Skip to content

FortiGate SSL VPN Is Going Away: Migrate to IPsec

If your business runs remote access through a FortiGate firewall, the way your team connects from home is about to change, and the deadline is closer than most IT leaders realize. Fortinet is removing SSL VPN tunnel mode from FortiOS, the feature that powers the FortiClient remote access VPN that thousands of Canadian businesses rely on every day. On newer G-series FortiGate appliances, it is already gone.

This post breaks down exactly which FortiOS versions and FortiGate models are affected, the timeline you need to plan around, and how to migrate from SSL VPN to IPsec VPN without locking your remote workforce out.

SSL VPN tunnel mode is being phased out of FortiOS. FortiOS 7.6.2 is the last release to support it on most FortiGate models, and 7.6.3 removes it entirely. New G-series FortiGates do not support SSL VPN at all. If you use FortiClient remote access VPN, you must migrate to IPsec VPN before upgrading to 7.6.3 or moving to G-series hardware. Plan the switch now rather than discovering it during an upgrade.

SSL VPN Tunnel Mode

SSL VPN tunnel mode is the FortiGate remote access method that uses the FortiClient agent to create a full network tunnel over an encrypted HTTPS connection. It lets remote employees access internal company resources as if they were on the office network. Fortinet is deprecating this feature in favour of IPsec VPN, which uses a different, more standardized encryption protocol for the same job.

What Is Changing With FortiGate SSL VPN?

Fortinet is retiring SSL VPN tunnel mode across the FortiOS product line and steering all remote access toward IPsec VPN. This is not a security advisory or an emergency patch. It is a planned architectural change that arrives gradually through normal firmware upgrades, which is exactly why it catches teams off guard. You will not see it until the day you push a firmware update and your remote users can no longer connect.

According to Fortinet’s technical documentation on SSL VPN support across FortiGate models, the removal is happening on two tracks at once. The first track is hardware: the newer G-series FortiGate appliances ship without SSL VPN support, full stop. The second track is firmware: as you move up through the FortiOS 7.6 releases, SSL VPN tunnel mode is removed model by model until it disappears completely in 7.6.3.

Warning:

If you upgrade a FortiGate to FortiOS 7.6.3 or later without migrating first, SSL VPN tunnel mode will stop working and your remote employees will lose access. Confirm your VPN method before scheduling any firmware upgrade to 7.6.3.

FortiOS Version Timeline: When SSL VPN Goes Away

The single most useful thing you can do right now is map your current FortiOS version against the removal timeline. SSL VPN tunnel mode does not vanish in one release. It is pulled progressively, starting with low-memory and entry-level models and ending with a complete removal in FortiOS 7.6.3. Here is how the releases line up.

FortiOS VersionSSL VPN Tunnel Mode Status
7.4.xSupported, except some newer entry-level G-series models in later releases
7.6.0Removed only on certain low-memory (2 GB RAM) models; still available on most others
7.6.1Removed on additional desktop and entry-level models (40F, 60E/F, 80E, 90E, 90G, and similar)
7.6.2Last version with SSL VPN tunnel mode available where supported
7.6.3+SSL VPN tunnel mode removed on all FortiGate models; migrate to IPsec VPN

There is one more date that matters and it is easy to miss. FortiOS 7.4 is scheduled to reach end of support in 2027, which means staying on an older release to keep SSL VPN alive is not a long-term plan. You will run out of security updates on 7.4 around the same time you would otherwise be forced off SSL VPN by the 7.6 line. Either path leads to IPsec, so the practical question is simply when you do the work, not whether.

Good to know:

Not everything SSL-based is disappearing. SSL VPN web mode, the clientless browser portal, survives in a modified form and is renamed Agentless VPN in later FortiOS releases. It is the agent-based tunnel mode (FortiClient remote access) that is being removed.

Why Are G-Series FortiGates Affected First?

G-series FortiGate appliances do not support SSL VPN at all, which makes them the clearest signal of where Fortinet is heading. If you have recently purchased or are about to deploy a G-series firewall, IPsec VPN is your only built-in remote access tunnel option from day one. There is no SSL VPN tunnel mode to fall back on, regardless of which FortiOS version you run.

This matters most during hardware refreshes. A common scenario we see with GTA mid-market firms is a business replacing an aging FortiGate 60E or 90E with current G-series hardware, restoring the configuration, and assuming remote access will carry over. It will not. The SSL VPN configuration has nowhere to land on the new appliance. Any refresh onto G-series hardware needs an IPsec VPN migration baked into the project plan, not treated as a surprise after cutover.

Before approving any FortiGate hardware purchase, confirm whether the model is G-series and plan your remote access around IPsec VPN from the start. Building IPsec into the initial deployment is far cheaper than retrofitting it after users are already connecting through a method that is about to break.

How Do You Migrate From SSL VPN to IPsec VPN?

Migrating from SSL VPN to IPsec VPN is a planned project, not a single config toggle. The encryption protocol, client configuration, and authentication flow all change, and the safest approach is to run both methods in parallel during the transition so you can move users in controlled batches. Here is the sequence we follow.

Inventory your VPN footprint: Identify every FortiGate in your environment, its exact FortiOS version, its model, and how many users connect through SSL VPN tunnel mode today. This tells you who is affected and how urgent the timeline is for each site.

Build the IPsec VPN configuration: Configure dial-up IPsec VPN on the FortiGate with the right encryption proposals, authentication method, and split-tunnel or full-tunnel routing to match your security policy. Integrate it with your existing identity provider and multi-factor authentication.

Run SSL and IPsec in parallel: Keep SSL VPN active while you stand up IPsec alongside it. This gives you a rollback path and lets you migrate users in waves instead of a single high-risk cutover.

Pilot, then roll out in batches: Move a small test group to IPsec first, validate access to every critical resource, then expand. Update the FortiClient configuration and provide clear instructions so end users are not left guessing.

Decommission SSL VPN and upgrade firmware: Once everyone is on IPsec and stable, disable SSL VPN tunnel mode and proceed with your FortiOS upgrade to 7.6.3 or later, confident that remote access will not break.

FortiOS Upgrade Best Practices: Don’t Jump Too Far Ahead

The SSL VPN change is a reminder of a broader discipline: upgrade FortiOS deliberately, not aggressively. Fortinet designates specific releases as recommended, often called the “Gold” or mature release, and that is almost always where a production firewall should live. The newest available version is rarely the right place for a business-critical appliance, and the oldest supported version leaves you exposed. The sweet spot is the recommended release for your specific model.

  • Check Fortinet’s recommended release for your exact FortiGate model before every upgrade. The right version differs by hardware.
  • Follow the supported upgrade path. Jumping multiple major versions in one step can corrupt configurations or strip features like SSL VPN without warning.
  • Read the release notes for the target version, specifically the removed and deprecated features section, before you schedule the work.
  • Test in a maintenance window with a config backup and a rollback plan. Never upgrade a production firewall during business hours on a whim.
  • Start planning for FortiOS 8 now. Knowing what is coming lets you sequence hardware refreshes and feature migrations on your schedule instead of reacting to a forced change.
Important:

The most expensive FortiOS upgrades are the rushed ones. A planned migration with parallel VPN methods and a tested rollback costs a fraction of an emergency response after remote staff are locked out on a Monday morning.

SSL VPN tunnel mode is on its way out of FortiOS, and IPsec VPN is the path forward for every FortiGate remote access deployment. The businesses that handle this well are the ones that inventory their firewalls now, build IPsec alongside SSL VPN, and migrate users in controlled batches before a firmware upgrade forces the issue. The deadline is set by your own upgrade schedule and FortiOS 7.4’s end of support, so the time to plan is today.

At Balanced+, we manage and secure FortiGate environments for mid-market businesses across Toronto and the GTA, including firmware lifecycle planning and VPN migrations that keep remote teams connected through the transition. If you are not sure which FortiOS version your firewall runs or whether SSL VPN removal affects you, our team can audit your environment and build the migration plan for you. Learn more about our cybersecurity and managed firewall services.

Frequently Asked Questions

Is FortiGate SSL VPN being discontinued?

SSL VPN tunnel mode, the agent-based FortiClient remote access VPN, is being removed from FortiOS. FortiOS 7.6.2 is the last release that supports it on most models, and 7.6.3 removes it entirely. SSL VPN web mode survives in a renamed form called Agentless VPN, but the full tunnel feature most businesses use for remote access is being discontinued in favour of IPsec VPN.

