FortiFlex Workshop

Real-World Scenario: CloudSecure Solutions MSSP Challenge

Company: CloudSecure Solutions - A mid-sized MSSP serving 150+ enterprise customers

The Challenge: CloudSecure Solutions was struggling with their traditional Fortinet licensing model. Their customers had varying security needs that changed seasonally - retail customers needed additional protection during holiday seasons, financial services required scaling during quarterly reporting, and manufacturing clients had project-based security requirements.

Pain Points:

Procurement Delays: Traditional licensing required 2-4 weeks lead time, missing customer opportunities
Over-provisioning Costs: Customers paid for peak capacity year-round, leading to 40% waste during low-usage periods
Manual Provisioning: Each new customer deployment required manual license allocation, taking 3-5 business days
Billing Complexity: Monthly reconciliation across different license types and customer usage patterns consumed 20+ hours of administrative work

The FortiFlex Solution: With FortiFlex’s usage-based licensing and API-driven automation, CloudSecure Solutions transformed their operations:

Instant Provisioning: New customer deployments automated down to 15 minutes
Cost Optimization: Customers now pay only for actual usage, reducing costs by 35%
Automated Scaling: Seasonal traffic handled automatically without manual intervention
Streamlined Billing: API integration with their billing system reduced admin overhead by 80%

Workshop Goal: Learn how to implement FortiFlex to solve similar challenges in your organization through hands-on experience with both manual operations and API automation.

CTF Quiz Example

** TO BE REPLACED WITH YOUR OWN CONTENT **

1. Introduction

Welcome to Public Cloud 105: FortiFlex & FortiCloud Organizations

In this workshop, we’ll explore the FortiFlex feature set. We will show examples and limitations of the Organizations capabilities. Finally, we’ll explore FortiFlex entitlements within an Org structure and provide examples of the FortiFlex API.

Learning Objectives

Lean how FortiFlex can simplify Fortinet Product Licensing across much of the product portfolio
Discover FortiCloud Organizations basic terminology and concepts
Understand how FortiFlex operates in a single & multi-tenant environment
Learn how to use the FortiFlex API to manage configurations and entitlements

Primary Use Cases

Enterprises
- prepaid/flexible licensing
MSSP
- FortiFlex PAY-as-you-Go licensing for customers and/or offered in MSSP Marketplaces
- Partner/Enterprise/Customer Consolidation & Organization of (FortiCloud Accounts, Users, and Assets)
FortiSASE

Learning Objectives & Workshop Components

By the end of this workshop, you will be able to:

Understand FortiFlex Architecture
- Explain the difference between traditional licensing and usage-based billing
- Identify key FortiFlex components and their relationships
- Navigate the FortiFlex WebUI effectively
Manual FortiFlex Operations
- Create and manage FortiFlex configurations
- Entitle devices through the WebUI
- Modify entitlements to match changing requirements
- Monitor usage and costs
API-Driven Automation
- Use the FortiFlex API with Postman
- Create configurations and entitlements programmatically
- Implement serverless automation triggers
- Integrate FortiFlex with existing workflows
FinOps Best Practices
- Optimize costs through usage-based scaling
- Implement automated provisioning workflows
- Monitor and report on license utilization

Workshop Components

Prerequisites

Technical Background: Basics of web apps
Fortinet Knowledge: Basic familiarity with FortiGate and

Workshop Duration

Total Time: 4 hours
Introduction & Setup: 60 minutes
Manual Operations: 45 minutes
API Automation: 45 minutes
Integrations & Marketplace Demo: 45 minutes
Wrap-up & Q&A: 15 minutes

Lab Environment

Your lab environment includes:

Pre-configured Azure environment & Resource Group
FortiCloud account with Flex licensing & Required IAM permissions for FortiFlex operations
Sample configurations and scripts

Workshop Materials

Step-by-step lab guides with screenshots
FortiFlex API Postman collection
Best practices documentation

Success Criteria

You’ll know you’ve mastered the material when you can:

Provision a FortiGate in under 15 minutes using FortiFlex
Automate entitlement changes through API calls
Explain the cost benefits of usage-based licensing to customers
Design an automated provisioning workflow for your organization

Ready to get started? Let’s explore the FortiFlex platform components.

Learning Modules

All about FortiFlex and FortiCloud Organizations

In the next 2 sections, we’ll cover the key features of FortiFlex and how FortiCloud Organizations enabled multitenancy/MSSP features for FortiFlex licensing

We’ll cover the following topics:

FortiFlex features
FortiFlex use cases
FortiFlex API
FortiCloud Organizations & IAM features
MSSP features
Tools and resources
Integrations and Automations

FortiFlex

What is FortiFlex?

FortiFlex is Fortinet’s usage-based licensing solution that transforms how organizations consume and manage Fortinet security services. Instead of traditional fixed licenses, FortiFlex provides:

Pay-as-you-use billing based on actual consumption
API-driven automation for instant provisioning
Flexible scaling to match business demands
Simplified management through centralized control

Supported Products?

VM’s, Hardware Services, Cloud/SaaS

FortiFlex Flavors: Enterprise vs MSSP

FortiFlex Enterprise(also called FortiFlex prepaid subscription service): Designed for individual organizations to manage their own Fortinet deployments with flexible licensing.
- Flex Points are purchased in advance and consumed as Fortinet products are deployed.
- Ideal for enterprises with predictable usage patterns and a need for direct control over their security infrastructure.
FortiFlex MSSP(also referred to a FortiFlex postpaid subscription service): Tailored for Managed Security Service Providers (MSSPs) to offer Fortinet services to multiple customers.
- Allows MSSPs to manage multiple customer deployments from a single FortiFlex account.
- Provides features for multi-tenancy, centralized billing, and customer management.
- Ideal for MSSPs looking to provide automated Marketplace deployments with flexible billing to their customers.

Core Components

1. FortiPoints

Purpose: Mechanism for measuring and billing usage of Fortflex licensed products FortiPoints facilitate:

Licensing scalability and flexibility
Efficient and agile procurement
Easy access to a broad product ecosystem
Simplified management

2. FortiFlex Configurations

Purpose: Templates that define the type and parameters of Fortinet products you want to deploy.

