Skip to content

5 Critical Factors When Selecting Your Next FortiGate

Choosing Wisely: 5 Critical Factors for Selecting Your Next FortiGate Firewall

(Subtitle: Don’t Get Burned: Ensure Performance, Security, and Scalability for Your Network)

In today’s rapidly evolving digital landscape, robust network security isn’t just an IT requirement; it’s a fundamental business necessity. Cyber threats are becoming more sophisticated, and your firewall often stands as the crucial first line of defense. Fortinet, a recognized leader in cybersecurity, offers the FortiGate line of Next-Generation Firewalls (NGFWs), known for their powerful performance and integrated security features.

However, Fortinet offers a wide array of FortiGate models, each tailored for different environments and needs. Choosing the right one is critical. Select an underpowered model, and your network grinds to a halt. Overspend on an oversized unit, and your budget takes an unnecessary hit. Make the wrong choice, and you might lack the specific security features needed to protect against modern threats.

So, how do you navigate this complex decision? This guide will walk you through the five most critical factors to consider, ensuring you select the optimal FortiGate firewall for your unique requirements.

Choose the Right FortiGate From The Start

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
Modern abstract graphic representing potential or growth

1. Performance & Throughput Requirements

Think of your firewall as the main highway interchange for your network traffic. If it can’t handle the volume, you get gridlock. An underpowered firewall becomes a frustrating bottleneck, slowing down applications and hindering productivity. Conversely, over-provisioning wastes resources.

To choose correctly, you need to understand key performance metrics found on FortiGate datasheets:

  • Firewall Throughput: Measures basic packet filtering speed (stateful inspection). Often the highest number, but not reflective of real-world performance with security features enabled.
  • IPS Throughput: Performance with the Intrusion Prevention System active.
  • NGFW Throughput: Performance with core NGFW features like IPS and Application Control running.
  • Threat Protection Throughput: This is often the most critical metric. It reflects performance with multiple advanced security services running simultaneously (like IPS, Antivirus, Web Filtering, Application Control). Use this as a more realistic benchmark.
  • VPN Throughput (IPSec & SSL): Crucial if you rely heavily on remote access or site-to-site VPNs.
  • Concurrent Sessions: The total number of active connections the firewall can track simultaneously.
  • New Sessions Per Second: How quickly the firewall can establish new connections, important for environments with lots of short-lived connections (like web browsing).

How to Assess Your Needs: Analyze your current peak network traffic, consider your internet circuit speeds, count your users and devices, and importantly, project your growth over the next 3-5 years. Always look for a model that exceeds your current needs to provide headroom.

2. Required Security Services (NGFW/UTM Features)

Gone are the days of simple port blocking. Modern threats require layered security, which FortiGate delivers through its integrated suite of FortiGuard security services (often called Unified Threat Management or UTM). Enabling these services is why you invest in an NGFW, but you need to choose the right services and ensure your chosen model can run them effectively.

Key FortiGuard Services to Consider:

  • Intrusion Prevention System (IPS): Protects against known exploits.
  • Antivirus (AV) / Anti-malware: Scans traffic for malicious files.
  • Web Filtering: Controls access to websites based on category and risk.
  • Application Control: Identifies and controls traffic based on the application, not just port.
  • SSL Inspection: Decrypts and inspects encrypted traffic (vital, as much traffic is now encrypted, but resource-intensive).
  • Sandboxing: Sends suspicious files to a safe environment for analysis to detect zero-day threats.
  • SD-WAN: Many FortiGates include robust Secure SD-WAN capabilities for optimizing and securing WAN connections.

Matching Features to Needs: Identify your organization’s specific risks, compliance requirements (like PCI-DSS or HIPAA), and security policies. Which threats are you most concerned about? Which services are essential versus optional? Remember, enabling more security services impacts performance, directly linking back to Factor 1 ensure the Threat Protection throughput aligns with your needs with your desired services enabled.

3. Scalability and Future-Proofing

Your business and its network needs aren’t static. You’ll likely add more users, adopt new technologies, potentially increase internet speeds, or even expand to new locations. Your firewall needs to be able to grow with you. Choosing a model solely based on today’s requirements can lead to a costly replacement sooner than expected.

Consider these scalability factors:

  • User & Device Growth: How much do you anticipate your user count or the number of connected IoT devices increasing?
  • Bandwidth Increases: Are faster internet connections planned in the next few years?
  • Network Expansion: Will you be adding new branches, connecting to cloud environments (requiring specific VPN performance), or integrating networks after a merger?
  • New Applications: Will you deploy bandwidth-heavy or latency-sensitive applications?
  • High Availability (HA): Is network uptime absolutely critical? If so, you’ll need a pair of FortiGates configured for redundancy (check specific model support for HA modes).

Choosing for Growth: Aim for a model that offers roughly 30-50% more performance capacity (especially Threat Protection throughput) than your current peak needs dictate. This buffer helps ensure smooth operation as your demands increase.

