Skip to content

Securing Your Network: Top 5 FortiGate Configurations Best Handled by a Managed Service

Your FortiGate firewall is a powerful shield for your network, a cornerstone of your cybersecurity defense. But are you certain it’s configured for maximum protection? In the face of increasingly sophisticated cyber threats, a default or “set-it-and-forget-it” approach to firewall management is a significant risk. The complexity of an optimal setup requires deep expertise and continuous attention.

This is where managed firewall services become a game-changer. It provides the expert oversight needed to transform your firewall from a simple barrier into an intelligent, proactive defense system. For businesses without a large, dedicated security team, its the most effective way to ensure robust protection.

This article explores the top five critical FortiGate configurations that are best entrusted to a certified managed service provider (MSP), ensuring your network is not just protected, but truly secure.

First, What is a FortiGate Managed Service? (And Why It Matters)

A FortiGate managed service is an offering where a third-party team of certified cybersecurity experts takes responsibility for the 24/7 monitoring, management, and maintenance of your FortiGate firewalls. Think of it as having a team of elite Fortinet specialists guarding your digital front door around the clock.

The core benefits extend beyond simple device management:

  • Proactive Threat Hunting: Continuous monitoring for suspicious activity.
  • Expert Configuration: Implementation of security best practices.
  • Regular Maintenance: Crucial firmware updates and performance tuning.
  • Peace of Mind: Knowing your network is protected by industry professionals.

By leveraging an MSP, you gain access to a level of expertise that is difficult and expensive to maintain in-house, allowing you to focus on your core business operations.


The Top 5 Critical FortiGate Configurations for Your Business Security

A managed service doesn’t just watch over your firewall; they unlock its most powerful features. Here are five key configurations they expertly handle to fortify your defenses.

1. Advanced Firewall Policies and Rule Optimization

A firewall’s strength lies in its rules. A poorly configured rule set can leave gaping holes in your defense. A managed service moves beyond basic “allow” and “deny” rules to implement a strategy of least privilege access.

  • What it is: This involves a meticulous review of all firewall policies to ensure that users, devices, and applications only have the absolute minimum level of access required to perform their functions. It includes optimizing rule order for performance and properly configuring Network Address Translation (NAT).
  • Why it’s critical: A cluttered or overly permissive rule set is a common vector for attack. An attacker who compromises a low-level user account could gain broad access to sensitive parts of the network if policies are not restrictive.
  • The MSP Value: Certified engineers continuously audit and refine firewall rules. They remove outdated or redundant policies, ensure new rules are implemented securely, and document everything, which is crucial for performance, security, and compliance audits.

2. Unified Threat Management (UTM) Security Profile Hardening

Modern FortiGate firewalls are equipped with a powerful suite of security features known as Unified Threat Management (UTM). Simply turning them on is not enough; they must be precisely tuned.

  • What it is: This is the fine-tuning of the integrated security profiles that make up Fortinets Security Fabric. This includes:
    • Antivirus: Configuring real-time scanning of traffic entering the network.
    • Web Filtering: Blocking access to malicious websites, phishing links, and enforcing company acceptable-use policies.
    • Intrusion Prevention System (IPS): Proactively identifying and blocking known cyberattack patterns and exploits before they can do damage.
    • Application Control: Granularly managing which applications (like Dropbox, Teams, or social media) are allowed to run on the network and by whom.
  • Why it’s critical: UTM features are your primary defense against malware, ransomware, and other advanced threats. If they are not properly configured, malicious files can slip through, and productivity can be impacted.
  • The MSP Value: A managed service has the expertise to configure these profiles without disrupting legitimate business traffic. They ensure signatures and threat intelligence are constantly updated, applying new protections as soon as they become available to defend against zero-day threats.

3. Secure VPN Access (SSL-VPN and IPsec)

In an era of hybrid work, providing secure remote access is non-negotiable. A misconfigured VPN is like leaving a back door unlocked.

  • What it is: This involves the proper setup and hardening of both SSL-VPNs, which allow individual remote employees to connect securely, and IPsec VPNs, which create secure tunnels between office locations.
  • Why it’s critical: VPNs extend your secure network perimeter to wherever your employees are. A weak configuration can expose your entire internal network to threats if a remote user’s device is compromised.
  • The MSP Value: An MSP will implement robust security on your VPNs, enforcing strong encryption standards, implementing multi-factor authentication (MFA) for access, and configuring split-tunneling policies correctly to ensure that all business traffic is inspected, no matter where the user is.

4. Robust User Authentication and Identity Management

Knowing who is on your network is as important as keeping threats out. Strong authentication ensures that only authorized individuals can access your data and systems.

  • What it is: This configuration focuses on integrating the FortiGate firewall with your company’s directory services, such as Microsoft Active Directory or Azure AD. It involves setting up Single Sign-On (SSO) and, most importantly, enforcing Multi-Factor Authentication (MFA).
  • Why it’s critical: Stolen credentials are one of the most common ways attackers breach a network. MFA is the single most effective defense against this, adding a crucial layer of security that prevents unauthorized access even if a password is compromised.
  • The MSP Value: A managed service handles the complex integration between your FortiGate and identity providers. They can roll out and manage MFA across your user base for firewall and VPN access, ensuring a seamless yet highly secure user experience and providing detailed logs of who is accessing what and when.

5. Proactive Monitoring, Logging, and Firmware Management

The cybersecurity landscape is never static. A firewall requires constant vigilance and maintenance to remain effective.

  • What it is: This is the ongoing, day-to-day work of security. It involves centralizing firewall logs for analysis (often with a tool like FortiAnalyzer), setting up alerts for suspicious events, and methodically testing and applying critical firmware updates released by Fortinet.
  • Why it’s critical: Without comprehensive logging, you have no way of knowing if your firewall is under attack or has been breached. Firmware updates often contain patches for critical vulnerabilities that attackers are actively exploiting. Falling behind on updates is one of the biggest and most common security risks.
  • The MSP Value: This is where an MSP truly shines. Their 24/7 Security Operations Center (SOC) provides the constant monitoring and expert analysis that is impossible for most businesses to replicate. They manage the entire lifecycle of firmware updatesfrom vetting and testing to scheduled deploymentensuring your defenses are always up-to-date without causing business disruption.

Partner with Experts to Maximize Your Security

Your FortiGate firewall is a critical investment in your company’s security. By entrusting its configuration and management to a specialized managed service provider, you ensure that investment yields the highest possible return. You gain not only a hardened security posture but also the freedom to focus on what you do bestrunning your business.

Is your FortiGate firewall configured for complete protection?

Contact us today for a complimentary security assessment. Our certified Fortinet experts will help you understand your current security posture and identify opportunities to strengthen your defenses.

Deploying a FortiGate Firewall VM: An In-Depth Technical Guide

How do you deploy a FortiGate firewall VM?

Deploying a FortiGate firewall VM comes down to five steps: download and verify the correct FortiGate-VM image for your platform, import or launch it, run the first-time console setup to bring up the management interface, apply your license, then build out your interfaces and firewall policies. The exact clicks vary by hypervisor or cloud, but the sequence is the same everywhere. This guide walks through each step for VMware vSphere, Microsoft Hyper-V, KVM, and the major public clouds, using current FortiOS releases.

FortiGate-VM

FortiGate-VM is the virtual-machine edition of Fortinet’s FortiGate next-generation firewall. It runs the same FortiOS as the hardware appliances, so you get firewall policies, IPS, antivirus, web filtering, and VPN inside a virtualized data center or public cloud instead of on a physical box. Licensing is decoupled from the image: you deploy the image, then activate features and performance tiers with a license.

The image is free to download but does nothing useful until licensed. Decide your license model (BYOL, PAYG, or FortiFlex) and your FortiOS branch before you deploy, because on public cloud the license type is fixed for the life of the instance. As a Fortinet Advanced Partner since 2003, we deploy and manage FortiGate firewalls for mid-market clients across the GTA every week; the notes below reflect what actually trips people up.

Which FortiOS version should you deploy in 2026?

For production, deploy on FortiOS 7.4 or 7.6. These are the mature, widely deployed branches; 7.6.7 is the newest 7.6 patch, and many teams standardize on a slightly earlier, well-soaked release such as 7.6.6. FortiOS 8.0 was announced at Accelerate 2026 as the newest feature release, but it is not yet a production recommendation, so keep it in the lab for now.

If you are still on FortiOS 7.2.x, plan your upgrade now: 7.2 reaches end-of-support in September 2026, after which it stops receiving fixes and vulnerability patches. Choosing the right branch at deploy time avoids a forced migration a few months later.

