
Administration Guide

License expiration

The FortiGate will still function as a firewall if any or all of the FortiGuard licenses are expired. Valid FortiGuard licenses are required to receive database and signature updates, and to perform real-time or near-real-time security lookups to detect and quickly adjust your security posture for newly discovered attacks.

Note: FortiGuard services are designed to be continuous. Any lapses in the service will require coverage back to the contract expiration date. For more information, see FortiCare/FortiGuard Renewal Continuous Service Policy.

The following lists each license type, followed by the impact of its expiration.

Firmware & General Updates

Application Control Signatures, Device & OS Identification, FortiGate Virtual Patch Signatures, Inline-CASB Application Definitions, Internet Service Database Definitions, and PSIRT Package Definitions continue to work, but the databases are not updated and no new signatures are added.

For example, if application control is used in a firewall policy that has an internet service applied to the source or destination addresses, then the policy will continue to inspect matching traffic using the FortiGate's existing application control signatures and ISDB definitions.

Application Control Signatures, Device & OS Identification, FortiGate Virtual Patch Signatures, Inline-CASB Application Definitions, Internet Service Database Definitions, and PSIRT Package Definitions are part of the base services included with all FortiCare support contracts. See FortiGuard Security Services for details.

Intrusion Prevention

IPS scanning continues to work, but the IPS databases are not updated and no new signatures are added.

For example, if an IPS sensor with Block malicious URLs enabled is used in a firewall policy, then the policy will continue to inspect matching traffic using the FortiGate's existing IPS signatures and malicious URLs database.

An active IPS license is critical for stopping sophisticated and zero-day attacks, as FortiGuard IPS provides near‑real‑time intelligence with thousands of intrusion prevention rules to detect and block known and zero-day threats.

For more information, see Intrusion prevention.

Botnet IPs/Domains

IPS sensors and DNS Filter profiles with Botnet C&C configured continue to work, but the Botnet IPs and Botnet Domain databases are not updated and no new signatures are added.

While Botnet IPs and Domains are listed in the Intrusion Prevention category, they are actually part of the Firmware & General Updates contract.

For more information, see Botnet C&C domain blocking and IPS with botnet C&C IP blocking.

AntiVirus

Antivirus scanning continues to work, but the antivirus database is not updated and no new signatures are added.

For more information, see Antivirus.

Web and DNS Filtering

Category-based Web and DNS filtering stops working, as URLs and domains are sent to FortiGuard in real-time to determine the category.

By default, all web and DNS traffic is dropped. If allowing website or DNS requests when a rating error occurs is enabled, then all web and DNS traffic passes through without filtering.

If static URL or domain filtering is applied in a filter profile, those filters continue to work.

Configurations where only specific URLs and domains are allowed and all others are blocked continue to work, but this is not a scalable solution for blocking websites or performing category filtering.

For more information, see FortiGuard filter and FortiGuard category-based DNS domain filtering.

Email Filtering

Spam filtering stops working, as it queries the FortiGuard spam filtering server in real-time to check spammer IP addresses and emails (except those that are locally configured), phishing URLs, spam URLs, spam email checksums, and spam submissions. Anti-spam signatures are not updated.

Profile options based on local spam filtering continue to work.

For more information, see Email filter.

Outbreak Prevention

Outbreak prevention stops working, as it uses real-time lookups to the FortiGuard Global Threat Intelligence database.

For more information, see FortiGuard outbreak prevention.

Security Rating & CIS Compliance

Paid security rating checks stop working. CIS security control mappings are also disabled.

The Security Rating & CIS Compliance component of the Attack Surface Security Rating entitlement is required to run paid security rating checks across all of the devices in the Security Fabric. They allow rating scores to be submitted to and received from FortiGuard for network ranking. Without the Security Rating entitlement, only built-in security rating rules can be run. PSIRT-related vulnerability rules depend on the Firmware license support.

For more information, see Security rating.

Operational Technology (OT) Threat Definitions

OT Security Services signatures continue to work, but the database attack definitions are not updated and no new signatures are added.

OT Security Services include application control and IPS signatures for OT applications and protocols.

For example, if an IPS sensor enabled with OT Security Service signatures is used in a firewall policy, then the policy will continue to inspect matching traffic using the FortiGate's existing OT threat definition IPS signatures.

For more information, see OT threat definitions.
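The Web and DNS Filtering entry above describes two failure modes once category lookups stop: traffic is dropped by default, or passes unfiltered when requests are allowed on a rating error. The following added example (not Fortinet code) audits a configuration backup for profiles that would pass traffic unfiltered. It assumes the setting appears in the FortiOS CLI as `set options error-allow` under `config ftgd-wf` or `config ftgd-dns`; the sample configuration and profile names are constructed.

```python
# Constructed sample of a FortiOS configuration backup (not from a real device).
SAMPLE_CONFIG = """\
config webfilter profile
    edit "guest-web"
        config ftgd-wf
            set options error-allow
        end
    next
    edit "staff-web"
        config ftgd-wf
            config filters
                edit 1
                    set action block
                next
            end
        end
    next
end
config dnsfilter profile
    edit "branch-dns"
        config ftgd-dns
            set options error-allow ftgd-disable
        end
    next
end
"""

# Assumed CLI locations of the "allow on rating error" option.
SECTIONS = ("config webfilter profile", "config dnsfilter profile")
RATING_BLOCKS = ("config ftgd-wf", "config ftgd-dns")

def fail_open_profiles(config_text):
    """Return sorted (profile type, name) pairs whose rating block sets error-allow."""
    findings, stack, profile = set(), [], None  # stack holds the open config blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line)
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and len(stack) == 1 and stack[0] in SECTIONS:
            profile = line[5:].strip('"')  # profile currently being edited
        elif (line.startswith("set options ") and len(stack) == 2
              and stack[0] in SECTIONS and stack[1] in RATING_BLOCKS
              and "error-allow" in line.split()[2:]):
            findings.add((stack[0].split()[1], profile))
    return sorted(findings)

if __name__ == "__main__":
    print(fail_open_profiles(SAMPLE_CONFIG))
```

Profiles returned by the check pass web or DNS traffic unfiltered after the license lapses; profiles not returned drop it instead.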
