Fortigate end of support and end of life explained


Fortigate end of support and end of life life cycle

When buying/renewing Fortigate firewalls it is important to take into account the Support/Updates life cycle. Fortinet use few terms in this regard we need to understand.

End of Order Date

The last date we can buy a particular model of the Fortigate. Those dates are individual for each model and are announced on ongoing basis. The source of truth for all models is the page https://support.fortinet.com/Information/ProductLifeCycle.aspx, which is being updated periodically. The page requires Forticloud registration, but is free and available to everyone. This date is the starting point of all the other date calculations.

End of Support (EOS)

The last date in the Fortigate model life cycle. There will be no hardware or software support for this model beyond this date. The usual practice is to have EOS 60 months (5 years) since the End of Order date. After this date, nor hardware nor software support is provided, even the critical vulnerabilities in the FortiOS (software) will not be fixed.

Last Service Extension Date (LSED)

The last date we can extend support/subscription service for a model which is not being sold anymore. This date will be at the latest 12 months before the End of Support date.

End of Engineering Support Date (EOES)

This is for firmware (FortiOS) only - after this date, only the critical security patches and updates will be issued for a given version of FortiOS, until the End of Support for this FortiOS version. The regular bugs will not be fixed or reported. Currently, it is 36 months (3 years) starting with the date of the first release in a given FortiOS version.

Now let’s look at examples. Fortigate 100E - End of Order is August 17th of 2021, Last Service Extension Date is 17th of August year 2025, and End of Support is 17th of August year 2026. This means we cannot (2023) order this model anymore as new, we can extend subscription services like AV/IPS/etc. till the 17th of August 2025, and after the 17th of August 2026 we cannot open support/RMA tickets or get new patches/software for this Fortigate. On the FortiOS level, the release notes for FortiOS 7.2.3 list Fortigate 100E as supported, so we can safely assume that until the End of Engineering Support for this version (7.2.x), set at 31st of March 2025, we will have updated versions fixing bugs and security vulnerabilities available as well. After that date we can hope Fortinet will issue patches for critical vulnerabilities in 7.2.x, but no regular bugs would be fixed. After the End of Support for 7.2 date, which happens at 30th of September 2026, given that hardware model is supported until 17th August of 2026, there will be no new releases of any FortiOS for this Fortigate 100E.

Fortinet page ofr life cycle for all models
Screenshot of the life cycle page
Important
Life cycles of Fortigate hardware models and FortiOS firmware versions are unrelated. Fortinet drops FortiOS new releases support for smaller models first.

Let’s look at Fortigate 30E - which was released in 2015. The End of Order is 31st of March 2022, End of Service Extension is 31st of March 2026, and the End of Support is on 31st of March, 2027. The logic is the same as for the Fortigate 100E, but the latest version of FortiOS available for this model is 6.2.x train and there will be no 6.4/7.0/7.2/etc. versions for it. End of Engineering Support for 6.2 happened on 28th of March 2022, which means even though we have model support up to 2027, Fortinet will not release new features or fix regular bugs for this 6.2 versions. Moreover, the critical vulnerabilities will be fixed until 28th of September 2023. So we may potentially have a supported hardware model until 2027, but which has/will have critical vulnerabilities in its FortiOS version unfixed for 4 years. Be aware of this in your calculations.

N.B. It is not all black or white - for the recent critical heap-based buffer overflow Fortinet did create a fix even for beyond End of Support version 6.0 (6.0.16), but it is not guaranteed or even promised.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.