Each FortiGate Virtual Machine (VM) image comes with a built-in 15-day evaluation license that starts the moment you boot the image in your virtual environment (VMware ESXi/Workstation, KVM, GNS3, EVE-NG). Unfortunately, it comes with limitations you should know about before you waste time trying to debug them. Here is the list.
Note: There is another evaluation license, for 60 days, that you can only get from a Fortinet account manager. Unlike the 15-day one, it has almost NO limitations, and you get a fully functional virtual FortiGate.
Note: You can only (legally) download the FortiGate VM image from https://support.fortinet.com, and to register there you HAVE to be a Fortinet customer, i.e. hold a valid support contract.
Limitations and their consequences:
- 1 CPU maximum: not much of a concern for labs and demos, as you are unlikely to hit this limit.
- Memory 2048 MB maximum (the MEM: 2048 value reported by the license printout at the end of this post): again, unless you push production-level traffic through the virtual FortiGate, you are unlikely to hit this threshold. Both CPU and memory usage on a FortiGate depend on the traffic volume passing through it; at the 1-10 Mbit/s typical of a lab, both stay mostly idle.
- VDOMs: only split-task VDOM mode is supported, i.e. one management-only VDOM and one traffic-only VDOM. This is a limited mode that does not approximate fully featured multi-VDOM mode: you cannot create any additional VDOMs on this license, and without split-task mode only the default root VDOM is available.
- 5 firewall policies maximum: at any given moment you can have at most 5 security rules configured. This is inconvenient, as it forces you to delete existing rules in order to add new ones.
- Crypto (IPsec/SSL/TLS): low-grade encryption only, meaning DES is the only cipher available. In my view this is the most limiting restriction. IPsec tunnels, including FortiClient dial-up, will come up with a DES proposal, which is acceptable for labbing (DES offers no real protection and must never be used outside a lab), and you can run OSPF/BGP over the tunnels afterwards. But SSL VPN, Application Control and Web Filtering for HTTPS traffic will not work at all, unless you use some Windows 2000-era browser that still accepts such weak ciphers, and even then they will fail for other reasons. Likewise, any HTTPS inspection, even certificate-only inspection, is not going to work.
- HTTPS GUI access for admins: disabled. See above for why; the result is that you can only reach the FortiGate GUI over HTTP, not HTTPS (not a big deal for labs). SSH admin access is fully functional.
- FortiOS version upgrade: not possible. This one is expected, and not that important.
- Importing a configuration file: not possible. Hardly a limitation in practice, since nothing stops you from pasting the configuration into the CLI.
- FortiGuard services: unavailable. Any subscription-based service, such as signature updates, Web Filter category filtering or DNS filtering, will NOT work, because this license does not permit any FortiGuard connection.
- VIP load balancing to multiple servers: will not work. Virtual IP mapping to a single internal server (the usual static VIP or port forwarding) will work.
- Clustering (HA): will not work in any form. No error is thrown when you configure it, but the cluster will fail to form. This follows from a mandatory condition for forming a FortiGate cluster: both units must run the same FortiOS version (and match on other parameters) AND must have different serial numbers, and every VM FortiGate of the same FortiOS version running the 15-day license reports the same serial number, no matter how many instances you spin up.
- Connecting to FortiManager/FortiAnalyzer: problematic. Again, because of the low-grade encryption, the FortiGate cannot use a properly secured connection to FortiManager/FortiAnalyzer. In older versions we could disable encryption completely; now we can only set it to low, which still works, though I am not sure about future versions. Try this on the FortiManager to lower the encryption level:
    config system global
        set enc-algorithm low
        set fgfm-ssl-protocol tlsv1.0
    end
To see what kind of license you have, run get sys stat and/or diag debug vm-print-license. An evaluation license shows Model: EVAL and a serial number starting with FGVMEVAL, as in the output below.
When this evaluation license expires, there is no need to create a new FortiGate VM: it is enough to factory-reset the virtual FortiGate with exe factoryreset, or with exe factoryreset2 if you want to keep the interface IP addressing. This erases all configuration and resets the evaluation license to 15 days again.
    FGT-6-4-4 # diag debug vm-print-license
    SerialNumber: FGVMEVALPP4Z8K78
    CreateDate: Tue Feb 9 04:29:06 2021
    Evaluation license expires: Wed Feb 24 04:29:06 2021
    Model: EVAL (1)
    CPU: 1
    MEM: 2048
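As an added example (not from the original post and not Fortinet's code), here is a small Python script that parses the diag debug vm-print-license printout shown above, computes how many days of the 15-day window are left, and checks a set of lab units for the shared-serial problem that prevents HA from forming. The sample printouts are constructed from the output on this page; the second unit is an assumed second instance of the same image booted a day later, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample printouts. The field layout and the serial follow the
# 'diag debug vm-print-license' output shown on this page; UNIT_B is an
# assumed second instance of the same image, booted one day later, which
# (as the post explains) reports the very same serial number.
UNIT_A = """\
SerialNumber: FGVMEVALPP4Z8K78
CreateDate: Tue Feb  9 04:29:06 2021
Evaluation license expires: Wed Feb 24 04:29:06 2021
Model: EVAL (1)
CPU: 1
MEM: 2048
"""
UNIT_B = UNIT_A.replace("Tue Feb  9", "Wed Feb 10").replace("Wed Feb 24", "Thu Feb 25")

# Dates are printed in ctime-like form, e.g. "Tue Feb  9 04:29:06 2021".
_DATE_FMT = "%a %b %d %H:%M:%S %Y"
_DATE_RE = r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"

# Per-field regexes, searched rather than split by line, so the parser also
# copes with a printout that was flattened onto a single line (as in a log
# or a copy-paste) and with the double space before a one-digit day.
_PATTERNS = {
    "serial":  r"SerialNumber:\s*(\S+)",
    "created": r"CreateDate:\s*" + _DATE_RE,
    "expires": r"license expires:\s*" + _DATE_RE,
    "model":   r"Model:\s*(\S+)",
    "cpu":     r"CPU:\s*(\d+)",
    "mem_mb":  r"MEM:\s*(\d+)",
}


def parse_vm_license(text):
    """Parse one printout into a dict; raise ValueError if a field is missing."""
    info = {}
    for name, pattern in _PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {name!r} not found in license printout")
        info[name] = match.group(1)
    info["created"] = datetime.strptime(info["created"], _DATE_FMT)
    info["expires"] = datetime.strptime(info["expires"], _DATE_FMT)
    info["cpu"] = int(info["cpu"])
    info["mem_mb"] = int(info["mem_mb"])
    return info


def is_evaluation(info):
    """True for the built-in trial license (Model EVAL, serial FGVMEVAL...)."""
    return info["model"] == "EVAL" or info["serial"].startswith("FGVMEVAL")


def days_remaining(info, now=None):
    """Whole days until the license expires; negative once it has expired."""
    now = now or datetime.now()
    return (info["expires"] - now).days


def ha_serial_conflicts(infos):
    """Serials reported by more than one unit: HA cannot form between those units."""
    counts = {}
    for info in infos:
        counts[info["serial"]] = counts.get(info["serial"], 0) + 1
    return sorted(serial for serial, n in counts.items() if n > 1)


def lab_report(printouts, now=None):
    """One status line per unit, followed by any HA blockers found."""
    infos = [parse_vm_license(p) for p in printouts]
    lines = []
    for info in infos:
        kind = "evaluation" if is_evaluation(info) else "licensed"
        left = days_remaining(info, now)
        state = f"{left} day(s) left" if left >= 0 else f"expired {-left} day(s) ago"
        lines.append(f"{info['serial']}: {kind}, {info['cpu']} CPU, "
                     f"{info['mem_mb']} MB, {state}")
    for serial in ha_serial_conflicts(infos):
        lines.append(f"HA blocker: serial {serial} is shared by more than one unit")
    return lines


if __name__ == "__main__":
    # Evaluate the two constructed units as of 20 Feb 2021.
    for line in lab_report([UNIT_A, UNIT_B], now=datetime(2021, 2, 20)):
        print(line)
```

In a real lab you would feed lab_report() the text captured from each unit's SSH session; if the report lists an HA blocker, the fix is not more configuration but a different license, exactly as the HA item above explains.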