Key Parameters:

Product selection (FortiGate, FortiManager, FortiAnalyzer, etc.)
VM sizing and specifications

Example Use Cases:

FortiGate: CPU Size, # of VDOMs, Service Package, Services
FortiAppSec Cloud: WAF, GSLB, Service Package, SOCaaS
FortiManager: # of Managed Devices, # of ADOMs

3. Entitlements

Purpose: Individual instances of deployed Fortinet products that consume FortiFlex points.

Key Parameters:

Unique serial numbers for each deployment
Real-time usage tracking
License lifecycle management

Billing Model:

Charged by points per hour of operation
Different VM sizes consume different point rates
Automatic billing integration with Fortinet accounts

Warning

Due to the regulatory nature and requirements around serial numbers and billing of the FortiFlex program, it is not possible to delete configurations or entitlements once they are created. This is to ensure compliance and accurate billing records are maintained in perpetuity.

As such, we will not be creating any more entities than are necessary for demonstration purposes during this workshop

4. Reporting

Purpose: Provides insights into FortiFlex usage and consumption patterns.

Key Features:

FortiFlex Points Usage Summary by Product
Daily detail up to 90 days
Customizable reports available via API

5. FortiFlex WebUI

Access: https://support.fortinet.com → FortiFlex section

Key Features:

Configuration management dashboard
Usage monitoring
Entitlement lifecycle operations
Reporting
Tools - Points Calculator

Navigation Overview:

FortiFlex Dashboard
├── Configurations
│   ├── Create New Configuration
│   ├── Manage Existing Configurations
│   └── Configuration Templates
├── Entitlements
│   ├── Active Entitlements
│   ├── Create New Entitlement
│   └── Entitlement History
├── Reporting
│   ├── Point Usage Summary
│   ├── Point Usage Detail
└── Tools
    ├── Points Calculator

Useful Resources

Documentation

Tools & Integrations

FortiFlex Calculator: Estimate your FortiFlex costs
Code: Ansible, Terraform, Python, and Postman
Terraform Provider: Infrastructure-as-code integration
Ansible Module: https://galaxy.ansible.com/ui/repo/published/fortinet/fortiflexvm/

Now that you understand the FortiFlex components, let’s get hands-on experience with the platform.

FortiFlex API

API Documentation: FNDN

Base URL: https://support.fortinet.com/ES/api/fortiflex/v2/

Authentication: API key-based authentication

API Benefits:

Programmatic control over all FortiFlex operations
Integration with CI/CD pipelines
Automated scaling based on metrics
Custom billing and reporting solutions

REST – Representational State Transfer - https://restcookbook.com/ –> good explanations
- HTTP Protocol and REST Architecture are intertwined
- The HTTP Response Codes are (should be) indicative of the status of the REST API call
- REST APIs are typically REST-ish as they do not fully/correctly implement the REST Architecture
- REST call Operations can be defined by a combination of Idempotency and Safety
- Most Common REST API calls – Idempotency: when then same request provides the same results or state

HTTP Method	Idempotent	Safe
GET
POST
PUT
DELETE
PATCH

FortiFlex API is REST-ish
- All FortiFlex API calls are POSTs, some calls should be GETs or PUTs

Anatomy of a REST API Query

FortiCloud Organizations

FortiCloud Organizations consolidate multiple FortiCloud Accounts into an Organizational Units (OUs) and manage user access to cloud products and services with fine grained service level permissions

Group multiple customer accounts and organize them into Organizational Units
Register and transfer assets between the accounts in the Organization
Delegate tenant or OU management to admins with detailed service level permissions and access scope
Access OU level views to manage assets or services across multiple account

Terminology - Start with a solid foundation!

Organizations/“OU”/Units – these are hierarchical identifiers indicating directories or folders within the FCLD Organizations concept
- The Org has a root OU ID and can have child OU ID’s
IAM - Accounts – numbered FortiCloud Account ID’s.
- The Org has a single Root Account (belonging to MSSP)
- MSSP can create child/member Accounts in an OU via FCLD Web GUI
IAM - Users –3 types as described in docs
1. IAM “users”- user entity managed in FCLD
- Can be local or Org with same “permission scope” and “permission profile” as below
- Password must be set with “Reset URL”, which can only be triggered by admin (not user)
- 2FA enabled by default and cannot be disabled
  - Delivered to User’s email, so must be valid (FortiToken is the only other option presently)
2. External Idp Roles/Roles – which is really just a mapping of a SAML Assertion containing “Role” = “XYZ” to the following
- Local role – access to the “Account” in which the Role is created
  - Permission scope (asset folder)
  - Permission profile (local specific) – specifies which FCLD Portal features are available
- Org role – access to an OU or Account within the Org
  - Permission scope (Org OU or Account within OU)
  - Permission profile (Org specific) - specifies which FCLD Portal features are available
- 2FA handled by IdP
- IDP enablement is via special request to PM
3. API User – required for calling any of the available API’s

Term	Definition
Organization Root Account	FortiCloud numbered <012345> Account which created the organization.
Org Root User	FortiCloud User registered with REAL EMAIL address and owns the Org Root Account
Organizational Unit (OU)	A unit within organization. Single OU member can be designated OU Master account.
OU Member Account	FortiCloud numbered <987654> Accounts invited to organization with no administrative privileges.
OU Scope	IAM User’s scope (OU) within the Organization.
IAM User	Local IAM user with credentials stored in FortiCloud
IdP User Role	External IdP user with role mapping to FortiCloud Organization where credentials are stored in external IdP

https://docs.fortinet.com/document/forticloud/23.4.0/organization-portal/829537/introduction

FortiFlex & Orgs

FortiFlex For MSSP’s

FortiCloud Organizations enables Muliti-Tenancy for FortiFlex. This is particularly interesting for MSSP’s.

Each Org Account can represent a separate entity with its own set of devices, Users, and Permission scope/Permission profile, which can be arranged in Org Units . This allows service providers to manage multiple customers from a single FortiCloud account.

