Yuri Slobodyanyuk Blog on Information Security, 2024-07-23
Fortigate subscription expired, list of features that will continue to work

 

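After a Fortigate service subscription expires, some features stop working, but many others remain usable. Below is the list of Fortigate features that keep working after the subscription expires, which also means these features work even if the Fortigate has never had a subscription.

🛡️ Security rules: the Fortigate will continue filtering traffic according to the Security Rulebase.

🔗 NAT: including source NAT (SNAT), destination NAT (DNAT), virtual IPs (VIP), dynamic address pools, etc.

🔒 VPN: all types of VPN, such as IPSec site-to-site, Remote Access SSL VPN in web mode and full tunnel with Forticlient, and as an IPSec client.

🛡️ IPS: uses the signatures last updated before the subscription expired; new signatures will not be downloaded.

📝 Application Control: uses the signatures last updated before the subscription expired.

🌐 URL filtering: uses static allow/block lists. Without a subscription the firewall cannot query FortiGuard for URL ratings, so web filtering based on FortiGuard-assigned categories will not work, but static lists and blocking of ActiveX controls still work.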

When the subscription for Fortiguard-based services expires, many things will stop working, but a lot will still continue to work. Below is the full list of features in Fortigate that will continue working after the subscription expires. It also means these features work even if your Fortigate has never had the subscription in the first place.

Warning
VM Fortigate has a license check, which is unrelated to the Fortiguard subscription. This license check requires non-stop online communication with the Fortiguard servers. The VM Fortigate will stop working completely if it cannot reach the Fortiguard servers for a long time (30 days usually), unless it uses a special offline license (most clients don’t).

    Security rules. The Fortigate will continue filtering traffic according to the Security Rulebase.

    All kinds of NAT: SNAT, DNAT, VIP, dynamic pools, etc.

    VPN - all types, IPSec site-to-site, Remote Access as SSL VPN in web mode and full tunnel with Forticlient and as IPSec client.

    IPS with the signatures last updated before the subscription expired. That is, IPS will continue working, but new signatures will not be downloaded.

    AppControl using the signatures last updated before the subscription expired.

    Web/URL Filtering using static allow/block lists. Without a subscription the firewall cannot query FortiGuard for URL web ratings, so Web filtering using Fortiguard-assigned Categories will not work. But if you use static block/allow URL lists, they will work. Blocking ActiveX controls will work too.

    All types of interfaces: physical, VLANs, Virtual Wire, Loopbacks, LAGs, redundant, Zones.

    Security rules modes: proxy and flow. All modes of proxy mode will work: Explicit, Transparent.

    SSL/SSH inspection - certificate and deep packet inspection.

    Applying UTM in both: Policy based and Profile based modes.

    VDOMs.

    High Availability (HA).

    QOS.

    SD-WAN feature, including AppControl integration (but see above about Application Control signature updates).

    WAF with the signatures last updated before the subscription expired.

    VIP of load balancing type.

    DoS/DDoS protection rules.

    Device inventory.

    Access Point controller.

    FortiSwitch management.

    All types of logging, Netflow/sFlow export.

    GRE and VXLAN traffic encapsulation.

    VRFs, if supported by FortiOS version.

    One-arm sniffer.

    Static, all dynamic protocols, and Policy Based routing.

    All types of authentication: local, LDAP, Radius, Tacacs, SAML, MFA.

    SNMP.

    DHCP server.

    Internet Service Database (ISDB).

    External Threat Feeds.

    VOIP protections and profiles.

    Configuration version revisions.

    DLP.
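
The IPS, AppControl and WAF items above keep running on signatures frozen at the expiry date, so it is worth measuring how old those signatures have become. The following is an added example, not code from the original post: it parses saved output of `diagnose autoupdate versions` and reports the expired sections with outdated definitions. The output layout, the `SAMPLE` text and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed, trimmed sample in the layout assumed for the FortiOS command
# `diagnose autoupdate versions`; section contents and dates are made up.
SAMPLE = """\
Attack Definitions
---------
Contract Expiry Date: Mon Jan  1 2024
Last Updated using scheduled update on Sun Dec 31 02:30:00 2023

Application Definitions
---------
Contract Expiry Date: Mon Jan  1 2024
Last Updated using scheduled update on Sun Dec 31 02:30:00 2023

IP Geography DB
---------
Contract Expiry Date: n/a
Last Updated using scheduled update on Mon Jul 22 04:10:00 2024
"""

EXPIRY = re.compile(r"^Contract Expiry Date:\s*(.+)$")
UPDATED = re.compile(r"^Last Updated using .+? on (.+)$")

def _date(text, fmt):
    try:
        return datetime.strptime(" ".join(text.split()), fmt)
    except ValueError:  # non-date values such as "n/a"
        return None

def parse_versions(output):
    """Map each section name to its contract expiry and last update time."""
    sections, current, prev = {}, None, ""
    for line in (l.strip() for l in output.splitlines()):
        if set(line) == {"-"} and prev:  # dashed rule: prev line is the name
            current = sections.setdefault(prev, {"expiry": None, "updated": None})
        elif current is not None and (m := EXPIRY.match(line)):
            current["expiry"] = _date(m.group(1), "%a %b %d %Y")
        elif current is not None and (m := UPDATED.match(line)):
            current["updated"] = _date(m.group(1), "%a %b %d %H:%M:%S %Y")
        prev = line
    return sections

def frozen_signatures(output, now, max_age_days=30):
    """Return {section: age in days} for expired contracts with old definitions."""
    ages = {n: (now - s["updated"]).days for n, s in parse_versions(output).items()
            if s["expiry"] and s["updated"] and s["expiry"] < now}
    return {name: age for name, age in ages.items() if age > max_age_days}
```

Calling `frozen_signatures(SAMPLE, datetime.now())` on output collected from a device gives a per-database age that can feed a monitoring alert.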
