Hi there,
I have FG60D with no license. since this product already end of life support.
I want to use this firewall as basic firewall with:
1. restrict user from certain port, that only can access internet to exact address.
2. use antivirus with installed latest definition
3. use as VPN IPSEC between other FG60D or other client.
I've tried to make policy, activate antivirus and web filter policy with create custom profile.
custom profile has been set:
- disable fortigate category based.
- activate web url rule, and add some address, with parameter wildcard, allow. and at the bottom rule box, I set * , blocked.
- nat on
then I try, all client can't access internet, until i disable web filter.
kindly please help:
1. can we use old fortigate without license for basic firewall, as above?
2. why my problem occur, client can't connect internet?
thank you
-
Keeping an unsupported network/security device in production network should not be allowed (pseudo security).
Basically without a valid subscription the communication with FortiGuard services is not possible and the UTM features are practically not functional. The web filter may be blocked because of a rating error (it may be bypassed by 'Allow websites when a rating error occurs'), more details are shown here.
Hi @papapuff ,
1. can we use old fortigate without license for basic firewall, as above?
A: Yes, you can still use the URL Filter list even if you do not have a web filter license. For the URL Filter list usage, please check the following KB:
But for AV, I am not sure whether it will be working or not. You may test it with Eicar:
2. why my problem occur, client can't connect internet?
A: Please share the FGT configurations (tell us which firewall policy, and Web Filter profile are in use).
Apparently, something is wrong with your URL Filter entries. If the URL in the CA certificate is not the same as the real URL you need to access, you have to use Deep Inspection instead of Certificate Inspection.
Not sure what your FortiGate version is, but the following doc should still have the info for Deep Inspection:
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/122078/deep-inspection
Hi
Yes, you can use an old FortiGate device without a license for basic firewall functionalities. Here are some steps to help you achieve your requirements:
1. **Restricting User Access to Certain Ports**:
- Create a firewall policy to restrict user access to specific ports by defining the source, destination, and services allowed.
- Ensure the policy is correctly configured to only allow internet access to exact addresses.
2. **Using Antivirus with Latest Definitions**:
- Activate the antivirus feature on the FortiGate device.
- Ensure that the antivirus profile is configured to scan traffic for viruses with the latest definitions.
3. **Setting up VPN IPSec**:
- Configure VPN IPSec tunnels between your FortiGate devices or other clients.
- Ensure that the VPN settings, including encryption algorithms, authentication methods, and pre-shared keys, are correctly configured on both ends.
Regarding the issue with the web filter policy causing all clients to lose internet access, it seems like the web filter policy might be blocking all traffic unintentionally. Double-check the web filter rules and ensure they are configured correctly to allow necessary internet access while still providing the desired restrictions.
yes in fact the webfilter does block everything if it is enabled on a policy without valid license.
I don't think antivirus will get any definition updates without valid fortiguard license.
Since url filter list is a part of the webfilter I don't think you can use it without valid license.
What you can do:
you can restrict the user by port (i.e. service in FortiOS) definition
you can restrict the destination by using FQDN addressobjects (those do support wildcards)
you can to IPSec VPN
But you might have limitations on users usw.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hi @sw2090
---- "yes in fact the webfilter does block everything if it is enabled on a policy without valid license."
This statement is NOT true.
Please check the following KB about using the URL Filter list without a valid license:
And I did help one customer of mine to apply the URL Filter with no valid web filter license on their FortiGate. It was working as expected.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1736 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.