Sept 2026

FortiOS 7.2.x reaches end-of-support; move new and existing FortiGate-VMs to 7.4 or 7.6 before then (Fortinet EOS notice).

Warning:

Fortinet is removing SSL VPN tunnel mode from FortiOS on the 7.6+ and 8.0 branches. Do not build a new remote-access design around SSL VPN. Use IPsec VPN for tunnel-based remote access and site-to-site connections, and ZTNA for per-application access. If you are migrating an older FortiGate, budget time to convert existing SSL VPN users to IPsec.

What do you need before deploying a FortiGate VM?

Before you start the deployment, make sure you have the following:

  • FortiGate VM License:
    • You need the correct license file (.lic), activation code, or FortiFlex token for your FortiGate VM. This determines the features, performance (how much traffic it can handle), and support you get.
    • Licenses are typically BYOL (Bring Your Own License), meaning you buy the license separately, or PAYG / on-demand (Pay-As-You-Go), found in cloud marketplaces where the software cost is part of the hourly or monthly fee. FortiFlex is a points-based usage model for organizations running many VMs. See the comparison below.
  • Virtualization Platform or Cloud Account:
    • You need access to a supported virtualization platform (like VMware vSphere, Microsoft Hyper-V, KVM) or a public cloud account (like AWS, Azure, GCP).
    • Ensure you have administrative access to create VMs, set up networks, and manage storage.
  • FortiGate VM Image:
    • Download the correct FortiGate VM image file for your platform from the Fortinet Support portal.
    • Common image formats include:
      • VMware: .ova (a single file for easy deployment) or .ovf/.vmdk.
      • Microsoft Hyper-V: .vhd or .vhdx.
      • KVM: .qcow2.
      • Public Clouds: Images are usually available directly in their marketplaces.
    • Important: After downloading, verify the file’s integrity using a checksum (SHA256 is preferred; MD5 is also published). Compare the checksum you calculate with the one provided on the Fortinet Support portal.
  • System Resources:
    • Ensure your virtualization environment or cloud account has enough CPU, RAM, storage, and network interfaces for the VM. Refer to the FortiGate VM datasheet for minimum and recommended specifications.
    • CPU: At least 1 virtual CPU, but 2 or more are recommended for better performance.
    • RAM: At least 2GB, but 4GB or more is often recommended, especially if you plan to use many security features.
    • Storage: A system disk is included with the image. You might need additional virtual disks for logging.
    • Network Interfaces: FortiGate VMs need multiple virtual network interfaces (vNICs) to connect to different parts of your network (e.g., management, internal network, external internet connection).
  • Network Configuration Plan:
    • Before you start, plan your network setup carefully.
    • Decide on IP addresses, subnet masks, default gateways, and DNS servers for each FortiGate interface (e.g., management, internal, external).
    • Consider if you’ll use VLANs (Virtual Local Area Networks) or advanced features like Link Aggregation (LAG) for network redundancy or increased speed.
    • Plan your security zones (e.g., internal, external, DMZ) which will help organize your firewall rules.

BYOL vs PAYG vs FortiFlex: which license do you pick?

On public cloud the license type is fixed for the life of the instance, so choose deliberately. BYOL suits predictable, long-running deployments and unlocks the full feature set and virtual domains; PAYG is fastest to stand up and best for short-lived or bursty workloads; FortiFlex fits organizations juggling many VMs that want pooled, usage-based consumption.

License modelHow you payBest forNotes
BYOLBuy the license up front, apply the .lic file or tokenPredictable, long-running VMs on any platformFull feature set and VDOM support; portable across environments
PAYG / on-demandHourly or monthly via the cloud marketplaceShort-lived, test, or bursty cloud workloadsPackaged as unified threat management; no VDOMs; type is fixed for the instance’s life
FortiFlexPoints-based, consumption metered dailyEnterprises and MSSPs running many VMsApply a FortiFlex token; supports vCPU hot-add up to the entitlement

How do you deploy the FortiGate VM image, step by step?

The deployment process generally involves importing the VM image into your virtualization environment or launching it in the cloud, followed by initial setup. The five steps below take you from download to a licensed, policy-enforcing firewall.

Step 1: Download and Verify the FortiGate VM Image

  1. Log in to the Fortinet Support portal.
  2. Go to ‘Download’ > ‘Firmware Images’.
  3. Select ‘FortiGate’ as the product.
  4. Choose a supported FortiOS version (7.4 or 7.6) and the correct image for your platform (e.g., FGT_VM64 for VMware, FGT_VM64_HV for Hyper-V, FGT_VM64_KVM for KVM, or the relevant cloud image).
  5. Download the VM image file.
  6. Verify the Download: To ensure the file isn’t corrupted, calculate its checksum.# Example for Linux/macOS md5sum /path/to/your/fortigate_vm.ova sha256sum /path/to/your/fortigate_vm.ova
    Compare the result with the checksum listed on the Fortinet Support portal. If they don’t match, download the file again.

Step 2: Deploy the VM Image on Your Platform

The way you deploy the image changes depending on your virtualization or cloud platform.

For VMware vSphere (using OVA)

An OVA file is a bundled package that makes deployment easy.

  1. In the vSphere Client, right-click your Datacenter or Cluster and select ‘Deploy OVF Template…’.
  2. Choose ‘Local file’ and browse to your downloaded .ova file. Click ‘Next’.
  3. Give your virtual machine a name and choose where to store it. Click ‘Next’.
  4. Select the host or cluster where the VM will run. Click ‘Next’.
  5. Review the template details. Click ‘Next’.
  6. Configuration: If the OVA offers different VM sizes (e.g., different CPU/RAM), choose the one that matches your license and resource plan. Click ‘Next’.
  7. Storage: Select the datastore for the VM files.
    • Disk Provisioning: ‘Thin Provision’ is recommended to save disk space, as the disk grows only as data is written.
    • Click ‘Next’.
  8. Network Mapping: This is crucial. Map the networks in the OVA template (like Network 1, Network 2) to your actual network port groups in vSphere (e.g., VM Network, Internal_VLAN10). Ensure that Network 1 from the OVA maps to the network you want to use for the FortiGate’s port1 (the default management interface). Click ‘Next’.
  9. Review all settings and click ‘Finish’ to start the deployment.

Interface order equals port order. Whatever hypervisor or cloud you use, the first vNIC becomes port1, the second becomes port2, and so on. Map your management network to the first interface, and add the rest in the order you want them numbered. Getting this wrong is the most common reason a fresh FortiGate-VM is unreachable after boot.

For Microsoft Hyper-V (using VHD/VHDX)

You’ll create a new VM and attach the downloaded virtual hard disk.

  1. Open Hyper-V Manager.
  2. In the Actions pane, select ‘New’ > ‘Virtual Machine…’. Click ‘Next’.
  3. Give the VM a name. Click ‘Next’.
  4. Specify Generation: FortiGate VMs typically support ‘Generation 1’. Check Fortinet’s documentation for your specific VM version if you’re unsure. Click ‘Next’.
  5. Assign Memory: Set the amount of RAM for the VM. Click ‘Next’.
  6. Configure Networking: Connect the first network adapter (which will be FortiGate’s port1) to a virtual switch that allows access to your management network. You can add more network adapters later. Click ‘Next’.
  7. Connect Virtual Hard Disk: Select ‘Use an existing virtual hard disk’ and browse to your downloaded .vhd or .vhdx file. Click ‘Next’.
  8. Review the summary and click ‘Finish’.

After the VM is created, you might need to go into its settings in Hyper-V Manager to add more network adapters and connect them to your internal or external virtual switches. The order in which you add these adapters will typically determine which FortiGate port they map to (e.g., the second adapter added maps to port2).

For KVM (using QCOW2)

KVM deployment often involves using command-line tools like virt-install.

  1. Make sure you have KVM packages installed (qemu-kvm, libvirt-daemon, libvirt-clients, virt-install).
  2. Copy the downloaded .qcow2 image file to a suitable location on your KVM host (e.g., /var/lib/libvirt/images/).
  3. Use the virt-install command to create the VM. Adjust the values as needed:sudo virt-install --name FortiGateVM --memory 4096 --vcpus 2 --disk path=/var/lib/libvirt/images/fortigate.qcow2,format=qcow2,bus=virtio --network bridge=br0,model=virtio --network bridge=br1,model=virtio --import --os-variant generic --graphics none --console pty,target_type=serial
    • --name: Name of your VM.
    • --memory: RAM in MB.
    • --vcpus: Number of virtual CPUs.
    • --disk: Path to the QCOW2 image. bus=virtio improves disk performance.
    • --network: Configures network interfaces. bridge=br0 connects to your host’s network bridge. model=virtio improves network performance. Add more --network lines for additional interfaces. The order of these lines matters for FortiGate port mapping (first is port1, second is port2, etc.).
    • --import: Tells it to use an existing disk image.
    • --os-variant generic: A safe, portable value; run osinfo-query os if you want to pick a closer match for your host.
    • --graphics none: Disables graphical console.
    • --console pty,target_type=serial: Sets up a serial console, which is how you’ll initially access the FortiGate CLI on KVM.