4. Management and Integration (Security Fabric)

How you manage your firewall significantly impacts operational efficiency, security posture, and troubleshooting time. Fortinet offers several options:

  • On-box Management: Using the intuitive Web GUI or powerful Command Line Interface (CLI) directly on the device. Ideal for single-firewall deployments.
  • FortiManager: A centralized management platform essential for organizations deploying multiple Fortinet devices (FortiGates, FortiSwitches, FortiAPs, etc.). It simplifies policy deployment, monitoring, and configuration across the board.
  • FortiCloud: A cloud-based management option offering convenience, particularly for distributed sites or smaller businesses wanting simplified oversight.

Beyond basic management, consider Fortinet’s Security Fabric. This is Fortinet’s architectural approach where various Fortinet products integrate seamlessly, sharing threat intelligence and enabling automated responses. If you already use or plan to use other Fortinet products (like switches, access points, or FortiAnalyzer for logging), selecting a FortiGate ensures tight integration, unified visibility, and a stronger overall security posture.

5. Licensing, Support, and Total Cost of Ownership (TCO)

The price tag on the hardware is just the beginning. To unlock the advanced security features (Factor 2) and receive essential support, you need subscriptions. Understanding these recurring costs is vital for calculating the Total Cost of Ownership (TCO).

Key Cost Components:

  • Hardware Cost: The initial purchase price of the physical appliance or virtual license.
  • FortiGuard Subscriptions: These bundles activate the security services. Common bundles include:
    • UTM Protection: Includes core protections like NGFW (App Control, IPS), AV, Web Filtering, and Anti-Spam.
    • Enterprise Protection: Typically includes everything in UTM plus features like Security Rating, Industrial Security, and potentially FortiCASB.
    • ATP (Advanced Threat Protection): Focuses on advanced threats, often including Sandboxing.(Bundle contents can evolve, always check current Fortinet documentation). Licenses are usually sold in 1, 3, or 5-year terms.
  • FortiCare Support: This subscription provides technical support, firmware updates, and hardware replacement options (with different Service Level Agreements – SLAs). It’s essential for maintaining uptime and getting help when needed.

Making the Right Choice: Carefully match the FortiGuard bundle to the security services you identified in Factor 2. Don’t overpay for services you won’t use, but absolutely ensure you license the protections you need. Factor in the cost of hardware, multi-year subscriptions, and support renewals when comparing models to understand the true TCO over the firewall’s expected lifespan (typically 3-5 years).

Bonus Considerations

While the five factors above are critical, also keep these in mind:

  • Form Factor: Desktop models for small offices, rackmount units for server rooms/data centers, virtual machines (VMs) for virtualized environments, or cloud-native versions for public cloud deployments (AWS, Azure, GCP).
  • Port Density and Types: Ensure the model has the right number and type of ports (Copper, Fiber) at the speeds you need (1GbE, 10GbE, 40GbE+). Some models offer Power over Ethernet (PoE) ports.
  • Specific Use Cases: Different models might be optimized for roles like a small branch office, a large campus edge, internal network segmentation, a high-performance data center, securing cloud environments, or even specialized OT/ICS environments.

Conclusion: Making the Right Choice for You

Selecting your next FortiGate firewall is a significant decision that impacts your network’s performance, security, and your organization’s bottom line. By carefully evaluating your needs against these five critical factors Performance, Security Services, Scalability, Management/Integration, and Licensing/TCO you can make an informed choice that provides robust protection and value for years to come.

Feeling ready to choose, or still weighing the options? Balancing performance metrics, security bundles, and future growth can feel complex. To simplify the process and get a personalized recommendation based on your specific needs, try our quick and easy quiz!

Ready to find the perfect fit?

?? Take the “Find the Right FortiGate For You” Quiz Now! ??

By investing a few minutes now in careful consideration (and perhaps taking our helpful quiz!), you can deploy your next FortiGate with confidence.

How To Troubleshoot Common FortiGate Configuration Issues

Most FortiGate configuration problems trace back to a short list of predictable culprits: a missing or wrong route, a firewall policy that does not match the traffic (or matches a broader policy first), NAT enabled on the wrong side, or a VPN proposal mismatch. Work the problem in order (interface, route, policy, NAT, then service or VPN parameters) and confirm each layer with the FortiGate’s own diagnostic tools before you change anything.

This guide gives you a practical, systematic approach to the issues we see most often as a managed firewall provider, current for FortiOS 7.4 and 7.6. FortiGate firewalls are powerful Next-Generation Firewalls (NGFWs), but that feature depth means small misconfigurations can produce confusing network behavior.

FortiGate

A FortiGate is Fortinet’s Next-Generation Firewall (NGFW), a security appliance that combines stateful firewalling, NAT, VPN termination (IPsec and, on older releases, SSL VPN), and UTM inspection (antivirus, web filtering, IPS, and application control) in a single platform running the FortiOS operating system. Configuration is done through the web GUI or the CLI, and both expose diagnostic tools for troubleshooting.

