Fortigate VM Evaluation License 15 Days Limitations Explained


Update August 2022: Everything said below is still true, but starting with FortiOS 7.2.1 the process of issuing the evaluation license has changed. So, after reading this article, make sure to read this one as well: Fortigate free VM Evaluation License is now permanent, not limited to 15 days, here is how to get it.

Each Fortigate Virtual Machine (VM) image (until FortiOS 7.2.1) comes with a built-in 15-day evaluation license, which starts the moment you spin up the image in your virtual environment - VMWare ESXi/WorkStation, KVM, GNS3, EVE-NG. Unfortunately, it comes with some limitations you should be aware of, so that you do not waste time trying to debug them. Here is the list.

Note: There is another evaluation license - for 60 days - that you can only get from a Fortinet Account Manager. This license, unlike the 15-day one, has almost NO limitations, and you get a fully functional virtual Fortigate.

Where To Download: You can (legally) download ANY version of the Fortigate VM image from https://support.fortinet.com if you are a Fortinet client, i.e. have a valid support contract. BUT you can always download the LATEST version of the VM image (and only that one) by just registering with an email in FortiCloud; there is no need to be a paying client of Fortinet.

Limitations and their consequences:

  • 1 CPU maximum: for labs, demos and such this is not much of a concern, as you are unlikely to hit this limitation.
  • Memory 1024 Mb max: also, if you are not trying to use the virtual Fortigate for production-level traffic, you are unlikely to hit this memory threshold. Both CPU and memory usage in Fortigate depend on the volume of traffic passing through it. If you pass some 1-10 Mbit/sec in a lab, both will be mostly idle.
  • VDOMs: Only split-VDOM mode is supported, i.e. you can create 1 admin-only VDOM and 1 traffic-only VDOM. This is quite a limited mode and does not approximate the fully featured multi-VDOM mode. You cannot create fully featured VDOMs on this license; only the single default root VDOM is available.
  • 5 Security Rules Maximum: At any given moment, you can have up to 5 security rules present. This is inconvenient, as it forces us to delete some rules in order to add new ones.
  • Crypto - IPSec/SSL/TLS: Low only, which means only DES is enabled as an algorithm. In my view this is the most limiting disabled feature. It means we can create IPsec tunnels with the DES algorithm only, which is actually OK for labbing: IPSec VPN tunnels, including Forticlient dial-up, will come up just fine and we can later run OSPF/BGP over them. But SSL VPN, AppControl, and Web Filtering for HTTPS traffic will not work at all, unless you use some Windows 2000-era browser with such low encryption, and even then it will not work for other reasons. Also, any HTTPS traffic inspection, even certificate-only, is not going to work.
  • HTTPS GUI access for admin: disabled. See above for why, but the result is that you can only access the Fortigate as admin via HTTP, not HTTPS (not a big deal for labs). SSH admin access is fully functional.
  • FortiOS version upgrade: not possible. This one is expected, and not that important.
  • Importing configuration: not possible. Kind of a limitation, but actually not - no one stops you from copying & pasting any configuration on the CLI.
  • Any Fortiguard related services: unavailable. Any subscription-based services like signature updates, Web Filter Category filtering, and DNS filtering will NOT work, as this license does not allow any Fortiguard connection.
  • VIP load balancing to multiple servers: will not work. Virtual IP mapping for a single internal server (the usual static VIP or port forwarding) will work.
  • Clustering (HA): will not work in any form. It does not throw any error on configuring, but the cluster will fail to form. This comes from a mandatory condition for forming a cluster in Fortigate: both Fortigates have to be of the same version and other parameters AND have to have different serial numbers. All VM Fortigate firewalls of the same FortiOS version with the 15-day license will have the same serial number, no matter how many instances you spin up.
  • Connect to the FortiManager/FortiAnalyzer: problematic. Again, because of the low encryption, Fortigate will not be able to use a secured connection to FortiManager/FortiAnalyzer. In older versions we could disable encryption completely; now we can only set it to low, and it still works, but I am not sure about future versions. Try this to lower the encryption level on FortiManager:
config system global
set enc-algorithm low
set fgfm-ssl-protocol tlsv1.0
end

To see what kind of license you have, run get sys stat and/or diag debug vm-print-license.

When this evaluation license expires, there is no need to create a new Fortigate VM - it is enough to factory-reset the virtual Fortigate with exe factoryreset or (if you want to keep IP addressing) exe factoryreset2. This will erase all configuration and reset the evaluation license to 15 days again.

FGT-6-4-4 #  diag debug vm-print-license
SerialNumber: FGVMEVALPP4Z8K78
CreateDate: Tue Feb  9 04:29:06 2021
Evaluation license expires: Wed Feb 24 04:29:06 2021
Model: EVAL (1)
CPU: 1 
MEM: 2048
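
As an added example (not from the original article), the Python sketch below parses the diag debug vm-print-license output shown above, reports how much of the evaluation term is left, and checks captured outputs from several VMs for the duplicate-serial condition that keeps an HA cluster from forming. The function names are hypothetical, and treating a Model value that starts with EVAL as the evaluation marker is an assumption based on this one sample.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: the CLI output shown above, saved as captured text.
SAMPLE = """\
FGT-6-4-4 #  diag debug vm-print-license
SerialNumber: FGVMEVALPP4Z8K78
CreateDate: Tue Feb  9 04:29:06 2021
Evaluation license expires: Wed Feb 24 04:29:06 2021
Model: EVAL (1)
CPU: 1
MEM: 2048
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"


def parse_license(text):
    """Turn 'Key: value' lines into a dict; the prompt line has no colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_time(value):
    # Collapse the padded day ("Feb  9") before parsing.
    return datetime.strptime(" ".join(value.split()), TIME_FMT)


def license_status(text, now):
    """Summarise one capture; 'now' must use the same clock as the VM."""
    f = parse_license(text)
    created = parse_time(f["CreateDate"])
    expires = parse_time(f["Evaluation license expires"])
    return {
        "serial": f["SerialNumber"],
        "is_eval": f.get("Model", "").startswith("EVAL"),  # assumption
        "term_days": (expires - created).days,
        "days_left": max((expires - now).days, 0),
        "expired": now >= expires,
    }


def ha_serial_conflicts(outputs):
    """Serials seen on more than one VM; HA needs them all different."""
    counts = Counter(parse_license(o)["SerialNumber"] for o in outputs)
    return sorted(s for s, n in counts.items() if n > 1)
```

Running ha_serial_conflicts over captures from two evaluation VMs of the same FortiOS version returns the shared serial, which explains a cluster that configures without error but never forms.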

I recorded a video walkthrough of downloading the VM trial image from the Fortinet website as well: yurisk.info/2022/04/13/where-to-download-fortigate-free-trial-vm