Make sure your KVM host has the necessary network bridges (br0, br1, etc.) configured and connected to your physical networks or VLANs.

For Public Clouds (AWS, Azure, GCP)

Deployment in the cloud involves launching an instance from the marketplace and configuring its networking and security.

  1. Log in to your cloud provider’s management console (AWS, Azure, or Google Cloud).
  2. Go to the service for launching virtual machines (e.g., EC2 in AWS, Virtual Machines in Azure, Compute Engine in GCP).
  3. Start the process to launch a new instance/VM.
  4. Choose Image: Search the Marketplace for “FortiGate” and select the appropriate image (BYOL or PAYG). Remember the license type is fixed once the instance is running.
  5. Choose Instance Type: Select a VM size (instance type) that meets the CPU and RAM requirements for your FortiGate VM and expected traffic.
  6. Network Configuration:
    • Select the Virtual Private Cloud (VPC) or Virtual Network (VNet) where the FortiGate will be.
    • Choose the Subnet for the primary network interface (this will typically be FortiGate’s port1 for management).
    • Add more Network Interfaces and assign them to subnets for your internal, external, or DMZ networks. Pay close attention to the order you add interfaces, as this maps to FortiGate’s port numbering (e.g., eth0 in the cloud VM maps to port1 on FortiGate, eth1 maps to port2, etc.).
    • Configure Security Groups (AWS), Network Security Groups (NSGs) (Azure), or Firewall Rules (GCP) to allow necessary access to the FortiGate’s management interface (HTTPS, SSH, Ping) from your administrative network. Limit access as much as possible.
    • Configure Route Tables in your VPC/VNet to direct network traffic through the FortiGate. This is essential for the FortiGate to act as a firewall/gateway.
  7. Storage: Configure the size and type of the main disk.
  8. Review and launch the instance.

Cloud deployments often require more careful planning for networking and security rules compared to on-premises setups.

Step 3: Power On the VM and Initial Configuration

After the VM is deployed, power it on and access its console for the first-time setup.

  1. Power On: Start the virtual machine from your virtualization platform’s or cloud provider’s console.
  2. Access Console:
    • VMware: Open the VM console tab.
    • Hyper-V: Right-click the VM and select ‘Connect’.
    • KVM: Use virsh console <VM_Name> from your KVM host’s command line.
    • Public Clouds: Use the cloud provider’s serial console feature (e.g., EC2 Serial Console, Azure Serial Console, GCP Serial Port).
  3. Initial Login: The FortiGate VM will boot up. When you see the login prompt:FortiGate-VM login:
    Type admin and press Enter.FortiGate-VM login: admin Password:
    Press Enter again (there’s no default password).
  4. Set New Password: You will be immediately asked to set a new password for the admin user. This is required.You are required to change your password immediately. New password:
    Enter a strong password and press Enter. Confirm it when prompted.
  5. Initial Network Configuration (CLI): It’s best to configure the management interface (port1) using the command-line interface (CLI) first.config system interface edit port1 set mode static set ip 192.168.1.99/24 # Replace with your desired IP and subnet set allowaccess ping http https ssh fgfm # Enable access for web, SSH, etc. set description "Management Interface" next end config router static edit 1 set gateway 192.168.1.1 # Replace with your network's default gateway set device port1 next end config system dns set primary 8.8.8.8 # Replace with your primary DNS server set secondary 8.8.4.4 # Replace with your secondary DNS server end # Save the configuration end
    • set allowaccess: Allows protocols like HTTP/HTTPS (for the web interface), SSH (for CLI), and Ping.
    • config router static: Sets up a default route so the FortiGate can reach other networks, including the internet for licensing.
    • config system dns: Configures DNS servers for name resolution.
  6. Access Web-based Manager: Once port1 has an IP address and a default route, you can access the FortiGate’s web interface from a web browser.https://<FortiGate_Management_IP>
    You might see a certificate warning, which you can safely bypass for now. Log in with admin and the password you just set.

Step 4: Upload the License File

Applying the license activates all features and enables FortiGuard updates (for threat intelligence) and support.

  1. Access the FortiGate web-based manager via HTTPS.
  2. Go to System > Dashboard > Status. You’ll see the license status (e.g., “Unlicensed”).
  3. Click the ‘Upload License’ button or link. For FortiFlex, enter your token instead of a file.
  4. Browse to the .lic license file you downloaded from the Fortinet Support portal.
  5. Upload the file. The FortiGate will verify it.
  6. The FortiGate will usually need to reboot after the license is applied. Confirm the reboot.
  7. After rebooting, log back into the web interface. The Dashboard should now show your license details.

If you have an activation code (common in some cloud or subscription licenses), you might activate it via the GUI or CLI:

# Example CLI command to register with FortiCare (requires internet access)
execute license update <activation_code>

Step 5: Basic Network and Security Configuration

With the license active, you can now configure the FortiGate to protect your network.

  1. Interface Configuration:
    • Go to Network > Interfaces.Configure the other interfaces (port2, port3, etc.) that connect to your internal networks, the internet, and any DMZs.Set their IP addresses, subnet masks, and allowed access protocols.If you’re using VLANs, configure VLAN sub-interfaces.Consider assigning interfaces to Zones (Network > Zones) to simplify your firewall policies.


    config system interface edit port2 set mode static set ip 10.10.10.1/24 set allowaccess ping https ssh set description "Internal LAN" next edit port3 set mode static set ip 203.0.113.2/29 # Example Public IP set allowaccess ping https ssh # Less access typically on external interfaces set description "External WAN" next # Example: Configure VLAN sub-interface if needed edit port2.10 set vlanid 10 set mode static set ip 10.10.20.1/24 set allowaccess ping https set description "Internal VLAN 10" next end

  2. Firewall Policies:
    • Go to Policy & Objects > Firewall Policy.Create rules (policies) to control which traffic is allowed or denied between your interfaces/zones. Policies are processed from top to bottom.For each policy, define:
      • Source Interface/Zone and Destination Interface/ZoneSource Address(es) and Destination Address(es)Service(s) (ports/protocols)Action (Accept or Deny)
      Apply Security Profiles (like Antivirus, Web Filter, Intrusion Prevention System) to policies to enable advanced threat protection.

    config firewall policy edit 0 # 0 means create a new policy at the top set name "LAN_to_WAN_Outbound" set srcintf "Internal LAN" # Or the specific port, e.g., port2 set dstintf "External WAN" # Or the specific port, e.g., port3 set srcaddr "all" set dstaddr "all" set service "ALL" # Be more specific in a production environment set action accept set nat enable # Enable Network Address Translation for outbound internet access set profile-protocol-options "default" set av-profile "default" # Apply Antivirus scanning set webfilter-profile "default" # Apply Web Filtering set ips-sensor "default" # Apply Intrusion Prevention set application-list "default" # Apply Application Control set ssl-ssh-profile "certificate-inspection" # Basic SSL inspection set logtraffic all # Log all traffic matching this policy next # Example: A general deny policy (often placed at the bottom of the list) edit 0 set name "Deny_All_Implicit" set srcintf "any" set dstintf "any" set srcaddr "all" set dstaddr "all" set service "ALL" set action deny set logtraffic all next end

  3. Routing:
    • Go to Network > Static Routes.
    • Verify the default route you configured. Add any other static routes needed to reach specific networks not directly connected to the FortiGate.
    • If you need dynamic routing (like OSPF or BGP), configure it under Router.
  4. System Settings:
    • Configure System > Settings (e.g., hostname, time zone, operation mode).
    • Set up System > FortiGuard for security updates.
    • Configure System > NTP for accurate time synchronization.
    • Set up Log & Report > Log Settings to send logs to a FortiAnalyzer, FortiManager, or syslog server for monitoring.

What should you configure after the FortiGate VM is running?

You have deployed and performed the initial configuration of your FortiGate Firewall VM: you got the image, set up its resources, configured basic network access through the CLI, licensed the device, and set up essential interfaces and firewall rules. The real value of the FortiGate comes from the security features you build on top of this base.

