Licensing Options

Overview

The FortiGate autoscale solution supports three distinct licensing models, each optimized for different use cases, cost structures, and operational requirements. You can use a single licensing model or combine them in hybrid configurations for optimal cost efficiency.


Licensing Model Comparison

| Factor | BYOL | FortiFlex | PAYG |
|---|---|---|---|
| Total Cost (12 months) | Lowest | Medium | Highest |
| Upfront Investment | High | Medium | None |
| License Management | Manual (files) | API-driven | None |
| Flexibility | Low | High | Highest |
| Capacity Constraints | Yes (license pool) | Soft (point balance) | None |
| Best For | Long-term, predictable | Variable, flexible | Short-term, simple |
| Setup Complexity | Medium | High | Lowest |

Option 1: BYOL (Bring Your Own License)

Overview

BYOL uses traditional FortiGate-VM license files that you purchase from Fortinet or resellers. The template automates license distribution through S3 bucket storage and Lambda-based assignment.

[Figure: License Directory Structure]

Configuration

asg_license_directory = "asg_license"
asg_byol_asg_min_size = 2
asg_byol_asg_max_size = 4

Directory Structure Requirements

Place BYOL license files in the directory specified by asg_license_directory:

terraform/autoscale_template/
├── terraform.tfvars
├── asg_license/
│   ├── FGVM01-001.lic
│   ├── FGVM01-002.lic
│   ├── FGVM01-003.lic
│   └── FGVM01-004.lic

Automated License Assignment

  1. Terraform uploads .lic files to S3 during terraform apply
  2. Lambda retrieves available licenses when instances launch
  3. DynamoDB tracks assignments to prevent duplicates
  4. Lambda injects license via user-data script
  5. Licenses return to pool when instances terminate

Critical Capacity Planning

Warning

License Pool Exhaustion

Ensure your license directory contains at least as many licenses as asg_byol_asg_max_size.

What happens if licenses are exhausted:

  • New BYOL instances launch but remain unlicensed
  • Unlicensed instances operate at 1 Mbps throughput
  • FortiGuard services will not activate
  • If PAYG ASG is configured, scaling continues using on-demand instances

Recommended: Provision 20% more licenses than max_size
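
The capacity rule above can be checked before running terraform apply. This is an added example, not part of the template: it counts the .lic files against asg_byol_asg_max_size and the recommended 20% buffer. The function names, status labels and the minimal tfvars parser are assumptions, and the sample directory is constructed.

```python
import re
import tempfile
from pathlib import Path

def read_tfvars(text):
    """Parse simple `name = value` lines (quoted strings and integers only)."""
    pairs = re.findall(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(\d+))\s*(?:#.*)?$', text, re.M)
    return {name: int(num) if num else s for name, s, num in pairs}

def check_license_pool(template_dir, buffer_pct=20):
    """Compare the .lic files on disk with the BYOL ASG maximum size."""
    root = Path(template_dir)
    cfg = read_tfvars((root / "terraform.tfvars").read_text())
    max_size = cfg.get("asg_byol_asg_max_size", 0)
    payg_max = cfg.get("asg_ondemand_asg_max_size", 0)
    lic_name = cfg.get("asg_license_directory")
    have = len(list((root / lic_name).glob("*.lic"))) if lic_name else 0
    recommended = (max_size * (100 + buffer_pct) + 99) // 100  # integer ceiling
    if have >= recommended:
        status = "ok"
    elif have >= max_size:
        status = "no-buffer"        # covers max_size but not the 20% margin
    elif payg_max > 0:
        status = "payg-fallback"    # shortfall is absorbed by on-demand instances
    else:
        status = "unlicensed-risk"  # extra instances would run unlicensed at 1 Mbps
    return {"status": status, "have": have, "max_size": max_size,
            "recommended": recommended, "shortfall": max(0, max_size - have)}

def demo(n_licenses, tfvars):
    """Build a constructed template directory and run the check against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "terraform.tfvars").write_text(tfvars)
        (root / "asg_license").mkdir()
        for i in range(1, n_licenses + 1):
            (root / "asg_license" / f"FGVM01-{i:03d}.lic").write_text("constructed\n")
        return check_license_pool(root)

SAMPLE_TFVARS = '''asg_license_directory = "asg_license"
asg_byol_asg_min_size = 2
asg_byol_asg_max_size = 4
'''

if __name__ == "__main__":
    print(demo(4, SAMPLE_TFVARS))
    print(demo(3, SAMPLE_TFVARS + "asg_ondemand_asg_max_size = 4\n"))
```

With the page's example of four license files and a maximum size of 4, the check reports that the pool covers the maximum but leaves no buffer.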

Characteristics

  • ✅ Lowest total cost: Best value for long-term (12+ months)
  • ✅ Predictable costs: Fixed licensing regardless of usage
  • ⚠️ License management: Requires managing physical files
  • ⚠️ Upfront investment: Must purchase licenses in advance

When to Use

  • Long-term production (12+ months)
  • Predictable, steady-state workloads
  • Existing FortiGate BYOL licenses
  • Cost-conscious deployments

Option 2: FortiFlex (Usage-Based Licensing)

Overview

FortiFlex provides consumption-based, API-driven licensing. Points are consumed daily based on configuration, offering flexibility and cost optimization compared to PAYG.

Prerequisites

  1. Register FortiFlex Program via FortiCare
  2. Purchase Point Packs
  3. Create Configurations in FortiFlex portal
  4. Generate API Credentials via IAM

For detailed setup, see Licensing Section.

Configuration

fortiflex_username      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
fortiflex_password      = "xxxxxxxxxxxxxxxxxxxxx"
fortiflex_sn_list       = ["FGVMELTMxxxxxxxx"]
fortiflex_configid_list = ["My_4CPU_Config"]

Warning

FortiFlex Serial Number List - Optional

  • If defined: Use entitlements from specific programs only
  • If omitted: Use any available entitlements with matching configurations

Important: Entitlements must be created manually in FortiFlex portal before deployment.

Obtaining Required Values

1. API Username and Password:

  • Navigate to Services > IAM in FortiCare
  • Create permission profile with FortiFlex Read/Write access
  • Create API user and download credentials
  • Username is UUID in credentials file

2. Serial Number List:

  • Navigate to Services > Assets & Accounts > FortiFlex
  • View your FortiFlex programs
  • Note serial numbers from program details

3. Configuration ID List:

  • In FortiFlex portal, go to Configurations
  • Configuration ID is the Name field you assigned

Match CPU counts:

fgt_instance_type = "c6i.xlarge"  # 4 vCPUs
fortiflex_configid_list = ["My_4CPU_Config"]  # Must match

Warning

Security Best Practice

Never commit FortiFlex credentials to version control. Use:

  • Terraform Cloud sensitive variables
  • AWS Secrets Manager
  • Environment variables: TF_VAR_fortiflex_username
  • HashiCorp Vault
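
One way to enforce this before a commit is to scan tfvars files for FortiFlex credentials set to literal values. This is an added example, not part of the template; the function name and the placeholder rule (values made only of "x" and "-" are treated as documentation placeholders) are assumptions, and the sample inputs are constructed.

```python
import re
import sys

# FortiFlex variables that hold credentials (names from the configuration above).
SECRET_VARS = ("fortiflex_username", "fortiflex_password")
# Match `name = "value"`, including lines that were only commented out:
# a commented-out secret is still in the commit.
ASSIGN = re.compile(r'^\s*(?:#|//)?\s*(\w+)\s*=\s*"([^"]*)"', re.M)

def find_literal_credentials(tfvars_text):
    """Return (variable, line_number) for each credential set to a literal value."""
    findings = []
    for m in ASSIGN.finditer(tfvars_text):
        name, value = m.group(1), m.group(2)
        if name not in SECRET_VARS:
            continue
        # Empty strings and all-"x" placeholders are not secrets.
        if value.strip("x-") == "":
            continue
        line_no = tfvars_text.count("\n", 0, m.start(1)) + 1
        findings.append((name, line_no))
    return findings

# Constructed samples: a file with literal values, and the placeholder template.
SAMPLE_COMMITTED = '''fgt_instance_type = "c6i.xlarge"
fortiflex_username = "0f3c9a6e-constructed-value"
# fortiflex_password = "constructed-not-a-real-secret"
fortiflex_configid_list = ["My_4CPU_Config"]
'''
SAMPLE_TEMPLATE = '''fortiflex_username = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
fortiflex_password = "xxxxxxxxxxxxxxxxxxxxx"
'''

if __name__ == "__main__":
    bad = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for name, line in find_literal_credentials(fh.read()):
                print(f"{path}:{line}: {name} is a literal; set TF_VAR_{name} instead")
                bad += 1
    sys.exit(1 if bad else 0)
```

Run as a pre-commit hook with the staged .tfvars paths as arguments, a non-zero exit blocks the commit.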

Lambda Integration Behavior

At instance launch:

  1. Lambda authenticates to FortiFlex API
  2. Creates new entitlement under specified configuration
  3. Receives and injects license token
  4. Instance activates, point consumption begins

At instance termination:

  1. Lambda calls API to STOP entitlement
  2. Point consumption halts immediately
  3. Entitlement preserved for reactivation

Troubleshooting

Problem: Instances don't activate license

  • Check Lambda CloudWatch logs for API errors
  • Verify FortiFlex portal for failed entitlements
  • Confirm network connectivity to FortiFlex API

Problem: "Insufficient points" error

  • Check point balance in FortiFlex portal
  • Purchase additional point packs
  • Verify configurations use expected CPU counts

Characteristics

  • ✅ Flexible consumption: Pay only for what you use
  • ✅ No license file management: API-driven automation
  • ✅ Lower cost than PAYG: Typically 20-40% less
  • ⚠️ Point-based: Requires monitoring consumption
  • ⚠️ API credentials: Additional security considerations

When to Use

  • Variable workloads with unpredictable scaling
  • Development and testing
  • Short to medium-term (3-12 months)
  • Burst capacity in hybrid architectures

Option 3: PAYG (Pay-As-You-Go)

Overview

PAYG uses AWS Marketplace on-demand instances with licensing included in the hourly EC2 charge.

Configuration

asg_ondemand_asg_min_size = 0
asg_ondemand_asg_max_size = 4
asg_ondemand_asg_desired_size = 0

How It Works

  1. Accept FortiGate-VM AWS Marketplace terms
  2. Lambda launches instances using Marketplace AMI
  3. FortiGate activates automatically via AWS
  4. Hourly licensing cost added to EC2 charge

Characteristics

  • ✅ Simplest option: Zero license management
  • ✅ No upfront commitment: Pay per running hour
  • ✅ Instant availability: No license pool constraints
  • ⚠️ Highest hourly cost: Premium pricing for convenience

When to Use

  • Proof-of-concept and evaluation
  • Very short-term (< 3 months)
  • Burst capacity in hybrid architectures
  • Zero license administration requirement

Cost Comparison Example

Scenario: 2 FortiGate-VM instances (c6i.xlarge, 4 vCPU, UTP) running 24/7

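| Duration | BYOL | FortiFlex | PAYG | Winner |
|---|---|---|---|---|
| 1 month | $2,730 | $1,030 | $1,460 | FortiFlex |
| 3 months | $4,190 | $3,090 | $4,380 | FortiFlex |
| 12 months | $10,760 | $12,360 | $17,520 | BYOL |
| 24 months | $19,520 | $24,720 | $35,040 | BYOL |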

Note: Illustrative costs. Actual pricing varies by term and bundle.


Hybrid Licensing Strategies

Strategy 1: BYOL Baseline + PAYG Burst

# BYOL for baseline
asg_license_directory = "asg_license"
asg_byol_asg_min_size = 2
asg_byol_asg_max_size = 4

# PAYG for burst
asg_ondemand_asg_max_size = 4

Best for: Production with occasional spikes

Strategy 2: FortiFlex Baseline + PAYG Burst

# FortiFlex for flexible baseline
fortiflex_configid_list = ["My_4CPU_Config"]
asg_byol_asg_max_size = 4

# PAYG for burst
asg_ondemand_asg_max_size = 4

Best for: Variable workloads with unpredictable spikes

Strategy 3: All BYOL (Cost-Optimized)

asg_license_directory = "asg_license"
asg_byol_asg_min_size = 2
asg_byol_asg_max_size = 6
asg_ondemand_asg_max_size = 0

Best for: Stable, predictable workloads

Strategy 4: All PAYG (Simplest)

asg_byol_asg_max_size = 0
asg_ondemand_asg_min_size = 2
asg_ondemand_asg_max_size = 8

Best for: POC, short-term, extreme variability


Decision Tree

1. Expected deployment duration?
   ├─ < 3 months → PAYG
   ├─ 3-12 months → FortiFlex or evaluate costs
   └─ > 12 months → BYOL + PAYG burst

2. Workload predictable?
   ├─ Yes, stable → BYOL
   └─ No, variable → FortiFlex or Hybrid

3. Want to manage license files?
   ├─ No → FortiFlex or PAYG
   └─ Yes, for cost savings → BYOL

4. Tolerance for complexity?
   ├─ Low → PAYG
   ├─ Medium → FortiFlex
   └─ High (cost focus) → BYOL

Best Practices

  1. Calculate TCO: Use comparison matrix for your scenario
  2. Start simple: Begin with PAYG for POC, optimize for production
  3. Monitor costs: Track consumption via CloudWatch and FortiFlex reports
  4. Provision buffer: 20% more licenses/entitlements than max_size
  5. Secure credentials: Never commit FortiFlex credentials to git
  6. Test assignment: Verify Lambda logs show successful injection
  7. Plan exhaustion: Configure PAYG burst as safety net
  8. Document strategy: Ensure ops team understands hybrid configs

Next Steps

After configuring licensing, proceed to FortiManager Integration for centralized management.