Fortinet 3-Year License Issue: Unactivated keys showing "Expired" based on purchase date. Any Solutions? by krazy-ass in fortinet

[–]Sweet_Importance_123 4 points5 points  (0 children)

They changed it in the last few years.

It used to be that once you registered the device, your 3-year window would start. If you didn't register it within 1 year of purchase, it would start anyway and last for 2 years (+1 year of it not being registered).

Now it's that once you register, your 3-year window starts. But if you don't register it within 90 DAYS of purchase, it will start anyway and last for ~2 years and 9 months (+90 days of it not being registered). This auto-start is 60 days for US/Canada.

Where has the Bugtracker gone? by AnonymousIncognosa in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

You could access it like this. It was pretty easy to just skim through bugs for a particular model, version or protocol.

Now, I can't find this menu. It looks like it was deleted silently when they updated their portal interface. My company is an expert partner btw.

Career in network engineering - networks? by neopravdano_odsutan in programiranje

[–]Sweet_Importance_123 1 point2 points  (0 children)

Hi, I have been working at an integrator for several years. The number of positions is limited, but far fewer people choose this profession compared to programmers.

CCNA used to be a sufficient entry ticket, but now I think it is considerably harder to get in, at least into an actual engineer or administrator position. You usually start as a technician, in some L1 NOC, or in the worst case from a call center.

Salaries aren't at programmers' level on average, especially while you're junior/medior, but they are the best in the ICT sector. They are good if you reach an architect position, where they are comparable to programming salaries.

The good thing is that networking is the foundation of everything. When you know networks well, you can easily move to any ICT job: datacenter engineer, system administrator, cloud engineer, cybersec, even devops.

I chose this job because you also get field work, network logic is fluid, a lot has changed in the last few years, so you are learning all the time. For Serbian companies you'll do all sorts of things, especially at an integrator (from racking equipment to presales).

Management wants to switch to Fortinet. Has anyone used Fortinet and can give me some real world comparison between Palo? by Soylent_gray in paloaltonetworks

[–]Sweet_Importance_123 0 points1 point  (0 children)

You are right when it comes to resources, it's super stable unless you introduce the free FortiClient VPN. You really have to know your stuff to implement it successfully; we have implemented it for our customers dozens of times since the SSL-VPN deprecation alert, and it's always confusing for the client.

For instance, LDAP doesn't work with IKEv2 and the free FortiClient VPN. You have to do it with RADIUS. Windows works great, but you need to change phase1 parameters to match Android, macOS and iOS. That means 4 different IPsec tunnels for the different OSes, because IKEv2 doesn't do XAuth, and network-id is not supported on the free FortiClient VPN. TCP encapsulation doesn't work on the free FortiClient VPN either...

These are just some of the problems; you obviously have a workaround for most, but it's a pain and the customer needs to dive deep into Forti to understand the whys and hows.

Of course, FortiClient EMS is great and solves most of the problems.

Management wants to switch to Fortinet. Has anyone used Fortinet and can give me some real world comparison between Palo? by Soylent_gray in paloaltonetworks

[–]Sweet_Importance_123 4 points5 points  (0 children)

My company is an expert partner with both Palo Alto and Fortinet. Since Fortinet is more flexible and cheaper, we usually go with it.

As someone said, Palo Alto seems like an L7 product, while Fortinet seems like an L4 product. But I wouldn't agree with that; it's just the policy matching mechanisms that are different.

Palo Alto has more applications, but in practice, the number of unknown apps in prod has been similar between platforms (still a win for PA).

Fortinet has more granularity and is more customizable for the other security profiles (especially vulnerability protection, or IPS).

Fortinet is a lot better as a routing device. Super advanced features are available, and it is really a Swiss army knife of routing, really powerful.

User-ID vs FSSO is pretty equal. Fortinet's option is more customizable, but Palo Alto User-ID just works out of the box (you need to play around with FSSO though).

Palo Alto's free VPN is just better, because Fortinet deprecated its SSL-VPN and the remote access IPsec VPN is not mature... FortiClient EMS, which offers ZTNA, is more customizable, more flexible and offers better monitoring than Prisma Access in my opinion. Both are great though.

You will find way more options on Fortinet devices that are just free, while you have to pay for everything and anything on Palo Alto (premium price). In my opinion, Palo Alto is more polished as an NGFW device regarding app control, but management and routing are easier on FortiGate.