MSSP’s can leverage Organizations to manage individual customer FortiFlex entities under the same program
FortiFlex Configurations and Entitlements are dedicated to the Org Account and not visible from others
- MSSP Admins Users could have read/write access to all of their customers Org Accounts
- Each individual customer Users might only have read access or maybe no access to the FortiCloud portal, depending on how the MSSP wants to setup their services.
- Maybe the MSSP want to fully automate the provisioning and management of these the Forti products and only provide customer access to FortiCare for ticketing/etc
- Controlled via Permission scope & Permission profile, assigned at the User level
Global Organization can navigate all and view each OU consumption
Global Organization can build automation from Root level to all individual Org Account
Global Organization receives monthly consolidated billing for MSSP FortiFlex Program

Info

This Workshop is setup using a FortiCloud MSSP level Root Account with each workshop participant representing an individual customer. The Cloud CSE Marketplace Demo is an example of how the API’s can facilitate automation at the MSSP level for individual customers

WebUI Organizations

Number	Explanation
1	OU Listing
2	Create Sub-OU’s
3	Create FortiCloud Accounts in current OU view (no email necessary)
4	FortiCloud Account View
5	Invite existing FortiCloud Accounts to the Org

WebUI IAM Users

Org Root Admin view

Number	Explanation
1	Create new
2	IAM User listing with type, profile, and scope

WebUI IAM Permission Profile

Number	Explanation
1	Profile Name
2	Profile Type (Local or Organization)
3	Add Fortinet Product Portals
4	Specify Permissions per portal

WebUI IAM User Creation

User creation is generally the same as IAM Users, IdP Role creation, or API Users. The interface differs slightly, but the components are the same.

Number	Explanation
1	User/Role Name
2	User Tyle (Local or Organization)
3	Permission Scope (OU bucket or specific Account
4	Permission Profile (choose from pre-created profiles

Warning

IAM Users and IdP Roles can have ONLY 1 Permission Scope and 1 Permission Profile. You cannot layer multiples on a single user/role.

2. QuickStart & FAQ

Provision your Portal Accounts

Required for hands-on portion of this workshop

Warning

You must submit a valid email address here to get an account provisioned for this workshop.

Workshop Setup Guide

Prerequisites Checklist

Before starting the hands-on lab, ensure you have completed the following setup steps and have the necessary tools ready:

Azure Portal Access: Valid Azure subscription credentials
Fortinet Support Portal Account: Registered account with FortiFlex access
Postman: Desktop application, Web Version, or Azure VM
Web Browser: Chrome, Firefox, or Edge (latest version)
Lab Environment Access: Resource group and permissions provided by instructor

Tip

Step 1: Azure Portal & Cloudshell Access

Use these steps to access your Azure Portal environment.

Open a browser and access the following URL: https://portal.azure.com

Use the credentials provided in the email you got from fortinetsecdevops@gmail.com.

Username: “flexxx@fortinetcloud.onmicrosoft.com”

Enter Temporary access credentials, and click Sign In
Click No on the ‘Stay signed in?’ prompt
Click Get started on the ‘Welcome to Microsoft Azure’ page.
Click Skip on the ‘How do you plan to use Azure’ page.
Click Skip on the ‘Now, let show you around Azure’ page.

After login, you should see the Azure dashboard
Locate your assigned resource group: flex[XX]

Click the Cloud Shell icon in the top navigation bar and Select Bash as the shell type

Wait for the Cloud Shell to initialize

Next, you will see a “Getting started” page.
- Select Mount Storage Account
- Choose Internal-Training as the Storage account subscription
- Click Apply

On the Mount storage account screen
- click Select existing storage account
- click Next

On the Select storage account screen (values in drop down)
- choose Internal-Training as description
- resource group will be “student number”-flex105-workshop
- storage account name will be “student number” followed by some random numbers and letters
- File share will be cloudshellshare
- Click Select

Step 2: Fortinet Support Portal Access

Tip

We’ve provisioned a Fortinet Support Portal account with appropriate Flex entitlements for this workshop Same credentials as the Azure Portal, slightly different logon procedure. YOU MUST LOGIN USING THIS URL which is conveniently perma-listed on the left navbar, and as long as you use the same browser as your Azure login, you should be signed in with SAML SSO

Browse to the following URL: https://customersso1.fortinet.com/saml-idp/proxy/demo_sallam_okta/login/

Warning

Important: PLEASE URL EXACTLY AS ABOVE, ENDING WITH /. Do not use general Fortinet Support Portal URL.

Enter the credentials provided in the email you got from fortinetsecdevops@gmail.com

Username: “flex[XX]@fortinetcloud.onmicrosoft.com”
Temporary Access Password: “[TemporaryPassword]”
You can choose No to “stay Signed In”
You may have to click “Login” at the SAML Login Portal

From the FortiCloud Main Portal, look for “FortiFlex” in the main navigation menu

Click to enter the FortiFlex dashboard

Step 3: Postman Options

We will be using an existing Postman Collection to interact with the FortiFlex API

Postman desktop application will provide the best user experience and is a great tool for working with API’s
If you can’t install the Desktop client for some reason, you can use Postman’s web version requiring a login (you can use your personal email)
If you’d prefer not creating a Postman login, you can create an Azure VM with Postman pre-installed, and import the

Installing Postman

Option 1: Desktop Application (Recommended) 👈

Download from https://www.postman.com/downloads/
Install following the standard process for your operating system
Create a free Postman account when prompted

Option 2: Web Version

Go to https://web.postman.co/
Sign in with your Google or create a Postman account

Option 3: Azure VM

Continue to the next step to create an Azure VM with Postman pre-installed

Setup Complete? Let’s address some common questions before diving into the lab.

Next: FAQ →

Frequently Asked Questions

General FortiFlex Questions

Q: What’s the difference between FortiFlex and traditional Fortinet licensing?

A: Traditional licensing requires purchasing fixed-term licenses upfront (typically 1-3 years) for specific capacities. FortiFlex uses a usage-based model where you:

Pay only for actual consumption (hourly billing)
Scale resources up/down automatically
Provision instantly without procurement delays
Get consolidated billing across all Fortinet products

Q: How does FortiFlex pricing work?

A: FortiFlex uses a “points” system:

Different VM sizes consume different points per hour
Example: 2-vCPU FortiGate = 2 points/hour, 4-vCPU = 4 points/hour
Points are purchased in advance and consumed as resources run
Detailed pricing available in the FortiFlex portal under “Pricing Calculator”

Q: Can I use FortiFlex for on-premises deployments?