Recommended next steps:

  • Configure more detailed security profiles (Antivirus, IPS, Web Filter, Application Control).
  • Implement SSL/SSH Inspection for encrypted traffic.
  • Set up VPNs for secure connectivity. Use IPsec VPN for remote access and site-to-site tunnels, and ZTNA for per-application access. Do not build on SSL VPN tunnel mode, which Fortinet is removing from FortiOS 7.6+ and 8.0.
  • Configure user authentication (e.g., Local users, RADIUS, LDAP).
  • Set up centralized logging and monitoring (e.g., with FortiAnalyzer).
  • Consider configuring High Availability (HA) if you need redundancy (requires two FortiGate VMs).
  • Keep FortiOS and FortiGuard definitions current, and stay on a supported branch (7.4 or 7.6) so you continue receiving patches.

If you would rather have this designed, deployed, and monitored for you, our managed firewall services and Fortinet solutions cover the full lifecycle, from sizing and licensing to policy tuning and 24/7 monitoring. Always refer to the official FortiGate documentation for your specific FortiOS version and deployment environment.

Sources

How to Properly Size a FortiGate for Optimal Performance

Choosing the right FortiGate firewall is crucial for maintaining a secure and efficient network. An undersized unit can become a bottleneck, leading to slow performance and a frustrating user experience. Conversely, an oversized unit means you’ve overspent on hardware you don’t fully utilize. At BALANCED+, we believe in finding that perfect equilibrium. This guide will walk you through the essential considerations for properly sizing your FortiGate to ensure optimal performance and robust security.

Why Proper Sizing Matters

Before diving into the “how,” let’s understand the “why.” A correctly sized FortiGate ensures:

  • Optimal Security: The device can handle the processing demands of all necessary security services (like Intrusion Prevention, Antivirus, Application Control, and SSL Inspection) without bogging down.
  • Peak Performance: Your network users experience fast and reliable connectivity, without the firewall becoming a chokepoint.
  • Cost-Effectiveness: You invest in a solution that meets your current and near-future needs without overspending on unnecessary capacity.
  • Future Scalability: A well-sized unit, with some room for growth, allows for easier adaptation as your business and network demands evolve.

Key Factors to Consider When Sizing Your FortiGate

Sizing a FortiGate isn’t just about matching your internet speed. It’s a multifaceted process. Here are the critical metrics and features to evaluate:

1. Throughput More Than Just a Single Number:

FortiGate datasheets list various throughput figures. It’s vital to understand what each represents:

  • Firewall Throughput (UDP/TCP): This is the raw packet processing capability of the firewall, typically measured with User Datagram Protocol (UDP) traffic, which has less overhead than Transmission Control Protocol (TCP). While a useful baseline, it doesn’t reflect real-world performance with security services enabled.
  • Next-Generation Firewall (NGFW) Throughput: This metric reflects performance with key security services like Intrusion Prevention System (IPS) and Application Control enabled. This is often a more realistic number to consider for typical deployments.
  • Threat Protection Throughput: This is arguably the most critical throughput number for most businesses. It indicates the performance when multiple advanced security services (like IPS, Antivirus, Application Control, and often sandboxing) are active simultaneously. This is the figure you should most closely align with your actual internet bandwidth and internal traffic inspection needs.
  • SSL/TLS Inspection Throughput: If you plan to decrypt and inspect encrypted traffic (which is increasingly important for security), this figure is paramount. SSL/TLS inspection is resource-intensive, and the dedicated throughput for it will be significantly lower than other throughput metrics.
  • IPSec VPN Throughput: If you rely heavily on site-to-site or remote access VPNs, ensure the FortiGate model can handle your encrypted VPN traffic demands.

BALANCED+ Tip: Always focus on the “Threat Protection Throughput” and “SSL/TLS Inspection Throughput” (if applicable) as your primary guides, rather than just the basic firewall throughput.

2. Concurrent Sessions:

This refers to the total number of active connections passing through the firewall at any given moment. Every time a user accesses a website, sends an email, or uses a network application, one or more sessions are created.

  • Consider: The number of users, the types of applications they use (some applications, like peer-to-peer, open many sessions), and the number of IoT or always-on devices on your network.
  • BALANCED+ Tip: It’s wise to choose a model with a concurrent session capacity that comfortably exceeds your current peak usage to accommodate growth and unexpected spikes.

3. New Sessions Per Second (CPS):

This metric indicates how quickly the FortiGate can establish new connections. A low CPS rate can lead to delays in opening new web pages or starting new applications, especially in environments with many users or services initiating connections frequently.

  • Consider: High-traffic environments, web servers, or applications that rapidly open and close connections.
  • BALANCED+ Tip: Don’t underestimate this metric, especially if you have a dynamic environment with many users initiating new tasks simultaneously.

4. Interface Requirements:

Consider the number and types of network interfaces you need:

  • Ports: How many LAN, WAN, DMZ, and other segments do you need to connect?
  • Speed: Do you require 1Gbps, 10Gbps, or even faster ports?
  • Type: Do you need copper (RJ45) or fiber (SFP/SFP+) interfaces?
  • Power over Ethernet (PoE): Will you be powering devices like access points or IP phones directly from the firewall?

5. VPN Requirements:

If you use Virtual Private Networks (VPNs):

  • Site-to-Site Tunnels: How many persistent VPN connections to other offices or cloud environments do you need?
  • Remote Access Users: How many concurrent remote users will connect via SSL VPN or IPsec VPN?
  • BALANCED+ Tip: Ensure the chosen model has sufficient VPN throughput and tunnel capacity for your needs.

6. Other Feature Impacts:

Certain features can significantly impact resource utilization:

  • SD-WAN: If you plan to leverage FortiGate’s robust SD-WAN capabilities, factor in the overhead for link monitoring and traffic steering.
  • Logging and Reporting: Extensive logging requires storage and processing power. If you’re sending logs to a FortiAnalyzer or SIEM, this is less of a burden on the FortiGate itself.
  • High Availability (HA): If you require a redundant setup, you’ll typically need two identical FortiGate units.

7. Future Growth:

Always plan for the future. Consider:

  • User Growth: Will your number of employees or network users increase?
  • Bandwidth Increases: Do you anticipate upgrading your internet connection?
  • New Applications/Services: Will you be deploying new technologies that increase network load?

BALANCED+ Recommendation: Aim to size your FortiGate to handle your current needs plus 20-30% capacity for future growth over the next 3-5 years.

Common Sizing Pitfalls to Avoid

  • Focusing Solely on Firewall Throughput: Ignoring NGFW, Threat Protection, and SSL Inspection throughput.
  • Underestimating Concurrent Sessions: Leading to dropped connections and poor user experience.
  • Forgetting SSL Inspection Impact: This is a major performance hit if not accounted for.
  • Not Planning for Peak Loads: Sizing only for average use can cause issues during busy periods.
  • Ignoring Future Growth: Leading to a premature and costly upgrade.
  • Not Understanding Your Traffic: Perform a network assessment to understand your actual usage patterns before making a decision.

Optimizing Performance Beyond Sizing

Once you have your FortiGate, remember that configuration plays a vital role in performance:

  • Firmware Updates: Keep your FortiOS firmware up-to-date for the latest performance improvements and security patches.
  • Policy Optimization: Streamline firewall policies and remove unused or redundant rules.
  • Selective SSL Inspection: Only inspect traffic that needs it. Create exemptions for trusted, high-volume traffic where appropriate.
  • Resource Monitoring: Regularly monitor CPU, memory, and session load to identify potential bottlenecks.
  • Hardware Session Offloading: Ensure features like hardware acceleration are enabled where appropriate.

Get a Free Expert Sizing Assessment

Properly sizing a FortiGate firewall is a critical step in building a secure and high-performing network. It requires a careful analysis of your current environment, security needs, and future growth plans.

Ready to find the perfect FortiGate for your organization? Let the experts at BALANCED+ help! We offer a free, no-obligation sizing assessment. Fill out our form, and one of our certified engineers will help you determine the ideal FortiGate model to meet your specific requirements.

Choose the Right FortiGate From The Start

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
Modern abstract graphic representing potential or growth

How To Troubleshoot Common FortiGate Configuration Issues

Most FortiGate configuration problems trace back to a short list of predictable culprits: a missing or wrong route, a firewall policy that does not match the traffic (or matches a broader policy first), NAT enabled on the wrong side, or a VPN proposal mismatch. Work the problem in order (interface, route, policy, NAT, then service or VPN parameters) and confirm each layer with the FortiGate’s own diagnostic tools before you change anything.

This guide gives you a practical, systematic approach to the issues we see most often as a managed firewall provider, current for FortiOS 7.4 and 7.6. FortiGate firewalls are powerful Next-Generation Firewalls (NGFWs), but that feature depth means small misconfigurations can produce confusing network behavior.