Which FortiOS version removes SSL VPN?

FortiOS 7.6.3 removes SSL VPN tunnel mode on all FortiGate models. Removal begins earlier on certain low-memory and entry-level models in 7.6.0 and 7.6.1, but 7.6.2 is the last version where it remains available where supported. You must migrate to IPsec VPN before upgrading to 7.6.3 or later.

Do G-series FortiGate firewalls support SSL VPN?

No. G-series FortiGate appliances do not support SSL VPN tunnel mode at all, regardless of FortiOS version. If you deploy or refresh onto G-series hardware, IPsec VPN is your only built-in remote access tunnel option, so plan your remote access around IPsec from the start.

Is IPsec VPN better than SSL VPN on FortiGate?

For FortiGate remote access going forward, IPsec VPN is the supported and recommended method, which makes it the practical choice. IPsec uses a standardized encryption protocol and is built into current and future FortiGate hardware, including G-series models. SSL VPN tunnel mode is being removed, so even if your team prefers it today, IPsec is where remote access is heading.

Sources

The Real Cost of Running Outdated FortiGate Models

The firewall humming away in your server closet might be the most expensive piece of equipment in your office. Not because of what you paid for it years ago, but because of what it’s costing you right now while appearing to cost nothing at all.

It still powers on. Lights still blink. Traffic still flows. Your IT person says it’s fine. So you leave it alone, because you have actual fires to fight and a business to run.

But “still working” and “still protecting you” are two very different things. And the gap between them is where the real costs hide.

The Comfort of “It Still Works”

There’s a certain logic to keeping equipment running as long as possible. You paid for it. It functions. Replacing something that isn’t broken feels wasteful, especially when budgets are tight and a dozen other priorities compete for every dollar.

So the FortiGate you bought five or six years ago stays in place. Maybe your IT person has mentioned upgrading, but it wasn’t urgent. Maybe you looked at replacement costs and decided next year made more sense. Maybe nobody’s mentioned it at all, and you assumed no news meant good news.

This is how most businesses end up running outdated firewalls. Not through neglect, but through reasonable decisions that made sense at the time. The problem is that firewall security doesn’t age gracefully. What protected you in 2019 isn’t equipped for what’s attacking you in 2025.

What “End of Support” Actually Means

Every FortiGate model follows a lifecycle. Fortinet announces end-of-sale dates, then end-of-support dates, then end-of-vulnerability-support dates. These aren’t arbitrary deadlines designed to sell more hardware. They mark real transitions in what that device can do for you.

When a FortiGate reaches end of support, Fortinet stops releasing firmware updates for it. When it reaches end of vulnerability support, they stop patching security flaws entirely. Your firewall still powers on. It still passes traffic. But it’s frozen in time, running software that will never improve while threats continue evolving.

That model that felt cutting-edge when you bought it is now running firmware designed for a threat landscape that no longer exists. New attack techniques, new malware variants, new exploitation methods. None of them accounted for in the code protecting your network.

The firewall doesn’t know it’s obsolete. It just keeps doing what it was programmed to do. The gap between that and what you actually need grows wider every month.

The Security Gaps You Can’t See

Modern firewalls don’t just block traffic based on ports and protocols. They inspect encrypted connections, analyze application behavior, check files against threat intelligence feeds, and identify patterns that suggest compromise. At least, current ones do.

Older FortiGate models lack the processing power to inspect modern encrypted traffic volumes without crippling your network speed. Their threat intelligence subscriptions have expired or no longer update. Their inspection engines don’t recognize attack patterns that emerged after their last firmware update.

You’re essentially running antivirus from 2020 against malware from 2025. The firewall is still checking, still filtering, still doing its job as it understands it. But its understanding is years out of date.

The threats targeting SMBs today look nothing like they did when your firewall was current:

  • Ransomware that evades signature-based detection entirely
  • Encrypted command-and-control traffic that older inspection can’t analyze
  • Living-off-the-land attacks that don’t trigger traditional firewall rules
  • Credential theft techniques that bypass perimeter controls completely

Your outdated FortiGate isn’t failing. It’s succeeding at an outdated job.

The Performance Tax You’re Paying Daily

Security gaps aside, older hardware simply can’t keep up with modern network demands. When your FortiGate was sized, your team probably worked mostly on-site. Video calls were occasional. Cloud applications were supplementary. Encrypted traffic was a fraction of total volume.

Now encrypted traffic is nearly everything. Video conferencing runs constantly. Cloud applications are primary business tools. Remote workers VPN in from home offices. And that firewall sized for 2019 workloads is choking on 2025 reality.

The symptoms show up in ways that rarely get traced back to the firewall:

  • VPN connections that lag or drop during peak hours
  • Video calls that freeze or pixelate
  • Cloud applications that feel sluggish
  • File transfers that crawl
  • Remote workers complaining about “the internet” being slow

Your IT person troubleshoots the ISP, the switches, the WiFi, the endpoints. Sometimes they find something. Sometimes they just shrug. But the bottleneck sitting at your network’s front door rarely gets questioned because it’s “still working.”

Meanwhile, productivity drains away in ten-second delays and frozen screens, none of which show up on any invoice.

The Compliance Exposure Nobody Mentioned

If your business handles customer data, processes payments, or serves clients with security requirements, your firewall age isn’t just a technical concern. It’s a compliance exposure.

Auditors asking about your security controls will want to know if your firewall receives current patches. Running end-of-support hardware is a finding. It goes in the report. It raises questions about what other corners you’ve cut.

Cyber insurance carriers are getting more sophisticated about what they’ll cover. Application questionnaires now ask about infrastructure age, patch status, and end-of-life equipment. A claim denial because you were running unsupported hardware is not a theoretical risk. It’s happening to businesses right now.

Customer security questionnaires increasingly ask about firewall patch currency. Enterprise clients doing vendor risk assessments want to know your perimeter is current. Losing a deal because you couldn’t answer those questions honestly hurts more than a hardware refresh ever would.

The compliance cost of outdated equipment rarely announces itself until you’re sitting across from an auditor, an insurance adjuster, or a customer’s security team.

The Hidden Costs That Don’t Show Up on Invoices

Every workaround has a cost. Every limitation creates friction. Every band-aid consumes time that could go elsewhere.

Your IT person spending hours troubleshooting performance issues that trace back to underpowered hardware. That’s a cost. Projects delayed because the firewall can’t support new requirements. That’s a cost. The emergency premium you’ll pay when the device finally fails and you need replacement hardware overnight. That’s a cost.

Planned replacements happen on your timeline, with competitive pricing, proper configuration, and minimal disruption. Emergency replacements happen on the equipment’s timeline, with expedite fees, rushed implementation, and whatever’s available in stock.

The businesses that budget for infrastructure refreshes spend less over time than the businesses that run equipment until it fails. The math isn’t intuitive, but it’s consistent.

When “Saving Money” Becomes the Most Expensive Decision

The calculus feels simple on the surface. Replacement costs money. Keeping current equipment costs nothing. Except that’s not actually true.

Keeping outdated equipment costs you in security exposure, in performance degradation, in compliance risk, in insurance complications, in deals you can’t close, in productivity you can’t measure, and eventually in emergency replacement premiums.

The firewall that costs nothing on your monthly budget might be the most expensive line item you’re not tracking.

This isn’t about fear. It’s about seeing the full picture. The equipment you trust most deserves the most scrutiny, because you’ve built your entire network security assumption on its capabilities.

Understanding Your Options

If your FortiGate is approaching end of life, or passed it without anyone noticing, the path forward isn’t necessarily complicated. It starts with understanding where your current hardware sits in its lifecycle and what a refresh would actually involve.

BALANCED+ is a Fortinet Gold Partner, which means we work directly with Fortinet and can help you get the best pricing available on new FortiGate hardware. Whether you need a straightforward replacement or want to right-size your firewall for where your business is headed, we can help you understand the options without the pressure.

Your firewall should be an asset, not a liability hiding in plain sight.

SSL VPN vs IPsec VPN: What Fortinet Users Must Know

Fortinet is removing SSL VPN tunnel mode from FortiOS and pushing every remote-access deployment toward IPsec VPN. The feature is already gone in FortiOS 7.6.3 and later, and tunnel mode was pulled from entry-level G-series and 2GB-RAM models even earlier. If your FortiGate still terminates remote workers over SSL VPN tunnel mode, you need a migration plan to IPsec (and, for app-level access, ZTNA) before your next firmware upgrade. Here is what changed, how the two protocols actually compare, and how to move without breaking remote access.