A: FortiFlex licensing works on VM’s, Hardware Services, Cloud/SaaS

FortiGate VMs in the cloud or on Prem.
Hardware Services
Cloud/SaaS Services

Technical Questions

Q: What happens if I run out of FortiFlex points?

A: When points are low:

You’ll receive email notifications at 80% and 90% consumption
At 100% consumption, new entitlements cannot be created
Existing entitlements continue running but accrue overage charges
You can purchase additional points anytime through the portal

Q: How quickly can I provision a new FortiGate?

A: With FortiFlex:

Manual provisioning: 5-10 minutes through WebUI
API provisioning: 1-3 minutes with automation
Traditional licensing: 2-4 weeks for procurement + provisioning

Q: Can I change VM sizes after deployment?

A: Yes! This is a key FortiFlex advantage:

Stop the entitlement in FortiFlex
Modify the VM size in your cloud provider
Update the entitlement configuration in FortiFlex
Restart the entitlement
Billing automatically adjusts to new point consumption

Q: How does FortiFlex integrate with Infrastructure-as-Code?

A: FortiFlex provides multiple automation options:

REST API: Direct integration with Terraform, Ansible, etc.
Terraform Provider: Native Fortinet provider for FortiFlex resources
Ansible Collection: Playbook to interact FortiFle
CI/CD Pipelines: API calls in deployment workflows

Lab-Specific Questions

Q: Can I access my lab environment after the workshop?

A: Lab environments are temporary:

Available during workshop + 24 hours for practice
All Scrips used in the workshop are available at the course GitHub Repo

Q: What if my API calls aren’t working in Postman?

A: Common issues and solutions:

Authentication Error: Verify API key is correct in environment variables
404 Errors: Check the base URL is set correctly
JSON Formatting: Use Postman’s JSON validator for request bodies

Q: How do I get production FortiFlex access for my organization?

A: To enable FortiFlex for production use:

Contact your Fortinet sales representative
Request FortiFlex access for your organization
Complete any required MSP/partner agreements
Purchase initial points allocation
Set up billing and payment methods

Best Practices Questions

Q: How should I organize FortiFlex configurations?

A: Recommended organization strategies:

By Environment: dev-config, staging-config, prod-config
By Customer: customer-a-config, customer-b-config (for MSPs)
By Region: us-east-config, eu-west-config
By Function: branch-office-config, datacenter-config

Q: What’s the best way to monitor FortiFlex costs?

A: Cost monitoring best practices:

Set up billing alerts at 75% and 90% of monthly budget
Regular usage reviews - weekly for active environments
Automated reporting - API calls to extract usage data
Tag entitlements with cost centers or customer codes
Schedule regular optimization reviews to identify unused resources

Q: Should I use separate FortiFlex accounts for different customers?

A: For MSPs, consider:

Single Account: Easier management, consolidated billing, use tagging for separation
Multiple Accounts: Complete isolation, individual customer billing, more complex management
Hybrid Approach: Major customers get separate accounts, smaller customers share an account with tagging

Troubleshooting

Q: My FortiGate VM isn’t getting a license from FortiFlex

A: Check these items:

VM has internet connectivity to Fortinet licensing servers
Entitlement is in “Active” status in FortiFlex portal
Serial number matches between VM and entitlement
No firewall rules blocking licensing traffic (TCP 443 to *.fortinet.com)

Q: I’m getting “Insufficient Points” errors

A: Resolution steps:

Check current points balance in FortiFlex dashboard
Review active entitlements and their point consumption
Purchase additional points if needed
Consider stopping unused entitlements to free up points

Q: Can I migrate from traditional licenses to FortiFlex?

A: Migration options:

New Deployments: Use FortiFlex for all new cloud deployments
Existing VMs: Contact Fortinet support for migration assistance
Hybrid Approach: Keep existing traditional licenses, use FortiFlex for new/scaled resources
Contract Renewal: Consider FortiFlex when traditional licenses expire

Questions Answered? Time to get hands-on with FortiFlex!

Next: Hands-On Lab →

Extra Setup - Not necessary

Terraform VM deploy

Launch resources using Terraform

All the components required for Lab are deployed through terraform.

Perform the following steps in your Cloudshell console to create your environment.

Clone the GitHub repo git clone https://github.com/FortinetCloudCSE/PublicCloud105-FortiFlex.git
Change directory to the cd PublicCloud105-Fortiflex/terraform folder
Run terraform init

git clone https://github.com/FortinetCloudCSE/PublicCloud105-FortiFlex.git
cd PublicCloud105-Fortiflex/terraform
terraform init

Run the following command to apply it
```
terraform apply -var="username=$(whoami)" --auto-approve
```
IF THE COMMAND ABOVE RESULTS IN AN ERROR
You can manually specify your username (found in your Azure Account email) in the command
If your Workshop Azure account login is web31@ftntxxxxx.onmicrosoft.com, your username is web31, and the command to enter is:
```
terraform apply  -var='username=web31' --auto-approve
```

Terraform deployment takes at least 10-15 min to complete.

Once Terraform is complete you should see the output. Please copy the output to notepad.

To print the node VM’s login password, you can run this command
```
terraform output -raw password
```

Start Kali RDP

Logging into your student environment

Prereqs

Internet Access
Web Browser
- Any modern browser will work. Some people have had issues with Safari. If that happens, please try Firefox or Chrome. Your student environment includes a client and server with all required software.

Start Kali RDP

For this lab, we will only need to interact with the Kali linux device. We will use guacamole to create an RDP session in your browser.

In your browser window, type in the url below, substituting your Kali server IP.
Warning
Kali Linux takes about 20 minutes to fully deploy, so you may get a connection refused error. Please be patient and the login prompt will eventually appear. Even after Kali is reachable via HTTPS, some of the initial packages may still be downloading.
```
https://<kali-IP>:8443
```
Accept all warnings and proceed to the site.
You will be prompted to login to Apache Guacamole.
- Enter guacadmin for Username and enter S3cur3P4ssw0rd123!
- Click Login

The Guacamole home page will have a list of connections. Click on the connection labled Lab Desktop

Note the icons at the top left of the home screen. We will be using these during the lab.

