Fortigate subscription expired, list of features that will continue to work

Forticare expired subscription

When subscription for Fortiguard-based services expires, many things will stop working, but a lot will continue to work still. Below is the full list of features in Fortigate that will continue working after the subscription expires. It also means these features work even if your Fortigate has never had the subscription in the first place.

VM Fortigate has a license check, which is unrelated to the Fortiguard subscription. This license check requires a non-stop online communication with the Fortiguard servers. The VM Fortigate will stop working completely, if it cannot reach Fortiguard servers for a long time (30 days usually), unless using a special, offline license (most clients don’t).
  • Security rules. The Fortigate will continue filtering traffic according to the Security Rulebase.

  • All kinds of NAT: SNAT, DNAT, VIP, dynamic pools, etc.

  • VPN - all types, IPSec site-to-site, Remote Access as SSL VPN in webmode and full tunnel with Forticlient and as IPSec client.

  • IPS with the signatures last updated before the subscription expired. That is, IPS will continue working, but new signatures will not be downloaded.

  • AppControl using the signatures last updated before the subscription expired.

  • Web/URL Filtering using static allow/block lists. Without subscription the firewall cannot query FortiGuard for URL web ratings, so Web filtering using Fortiguard assigned Categories will not work. But if you use static block/allow URL lists, they will work. Also blocking ActiveX controls will work too.

  • All types of interfaces: physical, VLANs, Virtual Wire, Loopbacks, LAGs, redundant, Zones.

  • Security rules modes: proxy and flow. All modes of proxy mode will work: Explicit, Transparent.

  • SSL/SSH inspection - certificate and deep packet inspection.

  • Applying UTM in both: Policy based and Profile based modes.

  • VDOMs.

  • High Availability (HA).

  • QOS.

  • SD-WAN feature, including AppControl integration (but see above about Application Control signature updates).

  • WAF with the signatures last updated before the subscription expired.

  • VIP of load balancing type.

  • DoS/DDoS protection rules.

  • Device inventory.

  • Access Point controller.

  • FortiSwitch management.

  • All types of logging, Netflow/sFlow export.

  • GRE and VXLAN traffic encapsulation.

  • VRFs, if supported by FortiOS version.

  • One-arm sniffer.

  • Static, all dynamic protocol, and Policy Based routing.

  • All types of authentication: local, LDAP, Radius, Tacacs, SAML, MFA.

  • SNMP.

  • DHCP server.

  • Internet Service Database (ISDB).

  • External Threat Feeds.

  • VOIP protections and profiles.

  • Configuration version revisions.

  • DLP.