Buying a used/pre-owned Fortigate firewall: most frequently asked questions


Introduction

Buying a used/pre-owned Fortigate is often the best way to learn to work with the firewall. Offers are plentiful - just run a search on eBay. But, and there is always a but, purchasing a pre-owned Fortigate is not like ordering a used MacBook: many questions will arise, and not many of them have answers in the official docs. In this article I compiled the most frequent/important of them. Disclaimer: I do not work for Fortinet and this is not an official guide in any way, so do your due diligence.

Is it worth buying hardware Fortigate vs free VM evaluation one?

I’d say the free VM is enough if you start learning from zero. As you progress you will hit the VM evaluation limitations. I list those limits here: "Fortigate VM Evaluation License 15 Days Limitations", and here: "Fortigate free VM Evaluation License is now permanent, not limited to 15 days, here is how to get it".

The appliance Fortigate, on the other hand, has none of these limitations, even without an active subscription. Want to do deep SSL inspection? No problem. Trying to configure SSL VPN for FortiClient? Sure.

Can I get a demo Fortigate appliance?

As an individual - no. Fortinet have Not For Resale (NFR) Fortigate appliances that are fully functional, but you can only get them as a Partner, and even then with much effort. If, on the other hand, all you want is to see how the Fortigate GUI looks and feels without doing anything, you can go to https://fortigate.fortidemo.com with the user/pass demo/demo and log in to a real Fortigate (a 2000E as of this writing) as a read-only admin.

Can I buy a used Fortigate from Fortinet?

No, you can’t. Fortinet’s policy is to sell their products as new via registered partners/resellers only, and they have no incentive to supply clients with second-hand Fortigates.

Fortinet have no problem with you buying a used Fortigate elsewhere, though, provided you acquired the firewall in legitimate ways.

Will I need a license for my Fortigate to work?

No, but read on. There is no such thing as an "unlicensed" hardware/appliance firewall. Licensing, or more exactly a subscription, is needed for some services, but many core features, like VPN (IPsec and SSL VPN), security rules, QoS, static and dynamic (OSPF, BGP, etc.) routing, VLANs, and such, work out of the box. Even if you hard reset your Fortigate, or go further and format its hard disk, erasing everything, the core features will work just fine.

Should I transfer the purchased Fortigate to my account in Fortinet?

It depends. When you buy a new Fortigate from a Fortinet partner, you can optionally (and most usually do) buy services like hardware warranty, technical support, and subscriptions for FortiGuard Web Filtering/IPS/AV/etc. as well. All those additional services are linked to an account in the Fortinet portal. It can be the partner’s account, or the account of the end client who purchased the firewall and then transferred it to her own account. If you want to use/renew/buy those services for your Fortigate, then yes - you need your Fortigate (its serial number) to be under your account in the Fortinet portal.

How do I transfer Fortigate to my account in the Fortinet portal?

You open a ticket with Customer Service at support.fortinet.com, or send the request for asset transfer to cs@fortinet.com. Next, Fortinet will send an email to the current/registered owner of this Fortigate, asking if they approve the transfer to your account. Here comes the pitfall: if the owners (as per Fortinet records) of this used firewall do not confirm/reply to this request, you may be denied the transfer or (more probably) asked for proof of purchase and ownership of the appliance (a photo of the admin GUI with the serial number clearly visible). If Fortinet cannot verify that you lawfully purchased your unit from an official partner/owner, you may be denied the transfer of ownership. This does not stop the Fortigate from working, but subscription-based services will be unavailable to it.

Hidden cost of renewing an existing subscription

If there is a time gap between the subscription expiration date and your order to renew it, you pay once for this gap as well. That is, say you bought a Fortigate with a subscription bundle that expired 3 months ago and you want to renew this bundle - Fortinet will bill for this 3-month gap as well, and so forth, up to 6 months back. Also worth noting: to be able to buy/renew a subscription for a Fortigate, it has to be still supported and active. You cannot buy, for example, a subscription for a Fortigate 110C. To see the end-of-life status of a Fortigate, search for "Fortinet Product Life Cycle".

Should I wipe the firewall, could it be back-doored?

When you get someone else’s firewall, it is always a good idea to reset its configuration to the factory defaults. You can do it on the CLI with execute factoryreset. This resets the configuration to the default one but leaves the FortiOS firmware intact, so it does nothing for you if it is the firmware itself you do not trust. Many recommend going further and formatting the flash that FortiOS boots from. The downside to formatting the flash is that you then have to do a TFTP network boot and have a FortiOS image ready, which not everyone wants to do.

Do I need to buy additional hardware?

You may need a console cable if the Fortigate was not reset to the default configuration and so will not hand out IPs via DHCP. The console cable is the usual one, like you may have seen with Cisco equipment. IMPORTANT: when buying a used firewall, make sure it includes a power adapter, as a new one will cost you at least $100.

What model should I buy?

For learning purposes even the smallest models will do. The available features are almost identical for small and big (expensive) models. For example, even the smallest Fortigate 30E supports up to 5 VDOMs, High Availability clustering, and such. The important consideration here is the latest supported FortiOS version for a given model. Fortinet stops supporting small models much sooner than the larger ones. As an example, the latest FortiOS available for the Fortigate 30E is 6.2.11, while the slightly larger Fortigate 60E has FortiOS 7.2.3 available. This means that if you buy the (cheaper) 30E, you will not be able to use features introduced in the 6.4/7.0/7.2 versions. This may or may not matter to you, but be aware of it.

Seller sold me a firewall without an admin password, what can I do?

It happens, especially when a seller offers a Fortigate in "power test only" condition, that you have no admin-level user/password to manage it. The best case is that you can reset the admin password at boot-up via the console using the built-in maintainer account; just search Google for "Fortigate Resetting a lost Admin password". The worst case is that you have no admin password AND the previous owner disabled the maintainer feature - you will get the error PASSWORD RECOVERY FUNCTIONALITY IS DISABLED when trying to use the maintainer account. What happens next depends on the specific model: small models (Fortigate 40F, 80F, etc.) have a RESET button on the front panel which, while pressed, resets the configuration to the factory default. The large models have no such button. Conclusion: if you’re not sure of the seller, check beforehand in its data sheet that your model can be reset with the button. I have collected most of the data sheets here if you need them: "Fortigate Firewalls Hardware - CPU model and number, Memory (RAM) and hard disk size datasheet table".
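As an added example (not from the article), the console session below ties together the wipe described under "Should I wipe the firewall" and the maintainer-account check from this answer. It assumes you already have an admin login on the serial console; the prompts, the serial number and the output lines are constructed/abbreviated and vary by FortiOS version.

```text
# Constructed example: first-boot hygiene for a used FortiGate over the serial console.
# Output lines are abbreviated; the serial number is a placeholder.

# 1. Record model, firmware version and serial number before wiping anything.
#    The version tells you how far behind the latest supported FortiOS this model is;
#    the serial number is what goes into the ownership-transfer ticket.
FGT # get system status
Version: FortiGate-60E v6.2.11,build1290 (GA)
Serial-Number: FGT60EXXXXXXXXXX
...

# 2. Confirm the previous owner did not disable console password recovery
#    (the "maintainer" account) - do this while you still have admin access.
FGT # show full-configuration system global | grep admin-maintainer
    set admin-maintainer enable

# 3. Wipe the previous owner's configuration. This touches the config only;
#    the FortiOS firmware image on flash stays exactly as it was.
FGT # execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n)y

# 4. After the reboot, set your own admin password before the unit sees any network.
FGT # config system admin
FGT (admin) # edit admin
FGT (admin) # set password <new-strong-password>
FGT (admin) # next
FGT (admin) # end
```

If step 2 shows admin-maintainer disabled and you cannot log in, only the front-panel RESET button (on models that have one) gets you back to factory defaults.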

Where do I get up-to-date firmware for my firewall?

You can only legally get new firmware, provided it exists for a given model, if you have an active FortiCare contract. Chances are your used Fortigate will already have all contracts/subscriptions expired. So, see the entry above about buying/renewing subscriptions, or try your luck asking for firmware on the Internet (Reddit/Telegram/forums/etc.). The firmware upgrade is just a downloadable file that will work no matter how you got it. Keep in mind, though, that an image from an untrusted source is exactly the kind of back door the wipe section above tries to rule out, so verify the file’s checksum against the one Fortinet publishes for that release before flashing it.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ so as not to miss what I publish on LinkedIn, Github, my blog, and more.