We’ll cover:

  • Essential FortiGate troubleshooting tools and techniques.
  • Solving common connectivity problems (no internet, can’t reach servers).
  • Fixing firewall policy misconfigurations (traffic incorrectly blocked or allowed).
  • Diagnosing VPN tunnel issues (IPsec and, on legacy releases, SSL-VPN).
  • Choosing between GUI and CLI troubleshooting approaches.

What tools do you use to troubleshoot a FortiGate?

FortiGate ships with a full diagnostic toolkit in both the GUI and the CLI. Start in the GUI with the Log Viewer and Policy Lookup for fast checks, then drop to the CLI (diagnose debug flow and diagnose sniffer packet) when you need to see exactly how a packet is processed. Before you touch anything, cover the basics.

  • Backups: Always back up your FortiGate configuration before making any changes. This is your safety net.
  • Change Control: Follow your organization’s change control procedures. Document what you’re changing and why.
  • Understand the Goal: Clearly define what the configuration should be doing. What traffic needs to be allowed or blocked? What should the VPN connect?

GUI Tools:

  • Log Viewer: Your first stop. Check Forward Traffic, Event Logs (System, VPN, User), and UTM logs (Web Filter, IPS, etc.). Learn to filter effectively.
  • Policy Lookup: Found under Policy & Objects -> Firewall Policy. Enter source/destination IPs, port, and protocol to see which policy should match the traffic.
  • FortiView: Dashboards and visualizations of traffic, sources, destinations, and threats. Great for identifying top talkers or unusual patterns.
  • Routing Monitor: Network -> Routing Monitor. View the active routing table.
  • Packet Capture: Network -> Packet Capture. A GUI way to capture traffic on specific interfaces (though the CLI often offers more flexibility).

CLI Tools (The Powerhouse):

Access the CLI via SSH or the console widget in the GUI. The diagnose and get commands are essential:

  • diagnose debug flow: The cornerstone of packet-level troubleshooting. Shows how a packet traverses the FortiGate, which policy it hits, and why it might be dropped. Set a filter (diagnose debug flow filter saddr <ip>, daddr <ip>, dport <port>), start the trace (diagnose debug flow trace start <n>), and enable output (diagnose debug enable). Remember to disable it (diagnose debug disable, diagnose debug reset) when done.
  • diagnose sniffer packet any 'host <ip_address> and port <port_number>' 4 0 l: A powerful CLI packet sniffer. Replace any with a specific interface if needed. The filters (like host and port) are crucial.
  • get system status: Basic device information (firmware version, serial number, uptime). Confirm which FortiOS build you’re on before you start.
  • get system performance status: CPU/memory usage and session count. Useful for identifying resource exhaustion.
  • diagnose sys session list: View active sessions in the session table. Can be filtered.
  • diagnose vpn ike log filter name <phase1_name> followed by diagnose debug application ike -1 and diagnose debug enable: Debugs IPsec Phase 1 negotiation.

Always scope your debug with a filter and disable it the moment you have your answer. Running diagnose debug flow unfiltered on a busy firewall floods the console and adds CPU load. The reset-and-disable habit (diagnose debug disable, diagnose debug reset) also prevents a forgotten debug session from quietly taxing the device.

General Approach: troubleshoot systematically, from the bottom of the stack up.

  1. Verify Layer 1/2: Is the interface physically up? Link lights? Correct VLAN?
  2. Check Logs: Look for relevant deny or error messages.
  3. Test Basic Connectivity: Use ping and traceroute (from clients and the FortiGate CLI: execute ping <destination>, execute traceroute <destination>).
  4. Use Diagnostic Tools: Employ Policy Lookup, diagnose debug flow, or packet sniffing.
  5. Verify Configuration Details: Double-check IPs, policies, routes, and VPN settings meticulously.

Struggling To Choose The Right Fortigate?

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
Modern abstract graphic representing potential or growth

Why can’t users reach the internet or internal resources?

When traffic stops flowing, walk the path in order: interface, route, policy, NAT, then DNS. Nine times out of ten it’s a missing default route, a firewall policy that doesn’t match, or NAT that isn’t enabled on the outbound policy. Confirm the failing step with Policy Lookup or diagnose debug flow before changing anything.

Symptoms: Users report no internet access, inability to reach specific websites, or failure to connect to internal servers and applications.

Troubleshooting Steps:

  1. Check Interface: In the GUI (Network -> Interfaces) or CLI (get system interface physical), verify the relevant interface (e.g., WAN, LAN) is up. Check IP addressing, netmask, and gateway (if applicable). Ensure cables are connected and functional.
  2. Check Routing:
    • Internet: Does the FortiGate have a default route (0.0.0.0/0) pointing to the correct WAN interface/gateway? Use Routing Monitor (GUI) or get router info routing-table all (CLI).
    • Internal: Does the FortiGate have a route (static or dynamic) to the destination internal network?
  3. Check Firewall Policies:
    • Go to Policy & Objects -> Firewall Policy.
    • Is there an enabled policy allowing the traffic from the source interface/zone/IP to the destination interface/zone/IP using the correct Service (port/protocol)?
    • NAT: For outbound internet access policies (e.g., LAN -> WAN), is NAT enabled and set to use the Outgoing Interface Address?
    • Policy Lookup Tool: Use this GUI tool first to see which policy ID should match.
    • diagnose debug flow: If Policy Lookup isn’t clear, use this CLI command (filtered for the specific traffic) to see exactly what’s happening: which policy ID is hit, or why it’s denied (e.g., denied by forward policy check (policy ID 0) often means no matching policy).
  4. Check DNS:
    • Can the FortiGate resolve external domains? (Network -> DNS, check servers.) Use execute ping google.com from the CLI.
    • Are clients configured to use a working DNS server (often the FortiGate itself or internal DNS servers)? Check client IP configuration.
  5. Check Logs: Filter Forward Traffic logs by the source IP. Look for “Action: Deny”. The “Reason” column or log details often indicate the cause (e.g., “Policy Deny”, “Reverse Path Check Failed”, “Blocked – Web Filter”).