SSL VPN tunnel mode

SSL VPN tunnel mode is FortiGate’s client-based remote-access method that builds a full network tunnel over TLS (TCP 443) using FortiClient. It differs from SSL VPN web mode (now renamed Agentless VPN), which is a clientless HTTPS reverse proxy to internal web apps. Fortinet has replaced tunnel mode with IPsec VPN; web/Agentless mode continues on supported models.

Is Fortinet really removing SSL VPN from FortiGate?

Yes. Fortinet has removed SSL VPN tunnel mode from FortiOS 7.6.3 onward, and it is no longer available in either the GUI or CLI on affected models. The rollout was phased: FortiOS 7.6.0 dropped SSL VPN (web and tunnel) from models with 2GB of RAM or less, FortiOS 7.4.8 removed it from the G-series entry-level FortiGates (50G, 70G, 90G and variants), and 7.6.3 completed the removal of tunnel mode across the lineup. Your SSL VPN tunnel-mode configuration will not carry forward through the upgrade, so it must be migrated to IPsec before you move to 7.6.3 or later.

The driver is risk. SSL VPN appliances across the industry have been a repeated target for exploitation, and a listening SSL VPN portal is internet-exposed attack surface. Fortinet’s answer is to standardize remote access on IPsec, which can run over TCP 443 to keep the firewall-friendly behavior that made SSL VPN convenient, while removing the web-portal exposure.

Warning:

Do not upgrade a FortiGate straight to FortiOS 7.6.3+ if it still relies on SSL VPN tunnel mode. The upgrade does not convert your settings, so remote workers can lose access the moment the firmware reboots. Build and test the IPsec configuration first, then upgrade. Also note FortiOS 7.2.x reaches end of support in September 2026, so plan the firmware move and the VPN migration together.

What is the difference between SSL VPN and IPsec VPN?

The core difference is the layer each protocol works at. SSL VPN operates at the application layer over TLS, so it can tunnel through a browser or a light client and passes through firewalls easily on TCP 443. IPsec VPN operates at the network (IP) layer and encrypts the entire packet, which gives it stronger, more standardized cryptography and better performance at scale, at the cost of needing a configured client. In FortiGate’s case, IPsec can now also be configured to use TCP port 443, so it keeps the NAT and firewall traversal that used to be SSL VPN’s main advantage.

IPsec VPN

IPsec VPN is a network-layer VPN standard that authenticates and encrypts IP packets using IKE (Internet Key Exchange) for negotiation and ESP for encryption. On FortiGate remote-access deployments, FortiClient connects as a dialup IPsec client, typically with IKEv2, and can encapsulate ESP inside TCP on port 443 to cross carrier-grade NAT and networks that block native IPsec.

SSL VPN vs IPsec VPN: which is more secure and faster?

IPsec is the stronger and faster choice for ongoing remote access, which is why Fortinet standardized on it. IPsec encrypts at the network layer with mature, widely audited cryptography (AES-GCM, IKEv2) and typically delivers higher throughput because encryption is offloaded to hardware on FortiGate. SSL VPN’s advantages were operational, not security: easy setup and clean firewall traversal on TCP 443. With IPsec-over-443 now available, IPsec keeps that convenience while closing the exposure gap. The table below compares them across the dimensions that matter when you plan a migration.

DimensionSSL VPN (tunnel mode)IPsec VPN
OSI layerApplication layer (TLS)Network layer (IP)
EncryptionTLS ciphers; portal exposureIKEv2 / ESP, AES-GCM; no web portal
PerformanceHigher CPU overhead, lags at scaleHardware-offloaded, scales for enterprise load
Client experienceFortiClient or browser (web mode)FortiClient 7.4.1+ (IKEv2 for 7.4.4+)
NAT / firewall traversalNative on TCP 443NAT-T, or TCP-encapsulated on custom port 443
Best forLegacy clientless web-app access (Agentless VPN)Full remote-access tunnels, site-to-site, scale
FortiOS statusRemoved from tunnel mode in 7.6.3+Supported and recommended replacement

7.6.3

FortiOS release where SSL VPN tunnel mode is fully removed and replaced by IPsec VPN (Fortinet release notes)

How do I migrate from SSL VPN to IPsec VPN on a FortiGate?

Migrate before you upgrade, not after. Build the IPsec dialup configuration on your current firmware, validate it with a pilot group, then push FortiClient and cut over. Fortinet’s recommended remote-access design is an IPsec dialup tunnel using IKEv2 with TCP encapsulation on a custom port 443, which mirrors the connectivity users had under SSL VPN. Here is the practical sequence.

Audit current SSL VPN usage: Identify who connects, from where, which internal resources they reach, and which FortiClient versions are deployed. This defines your firewall policies and split-tunnel scope.

Check firmware and hardware: Confirm the model’s FortiOS branch (mature production branches are 7.4 and 7.6; 7.6.6 is widely recommended) and move off 7.2.x before its September 2026 end of support. Right-size the appliance if the unit is undersized for full IPsec load.

Build the IPsec dialup tunnel: Use the FortiGate VPN wizard to create a remote-access IPsec tunnel with IKEv2, TCP encapsulation, and a custom listening port of 443 so it traverses restrictive networks and carrier-grade NAT.

Update FortiClient and push the profile: Deploy FortiClient 7.4.1 or later (use IKEv2 for FortiClient 7.4.4+), distribute the IPsec profile via EMS, and pilot with a small group before the full rollout.

Cut over and decommission: Move users to IPsec, confirm access to every required resource, then disable the SSL VPN portal to remove the exposed attack surface before upgrading to FortiOS 7.6.3+.

Run SSL VPN and IPsec in parallel during the pilot. FortiGate can serve both at once, so you can move users in waves and keep a rollback path. Only disable the SSL VPN portal once the last group is confirmed working on IPsec. For step-by-step FortiGate VPN setup, see our guide on how to set up a VPN using Fortinet’s FortiGate.

Where does ZTNA fit, and what happens to SSL VPN web mode?

IPsec replaces the full-tunnel use case; ZTNA replaces per-application access, and SSL VPN web mode survives as Agentless VPN for clientless browser access to internal web apps. The strongest long-term posture is to move general remote connectivity to IPsec and shift specific application access to Zero Trust Network Access, which grants access per session based on device posture and identity instead of dropping every user onto the network. If your users only need a handful of internal web apps, Agentless VPN or ZTNA may remove the need for a full tunnel entirely.

Think in three lanes: IPsec VPN for full network access, ZTNA for granular per-app access with posture checks, and Agentless VPN (formerly SSL VPN web mode) for clientless web-app access. SSL VPN tunnel mode is the only piece being retired. Note that when ports overlap, ZTNA and SSL VPN take precedence over IPsec, so plan listener ports before you deploy both.

As a Fortinet Advanced Partner, BALANCED+ plans and executes these migrations end to end: auditing current SSL VPN usage, sizing the right FortiGate, building and testing IPsec, and layering in ZTNA where it reduces exposure. For the deeper why-and-when, read FortiGate SSL VPN is going away: migrate to IPsec. If you want a hand, our managed firewall services cover the whole transition.

Sources

FortiGate High Availability: A Strategy for Uninterrupted Business

The modern business operates at the speed of data. Whether you’re in financial services, manufacturing, or running a SaaS platform, a single moment of downtime can unravel months of progress. Business continuity is no longer just a buzzword; it’s a strategic imperative. The risk of a service outage is a fundamental business challenge that demands a strategic solution.

The High Cost of Downtime

Even a brief outage can trigger a cascade of negative consequences. Transactions stop, production halts, and service delivery breaks down, leading to immediate financial loss. The long-term damage, however, is often more severe. Customer confidence erodes, data integrity becomes questionable, and a company’s reputation can decline, making it difficult to recover lost ground.

For any organization embracing digital transformation, business continuity isn’t just a convenienceit’s a strategic necessity. Companies processing millions of secure transactions, those running real-time production lines, and cloud-based service providers all share a single, non-negotiable requirement: continuous access without interruption.

The FortiGate Foundation

FortiGate next-generation firewalls are recognized leaders in integrated cybersecurity. They provide a unified platform with comprehensive protection, including firewall capabilities, VPN access, intrusion prevention, application control, web filtering, and anti-malware defense. This all-in-one approach simplifies management while delivering robust security against a constantly evolving threat landscape.

