Security rules. The Fortigate will continue filteringtraffic according to the Security Rulebase.

All kinds of NAT: SNAT, DNAT, VIP, dynamic pools, etc.

VPN - all types, IPSec site-to-site, Remote Access as SSL VPN in webmode and full tunnel withForticlient and as IPSec client.

IPS with the signatures last updated before the subscription expired. That is,IPS will continue working, but new signatures will not be downloaded.

AppControl using the signatures last updated before the subscription expired.

Web/URL Filtering using static allow/block lists. Without subscriptionthe firewall cannot query FortiGuard for URL web ratings, so Web filtering usingFortiguard assigned Categories will not work. But if you use staticblock/allow URL lists, they will work. Also blocking ActiveX controls will worktoo.

All types of interfaces: physical, VLANs, Virtual Wire, Loopbacks, LAGs,redundant, Zones.

Security rules modes: proxy and flow. All modes of proxy mode will work: Explicit, Transparent.

SSL/SSH inspection - certificate and deep packet inspection.

Applying UTM in both: Policy based and Profile based modes.

VDOMs.

High Availability (HA).

QOS.

SD-WAN feature, including AppControl integration (but see above aboutApplication Control signature updates).

WAF with the signatures last updated before the subscription expired.

VIP of load balancing type.

DoS/DDoS protection rules.

Device inventory.

Access Point controller.

FortiSwitch management.

All types of logging, Netflow/sFlow export.

GRE and VXLAN traffic encapsulation.

VRFs, if supported by FortiOS version.

One-arm sniffer.

Static, all dynamic protocol, and Policy Based routing.

All types of authentication: local, LDAP, Radius, Tacacs, SAML, MFA.

SNMP.

DHCP server.

Internet Service Database (ISDB).

External Threat Feeds.

VOIP protections and profiles.

Configuration version revisions.

DLP.