounts and is activated whenever the points balances becomes negative. Customers have 90 days to bring the balance back to positive otherwise the account may be
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
14
Fortinet Inc.
Program guide
suspended.
Postpaid points
Points are calculated based on resource consumption and billed on a monthly basis. The detailed payment terms may be specified in your individual purchase agreements. One account can have only one Postpaid FortiFlex program. Multiple registrations can be performed to extend the existing program period.
A FortiFlex account can only accommodate one prepaid program and one postpaid program at the same time.
Point calculation
Points are calculated daily based on PST/PDT time zones. Calculations are based on the number of CPUs and service package. You can change the per-VM entitlements as many time as you like in a day. The largest CPU size and service package for the day will be charged based on the PST/PDT time zone day count. It may take up to three hours for the change to be updated in FortiCloud.
Points are not calculated during a VM entitlement stoppage, even though the VM may still be running on the customermanaged environment.
Roll-Over points
Pre-paid points can be rolled-over on the service registration anniversary date. Unused points will be rolled over to the next year with the following conditions:
Program 12 months
36 months 60 months
Description
l Unused points that existed and were added before the 180th day in the year will be rolled over in half to the next year.
l Unused points that were added on or after the 180th day in the year will be rolled over as the full amount.
l Unused points will be rolled over as the full amount.
l Unused points will be rolled over as the full amount.
Roll-over points do not apply to the post-paid program.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
15
Fortinet Inc.
Program guide
Service offerings
The following table provides an overview of the available service packages:
l Virtual Machines on page 16 l Hardware Appliances on page 20 l Cloud Services on page 21
Virtual Machines
FortiGate Virtual Machine - Service Bundle
For detailed information, see the FortiGateTM Virtual Appliances.
Bundles
FortiCare Premium FortiGuard App Control Service IPS Application Control Advanced Malware Protection URL, DNS, & Video Filtering Anti-spam Service DLP Inline CASB Database AI-based Inline Malware Prevention Attack Surface Security Converter Service
Enterprise Protection
24x7
Unified Threat Protection
24x7
Advanced Threat Protection
24x7
Entitlement Limits
vCPUS
Minimum
1
Maximum
96
Increments
1
VDOMs
VM01
10
VM02 - VM03
25
VM04 - VM07
50
VM08 - VM96
500
FortiCare Only
24x7
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
16
Fortinet Inc.
Program guide
FortiGate Virtual Machine - A La Carte Services
The A La Carte Service package allows you to pick and choose the services you want use.
Service Type FortiGuard Services
Cloud Services Support Services
Services Intrusion Prevention Advanced Malware Protection FortiGuard Attack Surface Security Service FortiGuard OT Security Service DLP AI-Based InLine Sandbox Web, DNS, & Video Filtering FortiConverter Service FortiGate Cloud SD-WAN Underlay FortiAnalyzer Cloud with SOCaaS FortiAnalyzer Cloud SD-WAN Connector for FortiSASE Cloud-based Overlay-as-a-Service FortiCare Premium FortiCare Elite
Entitlement Limits
vCPUS
Minimum
1
Maximum
96
Increments
1
VDOMs
VM01
10
VM02 - VM03
25
VM04 - VM07
50
VM08 - VM96
500
FortiWeb Virtual Machine - Service Bundle
Service type
FortiCare Premium + FortiWeb Security Service IP Reputation
Advanced Bundle Standard Bundle
Enterprise Bundle
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
17
Fortinet Inc.
Program guide
Service type Antivirus FortiSandbox Cloud Service Credential Stuffing Defense Service and Threat Analytics Advanced Bot Protection Data Loss Prevention Service
Advanced Bundle
Standard Bundle
Enterprise Bundle
FortiManager Virtual Machine
The FortiManager Virtual Machine allows you to set the number of managed devices and ADOMs.
Service Type FortiCare Premium support
Included in bundle
Entitlement Limits Devices Minimum Maximum Increments
1 100 000 1
ADOMs Minimum Maximum Increments
0 100 000 1
FortiClient EMS On-Prem
Service Type Support Services
Service Packages
Entitlement Limits All Endpoints Minimum Maximum Increments
25 25 000 1
Services FortiCare Premium FortiCare Best Practice ZTNA/VPN EPP/ATP + ZTNA/VPN Chromebook
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
18
Fortinet Inc.
Program guide
FortiAnalyzer Virtual Machine
The FortiAnalyzer Virtual Machine allows you to set the daily storage (GB) and ADOMs.
Service Type FortiCare Premium support FortiGuard IOC (Indicators Of Compromise) Security Automation Service FortiGuard Outbreak Detection Service
Included in bundle
Entitlement Limits Storage (GB) Minimum Maximum Increments
5 8 300 1
ADOMs Minimum Maximum Increments
0 1 200 1
FortiPortal Virtual Machine
Service Type FortiCare Premium support
Entitlement Limits Devices Minimum Maximum Increments
0 100 000 1
Included in bundle
FortiADC Virtual Machine
Service Package FortiCare Premium Network Security Application Security AI Security
Included in bundle
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
19
Fortinet Inc.
Program guide
FortiSOAR Virtual Machine
Entitlement Limits Prepaid and Postpaid Minimum Maximum
0 (disabled) 1 000
FortiMail Virtual Machine
Entitlement Limits
Quantity of entitlements per
1
account
CPUs
Minimum
1
Maximum
2
Evaluation Minimum Maximum
0 (disabled) 5
Hardware Appliances
FortiGate Hardware
The hardware device is purchased and owned by customers. However, only hardware that does not have any services already attached can be added to FortiFlex. If the hardware has any services attached, contact customer service to detach the services before configuring on FortiFlex.
The Continuous Service Policy is not applicable to FortiFlex entitlements.
Service Type Support Services
Services FortiCare Premium FortiCare Elite FortiCare Elite Upgrade ATP UTP Enterprise
The FortiCare Elite Upgrade can only be combined with one of the FortiGuard Service Bundles (ATP, UTP, or Enterprise).
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
20
Fortinet Inc.
Program guide
FortiAP
Service Type Support Services
Services FortiCare Premium FortiCare Elite
The entitlement must be active for at least 30 days after creation.
FortiSwitch
Service Type Support Services
Services FortiCare Premium FortiCare Elite
The entitlement must be active for at least 30 days after creation.
Cloud Services
FortiWeb Cloud - Private
Service Type Average Throughput Web Applications
Entitlement Limits Throughput Minimum Maximum Increments
10 10 000 25
Services Average throughput measured by the 95th percentile. Number of web applications.
Web Apps Minimum Maximum Increments
1 5 000 1
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
21
Fortinet Inc.
Program guide
FortiWeb Cloud - Public
Service Type Average Throughput Web Applications
Entitlement Limits Throughput Minimum Maximum Increments
10 10 000 25
FortiClient EMS Cloud
Service Type Support Services Service Packages
Entitlement Limits All Endpoints Minimum Maximum Increments
FortiSASE
Service Type Number of users Service Packages
25 25 000 1
Services Average throughput measured by the 95th percentile. Number of web applications.
Web Apps Minimum Maximum Increments
1 5 000 1
Services FortiCare Best Practice ZTNA/VPN ZTNA/VPN + FortiGuard Forensics EPP/ATP + ZTNA/VPN EPP/ATP + ZTNA/VPN + FortiGuard Forensics Chromebook
Services Number of users of the service Standard Advanced
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
22
Fortinet Inc.
Program guide
Service Type
Bandwidth (Mbps) Dedicated IPs Additional Compute Region
Services Comprehensive Total required bandwidth Number of dedicated IP addresses Number of regions
Scaling down this parameter is not supported.
SD-WAN On-Ramp Locations
Number of locations
This parameter is not available for the Standard service package. For the initial configuration, the minimum quantity is two. It can then be incrementally increased.