FortiGate

A FortiGate is Fortinet’s Next-Generation Firewall (NGFW), a security appliance that combines stateful firewalling, NAT, VPN termination (IPsec and, on older releases, SSL VPN), and UTM inspection (antivirus, web filtering, IPS, and application control) in a single platform running the FortiOS operating system. Configuration is done through the web GUI or the CLI, and both expose diagnostic tools for troubleshooting.

We’ll cover:

  • Essential FortiGate troubleshooting tools and techniques.
  • Solving common connectivity problems (no internet, can’t reach servers).
  • Fixing firewall policy misconfigurations (traffic incorrectly blocked or allowed).
  • Diagnosing VPN tunnel issues (IPsec and, on legacy releases, SSL-VPN).
  • Choosing between GUI and CLI troubleshooting approaches.

What tools do you use to troubleshoot a FortiGate?

FortiGate ships with a full diagnostic toolkit in both the GUI and the CLI. Start in the GUI with the Log Viewer and Policy Lookup for fast checks, then drop to the CLI (diagnose debug flow and diagnose sniffer packet) when you need to see exactly how a packet is processed. Before you touch anything, cover the basics.

  • Backups: Always back up your FortiGate configuration before making any changes. This is your safety net.
  • Change Control: Follow your organization’s change control procedures. Document what you’re changing and why.
  • Understand the Goal: Clearly define what the configuration should be doing. What traffic needs to be allowed or blocked? What should the VPN connect?

GUI Tools:

  • Log Viewer: Your first stop. Check Forward Traffic, Event Logs (System, VPN, User), and UTM logs (Web Filter, IPS, etc.). Learn to filter effectively.
  • Policy Lookup: Found under Policy & Objects -> Firewall Policy. Enter source/destination IPs, port, and protocol to see which policy should match the traffic.
  • FortiView: Dashboards and visualizations of traffic, sources, destinations, and threats. Great for identifying top talkers or unusual patterns.
  • Routing Monitor: Network -> Routing Monitor. View the active routing table.
  • Packet Capture: Network -> Packet Capture. A GUI way to capture traffic on specific interfaces (though the CLI often offers more flexibility).

CLI Tools (The Powerhouse):

Access the CLI via SSH or the console widget in the GUI. The diagnose and get commands are essential:

  • diagnose debug flow: The cornerstone of packet-level troubleshooting. Shows how a packet traverses the FortiGate, which policy it hits, and why it might be dropped. Set a filter (diagnose debug flow filter saddr <ip>, daddr <ip>, dport <port>), start the trace (diagnose debug flow trace start <n>), and enable output (diagnose debug enable). Remember to disable it (diagnose debug disable, diagnose debug reset) when done.
  • diagnose sniffer packet any 'host <ip_address> and port <port_number>' 4 0 l: A powerful CLI packet sniffer. Replace any with a specific interface if needed. The filters (like host and port) are crucial.
  • get system status: Basic device information (firmware version, serial number, uptime). Confirm which FortiOS build you’re on before you start.
  • get system performance status: CPU/memory usage and session count. Useful for identifying resource exhaustion.
  • diagnose sys session list: View active sessions in the session table. Can be filtered.
  • diagnose vpn ike log filter name <phase1_name> followed by diagnose debug application ike -1 and diagnose debug enable: Debugs IPsec Phase 1 negotiation.

Always scope your debug with a filter and disable it the moment you have your answer. Running diagnose debug flow unfiltered on a busy firewall floods the console and adds CPU load. The reset-and-disable habit (diagnose debug disable, diagnose debug reset) also prevents a forgotten debug session from quietly taxing the device.

General Approach: troubleshoot systematically, from the bottom of the stack up.

  1. Verify Layer 1/2: Is the interface physically up? Link lights? Correct VLAN?
  2. Check Logs: Look for relevant deny or error messages.
  3. Test Basic Connectivity: Use ping and traceroute (from clients and the FortiGate CLI: execute ping <destination>, execute traceroute <destination>).
  4. Use Diagnostic Tools: Employ Policy Lookup, diagnose debug flow, or packet sniffing.
  5. Verify Configuration Details: Double-check IPs, policies, routes, and VPN settings meticulously.

Struggling To Choose The Right Fortigate?

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
Modern abstract graphic representing potential or growth

Why can’t users reach the internet or internal resources?

When traffic stops flowing, walk the path in order: interface, route, policy, NAT, then DNS. Nine times out of ten it’s a missing default route, a firewall policy that doesn’t match, or NAT that isn’t enabled on the outbound policy. Confirm the failing step with Policy Lookup or diagnose debug flow before changing anything.

Symptoms: Users report no internet access, inability to reach specific websites, or failure to connect to internal servers and applications.

Troubleshooting Steps:

  1. Check Interface: In the GUI (Network -> Interfaces) or CLI (get system interface physical), verify the relevant interface (e.g., WAN, LAN) is up. Check IP addressing, netmask, and gateway (if applicable). Ensure cables are connected and functional.
  2. Check Routing:
    • Internet: Does the FortiGate have a default route (0.0.0.0/0) pointing to the correct WAN interface/gateway? Use Routing Monitor (GUI) or get router info routing-table all (CLI).
    • Internal: Does the FortiGate have a route (static or dynamic) to the destination internal network?
  3. Check Firewall Policies:
    • Go to Policy & Objects -> Firewall Policy.
    • Is there an enabled policy allowing the traffic from the source interface/zone/IP to the destination interface/zone/IP using the correct Service (port/protocol)?
    • NAT: For outbound internet access policies (e.g., LAN -> WAN), is NAT enabled and set to use the Outgoing Interface Address?
    • Policy Lookup Tool: Use this GUI tool first to see which policy ID should match.
    • diagnose debug flow: If Policy Lookup isn’t clear, use this CLI command (filtered for the specific traffic) to see exactly what’s happening: which policy ID is hit, or why it’s denied (e.g., denied by forward policy check (policy ID 0) often means no matching policy).
  4. Check DNS:
    • Can the FortiGate resolve external domains? (Network -> DNS, check servers.) Use execute ping google.com from the CLI.
    • Are clients configured to use a working DNS server (often the FortiGate itself or internal DNS servers)? Check client IP configuration.
  5. Check Logs: Filter Forward Traffic logs by the source IP. Look for “Action: Deny”. The “Reason” column or log details often indicate the cause (e.g., “Policy Deny”, “Reverse Path Check Failed”, “Blocked – Web Filter”).

Common Solutions:

  • Adding or correcting static/default routes.
  • Creating or modifying firewall policies (correcting interfaces, addresses, services, enabling the policy).
  • Enabling NAT on the outbound internet policy.
  • Configuring correct DNS servers on the FortiGate (Network -> DNS).
  • Fixing client-side DNS settings.

Why is FortiGate blocking (or allowing) the wrong traffic?

FortiGate evaluates firewall policies top-down and applies the first match, so unexpected block or allow behavior is usually a policy-order or policy-scope problem, or a UTM security profile silently dropping the session. Identify the traffic, run Policy Lookup, then confirm with diagnose debug flow, which prints the exact policy ID that matched.

Symptoms: Legitimate traffic is unexpectedly blocked, or conversely, unwanted traffic is being allowed through.

Troubleshooting Steps:

  1. Identify the Traffic: Note the Source IP, Destination IP, and Destination Port/Service involved.
  2. Use Policy Lookup (GUI): Enter the traffic parameters. Does it match the policy you expect it to? Does it match a different policy unexpectedly?
  3. Use diagnose debug flow (CLI): This is invaluable for policy issues. Filter (diagnose debug flow filter saddr <source_ip> daddr <dest_ip> dport <dest_port>) and run the trace (diagnose debug flow trace start 10, diagnose debug enable). The output shows msg="Allowed by Policy-ID=<id>" or the reason for denial. Remember to disable debug afterwards (diagnose debug disable, diagnose debug reset).
  4. Review Policy Order: Policies are evaluated top-down and the first matching policy is applied. Is a broader policy placed above your specific policy, catching the traffic first? Re-order policies carefully.
  5. Check Policy Details: Scrutinize the matching (or intended) policy:
    • Interfaces/Zones: Are the Incoming and Outgoing Interfaces correct?
    • Source/Destination Addresses: Are the Address Objects accurate? Do they contain the correct IPs or subnets? Avoid using “all” unless absolutely necessary.
    • Service: Is the correct port/protocol defined? Is it TCP, UDP, or ICMP? Avoid using “ALL”. Create custom services if needed.
    • Action: Is it set to Allow or Deny?
    • Security Profiles: If UTM features (Antivirus, Web Filter, IPS, Application Control, DNS Filter) are enabled on the policy, they could be blocking the traffic. Check the corresponding logs (e.g., Web Filter logs) for block events related to this traffic.
  6. Check Logs: Filter Forward Traffic logs by source/destination IP and check the “Policy ID” column. Is it hitting the policy you expect? If denied, what’s the reason? Check UTM logs if Security Profiles are applied to the policy ID being hit.
Tip:

Since FortiOS 7.4, most UTM inspection runs in flow-based mode by default rather than proxy-based. If traffic is dropped by a security profile, the block often will not appear in the Forward Traffic policy log alone. Always cross-check the specific UTM log (Web Filter, IPS, Application Control, or DNS Filter) for the matching event.