Common Solutions:

  • Adding or correcting static/default routes.
  • Creating or modifying firewall policies (correcting interfaces, addresses, services, enabling the policy).
  • Enabling NAT on the outbound internet policy.
  • Configuring correct DNS servers on the FortiGate (Network -> DNS).
  • Fixing client-side DNS settings.

Why is FortiGate blocking (or allowing) the wrong traffic?

FortiGate evaluates firewall policies top-down and applies the first match, so unexpected block or allow behavior is usually a policy-order or policy-scope problem, or a UTM security profile silently dropping the session. Identify the traffic, run Policy Lookup, then confirm with diagnose debug flow, which prints the exact policy ID that matched.

Symptoms: Legitimate traffic is unexpectedly blocked, or conversely, unwanted traffic is being allowed through.

Troubleshooting Steps:

  1. Identify the Traffic: Note the Source IP, Destination IP, and Destination Port/Service involved.
  2. Use Policy Lookup (GUI): Enter the traffic parameters. Does it match the policy you expect it to? Does it match a different policy unexpectedly?
  3. Use diagnose debug flow (CLI): This is invaluable for policy issues. Filter (diagnose debug flow filter saddr <source_ip> daddr <dest_ip> dport <dest_port>) and run the trace (diagnose debug flow trace start 10, diagnose debug enable). The output shows msg="Allowed by Policy-ID=<id>" or the reason for denial. Remember to disable debug afterwards (diagnose debug disable, diagnose debug reset).
  4. Review Policy Order: Policies are evaluated top-down and the first matching policy is applied. Is a broader policy placed above your specific policy, catching the traffic first? Re-order policies carefully.
  5. Check Policy Details: Scrutinize the matching (or intended) policy:
    • Interfaces/Zones: Are the Incoming and Outgoing Interfaces correct?
    • Source/Destination Addresses: Are the Address Objects accurate? Do they contain the correct IPs or subnets? Avoid using “all” unless absolutely necessary.
    • Service: Is the correct port/protocol defined? Is it TCP, UDP, or ICMP? Avoid using “ALL”. Create custom services if needed.
    • Action: Is it set to Allow or Deny?
    • Security Profiles: If UTM features (Antivirus, Web Filter, IPS, Application Control, DNS Filter) are enabled on the policy, they could be blocking the traffic. Check the corresponding logs (e.g., Web Filter logs) for block events related to this traffic.
  6. Check Logs: Filter Forward Traffic logs by source/destination IP and check the “Policy ID” column. Is it hitting the policy you expect? If denied, what’s the reason? Check UTM logs if Security Profiles are applied to the policy ID being hit.
Tip:

Since FortiOS 7.4, most UTM inspection runs in flow-based mode by default rather than proxy-based. If traffic is dropped by a security profile, the block often will not appear in the Forward Traffic policy log alone. Always cross-check the specific UTM log (Web Filter, IPS, Application Control, or DNS Filter) for the matching event.

Common Solutions:

  • Re-ordering firewall policies.
  • Correcting Source/Destination Address objects or Service definitions.
  • Changing the policy Action (Allow/Deny).
  • Adjusting or disabling specific Security Profiles on the policy (or creating exceptions within the profile).
  • Making policies more specific (avoiding “all”).

How do you troubleshoot FortiGate VPN tunnels (IPsec and SSL-VPN)?

For IPsec, verify Phase 1 and Phase 2 come up (get vpn ipsec tunnel summary), then run the IKE debug to catch proposal, PSK, or selector mismatches. Confirm you have firewall policies in both directions with NAT disabled, and a route to the remote subnet. For SSL VPN, note that it is being phased out (see the warning below) and migrate remote access to IPsec.

Symptoms: VPN tunnels (site-to-site or remote access) fail to establish, disconnect frequently, or establish but don’t pass traffic.

Warning:

SSL VPN tunnel mode is being removed. Starting in FortiOS 7.6.3, Fortinet replaced SSL VPN tunnel mode with standards-based IPsec VPN (which can be configured on TCP port 443). It is gone from the GUI and CLI, settings are not migrated automatically on upgrade, and the new G-series FortiGates do not support SSL VPN at all. If you still run SSL VPN tunnel mode, plan your migration to IPsec (or ZTNA for application access) before upgrading. See our guide: FortiGate SSL VPN Is Going Away: Migrate to IPsec.