Entitlement Limits Users
Bandwidth
Minimum Maximum Increments
50 50 000 1
Minimum Maximum Increments
25 10 000 25
Dedicated IP
Minimum Maximum Increments
4 65 534 1
SD-WAN On-Ramp Locations
Minimum
0 (disabled)
Maximum
8
Increments
1
The minimum entitlement term is 90 days after creation. Likewise, when editing an entitlement, the expiration date cannot be less than 90 days. For example, if an entitlement is STOPPED after 91 days and then reactivated, it cannot be STOPPED again for another 90 days.
FortiEDR MSSP
Service Type Service Package
Entitlement Limits Endpoints Minimum Maximum Increments
0 50 000 1
Services Discover/Protect/Respond
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
23
Fortinet Inc.
Program guide
FortiRecon
Entitlement Limits Assets Minimum Maximum Increments Networks Minimum Maximum Increments Executives Minimum Maximum Increments Vendors Minimum Maximum Increments
Evaluation Limits Assets Minimum Maximum Increments Networks Minimum Maximum Increments Executives Minimum Maximum Increments
200 1 000 000 50
0 (Disabled) 100 1
0 (Disabled) 1 000 1
0 (Disabled) 1 000 1
1 100 1
0 (Disabled) 5 1
0 (Disabled) 5 1
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
24
Fortinet Inc.
Program guide
Evaluation Limits Vendors Minimum Maximum Increments
0 (Disabled) 5 1
Only one FortiRecon entitlement can be included in an account. However, two FortiRecon entitlements from different sources, such as a regular contract and FortiFlex, is allowed for migration.
FortiRecon entitlements must be active for at least 90 straight days. When creating a new entitlement, the expiration date cannot be less than 90 days from the date of creation. When editing an entitlement, the expiration date cannot be less than 90 days from the last date the entitlement was ACTIVE.
FortiSIEM Cloud
Entitlement Limits
Compute Units
Minimum
10
Maximum
600
Increments
10
Online Storage Minimum Maximum Increments
500 GB 60 000 GB 500 GB
Archive Storage Minimum Maximum Increments
0 GB 60 000 GB 500 GB
Email notifications
Email notifications are sent to provide updates on the current status of registered FortiFlex programs and points balances. When certain conditions are triggered, an email is sent by FortiFlex to notify you of the event that triggered the email. Emails are sent from noreply@fortinet.com.
Email notification types include:
Notification Type Low Balance
Description
This email is used to notify users that the current point balance is less than the average consumption in the last 30 days multiplied by the number of days until it runs out. The email is triggered if the points balance is not high enough to maintain the current average points consumption for 90, 60, 30, 15, or seven days. This email is part of the Pre-paid program.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
25
Fortinet Inc.
Program guide Notification Type
Negative Balance Program Anniversary Program End Program Expired
Description
For example, if the average points consumption in the last 30 days is 1000 points per day, FortiFlex will anticipate that the same average points consumption rate will be maintained for the next 90 days (1000 points per day * 90 days = 90 000 points consumed). However, if the current points balance is less than 90 000, FortiFlex will send an email alert to notify users that the points will run out in 90 days time.
This email is used to notify users when the point balance becomes negative. This email is part of the Pre-paid program.
This email is used to mark how many days are left until the anniversary of program registration. The email is sent when there are 60, 30, 21, 15, seven, and three days left until the anniversary. This email is part of the Pre-paid program.
This email is used to notify users when the expiry of the program is approaching. The email is sent when there are 90, 60, 30, 21, 15, seven, and three days left until the program expires. This email is part of the Pre-paid and Post-paid programs.
This email is used to notify users about how many days have passed since the program expired. The email is sent when three, seven, 11, 15, 21, 26, and 30 days have passed since the program expired. This email is part of the Pre-paid and Post-paid programs.
Reports
The Reports tab contains the Point Usage Summary, Point Usage Detail, and Point Pack Summary. You can run a report for a specified time period, and then export it as a CSV, XLXS, or XML file.
To run the Point Usage Summary: 1. Go to Reports > Point Usage Summary. 2. Select the Period and Account. The Consumed Points Breakdown is displayed.
3. Select the product type. The breakdown of point usage for that product time in displayed.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
26
Fortinet Inc.
Program guide 4. Select a date. The Point Usage Detail for that date is displayed.
To run the Point Usage Detail Report:
1. Go to Reports > Point Usage Detail. 2. Select the desired filters.
The Start Date cannot be more than 90 days ago. If FortiFlex is used in an Organization, the OU/Account dropdown menu will show options based on the user's permission scope. When in the root account, all accessible accounts will be displayed. When in a member account, only the current account will be displayed.
3. Click View Report. The report results are displayed.
4. (Optional) Right-click the report and click Export to download the report as a CSV or XLSX file. To view the Point Pack Summary: 1. Go Reports > Point Pack Summary.
The FortiFlex point licenses that were registered are displayed. If there are no point packs registered, the report will be empty.
2. (Optional) Right-click the report, and click Export to download the report as a CSV or XLSX file.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
27
Fortinet Inc.
Program guide
Grace periods
FortiFlex provides two types of 90-day grace periods, Program Expiration and Negative Points.
Program Expiration
This grace period is triggered when the FortiFlex program reaches the expiration date and it is applicable for both Prepaid and Postpaid programs. During the Program Expiration grace period, all entitlements with Termination Mode set to Follow Program will have their FortiGuard expiration date set to 90 days after the original expiration date. This is to avoid service stoppage, allowing the user to renew the program to recover from the grace period. It is important to highlight that during this period, the entitlement will still show as expired in the FortiCloud Asset Management portal, but internally FortiGuard will grant an extra 90 days on top. The extended expiration data will only be visible from within product's UI or through CLI commands. The Program Expiration grace period also plays a key role on the Prepaid program unused points. If the account has unused points, these points will be kept as valid in the account, as long as the program is renewed within the grace period but will be 100% forfeited if the grace period ends and program remains expired.
Negative Points
This grace period is only applicable to the Prepaid program, and it is triggered when the remaining points balance becomes negative. FortiFlex allows points to be consumed as negative for up to 90 days and points true up will automatically happen whenever new points packs are added. When the points balance becomes positive again, then the FortiFlex program will leave the grace period. If the points balance remains negative after the grace period has ended, then all active entitlements will be stopped, and the user will be unable to use FortiFlex until the points balance becomes positive. To buy additional points packs, please contact your Fortinet Inc. sales representative.
During any of the two grace periods, creating and updating entitlements is not allowed, and only existing active entitlements remain working. Points deduction will continue normally.
It is also possible that a given account hits both grace periods at the same time, where the user must fix both conditions in order to get the account out of the grace period restrictions.
If the FortiCloud account has the Asset Groups feature enabled, make sure to register the FortiFlex contract renewal under the same Asset Group and User Group where the FortiFlex service is registered to avoid the creation of a new FortiFlex SN, instead of renewing the existing one. See Asset groups in the FortiCloud Asset Management guide for more information.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
28
Fortinet Inc.
Deploying FortiFlex
Deploying FortiFlex
To deploy FortiFlex, create a configuration and use it to create a new entitlement. After the entitlement is created, inject the licensing token into the virtual machine. This will trigger the offering to download the corresponding license file.
To deploy FortiFlex: 1. Creating configurations on page 48. 2. Creating entitlements on page 32. 3. Inject the FortiFlex license. 4. Monitor the points consumed. 5. Run reports to manage points and serial numbers. This section includes the following information:
l Flex Entitlements on page 29 l Configurations on page 47 l Deployment examples and scripts on page 66
Flex Entitlements
Use the Flex Entitlements page to create and manage license entitlements which are consumed via the license tokens. You can also disable compromised license entitlements or change the configuration. You can change the entitlement scope by either editing the associated configuration or by migrating the token to another configuration. An entitlement can only be linked to a single configuration.
