Yes—you can absolutely run a FortiGate firewall without any paid license. All the core networking and VPN features remain intact, making it a capable router and stateful firewall right out of the box. However, to leverage Fortinet’s advanced threat prevention, content inspection, and receive critical firmware and support services, purchasing FortiGuard subscriptions and FortiCare contracts is essential.
By understanding which functions are free and which require subscriptions, you can architect your deployment—lab or production—to balance cost against security needs. If you’re evaluating FortiGate for home labs or secondary-market purchases, you’ll find it remarkably robust even unlicensed. But in today’s threat landscape, most organizations will opt to license at least the basic UTM and support services to stay protected and up to date.
Overview of FortiGate Licensing Model
FortiGate appliances blend free, built-in network functions with subscription-based services:
- Core Firewall & Routing: Always free. Includes L2/L3 stateful inspection, NAT, static and dynamic (OSPF, BGP) routing, VLANs, policy-based routing, and basic QoS.
- VPN (IPsec & SSL): Always free—FortiGate allows unlimited site-to-site IPsec and client SSL-VPN connections without additional licensing.
- UTM & Advanced Security: Subscription-based. To receive up-to-date signatures and cloud intelligence, you must purchase FortiGuard services (Antivirus, IPS, Web Filtering, Application Control, Anti-Spam, DNS Filtering, etc.).
- Support & Firmware Updates: Covered under a FortiCare contract—required to download new FortiOS firmware and to receive hardware-replacement support.
Below, we’ll break down what you get for free, what you need licenses for, and the implications for physical and virtual deployments.
1. Core Functionality: Completely Free
Regardless of licensing status, every FortiGate ships with a full suite of network and firewall capabilities. Even an appliance that’s years out of support—or one with no subscriptions attached—will continue to operate as a high-performance L3 firewall and router. Specifically, you retain:
- Stateful Inspection Firewall: Create policies to control traffic between interfaces using source/destination, services, and schedules.
- Network Address Translation (NAT): SNAT, DNAT, Virtual IPs—even dynamic IP pools.
- Static & Dynamic Routing: OSPF, BGP, RIP, policy routes.
- VLANs & Virtual Domains (VDOMs): Segment traffic, run multiple logical firewalls on one box.
- Quality of Service (QoS): Traffic shaping and prioritization.
- VPN: Unlimited IPsec tunnels (site-to-site and client) and SSL-VPN connections—no subscription needed.
“There is no such thing as an ‘unlicensed’ hardware/appliance firewall. Licensing…is needed for some services, but many core features…will work out of the box.”
“Any FortiGate can be used as a simple firewall and router with no licensing. You won’t get firmware updates though. I use one at home like this.”
Because these functions are baked into the FortiOS firmware, they remain fully operational even if all subscriptions expire or if you purchase a second-hand unit with no active contracts.
2. What Requires a Subscription?
While the basic firewall/VPN works unlicensed, Fortinet’s value-add security services depend on FortiGuard subscriptions. These include:
Service | Purpose |
---|---|
Antivirus | Signature-based malware scanning & quarantine |
Intrusion Prevention | Detect & block network exploits (IPS signatures) |
Web Filtering | Category- and URL-based blocking & logging |
Application Control | Identify & manage app traffic (e.g., YouTube) |
Anti-Spam | Filter email for spam, phishing |
DNS Filtering | Block malicious/undesirable domains at DNS level |
IP Reputation | Block traffic from known malicious IPs |
Without these subscriptions, the firewall will not receive updates for new threats, and the related profiles in the GUI will be unavailable or non-functional: you can still configure the profiles, but they won’t enforce or log anything until a valid license is installed.
3. FortiCare: Support & Firmware Updates
FortiCare is Fortinet’s support and hardware-maintenance contract. Key points:
- Firmware Access: Only appliances with an active FortiCare contract can download FortiOS updates from Fortinet’s support site.
- Technical Support: Access to 24×7 technical assistance, RMA (hardware replacement), and advanced troubleshooting.
- EOL Considerations: If your model is “End of Support,” even a FortiCare contract may not restore firmware downloads beyond the last supported version.
Tip: If you plan to run a production network, maintain FortiCare at least for access to critical security fixes and firmware upgrades.
4. Virtual Appliance Licensing & Evaluation
FortiGate VM can be deployed without a paid subscription for evaluation. Key nuances:
- Evaluation License (VM-Eval): Time-limited (commonly 15 or 60 days). Grants full UTM functionality during the period.
- Permanent Free VM: Community-documented tricks can extend the free VM license indefinitely, but these workarounds are unsupported.
- BYOL (Bring Your Own License): You can purchase subscriptions and apply them to the VM edition, just like physical appliances.
“The appliance FortiGate, on the other hand, has none of these limitations, even without active subscription. Want to do Deep SSL Inspection? No problem….”
In lab environments, many administrators prefer used physical units (e.g., FortiGate 40C/60C) over VMs to avoid evaluation-time limits and performance overhead.
5. Buying Used Hardware & Licensing Pitfalls
Purchasing secondary-market FortiGates can be economical, but watch for:
- Subscriptions Expired: A used unit often has FortiGuard services lapsed—effectively stripping UTM until you renew.
- FortiCare Status: Without an active FortiCare contract, firmware upgrades and RMA support aren’t available.
- Asset Transfer: To re-associate subscriptions or support contracts, you must transfer the unit’s serial number into your Fortinet support account (Fortinet may require proof of purchase).
- Hidden Renewal Fees: If subscriptions expired months ago, renewing may incur back-billing for elapsed time (up to a Fortinet-defined limit, typically six months).
“To see the end of life status…Fortinet stops supporting small models much sooner than the larger ones…if you buy the (cheaper) 30E model, you will not be able to use features introduced in 6.4/7.0/7.2 versions.”
6. Practical Scenarios & Recommendations
Scenario | Can I Use It? | Notes |
---|---|---|
Home lab, no subscriptions | Yes | Basic firewall, NAT, VPN fully functional |
Production network, no FortiGuard subscriptions | Yes (but limited security) | No malware/URL filtering, IPS, app control, etc. |
Production network, no FortiCare support | Yes | No firmware updates, no official technical support |
FortiGate VM evaluation | Yes (time-limited) | Full UTM for eval period |
Used hardware with expired subscriptions | Yes | Renew subs to enable UTM and firmware downloads |
Best Practice:
- For non-critical deployments (e.g., strictly internal testing), run with no subscriptions—your appliance stays up, but be mindful of unpatched vulnerabilities.
- For any exposed or business-critical firewall, invest at minimum in FortiCare and FortiGuard Basic (AV, IPS, Web Filter) to maintain security posture.