Paste text into Kali Desktop

There are portions of this lab that will require large amounts of text to be entered on the Kali desktop. To accomplish this:

You will need to open (and close) the Guacamole menu by typing ctrl+alt+shift for Windows or ctrl+command+shift for MAC.
Paste your text into the window, and select Text input as the Input method.

Right click on the desktop where you want to past and click “paste” or “paste from clipboard” depending on which option is available.

Open Postman

Kali Linux comes with Postman pre-installed. Open it by clicking in the top left Kali Manu and search for Postman. Click on the Run Postman icon to open the application.

When postman opens, select Continue without an account
Now select Open Lightweight API Client

3. Workshop Hands-On

Workshop Agenda

In this workshop, we’ll use a crawl, walk, run approach to obtaining practical experience with FortiFlex through manual FortiFlex operations followed by API automation.

FortiFlex WebUI Operations
- Navigating the FortiFlex WebUI
- Creating and managing FortiFlex configurations and entitlements
FortiFlex Automating Operations
- Introduction to FortiFlex API
- Exploring FortiFlex Postman Collection tasks
Integration Use Cases -
- Integrating FortiFlex API with Terraform IaC
- Demoing a PoC MSSP FortiFlex MSSP Marketplace Integration PoC

FortiFlex WebUI


Goal	Gain Experience with the FortiFlex WebUI
Task	Create a FortiFlex configuration and entitlement, deploy a FortiGate VM in Azure using the entitlement, and then update the configuration to increase vCPU count.
Validation	FortiFlex Licensed 4vCPU FortiGate VM in Azure with matching SN and License.

In this section, you’ll learn how to manage FortiFlex entitlements through the FortiCloud web interface, providing a foundational understanding of FortFlex,

Note

If you need help accessing Azure FortiCloud/FortiFlex Portal, please refer to the Workshop Setup Guide page from QuickStart.

Step 1: Create a Configuration

Every FortiFlex subscription starts with a configuration. A configuration defines the product type, form factor, and service package for your FortiFlex subscription. You can create multiple configurations to manage different products or services.

Start from the FortiCloud Dashboard

Click on “FortiFlex” in the navigation menu

Navigate to Configurations

In the FortiFlex dashboard, click “Configurations”
You should see an empty list or existing lab configurations
Click the + New Configuration button

You’ll see the configuration wizard. Enter details as follows:

Name: XPerts25-FGT-VM (or any name you prefer)
Select Form Factor: Virtual Machines
Product Type: FortiGate Virtual Machine - Service Bundle
Click Next

On the next screen, set the following details:

Number of CPU’s: 2
Service Package: UTP
Leave Virtual domains set to 0
Click Next

Review the details of your configuration and click Submit

You’ll see the config successfully created

Step 2: Create an Entitlement

Once you have a configuration, you can create entitlements. An entitlement is a license that allows you to use the product defined in your configuration.

Navigate to the Flex Entitlements tab and click + New Entitlement

Fill in the following details in the entitlement wizard:

Product Type: Select FortiGate Virtual Machine - Service Bundle
Select the configuration you created above in Step 1 from the dropdown
Click Next

Review the details of your entitlement and click Submit

You’ll see the entitlement successfully created. Serial Number for future reference.

Click on List to go back to the Entitlement Listing and retrieve the Entitlement Token

From the entitlement details page, copy the License File Token. You will need this token to activate your FortiGate VM in the next step.

Step 3: Create a FortiGate VM in Azure & License with Flex Entitlement

Now that you have an entitlement, you can assign it to your FortiGate VM in Azure. Login to the Azure portal and follow these steps:

Navigate into your Resource Group and click on the + Create located at the top left of the tool bar. You will be redirected to the Azure Marketplace.

In the Marketplace search bar, type: Fortinet FortiGate and then enter. Navigate to the Fortinet FortiGate Next-Generation Firewall offering from Fortinet and select Create and Single VM.

You will be redirected to the Create Single VM template.

Warning

Make sure you select the BYOL (Bring Your Own License) option. This is important as it allows you to use your FortiFlex entitlement. When you click Create on the listing, you should see options for Active-Active, Active-Passive, and Single VM.

If you see anything referencing PAYG (Pay-As-You-Go), you are viewing the wrong listing.

Under the Basics tab, the Subscription and Resource Groups should already be filled in with your assigned info. If not, see the screen shot below for details.

Note

Use the **flexXX** username you've been assigned. Replace **[XX]** with your specific number.

Under Instance details, select/enter the following:
- Region: East US
- FGT VM instance Architecture: ARM64
- FortiGate administrative username: flex[XX]
- FortiGate password/Confirm password: FortinetAzure2025!
- Fortigate Name Prefix: flex[XX]
- Resource Group: flex[XX]-flex104-workshop
Select Next.

In the Instance Details tab, scroll down to the License section, and check the box for Use FortiFlex Entitlement entering the License File Token you copied earlier.

In the Networking tab, scroll down to the Accelerated Networking section and select Disabled. This feature can be enabled with specific instance types but for this example it’s not relevant.

Review all the settings in the Review + create tab. Ensure that everything is correct, especially the License File Token. Click on Create to deploy the FortiGate VM.

You’ll see the deployment in progress. This may take a few minutes. Once completed, you can navigate to the resource to manage your FortiGate VM.

Step 4: Verify the FortiGate VM Licensing

From the Resource Group, click on to the FortiGate VM you just created. Note the public IP address assigned to the VM. You can use this IP to access the FortiGate CLI or GUI.

Copy the Public IP address.

In a new browser tab, enter the public IP address of the FortiGate VM in the address bar
Accept the security warnings for the unsigned Cert.
You will be prompted to log in.
Use the username and password you set during the VM creation (e.g., flexXX and FortinetAzure2025!).

You can skip the inital setup be choosing Later

You’ll see the FortiGate Status Dashboard where the License will show 2 vCPU. The SN will match the entitlement you created in FortiFlex.

You can also verify the license via CLI. get system status You will see the matching SN, with Valid License, and the number of vCPU’s allowedreflecting the assigned entitlement.

Step 5: Update the Flex Config & Entitlement to add Additional new vCPU count

Next, we’ll update the FortiFlex configuration to increase the licensed vCPU count.

