Administration Guide

License expiration

The FortiGate will still function as a firewall if any or all of the FortiGuard licenses are expired. Valid FortiGuard licenses are required to receive database and signature updates, and to perform real-time or near-real-time security lookups to detect and quickly adjust your security posture for newly discovered attacks.

Note

FortiGuard services are designed to be continuous. Any lapses in the service will require coverage back to the contract expiration date. For more information, see FortiCare/FortiGuard Renewal Continuous Service Policy.

License type

Expiration impact

Firmware & General Update

Application Control, Device & OS Identification, and Internet Service Database Definitions continue to work, but the databases are not updated and no new signatures are added.

For example, if application control is used in a firewall policy that has an internet service applied to the source or destination addresses, then the policy will continue to inspect matching traffic using the FortiGate's existing application control signatures and ISDB definitions.

Application control, device and OS detection, and internet service database are part of the base services included with all FortiCare support contracts. See FortiGuard Security Services for details.

Intrusion Prevention

IPS scanning continues to work, but the IPS databases are not updated and no new signatures are added.

For example, if an IPS sensor with Block malicious URLs enabled is used in a firewall policy, then the policy will continue to inspect matching traffic using the FortiGate's existing IPS signatures and malicious URLs database.

An active IPS license is critical for stopping sophisticated and zero-day attacks, as FortiGuard IPS provides near‑real‑time intelligence with thousands of intrusion prevention rules to detect and block known and zero-day threats.

For more information, see Intrusion prevention.

Botnet IPs/Domains

IPS sensors and DNS Filter profiles with Botnet C&C configured continue to work, but the Botnet IPs and Botnet Domain databases are not updated and no new signatures are added.

While Botnet IPs and Domain are listed in the Intrusion Prevention category, they are actually part of the Firmware & General Updates contract.

For more information, see Botnet C&C domain blocking and IPS with botnet C&C IP blocking.

AntiVirus

Antivirus scanning continues to work, but the antivirus database is not updated and no new signatures are added.

For more information, see Antivirus.

Web and DNS Filtering

Category-based Web and DNS filtering stops working, as URLs and domains are sent to FortiGuard in real-time to determine the category.

By default, all web and DNS traffic is dropped. If allowing website or DNS requests when a rating error occurs is enabled, then all web and DNS traffic passes through without filtering.

If static URL or domain filtering is applied in a filter profile, those filters continue to work.

Configurations where only specific URLs and domains are allowed and all others are blocked continue to work, but this is not a scalable solution for blocking websites or performing category filtering.

For more information, see FortiGuard filter and FortiGuard category-based DNS domain filtering.

Email Filtering

Spam filtering stops working, as it queries the FortiGuard spam filtering server in real-time to check spammer IP addresses and emails (except those that are locally configured), phishing URLs, spam URLs, spam email checksums, and spam submissions. Anti-spam signatures are not updated.

Profile options based on local spam filtering continue to work.

For more information, see Email filter.

Outbreak Prevention

Outbreak prevention stops working, as it uses real-time lookups to the FortiGuard Global Threat Intelligence database.

For more information, see FortiGuard outbreak prevention.

Security Rating

The security rating check stops working.

Security Rating licenses are required to run security rating checks across all of the devices in the Security Fabric. They allow rating scores to be submitted to and received from FortiGuard for network ranking. Without security rating checks, critical vulnerabilities and configuration weaknesses in the Security Fabric cannot be identified, and best practice recommendations cannot be implemented.

For more information, see Security rating.

Industrial DB

Industry Security Service (ISS) signatures continue to work, but the database attack definitions are not updated and no new signatures are added.

ISS includes application control and IPS signatures for industrial applications and protocols.

For example, if an IPS sensor enabled with ISS signatures is used in a firewall policy, then the policy will continue to inspect matching traffic using the FortiGate's existing industrial database IPS signatures.

For more information, see Industrial signature database.
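The Web and DNS Filtering row above means a profile that allows requests on a rating error passes all web and DNS traffic unfiltered once the license lapses. The following added example (not Fortinet code) audits a configuration backup for such profiles; it assumes the setting appears in the CLI as `set options error-allow` under `config ftgd-wf` and `config ftgd-dns`, which should be checked against your firmware version, and the sample configuration is constructed.

```python
# Constructed sample of a FortiGate configuration backup (not from the page).
SAMPLE_CONFIG = """\
config webfilter profile
    edit "default"
        config ftgd-wf
            unset options
        end
    next
    edit "guest-web"
        config ftgd-wf
            set options error-allow rate-server-ip
        end
    next
end
config dnsfilter profile
    edit "branch-dns"
        config ftgd-dns
            set options error-allow
        end
    next
end
"""

# Assumed CLI layout: profile section -> nested FortiGuard block holding "options".
WATCHED = {"webfilter profile": "ftgd-wf", "dnsfilter profile": "ftgd-dns"}

def find_fail_open_profiles(config_text):
    """Return [(section, profile)] where a rating error lets traffic pass."""
    findings, stack, profile = [], [], None  # stack = open "config" blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif line.startswith("edit ") and len(stack) == 1:
            profile = line[len("edit "):].strip('"')
        elif line == "next" and len(stack) == 1:
            profile = None
        elif line.startswith("set options ") and len(stack) == 2:
            section, sub = stack
            if WATCHED.get(section) == sub and "error-allow" in line.split()[2:]:
                findings.append((section, profile))
    return findings

if __name__ == "__main__":
    for section, name in find_fail_open_profiles(SAMPLE_CONFIG):
        print(f"{section} '{name}': passes traffic unfiltered on rating error")
```

Profiles not reported keep the default behavior described above, so their web and DNS traffic is dropped when category lookups fail.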
