Fortigate buying used pre-owned firewall most frequently asked questions (2024)

Buying a used/pre-owned Fortigate is often the best way to learn to work with thefirewall. Offers are plenty - just hit the search on eBay. But, there is alwaysbut, purchasing a pre-owned Fortigate is not like ordering a used MacBook - manyquestions will arise, not many of which have answers in official docs. In thisarticle I compiled the most frequent/important of them. Disclaimer: I do notwork for Fortinet and this is not an official guide in any way, so do your duediligence.

The appliance Fortigate, on the other hand, has none of these limitations,even without active subscription. Want to do Deep SSL Inspection? No problem.Trying to configure VPN SSL for Forticlient? Sure.

As an individual - no. Fortinet have Not For Resale (NFR) Fortigate appliancesthat are fully functional, but you can only get them as a Partner and even thenwith much effort. If all you want, on the other hand, is to see how FortigateGUI looks and feels without doing anything, you can go herehttps://fortigate.fortidemo.com with theuser/pass demo/demo and log in into a real Fortigate (2000E as of this writing)as read-only admin.

No, you can’t. The policy of Fortinet is to sell their products as new via registeredpartners/resellers only, and they have no incentive to supply clients with second-handFortigates.

Fortinet have no problems with this, so it is OK with them, provided youacquired the firewall in legitimate ways.

No, but read on. There is no such thing as "unlicensed"hardware/appliance firewall. Licensing, or more exact subscription is needed for someservices, but many core features, like VPN (IPsec and VPN SSL), Security Rules,QOS, static and dynamic (OSPF, BGP, etc.) routing, VLANs, and such will work outof the box. Even if you hard reset your Fortigate, or more - format itsharddisk erasing everything, the core features will work just fine.

It depends. When you buy a new Fortigate from a Fortinet partner, you canoptionally (and most usually do) buy services like hardware warranty, TechnicalSupport, subscriptions for FortiGuard Web Filtering/IPS/AV/etc. services as well. All those additionalservices are linked to an account in the Fortinet portal. It can be thepartner’s account, or the end client account who purchased the firewall and thentransferred to her own account. If you want to use/renew/buy those services foryour Fortigate, then yes - you have your Fortigate (its serial number) to beunder your account in the Fortinet portal.

You open a ticket with the Customer Service at support.fortinet.com, or send therequest for assets transfer to cs@fortinet.com. Next, Fortinet will send anemail to the current/registered owner for this Fortigate, asking if theyapprove the transfer to your account. Here comes the pitfall - if the owners (asper Fortinet records) of this used firewall do not confirm/reply to thisrequest, you may be denied the transfer or (more probably), asked for a proof ofthe purchase and ownership of the appliance (photo of the admin GUI with theserial number clearly seen). If the Fortinet cannot verify that you lawfullypurchased your unit from an official partner/owner, you may be denied transferof the ownership. This does not stop Fortigate from working, but subscriptionbased services will be unavailable to it.

If there is a time gap between the dateof subscription expiration and your order to renew it, you pay one time for thisgap as well. That is, say you bought a Fortigate with a subscription bundlethat expired 3 months ago and you want to renew this bundle - Fortinet will bill this3 month gap as well. And so forth, up to 6 months back. Also worth noting that tobe able to buy/renew a subscription for a Fortigate, it has to be still supportedand active. You cannot buy, for example, subscription for Fortigate 110C. To seethe end of life status for a Fortigate search for Fortinet Product Life Cycle.

When you get someone’s firewall, it is always a good idea to reset itsconfiguration to thefactory defaults. You can do it on CLI with execute factoryreset. This willreset the configuration to the default one but will leave the firmware FortiOSintact. Many recommend to go further andformat the flash that holds FortiOS firmware to boot from. The downside toformatting the flash is you have to do TFTP network boot afterwards, and haveimage of FortiOS ready, noteveryone would want to do so.

You may need a console cable, if a Fortigate was not reset to the defaultconfigs and so will not allocate IPs via DHCP. The console cable is the usualone, like you may have seen with the Cisco equipment. IMPORTANT: when buying a usedfirewall, make sure it includes a power adapter, as the new one will costyou at least 100$.

For learning purposes even the smallest models will do. The available featuresare almost identical for small and big (expensive) models. For example, thesmallest Fortigate 30E also supports up to 5 VDOMs, High Availabilty in cluster,and such. The important consideration here is the latest supported FortiOSversion for a given model. Fortinet stops supporting small models much soonerthan the larger ones. As an example, Fortigate 30E has the latest FortiOS available6.2.11, while a slightly larger model Fortigate 60E has FortiOS 7.2.3available. This means if you buy the (cheaper) 30E model, you will not be able touse features introduced in 6.4/7.0/7.2 versions. This may be important to you ornot, but be aware.

It happens, especially when a seller offers a Fortigate in "power test only"condition, that you will have no admin-level user/password to manage it. Thebest case scenario is that you will be able to reset admin password on boot upvia console using maintainer built-in account. Just search Google forFortigate Resetting a lost Admin password. The worst case scenario is that youhave no admin password AND previous owner disabled maintainer feature - youwill get an error trying to use maintainer account PASSWORD RECOVERYFUNCTIONALITY IS DISABLED. What happens next depends on a specific model -small models (Fortigate 40F, 80F, etc.) have RESET button on the face panel,which, while pressed, will reset the configuration to the factory default. Thelarge models do not have such one. Conclusion - if you’re not sure of the seller, checkthat your model can be reset with the button in its data sheet beforehand. Ihave collected most of the data sheets here if you need to:Fortigate Firewalls Hardware - CPU model and number, Memory (RAM) and hard disk size datasheet table

You can only legally get new firmware, provided it exists for a given model, if you havean active Forticare contract. Chances are your used Fortigate will have allcontracts/subscriptions expired already. So, see entry above aboutbuying/renewing subscriptions or you may try your luckasking for firmware on the Internet (Reddit/Telegram/Forums/etc.). The firmware upgrade is just adownloadable file that will work no matter in which way you got it.