However, relying on any single, standalone system introduces a single point of failure. A hardware fault or a power outage can disrupt the entire network. This is where High Availability (HA) clustering becomes a critical strategy, eliminating this vulnerability by ensuring instant failover and seamless business continuity.

How High Availability Clusters Ensure Uptime

A FortiGate HA cluster combines multiple firewall appliances into a synchronized system designed to prevent downtime. In a typical configuration, one unit operates as the primary, actively managing all network traffic and security policies. The other units function as secondaries, continuously monitoring the primary’s health and synchronizing its configuration.

Should the primary device experience any kind of failurewhether it’s a hardware malfunction or a software issuea secondary unit immediately and automatically takes over. This failover happens in an instant, keeping all active sessions and connections intact so users experience no service interruption.

Choosing the Right Configuration

There are two primary modes of deployment for a FortiGate HA cluster, each suited for different business needs:

  • Active-Passive: This is the most common and recommended approach for the majority of enterprises. One FortiGate appliance actively handles all traffic while a second unit remains in a fully synchronized, standby state. If the primary device fails, the standby takes over instantly, providing maximum reliability without adding management complexity.
  • Active-Active: This configuration is designed for high-performance scenarios where both appliances process network traffic simultaneously. This offers greater throughput and load balancing but requires a more intricate setup and more detailed management to ensure traffic is distributed effectively and securely.

Key Features for Continuous Operations

Beyond the primary/secondary architecture, FortiGate HA clusters maintain uptime through a set of powerful features:

  • Heartbeat and Configuration Synchronization: A continuous heartbeat ensures that secondary units are always aware of the primary’s status. All security policies, configurations, and network settings are synchronized in real-time, allowing for an instant takeover with identical policies.
  • Session Preservation: This is a crucial feature that ensures all active connectionsincluding VPN tunnels, VoIP calls, and data transfersremain uninterrupted during a failover event. Users won’t have to re-authenticate or restart their work.

Strategic Benefits for Your Enterprise

Deploying a FortiGate HA cluster delivers a range of measurable and strategic advantages:

  • Eliminated Single Points of Failure: By removing the weakest link, you guarantee business continuity.
  • Minimized Financial Loss: Downtime is a direct hit to the bottom line; HA clusters prevent this.
  • Increased Operational Resilience: Your network becomes a more robust foundation for all digital transformation initiatives.
  • Strengthened Customer Trust: Reliable, uninterrupted service builds loyalty and confidence.
  • Zero-Downtime Maintenance: You can perform essential firmware upgrades or hardware repairs without impacting service.
  • Simplified Regulatory Compliance: You can confidently meet uptime and data availability requirements, especially in highly regulated sectors.

Ready to Build Your Resilience?

Deploying and optimizing FortiGate HA clusters requires a level of expertise that goes beyond a standard hardware installation. At BALANCED+, we provide a full lifecycle of support, from initial assessments and architecture design to implementation, monitoring, and continuous optimization. We help you align your FortiGate deployment with your overall IT strategy, leveraging analytics and intelligence to keep your network resilient and adaptive.

With FortiGate HA clusters, your business can achieve a state of true resilience, ensuring that no outage disrupts your growth, security, or trust.

FortiGate Logging: Decode Your Defenses

The Data Deluge: Why FortiGate Logs Matter

Every single action on your network leaves a digital footprint. From a user logging in, to data moving between servers, to an attempted cyberattack your FortiGate firewall captures an immense amount of this information. Without understanding these logs, businesses are essentially “flying blind” regarding their network’s health and security posture. This is precisely where FortiGate Security Logging becomes critical. It’s the raw evidence that tells the story of what’s happening in your digital environment.

What Your FortiGate is Recording: Types of Logs

Your FortiGate is constantly working, generating different types of logs, each providing unique insights for effective FortiGate reporting:

  • Traffic Logs: These are like the flight manifest for your network. They tell you who is communicating with whom, what applications are being used, which ports and protocols are involved, and how much data is being transferred.
  • UTM (Unified Threat Management) Logs: These logs detail the actions of your FortiGate’s security features. They record when viruses are blocked, intrusions are detected, websites are filtered, or specific applications are controlled.
  • Event Logs: Think of these as your FortiGate’s diary. They capture system-level activities, such as configuration changes, administrative logins, device reboots, and overall hardware health.
  • VPN Logs: If you use VPNs for remote access or site-to-site connections, these logs provide crucial information on connection attempts, user authentications, and tunnel status.

These diverse logs are the raw data that, when properly understood, form the basis of powerful FortiGate reporting.

From Raw Data to Actionable Insights: Interpreting FortiGate Logs

So, you have all this data. How do you make sense of it? Interpreting FortiGate logs means looking for patterns and anomalies. Key fields to pay attention to include:

  • Source IP / Destination IP: Where is the traffic coming from and where is it going?
  • Action: Was the traffic allowed, denied, or blocked?
  • Service / Application: What kind of communication is it (e.g., web browsing, email, a specific business application)?
  • Policy ID: Which firewall rule was applied to this traffic?
  • Threat Name: If a threat was detected, what was it?

For example, seeing many failed login attempts from an unusual country in your VPN logs could indicate a brute-force attack. Or, a sudden spike in outbound traffic to an unknown destination in your traffic logs might signal data exfiltration. Manually sifting through millions of lines of logs, however, is a huge challenge.

Elevating Your Analysis: The Role of FortiAnalyzer in FortiGate Reporting

To truly unlock the power of your FortiGate Security Logging, a dedicated platform like FortiAnalyzer is invaluable. FortiAnalyzer centralizes and enhances your log analysis:

  • Centralized Collection: Gathers logs from all your FortiGate devices (and other Fortinet products) into one place, giving you a holistic view.
  • Correlation: It doesn’t just show you individual events; it automatically links related events across different devices and timeframes to identify complex attack chains that might otherwise go unnoticed.
  • Advanced Reporting: Generates customizable reports for various needs from executive summaries of your security posture to detailed compliance reports for regulations like PCI DSS or HIPAA.
  • Interactive Dashboards: Provides visual overviews of network activity, threat trends, and device health, making complex data easy to understand at a glance.
  • Threat Hunting: Enables your security team to proactively search through historical data for subtle indicators of compromise, moving beyond just reacting to alerts.

While FortiManager helps with centralized policy management, FortiAnalyzer is the powerhouse for deep analysis of your FortiGate security logging.

Why Comprehensive FortiGate Logging & Reporting is Crucial

Leveraging your FortiGate’s data effectively provides immense benefits:

  • Network Health Monitoring: Understand what “normal” looks like on your network, making it easier to spot when something is off.
  • Faster Troubleshooting: Quickly pinpoint the root cause of network or security issues.
  • Proactive Threat Detection & Response: Identify active threats sooner and respond effectively, minimizing potential damage.
  • Compliance & Auditing: Generate the necessary records and reports to meet regulatory requirements and pass audits with confidence.
  • Continuous Security Improvement: Use insights from past events to refine your security policies and strengthen your overall defenses.

Don’t Let Your Data Go Unseen.

The true power of your FortiGate lies not only in its ability to protect your network but also in the rich intelligence it gathers. Effective FortiGate Security Logging and reporting transforms raw data into actionable insights, empowering you to make informed decisions and build a more resilient defense.

Partner with BALANCED+ for Expert FortiGate Logging & Reporting.

Are you truly leveraging the intelligence your FortiGate generates? Unlock deeper insights into your network’s security and performance. BALANCED+ specializes in optimizing FortiGate security logging and reporting, from FortiAnalyzer deployment to custom dashboards and expert analysis. Schedule a consultation with our experts to transform your data into a powerful defense.

Tips for Scaling Your Fortigate

The Growth Paradox: Scaling Your Business Can Strain Your Security

The excitement of business growth is undeniable. More customers, more employees, more data, more locations it all points to success. Yet, this very growth often presents a hidden challenge for your IT infrastructure, particularly your network security. What happens when your security solution, once perfectly adequate, can no longer keep pace?

An improperly designed or unscalable FortiGate architecture can quickly transform from a powerful protector into a critical bottleneck. This can lead to frustrating performance degradation, increased management complexity, and, most dangerously, new security vulnerabilities that expose your expanding operations to unnecessary risk. Don’t let your security become the barrier to your next big leap.