IPsec Site-to-Site Troubleshooting:

  1. Phase 1 (IKE): This establishes the secure management tunnel.
    • Check Status: GUI (Dashboard -> Network -> IPsec, or Monitor) or CLI (get vpn ipsec tunnel summary). Is it up?
    • Debug: Use CLI: diagnose vpn ike log filter name <your_phase1_name>, diagnose debug application ike -1, diagnose debug enable. Initiate the tunnel (e.g., with traffic) and watch the logs.
    • Common Errors: Proposal mismatches (Encryption, Authentication, DH Group, Key Lifetime must match exactly on both sides), Pre-Shared Key (PSK) mismatch, incorrect Remote Gateway IP or Peer ID. Modern deployments should use IKEv2 with AES-GCM and a strong DH group where both peers support it.
    • Verify: Double-check Phase 1 settings on both FortiGates (or the remote peer).
  2. Phase 2 (IPsec): This negotiates the data tunnel parameters.
    • Check Status: GUI IPsec monitor (expand the tunnel details).
    • Debug: The IKE debug often shows Phase 2 negotiation too.
    • Common Errors: Proposal mismatches (Encryption/Authentication algorithms, PFS enablement, Key Lifetime) and selector mismatches (Local Address/Subnet and Remote Address/Subnet must be exact opposites, e.g., Local 192.168.1.0/24 <-> Remote 10.1.1.0/24). Using 0.0.0.0/0 can cause issues if not matched identically.
    • Verify: Check Phase 2 selectors and proposals on both peers.
  3. Firewall Policies: You need policies to allow traffic into and out of the tunnel.
    • Policy: LAN -> tunnel_interface, Source=Local Subnet, Dest=Remote Subnet, Service=ALL (or specific), Action=Allow.
    • Policy: tunnel_interface -> LAN, Source=Remote Subnet, Dest=Local Subnet, Service=ALL (or specific), Action=Allow.
    • Important: Ensure these policies do not have NAT enabled.
  4. Routing: The FortiGate needs a route pointing the remote subnet(s) toward the IPsec tunnel interface. This is often created automatically if configured in Phase 2, but verify using Routing Monitor or get router info routing-table all. The remote peer also needs a route back to your local subnet.
  5. NAT Traversal: Required if either peer is behind a NAT device. Usually set to ‘Enable’ or ‘Forced’ on both ends (Network -> IPsec Tunnels -> Edit Phase 1).
  6. Logs: Check VPN Events in the Event Log and Forward Traffic logs for traffic attempting to cross the VPN.

SSL-VPN Troubleshooting (legacy releases, FortiOS 7.6.2 and earlier): If you are on a release that still supports SSL VPN tunnel mode, the checks below apply. Treat this as a stopgap and prioritize the IPsec migration above.

  1. Connectivity: Can the remote client reach the FortiGate’s public IP on the configured SSL VPN port (usually TCP/443 or TCP/10443)? Check any upstream firewalls. Check the FortiGate’s WAN interface Local-in Policy if restricting access.
  2. Authentication:
    • Verify user credentials (local user, RADIUS, LDAP).
    • Check User & Authentication -> User Groups: Is the user in the correct group?
    • Check VPN -> SSL-VPN Settings: Are the correct groups assigned to the correct Portal in the Authentication/Portal Mapping?
    • Test backend servers: diagnose test authserver ldap <server_name> <username> <password>, diagnose test authserver radius <server_name> <username> <password>.
    • Check Logs: Event -> VPN Events or User Events.
  3. Portal and Tunnel Settings: Confirm Tunnel Mode is enabled, split tunneling is configured correctly, and Source IP Pools are assigned and not exhausted (VPN -> Monitor -> SSL-VPN Monitor). You need a firewall policy from the SSL VPN tunnel interface (ssl.root by default) to the internal network(s), with NAT disabled.
  4. Logs and Debug: Check Event Logs (VPN Events) and use SSL VPN debugs (diagnose debug application sslvpn -1, diagnose debug enable). Check Forward Traffic logs for traffic from the ssl.root interface.

Common Solutions:

  • IPsec: Correcting mismatched Phase 1/2 proposals, PSKs, or selectors. Adding correct firewall policies and routes. Enabling NAT Traversal.
  • SSL-VPN (legacy): Fixing authentication issues, correcting portal assignments, adding a firewall policy from ssl.root to LAN, and ensuring IP pool availability. Longer term, migrate to IPsec.

Should you troubleshoot a FortiGate from the GUI or the CLI?

Use both. Start in the GUI for fast, visual checks (Log Viewer, Policy Lookup, monitors), then move to the CLI when you need to see exactly how a packet is processed or debug a specific daemon. The GUI is faster for orientation; the CLI is where you get definitive answers.