A License Token is a one-time code used to activate an instance. A new token must be regenerated if the instance needs to be re-activated. See Managing Flex Entitlements on page 43.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
29
Fortinet Inc.
Deploying FortiFlex
The table displays the following information:
Serial Number License File Token
Configuration Description Termination Date Status
The serial numbers generated when you configure an instance.
The available License File Tokens that can be injected into a VM to leverage consumption entitlements.
The VM configuration assigned to the serial number.
The description of the entitlement you entered when the service was created.
The expiry date for the token. The token can be stopped, edited, or reactivated.
The status of the entitlement. l PENDING: The entitlement is created but not activated. The service is not being charged for daily consumption. l ACTIVE: The entitlement is activated and the service is being charged for daily consumption (PST/PDT time zone). l ACTIVE: The entitlement is in use. l STOPPED: When the entitlement is stopped for the entire day, the VM will not be charged for the day. l EXPIRED: The entitlement has exceeded the Termination Date. l GRACE_PERIOD: The entitlement is ACTIVE but has a negative balance or a program expiration that has triggered the activation of the grace period. Once all grace period events have been cleared, it may take a full day for the status to change back from GRACE_PERIOD to ACTIVE.
PENDING, ACTIVE, and STOPPED entitlements can be edited to update the Configuration and Description. PENDING and ACTIVE entitlements can also be edited to have a new Termination Date.
My Assets
The My Assets view shows the Asset Folders assigned to an entitlement. You will only see the asset folders you have permission to view. Asset folders are created in the Asset Management portal. FortiFlex only shows services inside each folder except for when creating new services. For information about creating Asset Folders in Asset Management, see Asset Management > Creating custom views.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
30
Fortinet Inc.
Deploying FortiFlex
Asset folder permissions
Asset folder permissions are assigned in the Identity & Access Management (IAM) portal. For more information about Asset Folder permissions, see Identity & Access Management (IAM) > Asset and portal permissions.
You can use an asset folder to request the next available serial number with the API. See Creating a license pool group on page 47.
Decommissioned units
The Decommissioned Units view shows the serial numbers that were decommissioned in the Asset Management portal. When decommissioning an active serial number in the Asset Management portal, you must stop the entitlement before it can be decommissioned. Attempting to decommission the serial number while it is still active will return an error. See Managing Flex Entitlements on page 43 for information on stopping entitlements. For information about decommissioning units in Asset Management, see Asset Management > Viewing decommissioned units.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
31
Fortinet Inc.
Deploying FortiFlex
Creating entitlements
Entitlements can be created for virtual machines (VMs), hardware devices, and cloud services. The program requires a positive point balance to create entitlements. This section includes:
l Creating VM entitlements on page 32 l Creating hardware device entitlements on page 34 l Creating Cloud service entitlements on page 36
Creating VM entitlements
Create a VM entitlement to be used with various VM products, including FortiGate-VM or FortiWeb-VM.
When you create a VM on FortiFlex the consumption for the VM starts when the entitlement is activated for the first time. All newly created entitlements will be set to PENDING and will be changed to ACTIVE when the entitlement is activated by the VM instance, which triggers the start of charges.
You cannot add purchased VMs or pre-existing Trial or Evaluation services to FortiFlex. You must create a new VM entitlement.
Once the license entitlement becomes ACTIVE, it will remain active until: l The expiration date is reached, or l The user manually stops the entitlement through the FortiFlex UI or API.
FortiFlex does not monitor VM instance status, meaning it does not know if a VM instance is up or down, therefore it cannot automatically determine if a license entitlement should be active or stopped. It is the user's responsibility to manage the status of all license entitlements created in the FortiFlex platform.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
32
Fortinet Inc.
Deploying FortiFlex
To create a VM entitlement: 1. Go to Flex Entitlements, and click New Flex Entitlement. The Add Flex Entitlement(s) page opens.
2. Configure the VM Entitlement.
Product Type
Configuration Number of Flex Entitlements Description Termination Mode Asset Folder
Select one of the following service bundles from the dropdown: l FortiGate Virtual Machine - Service Bundle l FortiGate Virtual Machine - A La Carte Services l FortiWeb Virtual Machine - Service Bundle l FortiManager Virtual Machine l FortiClient EMS On-Prem l FortiAnalyzer Virtual Machine l FortiPortal Virtual Machine l FortiADC Virtual Machine l FortiSOAR Virtual Machine l FortiMail Virtual Machine
For information about the product types, see Service offerings on page 16.
Select a VM configuration from the list. See Creating a VM configuration on page 48.
Enter the number of entitlements. See Creating a VM configuration on page 48.
Enter a description of the VM.
l Select Follow Program to terminate the machine when the program expires.
l Select User Defined, and select a date in the calendar to specify the termination date.
Assign the VM to a folder in My Assets. For more information about Asset Folders, see Asset Management > Creating custom views.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
33
Fortinet Inc.
Deploying FortiFlex
You can use an asset folder to request the next available serial number with the API. See Creating a license pool group on page 47.
Skip PENDING status and activate the entitlement(s) immediately
Select this option to immediately set you VM entitlement to ACTIVE instead of PENDING upon creation.
3. Click Next. 4. Review the Flex Entitlement Details and Program Information, and click Submit.
The Serial Numbers(s) are displayed.
Creating hardware device entitlements
Create a hardware device entitlement to be used with FortiGate products. License tokens are not applicable for hardware devices.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
34
Fortinet Inc.
Deploying FortiFlex
To create a hardware device entitlement: 1. Go to Flex Entitlements, and click New Flex Entitlement. The Add Flex Entitlement(s) page opens.
2. Configure the hardware entitlement.
Product Type
Configuration Termination Mode Serial Numbers
Select one of the following service bundles from the dropdown: l FortiGate Hardware l FortiAP l FortiSwitch
For information about the product types, see Service offerings on page 16.
Select a configuration from the list. See Creating a hardware appliance configuration on page 50.
l Select Follow Program to terminate the machine when the program expires.
l Select User Defined, and select a date in the calendar to specify the termination date.
Enter the device serial numbers.
3. Click Next. 4. Review the Flex Entitlement Details and Program Information, and click Submit.
Points start to be consumed on the same day even though your managed hardware may still not be running.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
35
Fortinet Inc.
Deploying FortiFlex
Creating Cloud service entitlements
Create a Cloud service entitlement to be used with various products, including FortiWeb Cloud or FortiSASE. License tokens are not applicable for Cloud services.
You cannot add purchased Cloud services or pre-existing Trial or Evaluation services to FortiFlex. You must create a new Cloud service entitlement.
To create a Cloud service entitlement: 1. Go to Flex Entitlements, and click New Flex Entitlement. The Add Flex Entitlement(s) page opens.
2. Configure the Cloud entitlement.
Product Type
Configuration Number of Flex Entitlements Description Termination Mode Asset Folder
Select one of the following service bundles from the dropdown: l FortiWeb Cloud l FortiClient EMS Cloud l FortiSASE l FortiEDR MSSP l FortiRecon l FortiSIEM Cloud
For information about the product types, see Service offerings on page 16.
Select a configuration from the list. See Creating a Cloud service configuration on page 52.
Enter the number of entitlements. See Creating a Cloud service configuration on page 52.
Enter a description.
l Select Follow Program to terminate the machine when the program expires.
l Select User Defined, and select a date in the calendar to specify the termination date.
Assign the service to a folder in My Assets.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
36
Fortinet Inc.
Deploying FortiFlex
For more information about Asset Folders, see Asset Management > Creating custom views.
You can use an asset folder to request the next available serial number with the API. See Creating a license pool group on page 47.
3. Click Next. 4. Review the Flex Entitlement Details and Program Information, and click Submit.
Injecting the FortiFlex license
Each FortiFlex entitlement has an associated license token that is automatically generated upon creation. To activate an entitlement, the license token must be injected into the target solution. You can inject a FortiFlex license into a VM instance via the CLI or during the VM bootstrapping via Cloud-Init (KVM) or OVF template (ESXi).