Recognizing FortiGate Scalability Issues in Your Network

How can you tell if your current FortiGate deployment is struggling to keep up with your business growth? Look for these common symptoms of FortiGate scalability issues:

  • Network Slowdowns and Latency: Users complain about sluggish application performance, slow internet access, or delays in accessing internal resources, especially during peak hours.
  • Frequent CPU/Memory Spikes: Your FortiGate devices consistently show high CPU or memory utilization, even during what should be normal operational periods, indicating they are being overworked.
  • Management Complexity Overload: It becomes increasingly difficult to manage a growing number of security policies, VPN tunnels, or user access rules, leading to errors and inefficiencies.
  • Challenges with New Integrations: Integrating new cloud services, opening new branch offices, or onboarding a large number of remote users becomes a painful, performance-impacting process.
  • Increased Operational Costs: You might be overspending on bandwidth or other resources to compensate for an underperforming security appliance, or constantly troubleshooting issues that stem from architectural limitations.

If any of these sound familiar, it’s a strong indicator that your FortiGate architecture needs a strategic review.

Common FortiGate Scalability Pitfalls to Avoid

Many businesses inadvertently create FortiGate scalability issues by overlooking key planning considerations:

  • Under-Sizing from the Start: Choosing a FortiGate model based only on current needs, without forecasting future growth in user count, traffic volume, or the adoption of new bandwidth-intensive applications.
  • Monolithic Design: Relying on a single FortiGate device to handle all security functions for an entire, rapidly expanding organization. This creates a single point of failure and can easily overwhelm the device’s capacity.
  • Lack of Network Segmentation: As your network grows, failing to properly segment it into smaller, isolated zones. This increases the “blast radius” of a potential breach and makes policy management unwieldy.
  • Inefficient Policy Management: Allowing your security policy database to become a sprawling, unoptimized mess. Too many redundant or overly broad rules can significantly impact FortiGate performance.
  • Ignoring Cloud Integration: Neglecting to plan for secure, scalable integration with public or private cloud resources and SaaS applications as your business increasingly adopts them.

Designing for Growth: Key Principles for FortiGate Scalability

Addressing FortiGate scalability issues requires a proactive and strategic approach. Here are the core principles for designing a FortiGate deployment that truly grows with your business:

  • Strategic Sizing & Forecasting: Always select FortiGate models with ample headroom. Work with experts to forecast your expected growth (e.g., 3-5 years out) in users, devices, traffic, and security feature usage to ensure your chosen appliances can handle future demands.
  • High Availability (HA) & Redundancy: Implement FortiGate devices in High Availability (HA) clusters (active-passive or active-active). This not only ensures business continuity in case of a device failure but also allows for better load distribution and seamless upgrades.
  • Network Segmentation & Micro-segmentation: Break down your network into smaller, isolated zones using FortiGate’s Virtual Domains (VDOMs) or internal segmentation firewall capabilities. This limits the lateral movement of threats and simplifies policy management for specific user groups or applications.
  • Leveraging FortiManager & FortiAnalyzer: For growing and complex deployments, these centralized management and analytics platforms are non-negotiable.
    • FortiManager provides unified policy orchestration across multiple FortiGates, simplifying configuration and ensuring consistency.
    • FortiAnalyzer offers scalable logging, advanced analytics, and threat intelligence, crucial for monitoring performance and identifying emerging threats across your expanded network.
  • Secure SD-WAN for Distributed Environments: If your business has multiple branch offices or a significant remote workforce, FortiGate’s integrated Secure SD-WAN capabilities are vital. They efficiently and securely connect distributed environments, optimizing application performance across diverse connections and reducing reliance on expensive MPLS lines.
  • Cloud-Native Integration (FortiGate-VM): For businesses embracing cloud infrastructure, deploy FortiGate-VM (Virtual Machines). This extends consistent FortiGate security policies and centralized management into public and private cloud environments, ensuring seamless scalability and protection for your cloud workloads.

Don’t Let Your Security Become a Barrier to Growth.

The journey of business expansion is exciting, but it shouldn’t be hampered by an outdated or unscalable security infrastructure. Proactive planning for FortiGate scalability issues is an investment in your future success, ensuring that your network security evolves in lockstep with your business ambitions.

Partner with BALANCED+ for Future-Proof FortiGate Architecture.

At BALANCED+, we understand the unique challenges growing businesses face. Our experts specialize in designing, implementing, and optimizing FortiGate solutions that are built for tomorrow’s demands, not just today’s.

Is your FortiGate ready for your business’s next growth phase? Ensure your security scales with your success. BALANCED+ specializes in FortiGate architecture review and scalability planning. Schedule a consultation with our experts to future-proof your network security.

FortiGate Cloud Optimization: Boost VM Performance

Your Cloud Infrastructure Demands More Than Just Basic Security.

As businesses increasingly migrate to cloud environments, the traditional security perimeter dissolves, creating new challenges and opportunities for protection. Simply lifting and shifting on-premises security solutions won’t suffice. To ensure robust defense and efficient operations in public or private clouds, a purpose-built virtual firewall like FortiGate-VM is not just an option, but an essential component for consistent security across hybrid and multi-cloud architectures.

Why FortiGate-VM for Cloud Security?

Extending your security posture into the cloud requires a solution that’s as agile and scalable as the cloud itself. FortiGate-VM brings the full power of FortiGate’s advanced security features directly into your cloud infrastructure:

  • Comprehensive Security: Leverage Next-Generation Firewall (NGFW) capabilities, Unified Threat Management (UTM) services (like IPS, antivirus, web filtering, application control), and integrated Secure SD-WAN directly within your cloud deployments.
  • Consistency and Centralization: Maintain consistent security policies and management across your on-premises FortiGate devices and your cloud-based FortiGate-VM instances, often managed from a single pane of glass (e.g., FortiManager).
  • Scalability and Flexibility: Easily scale your security resources up or down to match cloud workload demands, paying only for what you use, a core principle of effective FortiGate Cloud Optimization.

Critical Considerations for FortiGate-VM Deployment

Effective FortiGate Cloud Optimization begins with thoughtful deployment planning.

Right-Sizing Your FortiGate-VM

Choosing the correct virtual machine instance type and resource allocation (vCPUs, RAM) is paramount. It’s not a one-size-fits-all. Consider:

  • Expected Traffic Volume: How much data will flow through the FortiGate-VM?
  • Security Profiles Enabled: Will you be using deep packet inspection (SSL/TLS inspection), IPS, or other resource-intensive features?
  • Throughput Requirements: Match the chosen FortiGate-VM model (e.g., FortiGate-VM01, VM02, VM04) to your desired throughput, ensuring it aligns with your cloud provider’s instance capabilities. Over-provisioning wastes resources, under-provisioning creates bottlenecks.

Network Architecture Design

Integrating FortiGate-VM seamlessly into your cloud network requires careful design:

  • Virtual Private Clouds (VPCs) / Virtual Networks: Position FortiGate-VM strategically within your cloud VPCs to act as a security gateway for traffic entering and leaving your protected subnets.
  • Subnets and Routing: Configure subnets and routing tables to direct relevant traffic through the FortiGate-VM for inspection and policy enforcement. This is crucial for ensuring all desired traffic is secured.

Licensing Models

Understand the licensing options for FortiGate-VM in the cloud:

  • Bring Your Own License (BYOL): If you have existing FortiGate licenses, you might be able to use them in the cloud.
  • Pay-as-you-go (On-Demand): Cloud marketplaces often offer FortiGate-VM as a service, billed hourly or monthly, which can be ideal for flexible scaling and cost management. Choosing the right model is key for FortiGate Cloud Optimization from a financial perspective.

Best Practices for FortiGate-VM Configuration & Performance

Once deployed, optimizing your FortiGate-VM‘s configuration is vital for peak performance and security.

Resource Allocation & Performance Features

  • Cloud-Native Network Features: Leverage cloud provider-specific network enhancements (e.g., SR-IOV in Azure, Enhanced Networking in AWS, or equivalent features) to boost throughput and reduce latency for your virtual network interfaces.
  • Virtual Network Interface Sizing: Ensure your virtual network interfaces are appropriately sized and configured to handle expected traffic loads.

Policy Optimization

  • Granular Security Policies: Create specific, granular security policies that define exactly what traffic is allowed or denied. Avoid broad “any/any” rules, which can increase processing overhead and security risks.
  • Policy Ordering: Place the most frequently hit or most specific policies at the top of your rule base for faster processing.

