From manual tracking to automated visibility
We’d been managing licence and certificate renewals through a combination of database records and manual review cycles. It worked well enough; when a client purchased a new firewall, the licence expiry went into the system, and monthly reviews flagged what was becoming due. But “well enough” has a shelf life, particularly when you’re managing an estate that spans hundreds of devices across multiple clients.
The shift happened when our Zabbix monitoring platform showed us it could interrogate FortiGate firewalls directly for licence status through their REST API. The question became obvious: why maintain a separate tracking process when the firewall itself can tell you what’s expiring?
Once we built that capability for licences, the natural follow-up was certificates. SSL VPN certificates, DPI certificates, any certificate sitting on a managed firewall now gets monitored with tiered notification thresholds. Thirty days before expiry, the first informational alert appears on our TRC™ (Trusted Response Centre) dashboard. At fourteen days, this becomes a proactive warning alert. At seven days, it becomes a critical alert that stays open until it’s resolved.
Those intervals aren’t arbitrary. They come from years of experience with how clients actually respond. Contact someone ninety days before a domain renewal and they’ll forget about it. Contact them thirty days before a licence renewal and most will add it to their list. Some will leave it until the week before regardless of how early you start. The tiered approach means nobody falls through the cracks, even the ones who need multiple reminders.
Default-on, opt-out by exception
The philosophy behind this is deliberately opinionated. Every client gets notified about everything by default. If a client decides they don’t want thirty-day warnings for licence renewals, they tell us, and we adjust their thresholds up or down to whatever suits them. But the starting position is full visibility.
The reasoning is straightforward. We want clients to understand the breadth of what we manage on their behalf. Many know us for connectivity or managed cyber security, but aren’t aware of the detail we go into across their entire environment. Proactive notifications about certificate expiry dates, licence renewals, and firewall health aren’t just operational housekeeping. They’re a regular, visible demonstration that someone is genuinely paying attention to their infrastructure.
Policy hygiene: the quiet security win
Certificate and licence monitoring was the starting point, but the REST API opened up another capability that has arguably more strategic value: firewall policy hygiene analysis.
We can now pull data on the percentage of policies that are disabled on any given firewall, and identify policies with zero hit counts over configurable time periods. Most of our clients’ firewalls are reasonably clean because we’ve always reviewed policies during scheduled changes. But that was an ad hoc process, noticed and addressed when engineers happened to be working on something else.
Now it’s systematic. When 20% of a firewall’s policies haven’t registered a hit in the last ninety days, that’s a trigger to investigate. Some of those will be policies that only fire annually (think year-end reporting access or seasonal integrations), but others will be legacy rules that should have been removed when the business process they supported was decommissioned. Dead policies aren’t just clutter. They’re potential security gaps, because every unnecessary rule is an unnecessary path through the firewall that shouldn’t exist.
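As an added example (not the article's own tooling, nor Zabbix or Fortinet code), the two checks described above, the tiered 30/14/7-day certificate thresholds and the 20%-stale-in-90-days policy trigger, as plain Python over a constructed inventory. The dict layout of the certificates and policies is an assumption for illustration, not the FortiGate REST API schema; a fixed clock keeps the result repeatable.

```python
from datetime import datetime, timedelta, timezone

# Tiered thresholds from the article: informational at 30 days, proactive at 14,
# critical at 7 (and for anything already expired, until it is resolved).
TIERS = ((7, "critical"), (14, "proactive"), (30, "informational"))

def cert_alert_level(expiry, now, tiers=TIERS):
    """Alert tier for a certificate expiring at `expiry`, or None if outside every threshold."""
    days_left = (expiry - now).total_seconds() / 86400
    for days, level in tiers:  # most urgent first, so the first match wins
        if days_left <= days:
            return level
    return None

def policy_hygiene(policies, now, window_days=90, stale_trigger_pct=20.0):
    """Share of disabled policies, and share of enabled ones with no hit inside the window."""
    total = len(policies)
    if total == 0:
        return {"disabled_pct": 0.0, "stale_pct": 0.0, "stale": [], "investigate": False}
    cutoff = now - timedelta(days=window_days)
    disabled = [p["name"] for p in policies if p["status"] == "disable"]
    stale = [p["name"] for p in policies if p["status"] == "enable"
             and (p["last_used"] is None or p["last_used"] < cutoff)]
    stale_pct = 100.0 * len(stale) / total
    return {"disabled_pct": 100.0 * len(disabled) / total, "stale_pct": stale_pct,
            "stale": stale, "investigate": stale_pct >= stale_trigger_pct}

# Constructed sample inventory (assumed layout, not the FortiGate API schema); fixed clock.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CERTS = {
    "sslvpn-portal": NOW + timedelta(days=5),    # critical
    "dpi-inspection": NOW + timedelta(days=12),  # proactive
    "mgmt-gui": NOW + timedelta(days=29),        # informational
    "client-vpn-ca": NOW + timedelta(days=200),  # no alert yet
}
POLICIES = [
    {"name": "lan-to-wan", "status": "enable", "last_used": NOW - timedelta(days=1)},
    {"name": "vpn-to-lan", "status": "enable", "last_used": NOW - timedelta(days=3)},
    {"name": "year-end-reporting", "status": "enable", "last_used": NOW - timedelta(days=150)},
    {"name": "legacy-erp-sync", "status": "enable", "last_used": None},
    {"name": "old-guest-wifi", "status": "disable", "last_used": None},
]

def run_checks(now=NOW, certs=CERTS, policies=POLICIES):
    """Per-certificate alert tiers plus the policy hygiene summary for one firewall."""
    cert_alerts = {name: cert_alert_level(exp, now) for name, exp in certs.items()}
    return cert_alerts, policy_hygiene(policies, now)
```

On the sample data, `run_checks()` flags the year-end policy alongside the genuinely dead one, which is exactly the ambiguity the text describes: the trigger starts an investigation, it does not delete rules.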
Three tiers of operational attention

The way we’ve structured this within the Trusted Response Centre reflects how we think about operational priority. Critical alerts require immediate action: a link is down, a firewall’s resources are maxed out. Proactive alerts need investigation when capacity allows: repeated packet loss patterns that might indicate a developing problem. Informational alerts, where licence and certificate notifications sit, need to be tracked and followed up, but not at the expense of the things that are actively affecting clients right now.
That distinction matters, because treating everything as urgent means nothing is. Engineers should be working on what genuinely affects client operations first, improving future resilience second, and managing administrative lifecycle third. The monitoring system now reflects that priority structure rather than presenting everything as equal.
When your IT partner tells you about an expiring certificate thirty days before it becomes a problem, that’s not just good housekeeping — it’s proof that someone is genuinely watching your infrastructure rather than waiting for it to break.