The commands execute vm-license-options count and execute vm-licenseoptions interval allow for the customization of license token activation retry parameters. See VM license in the FortiOS Administration Guide for more information.
Requisites:
l Create the VM configuration
Injecting the FortiFlex license consists of the following steps:
1. Ensure that the VM has Internet connectivity properly configured. 2. Inject the FortiFlex License Token into the VM using one of the following methods:
l CLI l OVF Template (FGT-64VM only) l Cloud-init l FortiOS API 3. Confirm that the license token is injected 4. Configuring web proxy tunneling for FDN
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
37
Fortinet Inc.
Deploying FortiFlex
Review specific product documentation information for more information on license token injection in the Fortinet Document Library.
FortiFlex License Activation Workflow
Inject a FortiFlex license with the CLI
For general virtual machine targets, such as FortiGate VM, the token can be inject with the execute vm-license command.
To inject a FortiFlex license with the FortiFlex CLI: To inject a FortiFlex license into a VM instance with the CLI: execute vm-license <license_token> Example: exec vm-license 58923569A3FFB7F46879
To inject a FortiFlex license via web proxy: execute vm-license <license_token> <proxy>
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
38
Fortinet Inc.
Deploying FortiFlex
The following are examples of the syntax for <proxy>: http://user:password@proxyip:proxyport user:password@proxyip:proxyport The following shows examples for each command: exec vm-license 58923569A3FFB7F46879 http://qa:123456@10.1.100.74:8080 exec vm-license 95D87F50C075C6F20EE7 hazel:123456@10.1.100.74:8080
Inject a license token with an OVF template
The custom OVF template contains a License Token and Configuration URL fields where a bootstrap configuration for the FortiGate is stored.
This option is only available for VMware vCenter.
To inject a license token with a custom OVF template: 1. Create a new FGT-VM64 from the vCenter web UI with the extracted files in FGT_VM64-v7-buildxxxx-
FORTINET.out.ovf.zip. 2. Deploy an OVF Template. 3. In the Customize template step:
a. Enter the License Token in the License Token field. b. Enter the Configuration URL in the Configuration URL field.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
39
Fortinet Inc.
Deploying FortiFlex
4. Restart the VM instance. After the FGT-VM64 is started, it will activate VM license and load the configuration automatically
Inject a FortiFlex license via cloud-init
The following are the MIME files that you can use to inject a FortiFlex license into a FortiGate-VM instance using cloudinit. See cloud-init Documentation for details.
FortiGate-VMs can be deployed into Proxmox using cloud-init and a FortiFlex token. See the Proxmox Administration Guide for more information.
Configuration information for the FortiGate-VM
Content-Type: multipart/mixed; boundary="===============0740947994048919689==" MIME-Version: 1.0 --===============0740947994048919689== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="config" config sys glo set hostname FGT-MSSP-MIME set admintimeout 480 end ......
License token information
--===============0740947994048919689== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
40
Fortinet Inc.
Deploying FortiFlex
Content-Disposition: attachment; filename="license" LICENSE-TOKEN:FF69500C90C1604F71EE --===============0740947994048919689==--
Injecting with the FortiOS API
The FortiOS API method is useful for automating the migration of existing FortiGate-VM instances into FortiFlex. The FortiFlex API and documentation are available on the Fortinet Developer Network website.
Example: Inject a license via HTTP method:
<user_email>:~# curl -k --request POST 'http://<IP_ address>/api/v2/monitor/system/vmlicense/download?token=<token_ID>&access_token=<access_ token>' {
"http_method":"POST", "status":"success", "http_status":200, "vdom":"root", "path":"system", "name":"vmlicense", "action":"download", "serial":"<serial_number>", "version":"v7.2.0", "build":1157
Example: Inject a license via proxy URL:
<user_email>:~# curl -k --request POST 'https://<IP_ address>/api/v2/monitor/system/vmlicense/download?token=<token_ID>&proxy_url=<proxy_ URL>&access_token=<token>' {
"http_method":"POST", "status":"success", "http_status":200, "vdom":"root", "path":"system", "name":"vmlicense", "action":"download", "serial":"<serial_number>", "version":"v7.2.0", "build":1157 }<user_email>:~#
Confirming the license token is injected
To confirm that the license token is injected:
diagnose debug cloudinit show >> Checking metadata source ovf >> Found metadata source: ovf >> Trying to install vmlicense ... >> License-token:95D87F50C075C6F20EE7 http://qa:123456@10.1.100.74:8080 >> Config script is not available
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
41
Fortinet Inc.
Deploying FortiFlex
get system status Version: FortiGate-VM64 v7.0.4,build0292,220115 (interim) Serial-Number: FGVMMLTM111111
Configuring web proxy tunneling for FDN
After the FortiFlex license has been installed, the FortiGate-VM must validate the license on FDN servers. You can also configure a proxy to accomplish this.
To configure web proxy tunneling for FDN:
config system autoupdate tunneling set status enable set address "<web proxy IP address or FQDN>" set port <web proxy port> set username "<username>" set password <password>
end
It may take a while for FortiGate-VM to be able to validate the VM license and update UTP signatures from FortiGuard.
The following shows the output from get system status when the FortiGate-VM has completed the validation and update:
Version: FortiGate-VM64 v7.0.4,build0292,220115 (interim) Virus-DB: 89.08825(2022-01-18 21:26) Extended DB: 89.08825(2022-01-18 21:26) Extreme DB: 1.00000(2018-04-09 18:07) AV AI/ML Model: 2.04168(2022-01-18 18:45) IPS-DB: 6.00741(2015-12-01 02:30) IPS-ETDB: 19.00243(2022-01-18 01:30) APP-DB: 19.00243(2022-01-18 01:30) INDUSTRIAL-DB: 19.00243(2022-01-18 01:30) IPS Malicious URL Database: 3.00246(2022-01-18 20:50) Serial-Number: FGVMMLTM111111 License Status: Valid License Expiration Date: 2022-10-31 VM Resources: 1 CPU/2 allowed, 2007 MB RAM Log hard disk: Available Hostname: FGT-DEMO Private Encryption: Disable Operation Mode: NAT Current virtual domain: root Max number of virtual domains: 1 Virtual domains status: 1 in NAT mode, 0 in TP mode Virtual domain configuration: disable FIPS-CC mode: disable Current HA mode: standalone Branch point: 0292 Release Version Information: interim FortiOS x86-64: Yes System time: Tue Jan 18 21:46:36 2022 Last reboot reason: warm reboot
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
42
Fortinet Inc.
Deploying FortiFlex
Managing Flex Entitlements
You can stop and regenerate a license token if it is stolen or compromised. After the token is regenerated, it must be reinjected into your VM to revoke the old token. You can also export a list of tokens to parse them in scripts.
Modifying FortiGate-VM configurations
We recommend rebooting the FortiGate-VM after you change the configuration. To verify the configuration is in effect, run the following CLI command: get system status
l A reboot is required if you are lowering the vCPU size. l A reboot is recommended when adding more vCPU.
If you do not want to reboot the VM, run the following CLI command: exec cpu add X
Where X is the number of vCPU to be hot-added on top of the existing number.
Example: A reboot is not required if the FortiGate-VM currently consumes 4 vCPUs out of the entitled 16 vCPUs which can be seen as VM Resources: 4 CPU/16 Allowed in the get system status output, and you run exec cpu add 12 to consume 12 more vCPUs.
Starting in FortiOS 7.2.4, vCPU changes in the FortiFlex licenses are automatically handled by the FortiGate-VM instances. Running exec cpu add X is no longer required if you are running FortiOS v7.2.4.