Security Profile Tuning

  • Balance Efficacy and Performance: While enabling all security profiles offers maximum protection, it also consumes more resources. Tune IPS, Antivirus, Web Filtering, and Application Control profiles to balance security efficacy with performance impact, focusing on the most critical threats for your environment.
  • Exclusions: Implement judicious exclusions for trusted traffic or applications that don’t require deep inspection, but do so cautiously.

Logging & Monitoring

  • Robust Logging: Configure your FortiGate-VM to send comprehensive logs to a centralized FortiAnalyzer instance (whether in the cloud or on-premises). This is critical for security analytics, troubleshooting, and FortiGate Threat Hunting.
  • Continuous Monitoring: Regularly monitor your FortiGate-VM’s performance metrics (CPU utilization, memory usage, session count, throughput) using cloud provider monitoring tools and FortiGate dashboards to identify and address bottlenecks proactively.

High Availability (HA) in the Cloud

For business continuity and resilience, deploy FortiGate-VM in High Availability (HA) configurations. Cloud providers offer mechanisms to support active-passive or active-active HA setups, ensuring your security gateway remains operational even if an instance fails.

SD-WAN for Cloud Connectivity

Leverage FortiGate-VM‘s integrated Secure SD-WAN capabilities to optimize connectivity to SaaS applications, other cloud resources, and distributed branches. This improves user experience, reduces latency, and provides intelligent path selection for critical business traffic.

Cloud-Specific Security Integrations

  • Cloud-Native Security Services: Integrate FortiGate-VM with cloud-native security services like security groups, network access control lists (NACLs), and Identity and Access Management (IAM) roles to create a layered, defense-in-depth strategy.
  • Auto-Scaling: Explore options for auto-scaling FortiGate-VM instances based on demand, ensuring performance scales dynamically with your cloud workloads.

The BALANCED+ Advantage in FortiGate Cloud Optimization

Optimizing FortiGate-VM in complex cloud environments requires specialized expertise. BALANCED+ is your trusted partner in maximizing your FortiGate investment and ensuring robust cloud security. We can assist your business with:

  • Strategic Planning and Design: Expertly architecting your FortiGate-VM deployments for optimal security and performance.
  • Expert Configuration and Performance Tuning: Fine-tuning your FortiGate-VM instances for peak efficiency and security efficacy.
  • Ongoing Managed Services: Providing continuous monitoring, maintenance, and threat intelligence for your cloud security infrastructure.
  • Guidance on Cloud Security Best Practices: Ensuring your cloud environment adheres to the highest security standards and compliance requirements.

Don’t let the complexities of cloud security compromise your business. With proper FortiGate Cloud Optimization, you can achieve powerful, scalable, and efficient protection for your cloud-based assets.

Ready to boost your FortiGate-VM performance in the cloud?

Contact BALANCED+ today for a consultation and discover how we can help you achieve seamless FortiGate Cloud Optimization and robust security.

Mastering FortiGate Performance: Memory & Conserve Mode Guide

When a FortiGate enters conserve mode, it is protecting itself: memory usage has crossed a preset threshold, so FortiOS starts changing how it handles new traffic to avoid a crash. It is a symptom of memory pressure, not a hardware fault. To fix it you need to confirm memory is the real bottleneck, find what is consuming it, and either tune the load or move to a firewall sized for your traffic. This guide walks through diagnosing and clearing conserve mode on FortiOS 7.4 and 7.6 using the CLI.

Conserve mode

Conserve mode is a self-protection state in FortiOS. When memory usage crosses the “red” threshold (88% of RAM by default), the FortiGate stops accepting new sessions into proxy-based inspection and takes other steps to relieve memory pressure. If usage keeps climbing to the “extreme” threshold (95% by default), it starts dropping new sessions outright. The firewall exits conserve mode automatically once memory falls back below the “green” threshold (82% by default).

Conserve mode is FortiOS telling you it is out of memory headroom. Diagnose it with get system performance status and diagnose hardware sysinfo conserve memory, relieve the pressure by trimming memory-heavy features, and if the box hits conserve mode under normal load it is undersized for your traffic.

What is FortiGate conserve mode and why does it matter?

Conserve mode is a built-in safety net, not a failure. Think of your FortiGate as a security guard that keeps working even when overloaded: when memory runs low, FortiOS deliberately sheds work to stay stable rather than crashing. The trade-off is that some new traffic is no longer inspected or admitted the way it normally would be, so users can feel it as slow or refused connections.

It matters because conserve mode sits directly in the path of your security posture. While the firewall is conserving memory, it may bypass or block the very inspection you deployed it for. Left unaddressed, a FortiGate that dips into conserve mode during busy periods is a warning that your inspection load has outgrown the hardware.

What triggers conserve mode on a FortiGate?

Conserve mode is triggered by memory usage crossing defined thresholds, measured as a percentage of total RAM. FortiOS 7.4 and 7.6 ship with three defaults that you can tune:

  • Red threshold (88%): the firewall enters conserve mode and stops sending new sessions to proxy-based inspection.
  • Extreme threshold (95%): the panic line. The FortiGate drops new sessions outright, regardless of inspection. This is where users will definitely notice.
  • Green threshold (82%): the recovery point. Memory must fall below this before the firewall exits conserve mode and returns to normal.

You can adjust these thresholds to suit your environment under config system global:

config system global
    set memory-use-threshold-extreme 95
    set memory-use-threshold-red 88
    set memory-use-threshold-green 82
end
Warning:

Raising the thresholds does not add memory, it just delays the alarm. If your FortiGate reaches 88% memory under normal daily load, widening the thresholds hides the symptom while the box runs closer to the edge. Treat threshold tuning as a temporary measure, not a fix, and investigate the underlying memory consumption.

What happens to my traffic during conserve mode?

In conserve mode, new sessions that require memory-heavy inspection are affected first, and at the extreme threshold new sessions are dropped entirely. There is also a quieter mechanism that acts even before conserve mode: memory tension drops. If FortiOS needs memory it cannot allocate, it silently drops the oldest sessions to free resources, with no “conserve mode” banner to warn you.

To check whether tension drops are happening, look at the session statistics:

BALANCED+ (global) # diagnose sys session stat
misc info:  session_count=75 setup_rate=3 exp_count=0 clash=0
     memory_tension_drop=0 ephemeral=0/126976 removeable=0 extreme_low_mem=0
     npu_session_count=21
     nturbo_session_count=21
delete=10, flush=13, dev_down=274/41 ses_walkers=0
TCP sessions:
     26 in ESTABLISHED state
     1 in TIME_WAIT state

The memory_tension_drop counter is the one to watch. A non-zero value means sessions have already been dropped under memory pressure, often the earliest hard evidence that the firewall is running short on RAM.

How do I diagnose a FortiGate memory or performance problem?

Diagnose conserve mode from the CLI in a fixed order: confirm memory is the bottleneck, then drill into what is consuming it. These commands are read-only and safe to run on a production FortiGate.

Step 1 – Get a system snapshot: run get system performance status to see CPU per core, memory used and freeable, session counts, and network load in one view.

Step 2 – Confirm conserve state and thresholds: run diagnose hardware sysinfo conserve memory to see current memory use against the red, extreme, and green thresholds and whether conserve mode is active.

Step 3 – Watch processes in real time: run diagnose sys top to find which processes are burning CPU or memory (press m to sort by memory, q to quit).

Step 4 – Break down memory by type: run diagnose hardware sysinfo memory for a detailed breakdown, and diagnose hardware sysinfo slab for slab (session and NAT) allocation.

A typical get system performance status snapshot looks like this:

BALANCED+ (global) # get system performance status
CPU0 states: 20% user 1% system 0% nice 79% idle 0% iowait 0% irq 0% softirq
CPU1 states: 8% user 2% system 0% nice 90% idle 0% iowait 0% irq 0% softirq
CPU6 states: 67% user 1% system 0% nice 32% idle 0% iowait 0% irq 0% softirq
Memory: 1964036k total, 1346896k used (68.6%), 369604k free (18.8%), 247536k freeable (12.6%)
Average sessions: 45 sessions in 1 minute, 45 sessions in 10 minutes, 44 sessions in 30 minutes
Uptime: 41 days, 5 hours, 18 minutes

Read it top to bottom. High “user” or “system” percentages with low “idle” point to CPU load; a high memory “used” percentage with little “freeable” points to memory pressure and possible conserve mode. FortiGate memory falls into distinct categories, and knowing which is growing tells you where to look:

  • Kernel memory: used by the operating system and drivers.
  • Shared memory: shared across processes, often for databases like IPS.
  • User space: memory consumed by individual processes (for example, httpsd).
  • Cached memory: disk caching to speed up operations.
  • Slab memory: pre-allocated for structures like sessions and NAT entries.

