Fortinet Device Decommissioning: A Complete Guide to Managing Retired Assets
Decommissioning Fortinet devices is a critical cybersecurity and license management process that removes hardware or virtual assets from active FortiCloud services when they are no longer in use. This comprehensive guide outlines the essential procedures, consequences, and requirements for properly decommissioning Fortinet units, ensuring organizations maintain clean asset inventories and prevent unauthorized access to retired devices. Proper decommissioning is especially crucial when disposing of hardware or retiring virtual machines to eliminate security vulnerabilities and optimize license utilization across the enterprise network infrastructure.
Understanding Fortinet Asset Decommissioning
Asset decommissioning within the Fortinet ecosystem is the formal process of removing a product from all connected cloud services and deleting associated data. When a device is decommissioned, it undergoes several significant changes: it disappears from the primary Products > Product List view, becomes ineligible for new support ticket creation, and loses access to all FortiCloud management services. This process is irreversible without administrative intervention and should only be performed when a device is permanently retired from service.
The distinction between decommissioning and deregistration is crucial. Decommissioning moves a device to a special administrative view, while deregistration represents the final step of purging the unit from your account entirely. According to Fortinet documentation, "when decommissioning a product, it will be removed from all cloud services and data will be deleted." However, historical records including ticket and contract information remain accessible in the portal, though the asset must be removed from the decommissioned units list to view contract history.
Step-by-Step Decommissioning Procedure
1. Initial Decommissioning Process
The decommissioning process begins in the FortiCloud Asset Management portal:
- Navigate to Products > Product List in the Asset Management portal
- Select the specific unit you intend to decommission
- Locate and select "Decommission This Unit" in the Registration section
- Acknowledge the warning message detailing the consequences of decommissioning
- Select the checkbox confirming understanding of these consequences
- Click "Continue" to finalize the decommissioning
Following this process, the device is immediately moved to the "Decommissioned Units" view, accessible via Products > More Views > Decommissioned Units. This specialized view serves as a quarantined area for retired assets before their potential permanent removal through deregistration.
2. Viewing and Managing Decommissioned Units
The Decommissioned Units interface provides comprehensive management capabilities for retired assets. Users with "My Assets" permission scope can access this view, which displays all decommissioned products and account services. This specialized interface includes functionality to:
- Export the decommissioned units list as CSV or Excel files
- Delete assets completely from the Decommissioned Units view
- Restore units back to the active Product List
- Deregister eligible units permanently from the account
The restoration process requires selecting either individual units via the "Move Back to Product List" button in the Action column or multiple units using the bulk operation button, followed by confirmation through the "Yes, I want to continue" dialog.
Deregistration: The Final Removal Step
Eligibility Requirements for Deregistration
Deregistration represents the permanent removal of a device from your Fortinet account. This action has strict eligibility criteria:
- User Role Requirements: Only master users, IAM users with Admin permissions, or external IdP roles with Admin permissions can perform deregistration
- Minimum Registration Period: Hardware devices must be registered for at least three years before becoming eligible for deregistration
- Re-registration Waiting Period: If a device has been re-registered, you must wait one year before deregistering it again
- Hardware Limitation: Virtual machines (VMs) cannot be deregistered—only physical Fortinet hardware devices qualify
A critical exception noted in Fortinet documentation states: "If a physical unit has been registered for fewer than three years, reach out to Customer Support to decommission the device."
Deregistration Procedures
Individual Device Deregistration:
- Access Products > More Views > Decommissioned Units
- Click the "Deregister This Unit" button in the Action column for the selected device
- Accept the terms of deregistration in the confirmation dialog
- Click "Deregister this Unit"
- Enter account password when prompted and click "Submit"
Bulk Deregistration (Up to 200 Units):
- From the Decommissioned Units view, select multiple units for deregistration
- Click the "Deregister" button that appears
- Select the acknowledgment checkbox
- Click "Confirm"
- Enter account password and submit
If errors occur during bulk deregistration, an error message appears with a "Check Deregistered Units" option to view successfully processed devices. The system provides a safety mechanism: "If you deregister the wrong device, you can re-register it again right away."
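The eligibility rules and the 200-unit bulk limit above can be checked against an exported Decommissioned Units list before anyone opens the deregistration dialog. The following is an added example, not Fortinet code: the CSV column names (serial, type, registered_on, reregistered_on) and the sample rows are constructed assumptions, since the portal's export schema is not shown here. The user-role requirement is not checked.

```python
import csv
import io
from datetime import date

BULK_LIMIT = 200  # bulk deregistration handles up to 200 units per run

# Constructed sample export; column names are assumptions, not the portal's schema.
SAMPLE_CSV = """serial,type,registered_on,reregistered_on
SAMPLE-HW-0001,hardware,2019-03-10,
SAMPLE-HW-0002,hardware,2024-01-15,
SAMPLE-HW-0003,hardware,2018-06-01,2025-02-01
SAMPLE-VM-0001,vm,2017-05-20,
"""

def years_after(d, n):
    """Return the date n years after d (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:
        return d.replace(year=d.year + n, day=28)

def classify(row, today):
    """Apply the deregistration rules described above to one exported row."""
    if row["type"].strip().lower() != "hardware":
        return "not-eligible: VMs cannot be deregistered"
    # Assumption: registered_on is the date the three-year rule counts from.
    registered = date.fromisoformat(row["registered_on"])
    if today < years_after(registered, 3):
        return "contact-support: registered fewer than three years"
    if row["reregistered_on"]:
        rereg = date.fromisoformat(row["reregistered_on"])
        if today < years_after(rereg, 1):
            return "wait: re-registered less than one year ago"
    return "eligible"

def plan(csv_text, today):
    """Return (batches of eligible serials, {serial: reason} for the rest)."""
    eligible, held = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict = classify(row, today)
        if verdict == "eligible":
            eligible.append(row["serial"])
        else:
            held[row["serial"]] = verdict
    batches = [eligible[i:i + BULK_LIMIT] for i in range(0, len(eligible), BULK_LIMIT)]
    return batches, held

if __name__ == "__main__":
    batches, held = plan(SAMPLE_CSV, date(2025, 6, 1))
    print(batches, held)
```

Units reported as held keep their reason string, so the output doubles as a record of why a retired asset is still attached to the account.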
Critical Considerations and Best Practices
Data and Service Impact
Decommissioning has immediate and significant consequences:
- Complete Service Disconnection: The device is removed from all FortiCloud services
- Data Deletion: All associated cloud data is permanently deleted
- Support Limitations: No new support tickets can be created for decommissioned units
- Visibility Change: The asset disappears from the primary Product List interface
Alternative Approach for Temporary Disconnection
For situations requiring only temporary disconnection from FortiCloud logging and central management without removing licenses or decommissioning the device, administrators can:
- Navigate to System > FortiGuard > FortiGate Cloud in the FortiGate GUI
- Select "Logout" to disconnect from cloud services while maintaining the device's registered status and licenses
Organizational Asset Management
For enterprises managing multiple accounts, the Asset Management portal version 25.1 introduced asset transfer capabilities between accounts through the Asset Transfer page. Additionally, organizations can leverage the "My Assets" folder structure to organize devices hierarchically before decommissioning, creating custom views based on location, function, or lifecycle status to streamline retirement decisions.
Frequently Asked Questions
What's the difference between decommissioning and deregistering a Fortinet device?
Decommissioning moves a device to a special administrative view (Decommissioned Units) where it's removed from active services but remains in your account. Deregistration permanently removes the device from your account entirely. Decommissioning is reversible (units can be restored to the Product List), while deregistration is permanent unless the device is re-registered.
Can I decommission a Fortinet virtual machine (VM)?
Yes, you can decommission Fortinet virtual machines, but they cannot be deregistered. Only physical hardware devices are eligible for the final deregistration step that purges them from your account. VMs will remain in the Decommissioned Units view indefinitely.
What happens to my support contracts when I decommission a device?
Support contracts remain visible in the portal, but you cannot create new support tickets for decommissioned devices. To view complete contract history for a decommissioned unit, you must temporarily remove it from the Decommissioned Units list.
How long does a device need to be registered before I can deregister it?
Physical devices must be registered for at least three years before becoming eligible for deregistration. If a device has been re-registered, you must wait one additional year before deregistering it again. Devices registered for less than three years require assistance from Fortinet Customer Support for deregistration.
Can I recover a device if I decommission or deregister it by mistake?
Decommissioned devices can be restored to the Product List using the "Move Back to Product List" option in the Decommissioned Units view. If you deregister a device by mistake, Fortinet documentation states you can "re-register it again right away," though this may require going through the standard registration process.
What permissions are needed to decommission or deregister devices?
To decommission devices, you need access to the Products > Product List. For deregistration, you must be a master user, IAM user with Admin permissions, or external IdP role with Admin permissions. Regular users without these privileges cannot perform deregistration actions.
Is there a way to temporarily disconnect a device from FortiCloud without decommissioning?
Yes, you can log out from FortiCloud services directly on the FortiGate device by navigating to System > FortiGuard > FortiGate Cloud in the GUI and selecting Logout. This maintains the device's registration and licenses while disconnecting it from cloud logging and central management services.