In the FortiFlex dashboard, navigate to the Configurations tab. Select the configuration you created earlier and click on the edit icon.

Click Next to continue past the product selection screen.

Update the number of CPU’s to 4 and click Next until you reach the review screen.

Click Submit to save the changes

You will see a warning message, and you should click to Confirm the changes.

The entitlement linked this configuration will automatically reflect the vCPU change.

Step 6: Double the vCPU on the Azure FortiGate VM

Now, we’ll change the VM size in Azure to double the vCPU from 2 to 4.

Go to the VM Overview Page and then on left side click on Availability + scale and then Size. Select a size that has 4 vCPUs (e.g., Standard D4ps V6) and click “Resize”.

You’ll see a confirmation message that the resize is in progress. This may take a few minutes.

Proceed when you see the successful message

After resizing, start the FortiGate VM again from the Azure portal.

On the VM Overview Page, you can verify that the VM size has been updated to reflect the new vCPU count.

Step 7: Add the additional CPU’s to FortiGate

Finally, log back into the FortiGate VM WebUI to verify that the license now reflects the updated vCPU count, and add the additional CPU’s to the FortiGate configuration.

From the Resource Group, click on to the FortiGate VM you just created. Note the public IP address assigned to the VM. You can use this IP to access the FortiGate CLI or GUI.

Copy the Public IP address.

In a new browser tab, enter the public IP address of the FortiGate VM in the address bar
Accept the security warnings for the unsigned Cert.
You will be prompted to log in.
- Use the username and password you set during the VM creation (e.g., flexXX and FortinetAzure2025!).
- You can skip the inital setup by choosing Later
- You’ll see the FortiGate Status Dashboard where the License will show 2/4 Allocated vCPU
- You can also verify the vCPU via CLI.
- get system status
- You will 2/4 vCPU.

To add the additional CPU’s to the FortiGate configuration, open the system CLI and run the following commands:

exec cpu add 2

Then verify the CPU count again:

get system status

You should now see 4/4 vCPU allocated.

FortiFlex API


Goal	Gain Experience with the FortiFlex API
Task	Import FortiCloud Postman Collection, Authenticate, and explore the FortiFlex API
Validation	Stop and Start FortiFlex API via Postman

Automation using FortiFlex API

In this section, you’ll learn how to automate FortiFlex operations using the REST API and Postman, then explore serverless automation with Azure Functions.

We’ll start by setting up Postman with our FortiFlex Collection, then create an API Key in FortiCloud, and finally use Postman to interact with the FortiFlex API. After that, we’ll build a serverless automation function in Azure to scale FortiGate resources based on business logic.

Step 1: Import FortiFlex Postman Collection

The following steps should remain relatively consistent regardless of how you’re using Postman, so open Postman and proceed.

In Postman, use an existing collection, or create a new one if you’d like
click on File–>Import in the top left corner, or Import button in the top left of the collection
On the import dialog, paste the following URL:
- https://raw.githubusercontent.com/FortinetCloudCSE/fortiflexvm-api/refs/heads/main/api/Postman/v2/FortiCloud.postman_collection.json
You should see the FortiCloud Collection appear in the left sidebar

All variables used in the collection are stored at the highest level of the Collection.
Click on Collection Title in the left sidebar, then click on the Variables tab
You’ll see variables for
- The API Base URLs
- api_username and api_password for authentication
- client_id for authentication (only used to override the automated client_id in the script)
- access_token, and expires_as for storing Bearer tokens returned from authentication request for each client_id/request

Tip

In most situations, the only variables you’ll need to modify are the api_user and api_password. You will notice the access_tokens populate as you launch different API requests

We’ve set up the FortiCloud Postman collection to automate the authentication process and store the access token for use in subsequent requests

You can see the scripting used to fetch Bearer tokens by clicking on the Scripts tab at the top level of the Collection, and viewing the Pre-request Script

Pseudocode

1. Grab the URL of the request, along with the API Username and Password
2. Set the authentication client_id depending on the path in the URL
3. If (No bearer token or it's already ): get a new bearer token with api_username, api_password, and client_id
4. Set the bearer token in the request header for the given request type

Postman Collection Scripting

Step 2: API Authentication Setup

From the FortiCloud Portal, click on Services–>IAM

Click on Add New –> API User

Enter a username for the API User such as: flexapiuser
Choose the SysAdmin Permission Profile
Click Next

When the API User is created, you will see a message to download the credentials.
Click to download, and enter a password to encrypt the file, such as FortiFlex2025!

You’ll get a password-protected zip file with the API credentials. Open it using the same password you entered when downloading the file.
The folder will contain a single text file with the apiId and password
You’ll enter the apiId and password into a Postman Collection Variables the next step

Back in Postman, enter the newly created apiId and password into the Postman Collection Variables
Copy the apiId from the credentials text file into the api_user Postman Current value variable
Copy the password from the credentials text file into the api_password Postman Current value variable
Click Save to save the collection variables

Tip

Important: Make sure to use the Current value field, not the Initial value field. The Current value is what will be used when you send requests.

From the top level FortiCloud Collection, open folder: FortiFlex V2.0–>Programs, and then POST Request: List
Click the Send button

You should see a response with a 200 OK status and 2 different serialNumber in the response body

Congratulations, you’re now authenticated with the FortiFlex API!

Warning

If you get an error at this step, please double-check everything and-or check with the Workshop Instructor

Step 3: Basic List Actions

Let’s take a moment to understand FortiFlex API list actions

To view configurations

We can then take the Flex Program SN we got from the previous request along with our FortiCloud Account ID, and use it to retrieve a list of Configurations for that Program.
Open the Post List request from the Configurations folder in the collection
- For this Workshop, we’re focusing on FortiFlex MSSP(postpaid), and the Program SN is: ELAVMS0000000518
- You can get your FortiCloud Account ID from the FortiCloud Portal top right corner
  - click on the down arrow next to your account name, and look for the Member Account ID
  FortiCloud Account ID
- enter both into the Body of the Configurations/list request, and click Send
- You should see a response with a 200 OK status and a list of configurations in the response body
FortiFlex Configurations List Body

Next, we can retrieve a list of Entitlements by sending a request to the /entitlements/list endpoint.