To inspect shared memory specifically, use diagnose hardware sysinfo shm:

BALANCED+ (global) # diagnose hardware sysinfo shm
SHM FS total:  1379164168  (1315 MB)
SHM FS free:   1376931840  (1313 MB)
SHM FS avail:  1376931848  (1313 MB)
SHM FS alloc:  2232320     (2 MB)

Is it a memory problem or a CPU problem?

Conserve mode is always a memory problem, but a slow FortiGate is not always in conserve mode, so separate the two before you act. Use get system performance status: if memory “used” is high and climbing toward the red threshold, treat it as a memory issue and follow the conserve-mode path. If memory is comfortable but one or more CPU cores sit near 0% idle, the bottleneck is CPU, usually a single core pinned by proxy inspection or a busy process you can spot in diagnose sys top.

On multi-core FortiGates, look at each core individually, not the average. Proxy-based inspection and some daemons are single-threaded, so one core can be pinned at 100% while the average still looks healthy. A single saturated core is a common cause of “the firewall feels slow” reports that a whole-box average would hide.

How do I fix and prevent conserve mode?

To clear conserve mode you need to reduce memory usage below the green threshold, then keep it there. Work from the least disruptive change to the most:

Step 1 – Identify the consumer: use diagnose sys top and the memory breakdown commands to pin down which process or feature is driving usage before changing anything.

Step 2 – Trim memory-heavy features: review the biggest offenders, WAN optimization, proxy-based inspection, verbose logging and report generation, and threat feed updates. Switch policies to flow-based inspection where proxy features are not required.

Step 3 – Add resources where you can: on FortiGate VMs, allocate more RAM. On physical appliances, confirm hardware acceleration (NP and CP offload) is enabled so inspection is offloaded from the CPU.

Step 4 – Engage Fortinet TAC for tuning: worker process counts and per-daemon tuning should be adjusted with TAC guidance, not guessed at. If conserve mode recurs after tuning, it is a sizing problem, not a configuration one.

You may read advice to kill a runaway process (diagnose sys process pidof <name> then diagnose sys kill <signal> <PID>, using signal 15 for a graceful stop). Reserve this for controlled test environments or explicit Fortinet TAC direction. Killing a process on a production firewall can drop services and rarely addresses the root cause.

When does conserve mode mean my FortiGate is undersized?

If your FortiGate hits conserve mode during normal business hours, with features configured sensibly, the hardware is undersized for your inspection load. Enabling full SSL inspection, IPS, and application control multiplies memory and CPU demand, and the throughput on a spec sheet assumes lighter processing than a fully inspecting mid-market network runs. Tuning buys headroom; it does not add capacity.

For SMB and mid-market deployments, the current generation is the FortiGate G-series (30G, 50G, 70G, 90G) built on the FortiSP5 security processor, succeeding the F-series (40F, 60F, 80F). The F-series is still sold and supported with no end-of-life announced, but any new multi-year purchase should be priced on the G-series, which delivers meaningfully higher threat-protection throughput for the inspection features that push a FortiGate into conserve mode in the first place.

2-3x

Higher threat-protection throughput on the FortiSP5-based G-series versus the F-series it replaces (Fortinet)

F-series (previous)G-series successorSecurity processor
FortiGate 40F30G / 50GFortiSP5
FortiGate 60F70GFortiSP5
FortiGate 80F90GFortiSP5

If you are refreshing FortiGate hardware, size the replacement on your real inspection throughput (SSL inspection plus IPS enabled), not on firewall throughput alone. Our managed firewall services cover FortiGate sizing, deployment, and ongoing performance tuning so the box you buy carries your traffic with headroom to spare.

Get expert help with FortiGate performance

BALANCED+ is a Fortinet Advanced Partner with deep experience tuning and right-sizing FortiGate firewalls for mid-market networks across Toronto and the GTA. If your firewall keeps dipping into conserve mode, or you want a sizing check before your next hardware refresh, we can analyze your environment and give you a clear answer. Reach out to discuss keeping your FortiGate fast, inspecting, and stable.

Sources

Is Your FortiGate Underperforming? How a Managed Service Can Optimize It

Is your network feeling sluggish? Are users complaining about slow application response times, or are you noticing delays in your critical business processes? If you’re relying on a FortiGate firewall, an underperforming device could be the silent culprit. While FortiGate appliances are powerful security solutions, a slow FortiGate firewall isn’t just an annoyance it’s a potential security risk and a drag on your business’s productivity.

Many organizations invest in top-tier security like FortiGate, only to find it doesn’t quite live up to its full potential. The good news is, you don’t have to settle for “good enough.” A specialized managed service can be the game-changer you need to optimize FortiGate performance and ensure your network is both fast and secure.

Why Your FortiGate Might Be Dragging Its Feet

Before diving into solutions, let’s understand why your FortiGate might be underperforming. It’s often not the hardware itself, but how it’s configured and maintained. Common culprits include:

  • Improper Configuration: Out-of-the-box settings are rarely optimized for unique business needs. Overly complex or redundant firewall rules, inefficient routing, or misconfigured security profiles (like IPS, antivirus, or web filtering) can choke performance.
  • Outdated Firmware: Running older firmware versions can lead to performance bottlenecks, missing critical bug fixes, and a lack of access to the latest optimizations.
  • Resource Bottlenecks: High CPU or memory utilization, especially during peak traffic, indicates that your FortiGate might be struggling to keep up with the demands placed upon it.
  • Excessive Logging: While essential for security, overly granular logging can consume significant resources and storage, slowing down the device.
  • Inefficient Security Policies: Broad “allow all” rules, or a sheer volume of unoptimized rules, force the FortiGate to work harder than necessary to process traffic.
  • Unmanaged Growth: As your network expands and traffic patterns change, your initial FortiGate setup might no longer be adequate without continuous adjustments.

The Power of a Managed Service: Your FortiGate Performance Partner

This is where a dedicated managed service provider (MSP) steps in. They’re not just reacting to problems; they’re proactively managing, monitoring, and optimizing your FortiGate to prevent issues before they impact your operations.

Here’s how a managed service can help optimize FortiGate performance:

Expert Configuration & FortiGate Best Practices

One of the primary benefits of an MSP is their deep expertise in FortiGate best practices. They understand the intricacies of FortiOS and can fine-tune your appliance for optimal speed and security. This includes:

  • Rule Set Optimization: Streamlining firewall policies, removing redundant or shadowed rules, and ordering them efficiently to minimize processing time.
  • UTM/Security Profile Tuning: Configuring Intrusion Prevention Systems (IPS), Application Control, Web Filtering, and Antivirus settings to provide robust security without unnecessary overhead.
  • VPN Performance: Optimizing VPN tunnels for maximum throughput and stability.
  • Routing & SD-WAN Optimization: Ensuring traffic takes the most efficient path, especially critical for multi-site organizations.

Proactive Monitoring & Troubleshooting

A slow FortiGate firewall often gives subtle hints before a complete meltdown. MSPs employ advanced monitoring tools to keep a constant eye on your FortiGate’s health. They track key metrics like CPU and memory utilization, session counts, interface throughput, and log data. This allows them to:

  • Identify Bottlenecks: Pinpoint exactly where performance issues are originating, whether it’s a specific security profile, a high-traffic application, or a misbehaving network segment.
  • Alert & Remediate: Receive immediate alerts for anomalies and take swift action to resolve issues, often before you even notice them.
  • Trend Analysis: Analyze historical data to predict potential future problems and implement preventative measures.

Firmware Management & Updates

Staying current with FortiGate firmware is crucial for performance, security, and stability. An MSP takes the burden of firmware management off your shoulders, ensuring your device always runs the latest, most secure, and performant version. They manage the update process carefully, including testing and rollback plans, to avoid service disruptions.

Resource Optimization

Over time, your FortiGate might be burdened by unnecessary processes or configurations that consume valuable CPU and memory. An MSP can identify and eliminate these inefficiencies, freeing up resources to handle legitimate traffic and security inspections more effectively. This could involve optimizing logging, disabling unused features, or even recommending hardware upgrades if genuinely necessary.