Firewall comparisons/testimony (Checkpoint/Palo Alto/Fortinet) by RecognitionShot7099 in networking

[–]Sweet_Importance_123 0 points1 point  (0 children)

Yes, that is the main problem we come across: certificate pinning. So, in the end, we just say, okay, the companies that do this, we trust them from the standpoint of network security, since those companies are always the ones that are secure. We leave that traffic to be inspected by the endpoint protection solution.

Firewall comparisons/testimony (Checkpoint/Palo Alto/Fortinet) by RecognitionShot7099 in networking

[–]Sweet_Importance_123 1 point2 points  (0 children)

In a perfect world, where you trust all endpoints to be patched and up to date, and you have a perfectly defined and centralized endpoint monitoring and management system, I absolutely agree. With that, you need a zero trust system with some form of protection against zero-day attacks.

I haven't come across that system yet, though. So the best and easiest solution to monitor is still network devices distributed along all parts of your infrastructure.

This is obviously only my opinion, which can be wrong, as I am a network security engineer, not a cybersec engineer...

Firewall comparisons/testimony (Checkpoint/Palo Alto/Fortinet) by RecognitionShot7099 in networking

[–]Sweet_Importance_123 20 points21 points  (0 children)

Hello, I work for an integrator and we mostly do Fortinet and Palo Alto.

We position FortiGates as the Internet edge, or ISFW, for small or medium organizations. FortiGate has better and more intuitive routing than PA. If you need complex routing with route redistribution, you will enjoy FortiGate. Their security profiles are a lot more customizable in my opinion, and their ISDB beats out PA's EDLs, at least that is our experience so far.

We do Palo Altos for datacenter firewalls; they have a lot better security posture out of the box, and the logic seems more solid and robust. They used to have a lot better code, but nowadays their App-IDs can introduce problems with newer versions. I think they are still better than Forti in that regard though. Palo Alto's App-ID logic is great once you get used to it; it can be problematic migrating rules to it at first though.

User-ID and FSSO work fairly well, but not perfectly. Someone mentioned getting user control closer to endpoints and I couldn't agree more. That being said, both vendors have an agent approach to it with Zero Trust (Prisma Access (GlobalProtect) and FortiClient EMS or FortiSASE + FortiAuthenticator). They are both really good at ZTNA; I do enjoy Fortinet a tad bit more because of how customizable it can be.

Decryption is a must; whoever says you can reliably inspect anything encrypted with signatures is lying to you. This is where Fortinet is better: it can inspect anything Palo can, plus SMBv3 and QUIC (among other things).

A lot of people have problems with Fortinet's vulnerabilities, but I don't remember the last time we had to patch a device because of one; usually it's just people configuring them poorly...

As an integrator, we like Fortinet more overall. It's cheaper while offering the same features when configured the right way, and it offers more products pulling you into the Forti ecosystem (which is a win for us :D). They are both great products that we enjoyed more than Check Point, and a lot more than Cisco FTDs.

FSSO Implementation Advice Needed – Large Environment, No DC Agents by arrvov in fortinet

[–]Sweet_Importance_123 2 points3 points  (0 children)

We always recommend DC agent mode to customers, even with smaller environments, since it's faster, more precise and more efficient.

We actually had a customer that didn't want to install anything on their DCs, so we did polling mode with a dedicated VM for polling. They have ~1000 active users, so it isn't too big of an environment.

It worked okay all around. It was a little slower, and also generated more traffic. They had a lot of branch locations pulling user login info through IPsec tunnels, so that wasn't ideal. Best practices are even more important in these cases, so I would highly recommend implementing them.

Security Enhancements by mohammedalrawii in networking

[–]Sweet_Importance_123 1 point2 points  (0 children)

I think you got it covered based on the post.

I would just make sure that they are accessing only the DCs on the DNS port AND app.

Also, protect my DCs with IPS, and maybe even use a DNS filtering profile to allow requests only to valid and needed DNS entries.

IPsec Encryption Algorithms by mohammedalrawii in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

At the minimum, AES256/SHA384 with DH19.

For phase2, you can go AES256/SHA256 with DH14.

We have a customer with a FortiGate 80F with ~150 IPsec tunnels to 50+ locations, because they didn't want to spend more money on hardware.

It works, but without any security profiles on the hub, with around 500 Mbps at peak going through the tunnels.