Common Solutions:

  • Re-ordering firewall policies.
  • Correcting Source/Destination Address objects or Service definitions.
  • Changing the policy Action (Allow/Deny).
  • Adjusting or disabling specific Security Profiles on the policy (or creating exceptions within the profile).
  • Making policies more specific (avoiding “all”).

How do you troubleshoot FortiGate VPN tunnels (IPsec and SSL-VPN)?

For IPsec, verify Phase 1 and Phase 2 come up (get vpn ipsec tunnel summary), then run the IKE debug to catch proposal, PSK, or selector mismatches. Confirm you have firewall policies in both directions with NAT disabled, and a route to the remote subnet. For SSL VPN, note that it is being phased out (see the warning below) and migrate remote access to IPsec.

Symptoms: VPN tunnels (site-to-site or remote access) fail to establish, disconnect frequently, or establish but don’t pass traffic.

Warning:

SSL VPN tunnel mode is being removed. Starting in FortiOS 7.6.3, Fortinet replaced SSL VPN tunnel mode with standards-based IPsec VPN (which can be configured on TCP port 443). It is gone from the GUI and CLI, settings are not migrated automatically on upgrade, and the new G-series FortiGates do not support SSL VPN at all. If you still run SSL VPN tunnel mode, plan your migration to IPsec (or ZTNA for application access) before upgrading. See our guide: FortiGate SSL VPN Is Going Away: Migrate to IPsec.

IPsec Site-to-Site Troubleshooting:

  1. Phase 1 (IKE): This establishes the secure management tunnel.
    • Check Status: GUI (Dashboard -> Network -> IPsec, or Monitor) or CLI (get vpn ipsec tunnel summary). Is it up?
    • Debug: Use CLI: diagnose vpn ike log filter name <your_phase1_name>, diagnose debug application ike -1, diagnose debug enable. Initiate the tunnel (e.g., with traffic) and watch the logs.
    • Common Errors: Proposal mismatches (Encryption, Authentication, DH Group, Key Lifetime must match exactly on both sides), Pre-Shared Key (PSK) mismatch, incorrect Remote Gateway IP or Peer ID. Modern deployments should use IKEv2 with AES-GCM and a strong DH group where both peers support it.
    • Verify: Double-check Phase 1 settings on both FortiGates (or the remote peer).
  2. Phase 2 (IPsec): This negotiates the data tunnel parameters.
    • Check Status: GUI IPsec monitor (expand the tunnel details).
    • Debug: The IKE debug often shows Phase 2 negotiation too.
    • Common Errors: Proposal mismatches (Encryption/Authentication algorithms, PFS enablement, Key Lifetime) and selector mismatches (Local Address/Subnet and Remote Address/Subnet must be exact opposites, e.g., Local 192.168.1.0/24 <-> Remote 10.1.1.0/24). Using 0.0.0.0/0 can cause issues if not matched identically.
    • Verify: Check Phase 2 selectors and proposals on both peers.
  3. Firewall Policies: You need policies to allow traffic into and out of the tunnel.
    • Policy: LAN -> tunnel_interface, Source=Local Subnet, Dest=Remote Subnet, Service=ALL (or specific), Action=Allow.
    • Policy: tunnel_interface -> LAN, Source=Remote Subnet, Dest=Local Subnet, Service=ALL (or specific), Action=Allow.
    • Important: Ensure these policies do not have NAT enabled.
  4. Routing: The FortiGate needs a route pointing the remote subnet(s) toward the IPsec tunnel interface. This is often created automatically if configured in Phase 2, but verify using Routing Monitor or get router info routing-table all. The remote peer also needs a route back to your local subnet.
  5. NAT Traversal: Required if either peer is behind a NAT device. Usually set to ‘Enable’ or ‘Forced’ on both ends (Network -> IPsec Tunnels -> Edit Phase 1).
  6. Logs: Check VPN Events in the Event Log and Forward Traffic logs for traffic attempting to cross the VPN.

SSL-VPN Troubleshooting (legacy releases, FortiOS 7.6.2 and earlier): If you are on a release that still supports SSL VPN tunnel mode, the checks below apply. Treat this as a stopgap and prioritize the IPsec migration above.

  1. Connectivity: Can the remote client reach the FortiGate’s public IP on the configured SSL VPN port (usually TCP/443 or TCP/10443)? Check any upstream firewalls. Check the FortiGate’s WAN interface Local-in Policy if restricting access.
  2. Authentication:
    • Verify user credentials (local user, RADIUS, LDAP).
    • Check User & Authentication -> User Groups: Is the user in the correct group?
    • Check VPN -> SSL-VPN Settings: Are the correct groups assigned to the correct Portal in the Authentication/Portal Mapping?
    • Test backend servers: diagnose test authserver ldap <server_name> <username> <password>, diagnose test authserver radius <server_name> <username> <password>.
    • Check Logs: Event -> VPN Events or User Events.
  3. Portal and Tunnel Settings: Confirm Tunnel Mode is enabled, split tunneling is configured correctly, and Source IP Pools are assigned and not exhausted (VPN -> Monitor -> SSL-VPN Monitor). You need a firewall policy from the SSL VPN tunnel interface (ssl.root by default) to the internal network(s), with NAT disabled.
  4. Logs and Debug: Check Event Logs (VPN Events) and use SSL VPN debugs (diagnose debug application sslvpn -1, diagnose debug enable). Check Forward Traffic logs for traffic from the ssl.root interface.

Common Solutions:

  • IPsec: Correcting mismatched Phase 1/2 proposals, PSKs, or selectors. Adding correct firewall policies and routes. Enabling NAT Traversal.
  • SSL-VPN (legacy): Fixing authentication issues, correcting portal assignments, adding a firewall policy from ssl.root to LAN, and ensuring IP pool availability. Longer term, migrate to IPsec.

Should you troubleshoot a FortiGate from the GUI or the CLI?

Use both. Start in the GUI for fast, visual checks (Log Viewer, Policy Lookup, monitors), then move to the CLI when you need to see exactly how a packet is processed or debug a specific daemon. The GUI is faster for orientation; the CLI is where you get definitive answers.

FeatureGUI TroubleshootingCLI Troubleshooting
Ease of UseGenerally easier, visual feedbackSteeper learning curve, command knowledge required
Real-time FlowLimited (Policy Lookup is static)Excellent (diagnose debug flow) shows packet processing step-by-step
Packet CaptureBasic setup, visual resultsMore powerful filtering options, detailed output formats
Detailed DebugVery limitedExtensive daemon-specific debugging (diagnose debug application ...)
LoggingVisual log viewing, easy filteringCan parse raw logs, harder for large volumes without filtering
ConfigurationVisual, structuredFaster for experienced users, scripting possible
MonitoringDashboards (FortiView), monitorsget commands for status, diagnose for real-time stats
  • Start with the GUI: Use Log Viewer, Policy Lookup, and monitors for initial investigation and quick checks.
  • Move to CLI for deep dives: When you need to see exactly how a packet is processed (diagnose debug flow), capture specific traffic (diagnose sniffer packet), or debug a specific process like IKE, the CLI is indispensable.
  • Combine both: The most effective approach uses the GUI to identify potential issues (like a policy ID from logs), then the CLI to confirm the exact behavior or gather more detailed debug information.

Stay current: FortiOS versions and upgrade planning

A surprising number of “bugs” are resolved simply by running a mature, patched FortiOS build. As of mid-2026, the recommended production branches are FortiOS 7.4 and 7.6 (7.6.6 is widely recommended, with 7.6.7 available). FortiOS 8.0 was announced at Accelerate 2026 but is not yet recommended for production. Critically, FortiOS 7.2 reaches end-of-support in September 2026, so if you’re still on 7.2, plan your upgrade now.

Before upgrading, always read the release notes for your exact target build, back up your configuration, and check two things that commonly break on newer FortiOS: SSL VPN tunnel mode (removed from 7.6.3, migrate to IPsec first) and any UTM profiles relying on proxy-based inspection (now flow-based by default from 7.4). Systematic troubleshooting plus a current, supported firmware baseline prevents most FortiGate issues from recurring.

