dsrivastava
Staff
December 26, 2022

Technical Tip: List of features that will still continue to work if FortiGate subscription is expired

Description

This article describes which FortiGate features continue to function even if the device does not have an active FortiGuard security subscription or if the subscription has expired.

It is important to distinguish between FortiGate system licensing and FortiGuard security subscriptions.

FortiGuard subscriptions provide updated security intelligence, such as:

  • IPS signatures.
  • Antivirus definitions.
  • Application Control signatures.
  • Web filtering ratings.

 

However, many FortiGate capabilities are core firewall and networking functions that do not rely on FortiGuard services. These features continue operating normally even if FortiGuard subscriptions are not present.

When a FortiGuard subscription expires, security features such as IPS, Application Control, Antivirus, and Web Application Firewall will continue to function using the last downloaded signature databases, but new updates will no longer be downloaded.

 

For FortiGate VM deployments, there is also a separate VM license validation mechanism that requires periodic communication with Fortinet licensing servers. This mechanism is independent of FortiGuard subscriptions. If a FortiGate VM cannot reach Fortinet licensing servers for an extended period (typically around 30 days), the VM may stop processing traffic unless it is configured with an offline license.

Scope

FortiGate, FortiGate VM license, FortiGuard.

Solution

Even without active FortiGuard subscriptions, many FortiGate features remain fully operational because they are part of the firewall's core functionality. However, security services that rely on FortiGuard threat intelligence will not receive updates.

 

Features that continue to work without FortiGuard Subscriptions:

  1. Firewall Policies: Stateful inspection and policy enforcement continue to function normally.
  2. NAT (SNAT, DNAT, VIP, IP Pools): Continues performing address translation based on configured NAT rules.
  3. VPN (IPsec / SSL VPN): Continues allowing secure remote access and site-to-site connectivity (FortiClient tunnel access over IPsec; SSL VPN is deprecated starting v7.6.3+).
  4. Routing (Static/Dynamic): Continues forwarding traffic based on configured routing tables and protocols.
  5. SD-WAN: Continues selecting optimal paths using configured performance and routing rules.
  6. High Availability (HA): Continues providing cluster synchronization and failover between FortiGate units.
  7. Interfaces (Physical, VLAN, LAG, Loopback, Zones): Continues handling traffic according to configured interface settings.
  8. QoS / Traffic Shaping: Continues applying bandwidth limits and traffic prioritization policies.
  9. Logging (Local / Syslog / FortiAnalyzer / NetFlow / sFlow): Continues generating and exporting logs based on configured logging settings.
  10. Authentication (LDAP, RADIUS, TACACS+, SAML, MFA): Continues authenticating users against configured authentication servers.
  11. GRE / VXLAN: Continues encapsulating traffic using configured tunneling protocols.
  12. Policy-Based Routing: Continues directing traffic according to configured routing policies.
  13. DHCP Server: Continues assigning IP addresses to clients using configured DHCP scopes.
  14. SNMP: Continues providing monitoring data to SNMP management systems.
  15. FortiAP Controller: Continues managing connected FortiAP wireless access points.
  16. FortiSwitch Controller: Continues managing connected FortiSwitch devices.
  17. External Threat Feeds: Continues consuming configured external threat intelligence feeds.
  18. Internet Service Database (ISDB): Continues matching traffic to the existing ISDB entries already present on the device.
  19. DoS / DDoS Protection: Continues detecting and mitigating traffic anomalies using configured thresholds.
  20. VoIP Protection: Continues inspecting and protecting VoIP traffic using configured profiles.
  21. Configuration Revisions: Continues tracking configuration changes and maintaining revision history.
  22. Device Detection / Inventory: Continues identifying devices based on observed network traffic characteristics.
  23. DLP: Continues enforcing configured data loss prevention rules and content inspection policies.

 

Features that continue with limited functionality: 

  1. IPS: Continues inspecting traffic using the last downloaded IPS signature database.
  2. Application Control: Continues identifying applications using existing signatures.
  3. Antivirus: Uses existing virus definitions but cannot download updates.
  4. Web Application Firewall: Continues using previously downloaded signatures.
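
Because these engines keep running on whatever database was last downloaded, the practical risk is signatures aging without anyone noticing. The following is an added example, not Fortinet code: it flags expired contracts and stale databases from text laid out like the output of `diagnose autoupdate versions`. The sample text, the assumed layout, the 14-day threshold and the function name `audit_signatures` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample laid out like `diagnose autoupdate versions` output
# (layout is an assumption; all versions and dates are invented).
SAMPLE = """\
Virus Definitions
---------
Version: 90.08000
Contract Expiry Date: Tue Nov  1 2022
Last Updated using scheduled update on Mon Oct 31 04:12:00 2022

Attack Definitions
---------
Version: 22.00460
Contract Expiry Date: Sat Dec 30 2023
Last Updated using scheduled update on Sun Dec 25 01:05:00 2022

Application Definitions
---------
Version: 22.00380
Contract Expiry Date: Sat Dec 30 2023
Last Updated using manual update on Thu Sep 15 09:30:00 2022
"""

_EXPIRY = re.compile(r"^Contract Expiry Date:\s*(.+)$", re.M)
_UPDATED = re.compile(r"^Last Updated using .+? on\s+(.+)$", re.M)

def _parse(value, fmt):
    # Collapse padded day fields ("Nov  1") before parsing.
    return datetime.strptime(" ".join(value.split()), fmt)

def audit_signatures(text, now, max_age_days=14):
    """Map each database to its issues: expired contract and/or stale content."""
    findings = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        expiry, updated = _EXPIRY.search(block), _UPDATED.search(block)
        if not (expiry and updated):
            continue  # not a section with licence and update information
        issues = []
        if _parse(expiry.group(1), "%a %b %d %Y").date() < now.date():
            issues.append("contract-expired")
        age = now - _parse(updated.group(1), "%a %b %d %H:%M:%S %Y")
        if age > timedelta(days=max_age_days):
            issues.append("stale-database")
        findings[block.splitlines()[0].strip()] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit_signatures(SAMPLE, datetime(2022, 12, 26, 12, 0)).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

A database that is stale while its contract is still valid usually points to an update or connectivity problem rather than licensing, so the two conditions are reported separately.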

 

Features that require a FortiGuard subscription:

  1. FortiGuard Web Filtering Categories.
  2. FortiGuard Web Rating Queries.
  3. FortiGuard Antivirus Updates.
  4. FortiGuard IPS Updates.
  5. FortiGuard Application Control Updates.
  6. Botnet / IP Reputation.
  7. Outbreak Prevention.
  8. FortiSandbox Cloud Integration.

 

Note on web filtering behavior:

Web/URL filtering can still be applied on the FortiGate even without an active FortiGuard Web Filtering subscription; however, its functionality becomes limited.

Without a FortiGuard subscription, the FortiGate cannot query FortiGuard Web Rating servers to determine the reputation or category of a website. As a result, category-based web filtering will not function, since the firewall cannot retrieve the FortiGuard classification for a given URL.

 

What will work:

The following Web Filtering features will continue to function because they rely on locally configured rules rather than FortiGuard cloud services:

  • Static URL filter lists (explicit allow/block entries).
  • Local domain or wildcard URL matching.
  • Blocking of specific URLs or domains that are configured manually.
  • Blocking ActiveX controls.
  • Local content filtering rules applied through proxy inspection.

These controls operate using locally stored configuration on the FortiGate, so they remain unaffected by the absence of FortiGuard subscriptions.

 

What will not work:

The following functionality requires FortiGuard services and will therefore not work without a valid subscription:

  • FortiGuard URL category filtering.
  • Real-time URL reputation lookups.
  • Automatic categorization of new or unknown websites.
  • Cloud-based URL filtering intelligence.

 

Without these services, the firewall cannot determine whether a website belongs to categories such as:

  • Social Media.
  • Malware.
  • Phishing.
  • Adult Content.
  • Gambling.
  • Newly Registered Domains.

 

Without FortiGuard Web Filtering subscriptions:

  • Administrators must manually maintain URL allow/block lists.
  • The firewall cannot automatically detect and block malicious or newly categorized websites.
  • Newly created domains or websites will not be categorized automatically, which may reduce protection against phishing or malicious sites.
  • Web filtering policies based on FortiGuard categories will not be enforced.

 

Related documents:
Technical Tip: FortiGate behavior when FortiGuard licenses are expired

License expiration 

FortiGate Subscriptions and FortiGuard Bundles