Managing entitlemtents
To stop a VM Entitlement: 1. Go to Flex Entitlements, and click the serial number you want to stop. 2. Click Stop. The Stop VM Entitlement dialog opens.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
43
Fortinet Inc.
Deploying FortiFlex
3. Click Confirm. The VM status changes to STOPPED. Point consumption will stop from the next day even while your managed VM may be still running.
To stop multiple VM entitlements: 1. Go to Flex Entitlements. 2. Select the entitlements you want to stop. The Stop button is displayed.
You can only perform bulk entitlement actions for serial numbers that are the same product type. Use the column filters to filter for a specific product Serial Number or Product Type.
3. Click Stop. A confirmation message is displayed. 4. Click Confirm.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
44
Fortinet Inc.
Deploying FortiFlex
To reactivate a VM Entitlement: 1. Go to Flex Entitlements and click a serial number with a status of STOPPED. 2. Click Reactivate. The Virtual Machine Details page opens.
3. (Optional) Modify the VM Entitlement details.
4. Click Submit. The serial number Status changes to Active. Point consumption will restart from the day you make this change even though you may still have not rerun your managed VM.
To reactivate multiple VM entitlements: 1. Go to Flex Entitlements. 2. Select the entitlements you want to reactivate. The Reactivate button is displayed.
You can only perform bulk entitlement actions for serial numbers that are the same product type. Use the column filters to filter for a specific product Serial Number or Product Type.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
45
Fortinet Inc.
Deploying FortiFlex
3. Click Reactivate. A confirmation message is displayed. 4. Select the Termination Mode.
If you select User Defined, select the Program the Expiration Date.
5. Click Confirm. To export a list of serial numbers and tokens: 1. Go to Flex Entitlements. 2. Right-click the table, and click Export. 3. Select CSV Export, Excel Export (xlsx), or Excel Export (.xml). The file is saved to your computer.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
46
Fortinet Inc.
Deploying FortiFlex
Creating a license pool group
A license pool group allows you to request the next available serial number in the pool. When a VM is decommissioned, the license is returned to the pool.
Requirements:
l Access to Asset Management l Fortinet Developer Network membership
To create a license pool group:
1. In Asset Management, create an Asset Folder for the asset pool group. See Creating custom views. 2. Create a VM Entitlement and select a folder for the group. See, Creating entitlements on page 32. 3. Use the Virtual Machines API to create and add a folderpath to the asset folder in My Assets. 4. Create a new endpoint to return the group information. 5. Create a new endpoint to return the next available token.
Configurations
The Configurations tab is used to create and manage configurations. Configurations are used to define a template for entitlement creation and consumption. It defines the product form factor and type, the capacity or sizing, and associated service packages. You can create and modify configurations as required, while also being able to examine its details, associated entitlements, and history. A configuration can be linked to multiple entitlements at once. The scope defined by a configuration applies to all entitlements using that configuration. Any changes to a configuration affect all entitlements tied to that configuration. Configurations can be in two states: active or disabled. Entitlements using a disabled configuration are not able to consume points. However, disabled configurations can be reactivated. See Creating configurations on page 48.
When you disable a configuration, the entitlements that are using the configuration are no longer entitled to consume points. Use caution when disabling configurations or stopping entitlements, as this will impact the performance of the virtual machines, devices, or services. Disabled configurations can be re-enabled. Enabled Show Disabled Configurations to include disabled configurations in the Configurations list.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
47
Fortinet Inc.
Deploying FortiFlex
Creating configurations
Create configurations to be used in VM, hardware device, and cloud service entitlements. This section includes:
l Creating a VM configuration on page 48 l Creating a hardware appliance configuration on page 50 l Creating a Cloud service configuration on page 52
Creating a VM configuration
Specify the number of vCPUs and service package to use in a VM entitlement. See Creating VM entitlements on page 32.
To create a VM configuration:
1. Go to Configurations, and click New Configuration. 2. In the Configuration Details page, set the configuration details and click Next.
Name
Enter a configuration name.
The configuration name is a label and not the identifier of the configuration. Changes to the name do not affect any references to the given configuration, which is referred to by its configuration ID. However, you cannot have two configurations with the same name.
Form Factor Product Type
Virtual Machines
Select one of the following options: l FortiGate Virtual Machine - Service Bundle l FortiGate Virtual Machine - A La Carte Services l FortiWeb Virtual Machine - Service Bundle l FortiManager Virtual Machine
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
48
Fortinet Inc.
Deploying FortiFlex
l FortiClient EMS On-Prem l FortiAnalyzer Virtual Machine l FortiPortal Virtual Machine l FortiADC Virtual Machine l FortiSOAR Virtual Machine l FortiMail Virtual Machine For information, see Service offerings on page 16.
3. In the Configuration Setup page, set the service details and click Next. For more information, see Configuration details on page 53.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
49
Fortinet Inc.
Deploying FortiFlex 4. Review the configuration details, and click Submit.
5. Click List to view the configuration in the Configurations tab.
Creating a hardware appliance configuration
Specify the device model and service package to use in a hardware device entitlement. See Creating hardware device entitlements on page 34.
To create a hardware appliance configuration:
1. Go to Configurations, and click New Configuration. 2. In the Configuration Details page, set the configuration details and click Next.
Name
Enter a configuration name.
The configuration name is a label and not the identifier of the configuration. Changes to the name do not affect any references to the given configuration, which is referred to by its configuration ID. However, you cannot have two configurations with the same name.
Form Factor Product Type
Hardware Appliances
Select the following option: l FortiGate Hardware l FortiAP l FortiSwitch
For information, see Service offerings on page 16.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
50
Fortinet Inc.
Deploying FortiFlex
3. In the Configuration Setup page, set the service details and click Next. For more information, see Configuration details on page 53.
4. Review the configuration details, and click Submit. 5. Click List to view the configuration in the Configurations tab.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
51
Fortinet Inc.
Deploying FortiFlex
Creating a Cloud service configuration
Specify the users, endpoints, service package, and bandwidth for a Cloud service entitlement. See Creating Cloud service entitlements on page 36.
To create a Cloud service configuration:
1. Go to Configurations, and click New Configuration. 2. In the Configuration Details page, set the configuration details and click Next.
Name
Enter a configuration name.
The configuration name is a label and not the identifier of the configuration. Changes to the name do not affect any references to the given configuration, which is referred to by its configuration ID. However, you cannot have two configurations with the same name.
Form Factor Product Type
Cloud Services
Select one of the following options: l FortiWeb Cloud l FortiClient EMS Cloud l FortiSASE l FortiEDR MSSP l FortiRecon l FortiSIEM Cloud
For information, see Service offerings on page 16.
3. In the Configuration Setup page, set the service details and click Next. For more information, see Configuration details on page 53.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
52
Fortinet Inc.
Deploying FortiFlex 4. Review the configuration details, and click Submit.
5. Click List to view the configuration in the Configurations tab.
Configuration details
This topic includes configuration details of the following: l Virtual Machines on page 53 l Hardware Appliances on page 57 l Cloud Services on page 64
Virtual Machines
FortiGate Virtual Machine - Service Bundle
Number of CPUs Service Package
Virtual Domains
Enter the number of CPUs.
Select one of the following options: l FortiCare Premium l UTP l Enterprise l ATP
Enter the number of virtual domains.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
53
Fortinet Inc.
Deploying FortiFlex
FortiGuard Services
Cloud Services
Support Services Number of Flex Entitlements
Select from the following options: l Advanced Malware Protection l AI-Based In-line Sandbox l FortiGuard OT Security Service l FortiGuard DLP l FortiGuard Attack Surface Security Service l FortiConverter Service
Select from the following options: l FortiGate Cloud Management l SD-WAN Underlay l SOCaaS l FortiAnalyzer Cloud l Cloud-based Overlay-as-a-Service l SD-WAN Connector for FortiSASE
Select one of the following options: l FC Elite Upgrade
Enter the number of FortiFlex entitlements.