FortiGate configuration issues can be frustrating, but they are rarely insurmountable. Adopt a systematic approach, lean on the built-in GUI and CLI diagnostics, and understand the common pitfalls around connectivity, policies, and VPNs. If you’d rather hand off day-to-day firewall management and monitoring, that’s exactly what our managed firewall services cover.

Sources

FortiGate Models: Key Differences Explained

FortiGate models differ mainly in three things: performance (how much traffic they can inspect with security services on), capacity (how many users and sessions they support), and connectivity (the number and speed of ports). The number in the model name tracks roughly to performance tier, and the letter suffix (E, F, or G) marks the hardware generation. For most Canadian mid-market offices the decision is a desktop model in the current G-series (30G, 50G, 70G, 90G); larger sites and data centres move up to the rack and chassis lines.

FortiGate

FortiGate is Fortinet’s line of next-generation firewalls (NGFWs). Each model combines firewalling, intrusion prevention (IPS), antivirus, application control, web filtering, and VPN in one appliance, accelerated by Fortinet’s custom security processors (SPUs). Models scale from small fanless desktop units to multi-terabit chassis systems, all managed with the same FortiOS operating system.

Do not shop on the “firewall throughput” headline number. Match the model to your real internet bandwidth and user count using threat protection throughput (performance with IPS, antivirus, and application control turned on), then leave 30 to 50 percent headroom for growth. For new multi-year purchases, price the current G-series rather than the older F-series.

Struggling To Choose The Right FortiGate?

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
FortiGate firewall lineup graphic

How does FortiGate model numbering work?

The number tells you the performance class and the trailing letter tells you the hardware generation. A higher number means more throughput, more ports, and more session capacity: an 80-class unit outperforms a 60-class unit, and a 400-class rack unit outperforms both. The letter is the generation marker, and it moves forward over time: E preceded F, and F is now being succeeded by G on Fortinet’s newest security processor.

  • The number = tier. 30 to 90 class are desktop units for small and branch offices. 100 to 900 class are rack-mount units for mid-market and campus. 1000 class and up are high-end enterprise and data-centre platforms; the 7000 series is chassis-based for carriers and hyperscale.
  • The letter = generation. E, then F, then G. Each generation brings a new security processor and a large jump in threat-protection performance at a similar price and power draw.
  • Suffixes and variants. A FortiWiFi (FWF) model is the same hardware with built-in Wi-Fi. A POE variant adds Power over Ethernet ports to run phones, cameras, and access points. Rugged and industrial models carry different naming for harsh environments.

What are the current FortiGate model tiers?

Fortinet groups FortiGate into four broad tiers by network size and traffic load. Match your organization to a tier first, then pick the specific model on the specs that matter to you.

  • Entry / SMB desktop (30G, 50G, 70G, 90G): Fanless desktop units for small businesses, retail sites, and branch offices. Core NGFW security with Gigabit and, higher up, multi-gig and SFP ports. This is where most GTA small offices land.
  • Mid-range rack (100F, 200F, 400F class): Rack-mount units for growing and medium organizations. Higher throughput, more concurrent sessions, 10GbE interfaces, and redundant power options.
  • High-end enterprise (1000F, 2000F class): Large enterprise, campus, and data-centre firewalls. Very high throughput, 10/25/40GbE interfaces, dual power supplies, and virtual domains (VDOMs).
  • Chassis / ultra-high-end (7000 series): Chassis-based systems for service providers and hyperscale data centres, delivering terabit-scale throughput and 100/400GbE density.

FortiGate SMB desktop models compared: 30G, 50G, 70G, 90G

For most small and branch offices, the choice comes down to the current G-series desktop lineup. All four run on the FortiSP5 security processor and share the same FortiOS features; they differ in throughput, ports, and user headroom. Threat protection throughput is the realistic day-to-day number because it reflects security services turned on.

ModelThreat protectionFirewall throughputIPsec VPNBest fit
FortiGate 30G500 Mbps4 Gbps~4 GbpsVery small office / micro-branch
FortiGate 50G1.1 Gbps5 Gbps~5 GbpsSmall office, fibre internet
FortiGate 70G1.3 Gbps10 Gbps~11 GbpsBusy small office / larger branch
FortiGate 90G2.2 Gbps28 Gbps25 GbpsGrowing SMB, heavy VPN or SSL inspection
Figures from Fortinet G-series datasheets (July 2026). Threat protection = enterprise traffic mix with IPS, antivirus, and application control enabled.

If you are weighing the older SMB units instead, our detailed FortiGate 40F vs 60F vs 80F comparison breaks down the previous generation the G-series replaces.

What is the difference between the FortiGate F-series and G-series?

The G-series is the current generation and the F-series is the previous one. G-series desktop models run on the FortiSP5, Fortinet’s fifth-generation security processor, which delivers roughly two to three times the threat-protection throughput of the equivalent F-series model at a similar price, in a smaller fanless form factor that draws less power. The F-series (40F, 60F, 80F) is still sold and supported with no end-of-life announced, so existing units are fine to keep running, but new multi-year purchases should price the G-series.

2-3x

threat-protection throughput of the FortiSP5 G-series over the equivalent F-series model (Fortinet 90G / 80F datasheets)

The practical upgrade path maps almost one to one:

  • 40F is succeeded by the 30G (similar tier) or 50G (a step up).
  • 60F is succeeded by the 70G.
  • 80F is succeeded by the 90G, which delivers more than double the 80F’s threat protection.
Important:

Firmware matters as much as hardware. Run a mature FortiOS branch (7.4 or 7.6; 7.6.6+ is widely recommended) and do not deploy 8.0 in production yet. If you are still on FortiOS 7.2, plan your upgrade now: 7.2 reaches end-of-support in September 2026. Fortinet is also removing SSL VPN tunnel mode in newer FortiOS releases, so design remote access around IPsec VPN (and ZTNA for application access) rather than SSL VPN.

Which specs actually matter when comparing FortiGate models?

Beyond the tier, five specifications separate the models. Read them in this order and the right size becomes obvious.

  1. Threat protection throughput. Performance with IPS, antivirus, and application control on. This is the number to size against, not raw firewall throughput.
  2. SSL inspection throughput. Performance while decrypting and inspecting HTTPS. It is computationally heavy and drops fastest under load, so if you inspect encrypted traffic (most networks should), check this figure closely.
  3. Interfaces. Count and speed of ports: enough 1GbE for endpoints, plus 10GbE or SFP+ uplinks if you have fast internet or server segments. Confirm POE ports if you run phones, cameras, or access points off the firewall.
  4. Session capacity. Concurrent sessions (how many connections it tracks at once) and new sessions per second (how fast it opens them). Make sure concurrent sessions comfortably exceed your user and device count.
  5. Redundancy and scalability. High availability (HA) pairing for failover, redundant power supplies (mid-range and up), and VDOMs to split one appliance into several virtual firewalls (high-end).

Size against your projected internet bandwidth with SSL inspection enabled, not your current speed with it off. Enabling deep inspection can cut usable throughput by more than half on entry models, so a firewall that looks oversized on the firewall-throughput line is often exactly right once real security services are running.

How do I choose the right FortiGate model?

Work from your network reality to a specific model in five steps.

Start with scale: match your site size to a tier. Small or branch office points to a G-series desktop unit; a growing head office points to a 100F-class rack unit or higher.

Assess your reality: note your current and projected internet bandwidth, your user and device count, and the security services you will run (IPS, web filtering, SSL inspection, VPN).

Check the right specs: on the datasheets, compare threat protection and SSL inspection throughput, and confirm concurrent sessions exceed your device count.

Verify connectivity: confirm the port mix (1GbE, 10GbE, SFP/SFP+, POE) covers what you need now and in the near future.

Factor in growth: pick a model with 30 to 50 percent headroom over today’s needs so it lasts the full refresh cycle, and buy the current G-series generation for a longer support runway.

Choosing the right FortiGate is about matching the appliance to your real traffic, not buying the biggest box. As a Fortinet Advanced Partner, we size, deploy, and run these firewalls every day; our managed firewall services take model selection, licensing, firmware, and 24/7 monitoring off your plate.

Sources

How to setup VPN Using Fortinet’s Fortigate

To set up remote-access VPN on a Fortinet FortiGate in 2026, build an IPsec dial-up VPN and connect users with FortiClient. IPsec is now the path Fortinet recommends: starting in FortiOS 7.6.3, Fortinet removed SSL VPN tunnel mode from the GUI and CLI and replaced it with standards-based IPsec, which can even run over TCP port 443. This guide walks through the IPsec setup first (the recommended route), then covers where SSL VPN still fits and why you should migrate off it.

