Skip to main content
bosch32
bosch32
New Member
November 2, 2025
Question

Is this a bad design choice.

  • November 2, 2025
  • 2 replies
  • 368 views

I have been running Full UTP on a ha pair of 40F for my family main goal was fitler kids vlan. small device had to cut back on some stuff but was still able to do the filtering. I just bought a pair of 100F, and I wanted to ask if this is dumb thought.

Comparing the UTP vs just Forticare the two things I see I would miss that my 2 years of logs show I use is DNS filtering and web filtering. However 99.9% of my web filter hits are on my kids vlan. For my VLAN to VLAN routing and ACL I had a pair of mikrotik routers.

My plan was to replace the routers with the two 100F buy forticare run SSL decrypt and APP control at that level. Then keep UTP on the 40F but then only decrypt on my kids vlan and only run web filtering and dns filtering on just that vlan. I don't think DNS filtering is a heavy hitter. I am honestly a bit confused why app control can't do it all I see the same categories in app control and as I understand app control is before web filter in the policy chain.

I have a dedicated account i put money in every pay day to pay my annual license cost it would be just slightly less then I needed to buy two 100F UTP so I guess I could cut else where and spend there. But given I have been able to get what I need for the most part with the 40F I thought this might be a good middle ground to split resources usage up.

2 replies

funkylicious
SuperUser
funkylicious
SuperUser
November 2, 2025

hi,

FortiCare alone only provides support for software and hardware, you would need a UTP license for NGFW features like App Control, DNS Filter, Web Filter etc.

is there a reason why you would want to replace the 40F with 100F? 

app control has and works in a different way from dns filter and web filter, therefore it cannot replace one or the other but they work well combined each doing its job.

 

L.E. you should look into OpenDNS to set up as dns servers on your kids vlan to control access to certain categories, which also is free to a certain extent.

"jack of all trades, master of none"
Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
November 2, 2025

I wouldn't say dumb but I never heard of anyone who uses 100F HA pair for home. Only a few our customers/companies in mid size got that set up at their ONLY HQ locations. How many kids do you have? More than ten?
The cost of UTP annually for 100F pair is match higher than 40F's.  At least, you should get the special HA hardware set deal to cut UTP cost in half.
https://docs.fortinet.com/document/fortigate/7.4.0/new-features/246857/single-fortiguard-license-for-fortigate-a-p-ha-cluster-7-4-6

Toshi

AEK
SuperUser
AEK
SuperUser
November 2, 2025

Hope your kids are not like my little angels. They simply use neighbors' wifi to bypass my $1K security.

AEK
Terms & ConditionsAccessibility statement