FeatureGUI TroubleshootingCLI Troubleshooting
Ease of UseGenerally easier, visual feedbackSteeper learning curve, command knowledge required
Real-time FlowLimited (Policy Lookup is static)Excellent (diagnose debug flow) shows packet processing step-by-step
Packet CaptureBasic setup, visual resultsMore powerful filtering options, detailed output formats
Detailed DebugVery limitedExtensive daemon-specific debugging (diagnose debug application ...)
LoggingVisual log viewing, easy filteringCan parse raw logs, harder for large volumes without filtering
ConfigurationVisual, structuredFaster for experienced users, scripting possible
MonitoringDashboards (FortiView), monitorsget commands for status, diagnose for real-time stats
  • Start with the GUI: Use Log Viewer, Policy Lookup, and monitors for initial investigation and quick checks.
  • Move to CLI for deep dives: When you need to see exactly how a packet is processed (diagnose debug flow), capture specific traffic (diagnose sniffer packet), or debug a specific process like IKE, the CLI is indispensable.
  • Combine both: The most effective approach uses the GUI to identify potential issues (like a policy ID from logs), then the CLI to confirm the exact behavior or gather more detailed debug information.

Stay current: FortiOS versions and upgrade planning

A surprising number of “bugs” are resolved simply by running a mature, patched FortiOS build. As of mid-2026, the recommended production branches are FortiOS 7.4 and 7.6 (7.6.6 is widely recommended, with 7.6.7 available). FortiOS 8.0 was announced at Accelerate 2026 but is not yet recommended for production. Critically, FortiOS 7.2 reaches end-of-support in September 2026, so if you’re still on 7.2, plan your upgrade now.

Before upgrading, always read the release notes for your exact target build, back up your configuration, and check two things that commonly break on newer FortiOS: SSL VPN tunnel mode (removed from 7.6.3, migrate to IPsec first) and any UTM profiles relying on proxy-based inspection (now flow-based by default from 7.4). Systematic troubleshooting plus a current, supported firmware baseline prevents most FortiGate issues from recurring.

FortiGate configuration issues can be frustrating, but they are rarely insurmountable. Adopt a systematic approach, lean on the built-in GUI and CLI diagnostics, and understand the common pitfalls around connectivity, policies, and VPNs. If you’d rather hand off day-to-day firewall management and monitoring, that’s exactly what our managed firewall services cover.

Sources

What is FortiGate NGFW? Next-Generation Firewall Features

Network perimeters face a constant barrage of sophisticated threats, rendering older security methods increasingly ineffective. Simple packet filtering, the foundation of traditional firewalls, can no longer adequately protect against modern attacks that hide within applications or encrypted traffic. Organizations now demand security solutions with deeper intelligence and broader capabilities. This need sparked the development of Next-Generation Firewalls (NGFWs), marking a critical evolution in network defense. Fortinet’s FortiGate stands out as a prominent solution in this advanced security landscape. Let’s explore what defines a FortiGate NGFW and makes it “next-generation.”

From Traditional Firewalls to NGFWs

Traditional firewalls primarily operated at Layers 3 and 4 (Network and Transport) of the OSI model. They made decisions based on source/destination IP addresses, ports, and protocols. While effective for basic network segmentation, they lacked visibility into the actual content of the traffic.

NGFWs evolved to address these limitations. They incorporate the capabilities of traditional firewalls but add crucial features like:

  • Application Awareness: Identifying and controlling specific applications (e.g., Facebook, Dropbox, Salesforce) regardless of the port or protocol used.
  • Intrusion Prevention Systems (IPS): Detecting and blocking known exploits and malicious network activity based on signatures and anomaly detection.
  • Deep Packet Inspection (DPI): Examining the actual data payload of network packets, not just the headers, to identify threats, control applications, and enforce policies.
  • User Identity Awareness: Integrating with directory services (like Active Directory) to enforce policies based on user identity or group membership, not just IP addresses.

Introducing FortiGate NGFW

Struggling To Choose The Right Fortigate?

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
Modern abstract graphic representing potential or growth

FortiGate is the flagship NGFW product line from Fortinet, a global leader in cybersecurity solutions. FortiGate appliances (available as hardware, virtual machines, and cloud instances) are built around Fortinet’s custom Security Processing Units (SPUs) and the FortiOS operating system. This combination allows them to deliver high-performance security services without creating network bottlenecks.

Key Features of FortiGate NGFW

FortiGate NGFWs offer a comprehensive suite of security features integrated into a single platform:

  1. High-Performance Firewalling: Core stateful firewall capabilities with high throughput, leveraging SPUs for acceleration.
  2. Intrusion Prevention System (IPS): Industry-leading IPS technology protects against known and zero-day threats using signature-based detection, protocol anomaly detection, and heuristics. FortiGuard Labs provides continuous threat intelligence updates.
  3. Application Control: Granular visibility and control over thousands of applications, allowing administrators to block, allow, or shape traffic based on the application, regardless of port or encryption.
  4. Web Filtering: Blocks access to malicious, inappropriate, or non-productive websites based on categories, URLs, and content ratings. Supports SSL inspection to examine encrypted traffic.
  5. VPN (IPsec & SSL): Secure remote access and site-to-site connectivity using both IPsec and SSL VPN technologies, ensuring data confidentiality and integrity for remote users and branch offices.
  6. Antivirus/Anti-malware: Scans traffic for viruses, spyware, and other malware using FortiGuard Labs’ threat intelligence.
  7. Advanced Threat Protection (ATP): Includes features like sandboxing (often integrated with FortiSandbox) to analyze suspicious files in a safe, isolated environment, detecting previously unknown malware.
  8. SSL Inspection: Decrypts and inspects encrypted traffic (HTTPS, SMTPS, POP3S, etc.) to ensure threats aren’t hiding within encrypted tunnels. This is critical as most web traffic is now encrypted.
  9. Security Fabric Integration: FortiGate NGFWs act as the core of the Fortinet Security Fabric, integrating with other Fortinet products (like FortiAnalyzer, FortiManager, FortiSwitch, FortiAP) for broader visibility, automated threat response, and centralized management across the entire network infrastructure.
  10. SD-WAN Capabilities: Many FortiGate models include built-in Secure SD-WAN functionality, optimizing application performance and providing secure direct internet access for branch offices.

Benefits of Using FortiGate NGFW

  • Consolidated Security: Reduces complexity and cost by integrating multiple security functions into a single device.
  • Enhanced Visibility & Control: Provides deep insight into network traffic, applications, users, and threats.
  • Improved Threat Protection: Offers multi-layered security against a wide range of attacks, including advanced persistent threats (APTs).
  • High Performance: Purpose-built hardware (SPUs) ensures security functions operate at line speed without degrading network performance.
  • Scalability: Available in various models to suit different network sizes and performance requirements, from small businesses to large enterprises and service providers.
  • Simplified Management: Can be managed individually via a web UI/CLI or centrally through FortiManager, especially when deployed as part of the Security Fabric.

Conclusion

FortiGate NGFWs represent a significant advancement over traditional firewalls. By integrating critical security technologies like IPS, application control, web filtering, and advanced threat protection onto a high-performance platform, they provide the comprehensive security needed to defend modern networks. As cyber threats continue to evolve, deploying a robust NGFW like FortiGate is no longer just an optionit’s a necessity for organizations serious about protecting their valuable data and infrastructure.

FortiGate Models: Key Differences Explained

FortiGate models differ mainly in three things: performance (how much traffic they can inspect with security services on), capacity (how many users and sessions they support), and connectivity (the number and speed of ports). The number in the model name tracks roughly to performance tier, and the letter suffix (E, F, or G) marks the hardware generation. For most Canadian mid-market offices the decision is a desktop model in the current G-series (30G, 50G, 70G, 90G); larger sites and data centres move up to the rack and chassis lines.

FortiGate

FortiGate is Fortinet’s line of next-generation firewalls (NGFWs). Each model combines firewalling, intrusion prevention (IPS), antivirus, application control, web filtering, and VPN in one appliance, accelerated by Fortinet’s custom security processors (SPUs). Models scale from small fanless desktop units to multi-terabit chassis systems, all managed with the same FortiOS operating system.

Do not shop on the “firewall throughput” headline number. Match the model to your real internet bandwidth and user count using threat protection throughput (performance with IPS, antivirus, and application control turned on), then leave 30 to 50 percent headroom for growth. For new multi-year purchases, price the current G-series rather than the older F-series.

Struggling To Choose The Right FortiGate?

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
FortiGate firewall lineup graphic

How does FortiGate model numbering work?

The number tells you the performance class and the trailing letter tells you the hardware generation. A higher number means more throughput, more ports, and more session capacity: an 80-class unit outperforms a 60-class unit, and a 400-class rack unit outperforms both. The letter is the generation marker, and it moves forward over time: E preceded F, and F is now being succeeded by G on Fortinet’s newest security processor.

  • The number = tier. 30 to 90 class are desktop units for small and branch offices. 100 to 900 class are rack-mount units for mid-market and campus. 1000 class and up are high-end enterprise and data-centre platforms; the 7000 series is chassis-based for carriers and hyperscale.
  • The letter = generation. E, then F, then G. Each generation brings a new security processor and a large jump in threat-protection performance at a similar price and power draw.
  • Suffixes and variants. A FortiWiFi (FWF) model is the same hardware with built-in Wi-Fi. A POE variant adds Power over Ethernet ports to run phones, cameras, and access points. Rugged and industrial models carry different naming for harsh environments.

What are the current FortiGate model tiers?

Fortinet groups FortiGate into four broad tiers by network size and traffic load. Match your organization to a tier first, then pick the specific model on the specs that matter to you.

  • Entry / SMB desktop (30G, 50G, 70G, 90G): Fanless desktop units for small businesses, retail sites, and branch offices. Core NGFW security with Gigabit and, higher up, multi-gig and SFP ports. This is where most GTA small offices land.
  • Mid-range rack (100F, 200F, 400F class): Rack-mount units for growing and medium organizations. Higher throughput, more concurrent sessions, 10GbE interfaces, and redundant power options.
  • High-end enterprise (1000F, 2000F class): Large enterprise, campus, and data-centre firewalls. Very high throughput, 10/25/40GbE interfaces, dual power supplies, and virtual domains (VDOMs).
  • Chassis / ultra-high-end (7000 series): Chassis-based systems for service providers and hyperscale data centres, delivering terabit-scale throughput and 100/400GbE density.

