I'm interested in obtaining a used Fortigate FW appliance like a 40C to learn. Not sure how the licensing works. Can I just buy a used one without support and it will work or do you need a license key to get basic functionality?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
My current home firewall is running without support. Here is what I officially have access to.
No Support. No hardware replacement. No firmware updates. There is a basic hardware/firmware support option available that is relatively affordable for home/test use.
Everything in Fortiview works
All network settings work- including the fortiddns, sd-wan, dynamic routing.
Most system settings work- multiple admin profiles, replacement messages, snmp, certificates, ha. Obviously fortiguard updates don't work unless you're licensed. I believe the reputation DB is there, but stuck at whatever version it had when last licensed.
All policy settings work.
Almost all Security profile settings work, with minor exceptions. Antivirus works, but you are stuck with the definitions it had when last licensed. Web filter works- but you cannot use fortiguard categories. You can use onboard url lists, content filtering, etc. Most of DNS filter does NOT work, because it relies upon fortiguard. Application control works, but it's stuck with an application list from when it was last licensed. In theory application control became a free service at some point, but i haven't been able to find additional details about what that actually means. IPS works, but you're stuck with signatures from when it was last licensed. Most of Antispam does not work, the majority of it depends on fortiguard. DLP works. WAF works. Forticlient compliance is licensed separately, but it will work as long as you have <10 clients for free. SSL inspection works. You can create custom IPS signatures.
Everything VPN works- except OCVPN. That is a thing that requires licensing.
Everything User/device management works. FSSO, local users/groups, device inventory.
WAN Optimization works. On devices with hard drives, Wan Opt should work.
Log/Reporting should all work.
Forticloud free services work- you can upload logs to the cloud and get the weekly reports, etc as long as you dont go past the free limits there.
It appears that fortinet has changed their stance on used/second hand firewalls and support. It used to be that an ownership transfer could happen with help from support and you could then renew support as needed on your own. Based on some responses on the forums recently- they may have moved to a no support at all for anyone not buying from approved vendors.
If you are renewing support on a device that has lapsed- you need to remember about the 6-month burn policy. All support renewals go retroactive until their support lapse date up to 6 months. So if you have a device that has not had support for 1 year, and you buy 1 additional year of support for it- the contract will be back-dated 6 months, and have a new expiration date only 6 months in the future. I feel it's a fair compromise to incentivize people to have continuing coverage but not completely ignore that sometimes that just doesn't happen.
CISSP, NSE4
well without licenses you won't get Frimwareupdates or Support.
You will not be able to use UTM Features like webfilter or SSL Inspection.
You will be able to set up VPNs, Interfaces,Routes,Policies so basic functionality should be there without licenses.
Even Fortinets DynDNS Service works without License.
I used some old 80C the licenses of which already have expired (but we had them licensed when they were still in use at shops but we didn't get them new licenses after we replaced them). I needed some routing, switching and ipsec and dyndns. Worked all fine...
btw I'd suggest not buying any A,B or C series because you only get old firmware for those. Only a few C series (like the 80C) get up to at least FortiOS 5.6. The older fortioses are missing too many useful options and have some incompatibilities.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
And to add IPS updates to that list. You can always add AV and IPS updates manually without a license. In fact you can download the updates if you have one supported fortigate and install on another.
Ken Felix
PCNSE
NSE
StrongSwan
My current home firewall is running without support. Here is what I officially have access to.
No Support. No hardware replacement. No firmware updates. There is a basic hardware/firmware support option available that is relatively affordable for home/test use.
Everything in Fortiview works
All network settings work- including the fortiddns, sd-wan, dynamic routing.
Most system settings work- multiple admin profiles, replacement messages, snmp, certificates, ha. Obviously fortiguard updates don't work unless you're licensed. I believe the reputation DB is there, but stuck at whatever version it had when last licensed.
All policy settings work.
Almost all Security profile settings work, with minor exceptions. Antivirus works, but you are stuck with the definitions it had when last licensed. Web filter works- but you cannot use fortiguard categories. You can use onboard url lists, content filtering, etc. Most of DNS filter does NOT work, because it relies upon fortiguard. Application control works, but it's stuck with an application list from when it was last licensed. In theory application control became a free service at some point, but i haven't been able to find additional details about what that actually means. IPS works, but you're stuck with signatures from when it was last licensed. Most of Antispam does not work, the majority of it depends on fortiguard. DLP works. WAF works. Forticlient compliance is licensed separately, but it will work as long as you have <10 clients for free. SSL inspection works. You can create custom IPS signatures.
Everything VPN works- except OCVPN. That is a thing that requires licensing.
Everything User/device management works. FSSO, local users/groups, device inventory.
WAN Optimization works. On devices with hard drives, Wan Opt should work.
Log/Reporting should all work.
Forticloud free services work- you can upload logs to the cloud and get the weekly reports, etc as long as you dont go past the free limits there.
It appears that fortinet has changed their stance on used/second hand firewalls and support. It used to be that an ownership transfer could happen with help from support and you could then renew support as needed on your own. Based on some responses on the forums recently- they may have moved to a no support at all for anyone not buying from approved vendors.
If you are renewing support on a device that has lapsed- you need to remember about the 6-month burn policy. All support renewals go retroactive until their support lapse date up to 6 months. So if you have a device that has not had support for 1 year, and you buy 1 additional year of support for it- the contract will be back-dated 6 months, and have a new expiration date only 6 months in the future. I feel it's a fair compromise to incentivize people to have continuing coverage but not completely ignore that sometimes that just doesn't happen.
CISSP, NSE4
Thank you all for your posts. That was exactly what I was looking for.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.