FortiGate Virtual Machine - A La Carte Services
Number of CPUs FortiGuard Services
Cloud Services
Support Services Virtual Domains
Enter the number of CPUs.
Select from the following options: l Intrusion Prevention l Advanced Malware Protection l FortiGuard Attack Surface Security Service l FortiGuard OT Security Service l DLP l AI-Based InLine Sandbox l Web, DNS & Video Filtering l FortiConverter Service
Select from the following options: l FortiGate Cloud l SD-WAN Underlay l FortiAnalyzer Cloud with SOCaaS l FortiAnalyzer Cloud l SD-WAN Connector for FortiSASE l Cloud-based Overlay-as-a-Service
Select one of the following options: l FortiCare Premium l FortiCare Elite
Enter the number of Virtual Domains.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
54
Fortinet Inc.
Deploying FortiFlex
The FortiGate VM will report two Virtual Domains (VDOMs) due to its native ability to create an admin VDOM. The number of VDOMs added in FortiFlex is in addition to these two VDOMs. For example, if you add one VDOM in FortiFlex, the VM will report three VDOMs.
Number of Flex Entitlements Enter the number of FortiFlex entitlements.
FortiWeb Virtual Machine - Service Bundle
Number of CPUs Service Package
Number of Flex Entitlements
Select the number of CPUs from the dropdown.
Select the service package: l Standard l Advanced l Enterprise
Enter the number of FortiFlex entitlements.
FortiManager Virtual Machine
Number of managed devices Number of ADOMs
Enter the number of managed devices. Enter the number of ADOMs.
FortiManager comes with a base of five ADOMs, per a normal subscription. Therefore, the number of ADOMs is additional to this base. For example, if you add one ADOM in FortiFlex, the FortiManager VM is capable of six.
Number of Flex Entitlements Enter the number of FortiFlex entitlements.
After creating an entitlement which contains any of the Cloud Services, you can refer to the following on-boarding guides for further instructions:
l FortiGate Cloud l FortiManager Cloud l FortiAnalyzer Cloud
FortiClient EMS On-Prem
ZTNA/VPN EPP/ATP + ZTNA/VPN Chromebook Support Services
Enter the number of endpoints. Enter the number of endpoints. Enter the number of endpoints. Select a support service:
l FortiCare Premium
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
55
Fortinet Inc.
Deploying FortiFlex
Addons Number of Flex Entitlements
Select an add on: l FortiCare Best Practice
Enter the number of FortiFlex entitlements.
FortiAnalyzer Virtual Machine
Daily Storage (GB) Number of ADOMs
Use the toggle to set the select the number of GB of daily storage. Use the toggle to set the select the number of ADOMS.
FortiAnalyzer comes with a base of five ADOMs, per a normal subscription. Therefore, the number of ADOMs is additional to this base. For example, if you add one ADOM in FortiFlex, the FortiAnalyzer VM is capable of six.
Support Services Addons Number of Flex Entitlements
Select a support service: l FortiCare Premium
Select an add on: l OT Security Service l Attack Surface Security Surface
Enter the number of FortiFlex entitlements.
FortiAnalyzer comes with IOC, the Security Automation Service, and the FortiGuard Outbreak Detection Service. These additional services cannot be detached or purchased a-la-carte.
FortiPortal Virtual Machine
Number of managed devices Number of Flex Entitlements
Use the toggle to set the select the number of managed devices. Enter the number of FortiFlex entitlements.
FortiADC Virtual Machine
Number of CPUs Service Package
Number of Flex Entitlements
Select the number of CPUs from the dropdown.
Select the service package from the dropdown: l FortiCare Premium l Network Security l Application Security l AI Security
Enter the number of FortiFlex entitlements.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
56
Fortinet Inc.
Deploying FortiFlex
FortiSOAR Virtual Machine
Service Package
Additional Users License Add ons
Select the service package from the dropdown: l Enterprise Edition l Multi Tenant Edition - Manager l Multi Tenant Edition - Tenant Node - Single User l Multi Tenant Edition - Tenant Node - Multi User
Enter the number of additional user licenses.
Select an add on: l Threat Intelligence Management
This option is unavailable if the service package is Multi Tenant Edition - Tenant Node - Single User.
FortiMail Virtual Machine
Number of CPUs Service Package
Add ons
Select the number of CPUs from the dropdown.
Select the service package from the dropdown: l Base Bundle l ATP Bundle
Select an add on: l Advanced Management l Dynamic Content Analysis l Cloud Email API Integration l Email Continuity
Add ons are disabled if only one CPU is selected.
Hardware Appliances FortiGate Hardware
Device Model
Select one of the device models from the dropdown: l FortiWifi-30E l FortiWifi-40F l FortiWifi-40F-3G4G l FortiWifi-50E l FortiWifi-50E-2R
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
57
Fortinet Inc.
Deploying FortiFlex
l FortiWifi-51E l FortiWifi-50G-DSL l FortiWifi-50G-SFP l FortiWifi-60E l FortiWfi-60E-DSL l FortiWifi-60E-DSLJ l FortiWifi-60F l FortiWifi-61E l FortiWifi-61F l FortiWifi-80F-2R l FortiWifi-80F-2R-3G4G-DSL l FortiWifi-81F-2R l FortiWifi-81F-2R-3G4G-DSL l FortiWifi-81F-2R-3G4G-PoE l FortiWifi-81F-2R-POE l FortiGateRugged-35D l FortiGateRugged-60F l FortiGateRugged-60F-3G4G l FortiGateRugged-70F l FortiGateRugged-70F-3G4G l FortiGate-30E l FortiGate-30E-3G4G-GBL l FortiGate-40F l FortiGate-40F-3G4G l FortiGate-50E l FortiGate-50G-DSL l FortiGate-50G-SFP l FortiGate-50G-SFP-PoE l FortiGate-51E l FortiGate-51G-SFP-PoE l FortiGate-60E l FortiGate-60E-DSL l FortiGate-60E-DSLJ l FortiGate-60E-POE l FortiGate-60F l FortiGate-61E l FortiGate-61F l FortiGate-70F l FortiGate-71F l FortiGate-80E l FortiGate-80E-POE
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
58
Fortinet Inc.
Deploying FortiFlex
l FortiGate-80F l FortiGate-80F-PoE l FortiGate-80F-Bypass l FortiGate-80F-DSL l FortiGate-81E l FortiGate-81E-POE l FortiGate-81F l FortiGate-81F-PoE l FortiGate-90E l FortiGate-90G l FortiGate-91E l FortiGate-91G l FortiGate-100E l FortiGate-100EF l FortiGate-100F l FortiGate-101E l FortiGate-101F l FortiGate-120G l FortiGate-121G l FortiGate-140E-POE l FortiGate-200E l FortiGate-200F l FortiGate-200G l FortiGate-201E l FortiGate-201F l FortiGate-201G l FortiGate-300E l FortiGate-301E l FortiGate-400E l FortiGate-400E-BYPASS l FortiGate-400F l FortiGate-401E l FortiGate-401E-DC l FortiGate-401F l FortiGate-500E l FortiGate-501E l FortiGate-600E l FortiGate-600F l FortiGate-601E l FortiGate-601F l FortiGate-900G
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
59
Fortinet Inc.
