Application Control Signatures, Device & OS Identification, FortiGate Virtual Patch Signatures, Inline-CASB Application Definitions, Internet Service Database Definitions, and PSIRT Package Definitions continue to work, but the databases are not updated and no new signatures are added.

For example, if application control is used in a firewall policy that has an internet service applied to the source or destination addresses, then the policy will continue to inspect matching traffic using the FortiGate's existing application control signatures and ISDB definitions.

Application Control Signatures, Device & OS Identification, FortiGate Virtual Patch Signatures, Inline-CASB Application Definitions, Internet Service Database Definitions, and PSIRT Package Definitions are included in the base services that are included with all FortiCare support contracts See FortiGuard Security Services for details.

IPS scanning continues to work, but the IPS databases are not updated and no new signatures are added.

For example, if an IPS sensor with Block malicious URLs enabled is used in a firewall policy, then the policy will continue to inspect matching traffic using the FortiGate's existing IPS signatures and malicious URLs database.

An active IPS license is critical for stopping sophisticated and zero-day attacks, as FortiGuard IPS provides near‑real‑time intelligence with thousands of intrusion prevention rules to detect and block known and zero-day threats.

For more information, see Intrusion prevention.

IPS sensors and DNS Filter profiles with Botnet C&C configured continue to work, but the Botnet IPs and Botnet Domain databases are not updated and no new signatures are added.

While Botnet IPs and Domain are listed in the Intrusion Prevention category, they are actually part of the Firmware & General Updates contract.

For more information, see Botnet C&C domain blocking and IPS with botnet C&C IP blocking.

Antivirus scanning continues to work, but the antivirus database is not updated and no new signatures are added.

For more information, see Antivirus.

Category-based Web and DNS filtering stops working, as URLs and domains are sent to FortiGuard in real-time to determine the category.

By default, all web and DNS traffic is dropped. If allowing website or DNS requests when a rating error occurs is enabled, then all web and DNS traffic passes through without filtering.

If static URL or domain filtering is applied in a filter profile, those filters continue to work.

Configurations where only specific URLs and domains are allowed and all others are blocked continue to work, but this is not a scalable solution blocking websites or performing category filtering.

For more information, see FortiGuard filter and FortiGuard category-based DNS domain filtering.

Spam filtering stops working, as it queries the FortiGuard spam filtering server in real-time to check spammer IP addresses and emails (except those that are locally configured), phishing URLs, spam URLs, spam email checksums, and spam submissions. Anti-spam signatures are not updated.

Profile options based on local spam filtering continue to work.

For more information, see Email filter.

Outbreak prevention stops working, as it uses real-time lookups to the FortiGuard Global Threat Intelligence database.

For more information, see FortiGuard outbreak prevention.

Paid security rating checks stop working. CIS security control mappings are also disabled.

The Security Rating & CIS Compliance component of the Attack Surface Security Rating entitlement is required to run paid security rating checks across all of the devices in the Security Fabric. They allow rating scores to be submitted to and received from FortiGuard for network ranking. Without the Security Rating entitlement, only built-in security rating rules can be run. PSIRT-related vulnerability rules depend on the Firmware license support.

For more information, see Security rating.