Technical Tip: FortiGate is displaying a grace period even when the license has been activated and is marked as valid

The FortiGate grace period means the FortiGate firewall's service contract has reached the end of its service contract, but will continue to function for a designated period. This will allow to renew the subscription without losing functionality right away.

The grace period usually lasts 60 to 90 days, depending on the location and contract terms. Refer to this useful link for more information. 

Fortinet’s Service Contract Activation and Grace Period Policy 

The way a FortiGate device behaves when a license expires depends on the type of license and configuration. Here is what usually happens:

• Grace Period: Some licenses include a grace period, allowing the device to keep working with limited functionality or reduced security features. This gives time to renew the license without immediate service interruption.
• Service Disruption: If a license expires, certain features like antivirus, intrusion prevention, web filtering, or VPN services may stop working, depending on the license type.
• Limited Functionality: Even if the license expires, basic network routing and connectivity may still work, but advanced security features requiring a valid license will be disabled or restricted.
• Notifications: FortiGate devices usually send warnings before a license expires. These alerts help network administrators take action before services are affected.

It can be noted that if FortiGate has a valid license but still shows a 'Warning' status and is in a grace period (see the screenshot below), it is necessary to manually update it with the FortiGuard server to refresh the license status.

Follow this useful guideline to fix the issue: Troubleshooting Tip: Unable to connect to FortiGuard servers.

If all of the above have been checked and the issue persists, try upgrading the unit to the next available release. This will resolve the 'in-grace period' issue immediately.

Additionally, a similar issue has also been observed on FortiGate firmware version 7.4.11 on devices where VDOMs and vclustering are enabled.

The invalid Grace Period warning depends on the root VDOM within the cluster.

For example:

• When the root VDOM is active on the primary unit, the primary validates successfully while the secondary enters a warning/grace period.
• When the root VDOM is moved to the secondary unit, the secondary validates successfully, and the primary becomes the unit that cannot validate.

This issue has been resolved in the upcoming FortiGate firmware version 7.4.12.