FortiGate SMB desktop models compared: 30G, 50G, 70G, 90G

For most small and branch offices, the choice comes down to the current G-series desktop lineup. All four run on the FortiSP5 security processor and share the same FortiOS features; they differ in throughput, ports, and user headroom. Threat protection throughput is the realistic day-to-day number because it reflects security services turned on.

ModelThreat protectionFirewall throughputIPsec VPNBest fit
FortiGate 30G500 Mbps4 Gbps~4 GbpsVery small office / micro-branch
FortiGate 50G1.1 Gbps5 Gbps~5 GbpsSmall office, fibre internet
FortiGate 70G1.3 Gbps10 Gbps~11 GbpsBusy small office / larger branch
FortiGate 90G2.2 Gbps28 Gbps25 GbpsGrowing SMB, heavy VPN or SSL inspection
Figures from Fortinet G-series datasheets (July 2026). Threat protection = enterprise traffic mix with IPS, antivirus, and application control enabled.

If you are weighing the older SMB units instead, our detailed FortiGate 40F vs 60F vs 80F comparison breaks down the previous generation the G-series replaces.

What is the difference between the FortiGate F-series and G-series?

The G-series is the current generation and the F-series is the previous one. G-series desktop models run on the FortiSP5, Fortinet’s fifth-generation security processor, which delivers roughly two to three times the threat-protection throughput of the equivalent F-series model at a similar price, in a smaller fanless form factor that draws less power. The F-series (40F, 60F, 80F) is still sold and supported with no end-of-life announced, so existing units are fine to keep running, but new multi-year purchases should price the G-series.

2-3x

threat-protection throughput of the FortiSP5 G-series over the equivalent F-series model (Fortinet 90G / 80F datasheets)

The practical upgrade path maps almost one to one:

  • 40F is succeeded by the 30G (similar tier) or 50G (a step up).
  • 60F is succeeded by the 70G.
  • 80F is succeeded by the 90G, which delivers more than double the 80F’s threat protection.
Important:

Firmware matters as much as hardware. Run a mature FortiOS branch (7.4 or 7.6; 7.6.6+ is widely recommended) and do not deploy 8.0 in production yet. If you are still on FortiOS 7.2, plan your upgrade now: 7.2 reaches end-of-support in September 2026. Fortinet is also removing SSL VPN tunnel mode in newer FortiOS releases, so design remote access around IPsec VPN (and ZTNA for application access) rather than SSL VPN.

Which specs actually matter when comparing FortiGate models?

Beyond the tier, five specifications separate the models. Read them in this order and the right size becomes obvious.

  1. Threat protection throughput. Performance with IPS, antivirus, and application control on. This is the number to size against, not raw firewall throughput.
  2. SSL inspection throughput. Performance while decrypting and inspecting HTTPS. It is computationally heavy and drops fastest under load, so if you inspect encrypted traffic (most networks should), check this figure closely.
  3. Interfaces. Count and speed of ports: enough 1GbE for endpoints, plus 10GbE or SFP+ uplinks if you have fast internet or server segments. Confirm POE ports if you run phones, cameras, or access points off the firewall.
  4. Session capacity. Concurrent sessions (how many connections it tracks at once) and new sessions per second (how fast it opens them). Make sure concurrent sessions comfortably exceed your user and device count.
  5. Redundancy and scalability. High availability (HA) pairing for failover, redundant power supplies (mid-range and up), and VDOMs to split one appliance into several virtual firewalls (high-end).

Size against your projected internet bandwidth with SSL inspection enabled, not your current speed with it off. Enabling deep inspection can cut usable throughput by more than half on entry models, so a firewall that looks oversized on the firewall-throughput line is often exactly right once real security services are running.

How do I choose the right FortiGate model?

Work from your network reality to a specific model in five steps.

Start with scale: match your site size to a tier. Small or branch office points to a G-series desktop unit; a growing head office points to a 100F-class rack unit or higher.

Assess your reality: note your current and projected internet bandwidth, your user and device count, and the security services you will run (IPS, web filtering, SSL inspection, VPN).

Check the right specs: on the datasheets, compare threat protection and SSL inspection throughput, and confirm concurrent sessions exceed your device count.

Verify connectivity: confirm the port mix (1GbE, 10GbE, SFP/SFP+, POE) covers what you need now and in the near future.

Factor in growth: pick a model with 30 to 50 percent headroom over today’s needs so it lasts the full refresh cycle, and buy the current G-series generation for a longer support runway.

Choosing the right FortiGate is about matching the appliance to your real traffic, not buying the biggest box. As a Fortinet Advanced Partner, we size, deploy, and run these firewalls every day; our managed firewall services take model selection, licensing, firmware, and 24/7 monitoring off your plate.

Sources