Advanced Security Policy Management

Effective security doesn’t have to come at the cost of performance. MSPs help you implement granular, least-privilege security policies that protect your network without creating unnecessary overhead. They ensure that your policies are not only secure but also optimized for speed, balancing protection with efficiency.

Reporting & Compliance

With a managed service, you gain clear insights into your FortiGate’s performance and security posture through regular reports. This not only helps you understand the value you’re getting but also assists with compliance audits by providing documented evidence of your security controls and their effectiveness.

The Clear Advantages of a Managed FortiGate

Partnering with an MSP to optimize FortiGate performance offers significant advantages beyond just speed:

  • Reduced Downtime: Proactive management minimizes the risk of outages due to firewall issues.
  • Enhanced Security Posture: Expert configuration means fewer vulnerabilities and better protection against threats.
  • Cost Savings: Avoid costly breaches, reduce internal IT workload, and extend the lifespan of your existing FortiGate hardware.
  • Peace of Mind: Focus on your core business knowing your critical network security is in expert hands.
  • Access to Expertise: Leverage a team of certified FortiGate specialists without the overhead of hiring them in-house.

Stop Settling for “Slow” Get Optimized!

An underperforming FortiGate isn’t just a technical glitch; it’s a bottleneck that can hinder your entire operation. By entrusting your FortiGate management to a specialized MSP, you’re not just fixing a problem you’re investing in a faster, more secure, and more reliable network foundation.

Are you ready to unlock the full potential of your FortiGate firewall? Contact us today for a consultation and discover how our managed services can help you optimize FortiGate performance and ensure your network runs at peak efficiency.

How a Managed Service Simplifies Your WAN Transformation

In today’s fast-paced digital landscape, businesses are increasingly reliant on their Wide Area Networks (WANs) to connect distributed workforces, facilitate cloud application access, and support dynamic operational needs. However, traditional WAN architectures often struggle to keep pace, presenting challenges in terms of complexity, escalating costs, and critical security gaps. This is where FortiGate SD-WAN emerges as a powerful solution, offering a modern, agile, and secure approach to network connectivity.

While the benefits of FortiGate SD-WAN are clear, the complexities of deployment, configuration, and ongoing management can be a significant hurdle for many organizations. This article explores how embracing a managed FortiGate SD-WAN service can dramatically simplify your WAN transformation journey, unlocking the full spectrum of Fortinet SD-WAN benefits and ensuring robust, secure SD-WAN solutions for your business.

The Evolution of WAN and the SD-WAN Imperative

For decades, Multi-Protocol Label Switching (MPLS) was the gold standard for enterprise WANs, offering reliability and predictability. However, the rise of cloud computing, SaaS applications, and a globally distributed workforce has exposed the limitations of this traditional model:

  • Backhauling Traffic: Routing all internet-bound traffic back through a central data center for security inspection (known as “backhauling”) introduces latency and bottlenecks, especially for cloud applications.
  • High Costs: MPLS circuits can be expensive, and scaling bandwidth often incurs significant additional costs.
  • Lack of Agility: Traditional WANs are rigid and slow to adapt to new business requirements or unexpected changes in network traffic patterns.
  • Limited Visibility & Control: Gaining granular insight into application performance and traffic routing across diverse links is challenging.

Software-Defined Wide Area Networking (SD-WAN) addresses these challenges by abstracting network control from hardware, allowing for intelligent traffic management, application-aware routing, and the ability to leverage multiple transport types (broadband, MPLS, LTE/5G).

FortiGate SD-WAN: A Secure Foundation for Modern Networks

Fortinet stands out in the SD-WAN landscape with its security-driven networking approach. At its core, FortiGate SD-WAN consolidates networking and industry-leading security functions into a single, integrated appliance. This convergence means:

  • Built-in Next-Generation Firewall (NGFW): FortiGate appliances include advanced security features like intrusion prevention, web filtering, anti-malware, and deep packet inspection, providing a comprehensive defense against cyber threats at every edge.
  • Advanced Application Awareness: FortiGate can identify thousands of applications on the first packet, enabling intelligent routing decisions based on application performance requirements and business criticality.
  • WAN Optimization & Remediation: Features like data deduplication, compression, and forward error correction improve application performance and mitigate the impact of network issues.
  • Centralized Management: FortiManager provides a single pane of glass for orchestrating, configuring, and monitoring the entire SD-WAN fabric, simplifying policy enforcement and deployment.

By integrating security directly into the SD-WAN fabric, FortiGate ensures that your network remains protected without compromising performance, a crucial distinction in the modern threat landscape.

Why a Managed FortiGate SD-WAN Service? The Simplification Factor

While FortiGate SD-WAN offers significant capabilities, its full potential is best realized with expert management. Implementing and maintaining a complex SD-WAN environment requires specialized skills, significant time investment, and continuous vigilance. This is where a managed FortiGate SD-WAN service becomes invaluable.

A managed service provider (MSP) takes on the burden of:

  • Design and Planning: Tailoring the SD-WAN solution to your specific business needs, network topology, and security requirements.
  • Deployment and Provisioning: Handling the installation, configuration, and zero-touch provisioning of FortiGate appliances across all your sites.
  • 24/7 Monitoring and Support: Proactively monitoring network health, identifying and resolving issues, and providing continuous support to ensure optimal performance and uptime.
  • Security Policy Management: Regularly updating security policies, threat intelligence, and patches to protect against evolving cyber threats.
  • Performance Optimization: Continuously tuning routing policies and WAN optimization features to ensure critical applications always have the best path.
  • Reporting and Analytics: Providing comprehensive insights into network performance, security events, and application usage.

By offloading these responsibilities to experts, your organization can significantly accelerate its WAN transformation without straining internal IT resources.

Key Benefits of Managed FortiGate SD-WAN

Partnering with a managed service provider for your FortiGate SD-WAN deployment delivers a multitude of Fortinet SD-WAN benefits:

  1. Enhanced Security Posture: A managed service ensures that FortiGate’s robust NGFW capabilities are always optimized and up-to-date. This includes proactive threat intelligence updates, consistent security policy enforcement across all branches, and expert incident response. You gain the peace of mind that your network is protected by comprehensive, secure SD-WAN solutions against sophisticated cyber threats.
  2. Optimized Application Performance & User Experience: Expert-managed FortiGate SD-WAN intelligently prioritizes business-critical applications (e.g., VoIP, video conferencing, SaaS applications) and dynamically selects the best available path. This eliminates latency and packet loss, resulting in a superior and consistent user experience, boosting productivity across your entire organization.
  3. Operational Efficiency & Reduced Complexity: The core promise of a managed service is simplification. Your IT teams are freed from the day-to-day complexities of managing the WAN infrastructure, allowing them to focus on higher-value strategic initiatives that drive business innovation. Centralized management handled by experts streamlines operations and minimizes human error.
  4. Significant Cost Savings (Total Cost of Ownership): A managed FortiGate SD-WAN solution can lead to substantial cost reductions. By leveraging less expensive broadband links alongside or in place of costly MPLS, and optimizing bandwidth utilization, operational expenditures are significantly lowered. Furthermore, reducing the need for extensive in-house expertise and infrastructure management contributes to a lower total cost of ownership (TCO).
  5. Scalability, Agility, and Future-Proofing: As your business grows or adapts to new markets, a managed FortiGate SD-WAN solution can easily scale to accommodate new sites, users, and applications. The agility of SD-WAN, combined with expert management, ensures your network remains flexible and ready for future technological advancements, including seamless integration with SASE (Secure Access Service Edge) frameworks.

What to Look for in a Managed Service Provider

When considering a managed FortiGate SD-WAN service, look for a provider with:

  • Proven expertise in Fortinet technologies.
  • A strong track record in delivering managed network and security services.
  • 24/7 monitoring and support capabilities.
  • A clear understanding of your business needs and industry-specific requirements.
  • Transparent reporting and clear communication.

Conclusion

The transformation of your Wide Area Network is no longer an option but a necessity for modern businesses. While FortiGate SD-WAN offers a powerful and secure foundation for this transformation, the journey can be complex. By choosing a managed FortiGate SD-WAN service, you gain access to expert knowledge, continuous support, and proactive security, all while benefiting from optimized performance and reduced costs. Simplify your WAN transformation and empower your business with robust, secure SD-WAN solutions that truly deliver.