Open the Post List request from Entitlements folder in the collection
enter the configId returned from the previous request into the Body of the Get Entitlements request, and click Send

Step 4: Entitlement Management via API

Let’s look at stopping and re-activating entitlements via the API

Open the Stop request from the Entitlements folder in the collection
Under the Body tab, enter the serialNumber you got from the previous request
Click Send to disable the entitlement
You should see a response with a 200 OK status and the entitlement status updated to “STOPPED”
You can verify this by sending the list request and checking the status, or by checking the WebUI

Open the reactivate request from the Entitlements folder in the collection
Under the Body tab, enter the serialNumber you got from the previous request
Click Send to enable the entitlement
You should see a response with a 200 OK status and the entitlement status updated to “ACTIVE”
You can verify this by sending the list request and checking the status, or by checking the WebUI

Info

API Basics Complete! You’ve successfully:

Authenticated with the FortiFlex API using Postman
Viewed configurations and entitlements programmatically

Key Takeaways from API Basics

Speed: API operations complete in seconds vs minutes for manual operations.
Consistency: Automated processes eliminate human error and ensure standardization.
Integration: APIs enable seamless integration with existing DevOps and FinOps workflows.
Scalability: Serverless functions can handle multiple concurrent scaling requests.
Cost Optimization: Automated scheduling can significantly reduce costs during off-hours.
Best Practices Learned:
- Always validate API responses before proceeding to next steps
- Use Collection variables for sensitive data like API keys

FortiFlex Integrations


Goal	Explore the capabilities of advanced integrations with FortiFlex
Task	Launch Terraform Apply with Flex Token, Explore Reporting with Python Script, Interact with Demo MSSP Marketplace
Validation	FortiFlex Licensed 4vCPU FortiGate VM in Azure with matching SN and License.

In this section, we’ll explore how to automate FortiFlex operations using Terraform, take a peak at what an MSSP implementation for FortiFlex Might look like.

1. Terraform

Let’s take a peek at how we’d take advantage of the Terraform provider for FortiFlex to automate our infrastructure deployments!

We’ll use Terraform in Cloudshell from the Azure Portal, so head over to the Azure Portal and launch Cloudshell.

Run the following commands to clone this repo and navigate to the Terraform directory:

git clone https://github.com/FortinetCloudCSE/PublicCloud105-FortiFlex.git
cd PublicCloud105-FortiFlex/terraform/azure
export ARM_SUBSCRIPTION_ID=$(az account show --query "id" -otsv)

Initialize and run a Terraform plan to see what resources will be created:

terraform init
terraform plan

You will be asked to provide values for the following variables:

FortiFlex Entitlement Token: You can get this from the FortiFlex portal.
FortiGate VM Username: Use your Workshop Username Prefix (e.g. Flex01)

Warning

There is no error checking on the FortiFlex Entitlement Token, so you could enter whatever you’d like here, the VM just won’t be licensed correctly!

There is also no error checking on the FortiGate VM Username, but it will error out if you try to use an invalid username due to invalid access to the related resources.

Once you’ve provided the variables, you should see output with a plan of the resources Terraform will create

In a real production environment you would review the plan output to ensure it matches your expectations, and then apply the plan to deploy the FortiGate VM licensed by FortiFlex with the following command:

Warning

WE’RE NOT GOING TO ACTUALLY DEPLOY THIS IN THE WORKSHOP, AS WE HAVE SOMETHING MORE INTERESTING PLANNED FOR THE NEXT STEP!

terraform apply

Also in a real production environment:

your entire cloud infrastructure would be defined in code (Terraform)
you would be using a version control system like Git to manage changes to your infrastructure
all of your system variables would be stored securely in a secrets manager or environment variables, not hardcoded into your Terraform files
You’d be using the FortiFlex Terraform provider to directly integrate with FortiFlex, not passing the Entitlement Token or Username “manually” as a variable
This terraform deployment would ideally be running as part of a CI/CD pipeline to ensure consistent and repeatable deployments across your environments

2. Python Example - Points Reporting

Remember when we said you can only get 90 days of point history at the FortiFlex WebUI? Here, we demonstrate a simple Python script to interact with the FortiFlex API to retrieve points reporting information to go back to the beginning of the FortiFlex service.

We’ll use python from the Azure Cloudshell, so head over to the Azure Portal and launch Cloudshell.

cd ~/PublicCloud105-FortiFlex/scripts/python
pip install -r requirements.txt --user
python fortiflex_points_by_config.py

You’ll be prompted to enter the following information:

FortiFlex API Username: <IAM_API_Username_you_created_earlier>
FortiFlex API Password: <IAM_API_password_you_created_earlier>
Starting Date Range (YYYY-MM-DD): 1900-01-01
Ending Date Range (YYYY-MM-DD): 2025-08-26
FortiFlex Program Serial Number: ELAVMS0000000518

After entering the initial info, you’ll enter a loop where you can choose different options for point reporting. Try a few and then exit!

3. Advanced Use Cases

We don’t have time to get into every possible integration use case in this workshop but we wanted to at least give you a taste. Here are some additional resources to get you started if you’re interested in exploring further:

Code: Ansible, Terraform, Python, and Postman
Terraform Provider: Infrastructure-as-code integration
Ansible Module: https://galaxy.ansible.com/ui/repo/published/fortinet/fortiflexvm/

4. MSSP Use Case

Now that we know how the FortiFlex Program works, and we know how to automate with it, lets fly!

This section will explore how a Managed Security Service Provider (MSSP) might implement FortiFlex to manage multiple clients’ security infrastructure efficiently and automatically. The MSSP may want to offer a self service portal for their customers to provision, entitle, and deploy their own FortiGate VMs with pre-defined security templates created by the MSSP.

Open the CloudCSE FortiFlex Marketplace Demo and click “Login” at the top right.

As long as you’re using the same browser you used for logging into the Azure and FortiCloud Portals, you should be auto logged in with SAML and see your workshop account username next to the login button.

Info

This is an MVP0 demo application created by the Fortinet Cloud CSE team to demonstrate how an MSSP might implement a self-service portal for their customers to provision, entitle, and deploy FortiGate VMs using FortiFlex.

This is not a production ready application, and is not supported by Fortinet. It is provided as-is for educational purposes only.

