klnas
New Contributor

Licensing and basic functionality

I'm interested in obtaining a used FortiGate FW appliance like a 40C to learn. Not sure how the licensing works. Can I just buy a used one without support and it will work, or do you need a license key to get basic functionality?

1 Solution
Kenundrum

My current home firewall is running without support. Here is what I officially have access to.

No support. No hardware replacement. No firmware updates. There is a basic hardware/firmware support option available that is relatively affordable for home/test use.

Everything in FortiView works.

All network settings work, including FortiDDNS, SD-WAN, and dynamic routing.

Most system settings work: multiple admin profiles, replacement messages, SNMP, certificates, HA. Obviously FortiGuard updates don't work unless you're licensed. I believe the reputation DB is there, but stuck at whatever version it had when last licensed.

All policy settings work.

Almost all security profile settings work, with minor exceptions. Antivirus works, but you are stuck with the definitions it had when last licensed. Web filter works, but you cannot use FortiGuard categories. You can use onboard URL lists, content filtering, etc. Most of DNS filter does NOT work, because it relies upon FortiGuard. Application control works, but it's stuck with an application list from when it was last licensed. In theory application control became a free service at some point, but I haven't been able to find additional details about what that actually means. IPS works, but you're stuck with signatures from when it was last licensed. Most of Antispam does not work; the majority of it depends on FortiGuard. DLP works. WAF works. FortiClient compliance is licensed separately, but it will work as long as you have <10 clients for free. SSL inspection works. You can create custom IPS signatures.

Everything VPN works, except OCVPN. That is a thing that requires licensing.

Everything user/device management works: FSSO, local users/groups, device inventory.

WAN Optimization works. On devices with hard drives, WAN Opt should work.

Log/Reporting should all work.

FortiCloud free services work: you can upload logs to the cloud and get the weekly reports, etc., as long as you don't go past the free limits there.

It appears that Fortinet has changed their stance on used/second-hand firewalls and support. It used to be that an ownership transfer could happen with help from support and you could then renew support as needed on your own. Based on some responses on the forums recently, they may have moved to no support at all for anyone not buying from approved vendors.

If you are renewing support on a device that has lapsed, you need to remember the 6-month burn policy. All support renewals go retroactive to their support lapse date, up to 6 months. So if you have a device that has not had support for 1 year, and you buy 1 additional year of support for it, the contract will be back-dated 6 months, and have a new expiration date only 6 months in the future. I feel it's a fair compromise to incentivize people to have continuing coverage but not completely ignore that sometimes that just doesn't happen.

CISSP, NSE4

4 REPLIES
sw2090
Honored Contributor

Well, without licenses you won't get firmware updates or support.

You will not be able to use UTM features like web filter or SSL inspection.

You will be able to set up VPNs, interfaces, routes, and policies, so basic functionality should be there without licenses.

Even Fortinet's DynDNS service works without a license.

I used some old 80Cs, the licenses of which had already expired (we had them licensed when they were still in use at shops, but we didn't get them new licenses after we replaced them). I needed some routing, switching, IPsec and DynDNS. It all worked fine...

Btw, I'd suggest not buying any A, B or C series because you only get old firmware for those. Only a few C series (like the 80C) get up to at least FortiOS 5.6. The older FortiOS versions are missing too many useful options and have some incompatibilities.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

emnoc
Esteemed Contributor III

And to add IPS updates to that list: you can always add AV and IPS updates manually without a license. In fact, you can download the updates if you have one supported FortiGate and install them on another.

Ken Felix

PCNSE 

NSE 

StrongSwan  

klnas

Thank you all for your posts. That was exactly what I was looking for.