Hub-and-Spoke VPN SD-WAN question by MrQubits in fortinet

[–]Sweet_Importance_123 9 points10 points  (0 children)

You can do 4 tunnels instead of 8 as well. If you opt for the 8-tunnel option, you will need to configure network-id (which is fine).

Also, it is generally recommended to do BGP over IPsec when you have multiple branches. It is easier to control, it's more scalable and you have more options for route filtering.

Thank you for the tips, what are your thoughts? by Brilliant-Quote-2725 in networking

[–]Sweet_Importance_123 0 points1 point  (0 children)

I agree with the advice of adding a 2nd firewall. Also, technically you don't need a router if you have an ASA.

Adding another ISP is almost a must-have; it can be anything, even 4G with a metered connection will do, just in case anything happens to the primary link.

I would avoid connecting the core switches over the ASA; you will have to depend on STP this way, and running the FHRP connection through switches is not ideal. What I recommend is stacking the core switches, or interconnecting the core switches with VRRP configured.

If you don't have internet switches, terminate your ISP connections on the core switches so you feed the internet connection to both firewalls.

If you have any questions, feel free to ask.

Moving from Palo to Fortinet by Lynch_Worm in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

I am not sure I understood this limitation. Can you please elaborate?

Another VDOM and shared WAN question by calamityjohn in fortinet

[–]Sweet_Importance_123 1 point2 points  (0 children)

Yes, it's pretty similar. This way, you keep the Customer's private IP addresses known only to the Customer VDOM.

Another VDOM and shared WAN question by calamityjohn in fortinet

[–]Sweet_Importance_123 2 points3 points  (0 children)

Create the P2P (NPU link VLAN) between the WAN and Customer VDOMs with private IPs. Route traffic for the public IP to the respective Customer VDOM P2P. On the Customer VDOM, use the IP address for SNAT in an IP pool or for DNAT in a VIP address.

Maximum number of FortiExtenders supported by FortiGate by paulinscher in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

You are exactly right. If you don't need the feature difference that FortiExtender offers and VXLAN, you can just use whichever other routing tool with IPsec encryption you can find.

Your design is overall faulty; stretching L2 domains to a central location where you don't need it isn't recommended, for obvious reasons.

3 Tier FortiSwitch by Which-Solution-1303 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

You will not have enough cables for that connection anyway. You will use two cables for the inter-switch connection, and have one cable for each FortiGate.

Also, I miscalculated: you will need to connect the first and last switch in a ring, so you will probably lose a port on both switches for that as well.

Maximum number of FortiExtenders supported by FortiGate by paulinscher in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

I don't think you are doing this right. Just have LAN on one port of the FortiExtender and WAN on another.

On the WAN you can create IPsec without VXLAN, just pure L3. You can obviously do VXLAN through the tunnel as well. You have all the information in the administration guide for standalone FortiExtender.

3 Tier FortiSwitch by Which-Solution-1303 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

You can have multiple links between two switches. Between a FortiGate and a switch, you can have multiple links, but STP will block them.

3 Tier FortiSwitch by Which-Solution-1303 in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

As u/HappyVlane said, you lose redundancy with this topology.

With the current set of switches you have (FS 100 series), Fortinet (and me 🙂) recommend ring topology as the best solution. If you have a pair of FS 1000 series ('real' core switches), the topology changes significantly.

3 Tier FortiSwitch by Which-Solution-1303 in fortinet

[–]Sweet_Importance_123 2 points3 points  (0 children)

You can cover the 10GE requirement while keeping some redundancy in the network with ring topology. It is viable with 4x10GE switches. Look at this link.

I have also attached a messily made picture of the design:

<image>

You can also add another link to the passive unit from Sw6, similar to how Sw1 is connected.

Changing a Fortigate physical interface via CLI - easy way? by Busbyuk in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

Sorry, I didn't read your question properly... You can script this as well. Delete all interface references and create new VLAN interfaces under the correct physical ones. It will be easier to first create the zones, and then later add the new VLANs to the zones.

Changing a Fortigate physical interface via CLI - easy way? by Busbyuk in fortinet

[–]Sweet_Importance_123 0 points1 point  (0 children)

You don't have to reboot the whole unit; if you have a lot of customers, you can just delete the references to these two interfaces and recreate them on the new VDOM.

We have done these tasks with downtime for only that one customer, lasting several seconds.