Disregard the front page…those 5 products are just to test frontend to backend connectivity.

The real magic is on the FortiFlex Configs and Entitlements pages….which are Empty presently, because we haven’t provided any credentials yet!

The Demo hasn’t implemented any kind of secure storage for credentials, because FortiCloud doesn’t offer API creation of IAM accounts yet.

So for now, we’ll just use the IAM API credentials you created earlier in the workshop.

Click on the API Credentials link in the top menu

Enter the following information:

FortiFlex IAM API Username: <IAM_API_Username_you_created_earlier>
FortiFlex IAM API Password: <IAM_API_password_you_created_earlier>
FortiFlex Program Serial Number: ELAVMS0000000518
FortiCloud Account ID: You can get this from your FortiCloud account info (top right).

then click Submit

If you provided all the info correctly, the FortiFlex Configs page, will show the XPerts25-FGT-VM Config you created manually back in the beginning of the hands on section!

You’ll notice the parameters show the config is set for 4 CPUs, and the Create Entitlement is disabled. This is purposeful as we’re trying to conserve resources for this workshop.

From the FortiFlex Configurations Page, Click on Modify Configuration for the XPerts25-FGT-VM Flex Config and set it back to 2 CPU’s.

Confirm the changes and you’ll see the Create Entitlement Button Activate.

Once the Configuration is back at 2 CPU, Click Create Entitlement and confirm

You’ll be redirected to the FortiFlex Entitlements Page to view the newly created Entitlement named CloudCSE MKPL VM. You’ll also notice the entitlement you previously created manually at the WebUI.

Click on Launch VM on the Cloud CSE MKPL VM Entitlement, and confirm the prompts.

Behind the scenes, the MSSP Marketplace is launch a combination of API calls and Terraform to automatically deploy a FortiGate into your Azure account. That FortiFate is already licensed with the FortiFlex Entitlement Token you just created at the MSSP Portal!

It will take approx 5 mins to fully deploy, and then you can go check in your Azure Portal in the resource group for your account.

Imagine the possibilities for MSSP’s to customize the deployment options (single VM’s, A/P, A/A, Azure vWAN, AWS GWLB, AutoScaling, etc)

You will know the VM is ready when you see the Flex Entitlement Card:

Launch Azure VM Button turn Grey
RED STOP Button Appear
Status turn to Active
Token Status turn to Used

Go to the Azure Portal and check your resource group for a Virtual Machine prefixed with cat-. This is the VM deployed from the Flex Catalog.

Tip

For step-by-step instructions, reference the Azure Portal steps in the FortiFlex WebUI steps here

Click on it, and copy the Public IP opening it in a new browser window.

Username:
Password: ChangeMe123#@!

You will see the Serial number of the Flex Entitlement you used to provision this VM.

Workshop Cleanup

This section provides instructions on how to clean up resources created during the workshop. Follow these steps to ensure that all resources are properly deleted and your environment is left in a clean state for the next session.

We’ll use the Demo FortiFlex MSSP Marketplace to Stop all Entitlements we created as part of this workshop Go to the FortiFlex Enttlements Page and click Stop on any active entitlements. Click to confirm.

Info

Remember, FortiFlex points deduction doesn’t stop even if the resources stop, are terminated, or are decomissioned. So it’s imperative to maintain proper FortiFlex maintenance records or automation on the entitlements

In the FortiCloud Portal, Go to the IAM Portal, Users section, Select the API account you created for this workshop and delete it.

Chapter 3 Quiz

Test your knowledge with this final quiz covering all the concepts from this workshop:

FortiFlex Workshop

Real-World Scenario: CloudSecure Solutions MSSP Challenge

CTF Quiz Example

Subsections of

1. Introduction

Welcome to Public Cloud 105: FortiFlex & FortiCloud Organizations

Learning Objectives

Primary Use Cases

Learning Objectives & Workshop Components

Workshop Components

Prerequisites

Workshop Duration

Lab Environment

Workshop Materials

Success Criteria

Subsections of 1. Introduction

Learning Modules

All about FortiFlex and FortiCloud Organizations

Subsections of Learning Modules

FortiFlex

What is FortiFlex?

Supported Products?

FortiFlex Flavors: Enterprise vs MSSP

Core Components

1. FortiPoints

2. FortiFlex Configurations

3. Entitlements

4. Reporting

5. FortiFlex WebUI

Useful Resources

Documentation

Tools & Integrations

Subsections of FortiFlex

FortiFlex API

Anatomy of a REST API Query

FortiCloud Organizations

Terminology - Start with a solid foundation!

Subsections of FortiCloud Organizations

FortiFlex & Orgs

FortiFlex For MSSP’s

WebUI Organizations

WebUI IAM Users

Org Root Admin view

WebUI IAM Permission Profile

WebUI IAM User Creation

2. QuickStart & FAQ

Subsections of 2. QuickStart & FAQ

Workshop Setup Guide

Prerequisites Checklist

Step 1: Azure Portal & Cloudshell Access

Step 2: Fortinet Support Portal Access

Step 3: Postman Options

Installing Postman

Frequently Asked Questions

General FortiFlex Questions

Q: What’s the difference between FortiFlex and traditional Fortinet licensing?

Q: How does FortiFlex pricing work?

Q: Can I use FortiFlex for on-premises deployments?

Technical Questions

Q: What happens if I run out of FortiFlex points?

Q: How quickly can I provision a new FortiGate?

Q: Can I change VM sizes after deployment?

Q: How does FortiFlex integrate with Infrastructure-as-Code?

Lab-Specific Questions

Q: Can I access my lab environment after the workshop?

Q: What if my API calls aren’t working in Postman?

Q: How do I get production FortiFlex access for my organization?

Best Practices Questions

Q: How should I organize FortiFlex configurations?

Q: What’s the best way to monitor FortiFlex costs?

Q: Should I use separate FortiFlex accounts for different customers?

Troubleshooting

Q: My FortiGate VM isn’t getting a license from FortiFlex

Q: I’m getting “Insufficient Points” errors

Q: Can I migrate from traditional licenses to FortiFlex?

Extra Setup - Not necessary

Subsections of Extra Setup - Not necessary

Terraform VM deploy

Launch resources using Terraform

Start Kali RDP