Deploying FortiFlex
l FortiGate-901G l FortiGate-1000F l FortiGate-1001F l FortiGate-1100E l FortiGate-1100E-DC l FortiGate-1101E l FortiGate-1800F l FortiGate-1800F-DC l FortiGate-1801F l FortiGate-1801F-DC l FortiGate-2000E l FortiGate-2200E l FortiGate-2201E l FortiGate-2500E l FortiGate-2600F l FortiGate-2600F-DC l FortiGate-2601F l FortiGate-2601F-DC l FortiGate-3000F l FortiGate-3000F-DC l FortiGate-3001F l FortiGate-3001F0DC l FortiGate-3200F l FortiGate-3201F l FortiGate-3300E l FortiGate-3301E l FortiGate-3400E l FortiGate-3400E-DC l FortiGate-3500F l FortiGate-3501F l FortiGate-3600E l FortiGate-3600E-DC l FortiGate-3601E l FortiGate-3700F l FortiGate-3701F l FortiGate-3960E l FortiGate-3960E-DC l FortiGate-3980E l FortiGate-3980E-DC l FortiGate-4200F l FortiGate-4200F-DC
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
60
Fortinet Inc.
Deploying FortiFlex
Service Package Addons
Number of Flex Entitlements
l FortiGate-4400F l FortiGate-4400F-DC l FortiGate-4401F l FortiGate-4800F l FortiGate-4800F-DC l FortiGate-4801F l FortiGate-4801F-DC
Select one of the following options: l FortiCare Essential l FortiCare Premium l FortiCare Elite l ATP l UTP l Enterprise
Select an add on: l FortiCare Elite Upgrade l FortiGate Cloud Management l AI-Based In-line Sandbox l SD-WAN Underlay l FortiGuard DLP l FortiAnalyzer Cloud l SOCaaS l Managed FortiGate l SD-WAN Connector for FortiSASE l FortiConverter Service l FortiGuard OT Security Service l SD-WAN Overlay-as-a-Service
Enter the number of FortiFlex entitlements.
Hardware entitlements cannot be applied to a hardware FortiGate with an active license. You must either:
l Wait for the FortiGate to expire and then apply the FortiFlex license. There is a 48-hour grace period after the license expires where security subscriptions and FortiGuard will continue to work.
l Request Customer Service to de-register the device. This option does not grant the 48hour grace period. Once it is de-registered, the FortiGate will be unable to receive security updates or utilize FortiGuard services.
FortiAP
Device Model
Select one of the device models from the dropdown: l FortiAP-23JF
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
61
Fortinet Inc.
Deploying FortiFlex
Service Package Addons
FortiSwitch
Device Model
l FortiAP-221E l FortiAP-222E l FortiAP-223E l FortiAP-224E l FortiAP-231E l FortiAP-231F l FortiAP-231G l FortiAP-233G l FortiAP-234F l FortiAP-234G l FortiAP-431F l FortiAP-431G l FortiAP-432F l FortiAP-432FR l FortiAP-432G l FortiAP-433F l FortiAP-433G l FortiAP-441K l FortiAP-443K l FortiAP-831F l FortiAP-U231F l FortiAP-U234F l FortiAP-U422EV l FortiAP-U431F l FortiAP-U432F l FortiAP-U433F
Select one of the following options: l FortiCare Premium l FortiCare Elite
Select an add on: l FortiSASE Cloud Managed AP
Select one of the device models from the dropdown: l FortiSwitch-108E l FortiSwitch-108E-FPOE l FortiSwitch-108E-POE l FortiSwitch-108F l FortiSwitch-108F-FPOE l FortiSwitch-108F-POE l FortiSwitch-110G-FPOE
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
62
Fortinet Inc.
Deploying FortiFlex
l FortiSwitch-124E l FortiSwitch-124E-FPOE l FortiSwitch-124E-POE l FortiSwitch-124F l FortiSwitch-124F-FPOE l FortiSwitch-124F-POE l FortiSwitch-148E l FortiSwitch-148E-POE l FortiSwitch-148F l FortiSwitch-148F-FPOE l FortiSwitch-148F-POE l FortiSwitch-224D-FPOE l FortiSwitch-224E l FortiSwitch-224E-POE l FortiSwitch-248D l FortiSwitch-248E-FPOE l FortiSwitch-248E-POE l FortiSwitch-424D l FortiSwitch-424D-FPOE l FortiSwitch-424D-POE l FortiSwitch-424E l FortiSwitch-424E-FPOE l FortiSwitch-424E-Fiber l FortiSwitch-424E-POE l FortiSwitch-448D l FortiSwitch-448D-POE l FortiSwitch-448E l FortiSwitch-448E-FPOE l FortiSwitch-448E-POE l FortiSwitch-524D l FortiSwitch-524D-FPOE l FortiSwitch-548D l FortiSwitch-548D-FPOE l FortiSwitch-624F l FortiSwitch-624F-FPOE l FortiSwitch-648F l FortiSwitch-648F-FPOE l FortiSwitch-1024D l FortiSwitch-1024E l FortiSwitch-1048D l FortiSwitch-1048E
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
63
Fortinet Inc.
Deploying FortiFlex
Service Package
l FortiSwitch-2048F l FortiSwitch-3032D l FortiSwitch-3032E l FortiSwitch-M426E-FPOE l FortiSwitch-T1024E l FortiSwitchRugged-112D-POE l FortiSwitchRugged-124D l FortiSwitchRugged-216F-POE l FortiSwitchRugged-424F-POE
Select one of the following options: l FortiCare Premium l FortiCare Elite
Cloud Services FortiWeb Cloud - Private
Average Throughput Web Applications
Select average throughput measured by the 95th percentile from the dropdown, between 10 Mbps to 10 Gbps.
Enter the number of web applications, between 1 and 5000.
FortiWeb Cloud - Public
Average Throughput Web Applications
Select average throughput measured by the 95th percentile from the dropdown, between 10 Mbps to 10 Gbps.
Enter the number of web applications, between 1 and 5000.
FortiClient EMS Cloud
ZTNA/VPN ZTNA/VPN + FortiGuard Forensics EPP/ATP + ZTNA/VPN EPP/ATP + ZTNA/VPN + FortiGuard Forensics Chromebook Addons
Number of Flex Entitlements
Enter the number of endpoints. Enter the number of endpoints.
Enter the number of endpoints. Enter the number of endpoints.
Enter the number of endpoints. Select an add on:
l FortiCare Best Practice Enter the number of FortiFlex entitlements.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
64
Fortinet Inc.
Deploying FortiFlex
FortiSASE
Number of users Service Package
Bandwidth (Mbps) Dedicated IPs Additional Compute Region
Enter the number of users. Select a service package:
l Standard l Advanced l Comprehensive
Enter amount of bandwidth required. Enter the number of dedicated IP addresses. Enter the number of regions.
Scaling down this parameter is not supported.
SD-WAN On-Ramp Locations Enter the number of locations.
FortiEDR MSSP
Service Package Addons
Select a service package: l Discover/Protect/Respond
Select an add on: l XDR
The number of EDR and XDR endpoints will be the same when creating a configuration.
FortiRecon
Service Package
Number of Monitored Assets Internal Attack Surface Monitoring Executive Monitoring Vendor Monitoring
Select a service package: l External Attack Surface Monitoring l External Attack Surface Monitoring & Brand Protect l External Attack Surface Monitoring & Brand Protect & Adversary Centric Intelligence
Enter the number of monitored assets. Enter the number of networks.
Enter the number of executives. Enter the number of vendors.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
65
Fortinet Inc.
Deploying FortiFlex
FortiSIEM Cloud
Number of Compute Units Additional Online Storage Archive Storage
Enter the number of compute units. Enter the amount of additional online storage. Enter the amount of archive storage.
You cannot scale down Additional Online Storage and Archive Storage.
Deployment examples and scripts
The following section provides an example of a manual deployment for KVM as well as links to sample scripts to automate deployments for KVM.
l Manual deployment on KVM on page 66 l Automatic deployments on page 73
Manual deployment on KVM
Activate a FortiGate VM using a FortiFlex license. FortiFlex allows for adhoc license via its portal.
Step 1. Create the FortiFlex configuration.
To create a FortiFlex configuration: 1. Open the FortiFlex portal. 2. Go to Configurations and click New configuration.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
66
Fortinet Inc.
Deploying FortiFlex 3. In the Configuration Details page, enter a name for the configuration and the product type and click Next.
