Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dsrivastava
Staff
Staff

Created on ‎12-26-2022 03:16 AM Edited on ‎07-15-2025 09:11 AM By Staff

Article Id 240941

Technical Tip: List of features that will still continue to work if FortiGate subscription is expired

Description This article describes features that work, even if the Fortigate has never had the subscription in the first place.
Scope

VM FortiGate has a license check, which is unrelated to the FortiGuard subscription.

This license check requires non-stop online communication with the FortiGuard servers.
The VM FortiGate will stop working completely, if it cannot reach FortiGuard servers for a long time (30 days usually), unless using a special, offline license.
Solution

Security rules.

The FortiGate will continue filtering traffic according to the Security Rulebase.

  • All kinds of NAT: SNAT, DNAT, VIP, dynamic pools, etc.
  •  VPN - all types, IPSec site-to-site, Remote Access as SSL VPN in web mode, and full tunnel with FortiClient and as IPSec client.
  • IPS with the signatures last updated before the subscription expired. That is, IPS will continue working, but new signatures will not be downloaded.
  • AppControl using the signatures last updated before the subscription expired.
  • Web/URL Filtering using static allow/block lists. Without a subscription, the firewall cannot query FortiGuard for URL web ratings, so Web filtering using Fortiguard assigned Categories will not work. But if the static block/allows URL lists, it will work. Also blocking ActiveX controls will work too.
  • All types of interfaces: physical, VLANs, Virtual Wire, Loopbacks, LAGs, redundant, Zones.
  •  Security rules modes: proxy and flow. All modes of proxy mode will work: Explicit, Transparent.
  •  SSL/SSH inspection - certificate and deep packet inspection.
  •  Applying UTM in both: Policy based and Profile based modes.
  • VDOMs.
  •  High Availability (HA).
  • QOS.
  •  SD-WAN feature, including AppControl integration (but see above about Application Control signature updates).
  •  WAF with the signatures last updated before the subscription expired.
  • VIP of load balancing type.
  • DoS/DDoS protection rules.
  • Device inventory.
  • Access Point controller.
  • FortiSwitch management.
  • All types of logging, Netflow/sFlow export.
  • GRE and VXLAN traffic encapsulation.
  • VRFs, if supported by FortiOS version.
  • One-arm sniffer.
  • Static, all dynamic protocol, and Policy Based routing.
  • All types of authentication: local, LDAP, Radius, Tacacs, SAML, MFA.
  • SNMP.
  • DHCP server.
  • Internet Service Database (ISDB).
  • External Threat Feeds.
  • VOIP protections and profiles.
  • Configuration version revisions.
  • DLP.

 

Related documents:
Technical Tip: FortiGate behavior when FortiGuard licenses are expired  

License expiration 

FortiGate Subscriptions and FortiGuard Bundles Ordering Guide
12245
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.