4. Set the configuration values and click Next.
5. On the Review configuration page, click Submit.
The configuration is complete.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
67
Fortinet Inc.
Deploying FortiFlex
Step 2. Create the license entitlement
To create a license entitlement: 1. Go to VM Entitlements and click New VM Entitlement. 2. In the VM Entitlement Details page, from the Configuration list, select the configuration you created in Step 1 and
click Next.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
68
Fortinet Inc.
Deploying FortiFlex 3. On the Confirmation page, click Submit.
The license entitlement is created. The serial number is displayed under Generated Serial Number(s).
4. Go to VM Entitlements and search for the Serial Number you generated. Click the Serial Number to view the Product details.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
69
Fortinet Inc.
Deploying FortiFlex 5. In the Details page, copy the License File Token. You will need this token to activate the FortiGate VM instance.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
70
Fortinet Inc.
Deploying FortiFlex
Step 3: Configure the VM
To configure the VM: 1. Open the KVM host which has already deployed the FortiGate VM and connect to it.
2. Confirm the VM is connected to the Internet.
3. Activate the license with the following command: execute vm-license <license_token>
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
71
Fortinet Inc.
Deploying FortiFlex
4. When prompted enter y to allow the VM to reboot to activate the new license. The VM reboots and the license is validated against the FortiGaurd servers.
5. To confirm the license and configuration, run the following command: get system status
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
72
Fortinet Inc.
Deploying FortiFlex
Automatic deployments
Customers with access to Orchestrator tools can the use FortiFlex API to automate the FortiGate deployment and activation.
Automatic deployment on KVM
Automate the FortiGate deployment and activation on HyperVisor using a python script and the KVM cloud-init capabilities. A Python script with examples of the basic calls for the FortiFlex API is available in the Fortinet Developer Network (FNDN). To view the script, log in to FNDN and search for the following article: Sample Python Script for Flex-VM API.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
73
Fortinet Inc.
Automation
Automation
The topics in this section provide information about automation and the FortiFlex API: l FortiFlex API on page 74 l FortiFlexVM Terraform provider on page 76 l Ansible Collection on page 76
FortiFlex API
Instead of making changes to your FortiFlex objects in the FortiCloud portal, you can automate tasks, such as creating VMs and entitlements, with an API when integrating with cloud orchestration platforms.
FortiFlex API information can also be found on the Fortinet Developer Network along with sample Python script.
When implementing the FortiFlex API, you can follow this general process: 1. Create an API user. 2. Acquire the API token. 3. Run API calls against the FortiFlex portal to view, create, or modify objects.
Before you begin, ensure that you have a FortiCloud account and have FortiFlex activated.
To create an API user: 1. Go to https://support.fortinet.com. 2. Go to Services > IAM. 3. Create an active permission profile that includes the FortiFlex portal. See Creating a permission profile in the
Identity & Access Management (IAM) guide.
Actions that involve changing or creating data, such as creating a new configuration or updating a VM, will require read and write permissions or above.
4. Create an API user with the permission profile from the previous step applied. See Adding an API user in the Identity & Access Management (IAM) guide.
5. Click Download Credentials and set a password. A CSV file with the API user's credentials is downloaded that can only be opened with the password. See Adding an API user in the Identity & Access Management (IAM) guide.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
74
Fortinet Inc.
Automation
Downloading API user credentials will reset the user's security credentials each time you perform this action. Any previous password will become invalid.
To acquire the API token: 1. Open the Postman app.
The Postman API Toolkit can be found at https://www.postman.com. FortiFlex Postman collections can also be found on GitHub.
2. Click Create a request. 3. Enter the following information:
Method URL
POST https://customerapiauth.fortinet.com/api/v1/oauth/token/
4. Click Body. 5. Select raw and JSON. 6. Enter the following content:
{ "username":"<username of your API user>", "password":"<password of your API user>", "client_id":"flexvm", "grant_type":"password"
}
7. Click Send. If authentication is successful, you should receive a 200 response code with the following information: l access_token: The API token that will be used to run API calls against the FortiFlex portal. l expires_in: The token expiration time in seconds. The default value is 1440 seconds.
8. Copy the access_token value.
To run API calls:
1. Click on the + to open a new tab in the Postman app. 2. Click Authorization. 3. Set Type to Bearer Token. 4. Paste the access_token value in the Token field.
The URL for the API calls is https://support.fortinet.com.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
75
Fortinet Inc.
Automation
FortiFlexVM Terraform provider
The FortiFlexVM Terraform provider is used to interact with the resources supported by FortiFlexVM. The provider must be configured with the proper credentials before it can be used. See the FortiFlexVM Documentation on the Terraform Registry for information on available resources, data sources, and so on.
The FortiFlexVM provider requires: l A FortiCloud account. l FortiFlex registered. l An API token. See FortiFlex API on page 74.
Ansible Collection
The FortiFlex Ansible Collection can be used to run playbooks to interact with FortiFlex. The FortiFlex Ansible Collection can be found on GitHub and Ansible Galaxy. See the Ansible Galaxy FortiFlexVM Collection Documentation for more information on using Ansible Galaxy, running a playbook, available modules, and so on.
You can get support from the Fortinet Inc. Technical Assistance Center or from the community engineering team by filing an issue in the GitHub issues page. For support with common Ansible issues, you can get support from the Ansible community.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
76
Fortinet Inc.
Tools
Tools
The topics in this section provide information about the points calculator tool: l Points calculator on page 77 l Daily points on page 78
The points calculator in the FortiFlex portal should be used to calculate points consumption for existing FortiFlex programs only. It should not be used for new deals.
Points calculator
Use the points calculator to calculate how many points will be consumed before you create a new configuration.
The points calculator can be found in the Tools > Points Calculator page, on the Fortinet Developer Network (https://fndn.fortinet.net/index.php?/tools/fortiflex/) or accessed through an API endpoint. Accessing the calculator through an API endpoint provides the current price, latest price, and effective date for the latest price.
To calculate points for a configuration:
1. Go to Tools > Points Calculator. 2. From the list select on of the following options.
l FortiGate Virtual Machine - Service Bundle l FortiGate Virtual Machine - A La Carte Services l FortiWeb Virtual Machine - Service Bundle l FortiManager Virtual Machine l FortiClient EMS On-Prem l FortiAnalyzer Virtual Machine l FortiPortal Virtual Machine l FortiADC Virtual Machine l FortiGate Hardware l FortiAP l FortiSwitch l FortiWeb Cloud - Private l FortiClient EMS Cloud l FortiSASE l FortiEDR-MSSP l FortiRecon
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
77
Fortinet Inc.
Tools l FortiSIEM Cloud
3. Configure the instance based on the service you selected. The configuration settings will vary depending on the service. For more information, see Service offerings on page 16
4. From the number of Number of VMs dropdown, select the number of VMs. 5. Click Calculate. The number of points is displayed.
The Daily Points may display both current and latest pricing. See Daily points on page 78 for more information.
Daily points
When the daily rates of a product are updated, the Daily Points will display both the Current Pricing and Latest Pricing for the points calculator:
l Current Pricing: Displays the daily point cost for the total entitlements configured. This is calculated using the fixed ratings from when the program was registered. This fixed rating is valid for up to one year and is not subject to fluctuations in program ratings.
l Latest Pricing (as of YYYY-MM-DD): Displays the cost based on the latest pricing as of the date that the points calculator tool is used. This rate is the new rate that will be applied to the configured entitlements after the next anniversary date, beginning on the date displayed. This rate is an estimate based on current rates and is subject to fluctuations.
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
78
Fortinet Inc.
Tools
FortiFlex (Formerly Flex-VM) 24.4.1 Administration Guide
79
Fortinet Inc.
www.fortinet.com
Copyright© 2024 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's Chief Legal Officer, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
madbuild