Struggling To Choose The Right FortiGate?

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
Fortinet FortiGate firewall VPN configuration graphic

IPsec VPN vs SSL VPN

IPsec VPN is a standards-based tunnel that secures all traffic between a remote device and your network at the network layer, using IKE for key exchange. SSL VPN is Fortinet’s proprietary tunnel that ran over HTTPS. Fortinet has removed SSL VPN tunnel mode from current FortiOS and now steers remote access to IPsec, with ZTNA as the longer-term model for application-level access.

Configure an IPsec dial-up VPN, not SSL VPN. Fortinet replaced SSL VPN tunnel mode with IPsec in FortiOS 7.6.3, and settings are not carried over on upgrade. If you are still on 7.2.x, plan your migration now: FortiOS 7.2 reaches end of support in September 2026.

Should you use IPsec or SSL VPN on a FortiGate in 2026?

Use IPsec. As of FortiOS 7.6.3, SSL VPN tunnel mode is gone from the FortiGate GUI and CLI, and Fortinet directs all remote-access VPN to standards-based IPsec. IPsec can run over UDP, TCP, or Auto mode (which falls back from UDP to TCP), so you can still reach clients on restrictive networks, including over TCP port 443, without the proprietary SSL tunnel.

As a Fortinet Advanced Partner since 2003, we now build every new FortiGate remote-access deployment on IPsec. For a deeper side-by-side, see SSL VPN vs IPsec VPN: what Fortinet users must know.

FactorIPsec VPN (recommended)SSL VPN tunnel mode
Status in current FortiOSSupported and recommendedRemoved from GUI/CLI in 7.6.3
StandardOpen standard (IKEv2)Fortinet proprietary
TransportUDP, TCP, or Auto (incl. TCP 443)HTTPS (TCP 443)
ClientFortiClient (IKEv2)FortiClient or browser
Future directionPrimary VPN path, plus ZTNAEnd of life

What do you need before setting up a FortiGate IPsec VPN?

You need three things before you start: administrative access to the FortiGate, a reachable public IP or domain on the WAN interface, and the user accounts (or user group) that will connect. Confirm your FortiOS version too, since the steps below assume a current 7.4 or 7.6 build.

  • Administrative access to the FortiGate firewall.
  • A public IP address or domain name on the FortiGate’s external (WAN) interface.
  • User credentials and a user group for VPN access.
  • FortiClient 7.4.4 or later on each remote device (IKEv1 is no longer supported on the client, so IPsec uses IKEv2).

How do you set up an IPsec dial-up (remote access) VPN on a FortiGate?

The fastest path is the built-in VPN Wizard. In the FortiGate GUI, go to VPN > VPN Wizard, choose the Remote Access template, and step through the endpoint, authentication, and policy screens. The wizard creates the Phase 1/Phase 2 tunnel, the firewall policy, and the address objects for you.

Start the wizard: Go to VPN > VPN Wizard, enter a Tunnel name, set the template to Remote Access, and click Begin.

Set the remote device: Choose FortiClient as the remote device type, then select the incoming (WAN) interface that faces the internet.

Choose authentication: Set the authentication method to Pre-shared Key (or Certificate) and select the user group allowed to connect. IKEv2 is used by default.

Define policy and addressing: Set the local (internal) subnet users should reach and the client address range the FortiGate hands out. Enable split tunneling if remote users should only route corporate traffic through the tunnel.

Review and submit: Confirm the summary and click Submit. The wizard builds Phase 1, Phase 2, the firewall policy, and the address objects automatically.

Verify the tunnel: Go to Dashboard > Network, expand the IPsec widget, and confirm the Phase 1 and Phase 2 selectors come up once a client connects.

On restrictive guest or hotel networks where UDP 500/4500 is blocked, set the IPsec transport to Auto or TCP so the tunnel can fall back to TCP port 443. This is the IPsec equivalent of the reachability SSL VPN used to give you, without the proprietary tunnel.

How do you connect FortiClient to a FortiGate IPsec VPN?

On the endpoint, open FortiClient, go to Remote Access, and add a new connection set to IPsec VPN. Point it at the FortiGate and authenticate with the same pre-shared key and credentials you configured on the firewall.

  1. Install FortiClient 7.4.4 or later, then open it and go to Remote Access.
  2. Click Add a new connection and set VPN to IPsec VPN.
  3. Set the Remote Gateway to the FortiGate’s public IP or domain.
  4. Set the Authentication Method to Pre-Shared Key and enter the key (match Phase 1 Local ID if you set one in the wizard).
  5. Save, select the connection, enter the username and password, and click Connect.

Is SSL VPN still an option on FortiGate?

No, not as a tunnel. On FortiOS 7.6.3 and later, SSL VPN tunnel mode is removed from both the GUI and CLI, and its settings are not upgraded from earlier versions. If you upgrade a FortiGate that still relies on SSL VPN without migrating first, remote users lose access. The old SSL VPN steps below are kept only for readers still on legacy 7.0/7.2 builds.

Warning:

SSL VPN tunnel mode is being removed from FortiOS. Fortinet replaced it with IPsec in 7.6.3, and configurations do not migrate automatically. Move your remote access to IPsec (and evaluate ZTNA for application-level access) before you upgrade. For the full migration path, read FortiGate SSL VPN is going away: migrate to IPsec.

If you must run SSL VPN on a legacy build for now: log in to the FortiGate GUI, go to VPN > SSL-VPN Settings, set the listen interface and port, assign a server certificate and client IP range, and map user groups to a portal. Then create a firewall policy from the SSL-VPN tunnel interface to your internal network. Treat this as temporary and schedule the IPsec cutover.

Beyond IPsec, Fortinet’s longer-term direction is ZTNA (Zero Trust Network Access), which grants access to specific applications based on device posture rather than opening a full network tunnel. For most teams, the practical 2026 plan is IPsec for network access now, ZTNA for sensitive apps as you mature.

Which FortiOS version should you run for VPN?

Run a current 7.4 or 7.6 release for production VPN. FortiOS 7.6 is the mature feature branch (7.6.6 is widely recommended, 7.6.7 is the latest), and 7.4 remains a solid long-term-support choice. FortiOS 8.0 was announced at Accelerate 2026 but is not yet recommended for production. If you are on 7.2.x, plan your upgrade: FortiOS 7.2 reaches end of support in September 2026, and the SSL-VPN-to-IPsec change lands in the 7.6 line.

Important:

Do not jump straight to FortiOS 8.0 in production. Standardize on a stable 7.6 build (7.6.6/7.6.7) or 7.4, and migrate any SSL VPN config to IPsec before you cross into 7.6.3 or later.

FortiGate VPN best practices

  • Enforce MFA: require multi-factor authentication on every VPN user, not just admins.
  • Restrict access: scope firewall policies to the specific subnets and services each group needs, not “all”.
  • Patch on schedule: keep FortiOS and FortiClient current, and track Fortinet PSIRT advisories.
  • Monitor and log: review VPN event logs and tunnel status for anomalies. Our managed firewall service handles this for FortiGate fleets end to end.

Sources

How to Perform a Speed Test with Fortinet

To run a speed test on a FortiGate, use Network > Interfaces, edit the WAN interface, and click Speed Test in the GUI, or run execute speed-test <interface> from the CLI. That built-in test measures the raw internet link speed at the interface. It does not tell you how much traffic the firewall can actually inspect and forward, which is the number that matters when performance feels slow. This guide covers both: how to run the tests correctly, and how to read the results so you know whether the problem is your ISP, your configuration, or a FortiGate that your business has simply outgrown.

FortiGate speed test vs. throughput

A speed test measures the bandwidth of the link on a single interface (for example, your WAN to the internet). Throughput is how much traffic the FortiGate can actually process and forward with your security features running. A 60F can show a 1 Gbps speed test on its WAN and still bottleneck well below that once SSL inspection and IPS are enabled, because throughput, not link speed, is the real ceiling.

Struggling To Choose The Right Fortigate?

Take our quick quiz to get a personalized suggestion for your business.

Start Quiz
Modern abstract graphic representing potential or growth

How do you run a speed test on a FortiGate?

You can test link speed two ways: the GUI speed test on an interface, or the execute speed-test command in the CLI. Both use Fortinet’s speed test servers and require the SD-WAN monitor capability to be licensed and reachable. The GUI is fastest for a one-off check; the CLI gives you repeatable, scriptable results and finer control over TCP streams and latency thresholds.

GUI method

Log in: Open a browser, enter your FortiGate management IP, and sign in with an admin account.

Open interfaces: Go to Network > Interfaces and select the WAN interface you want to test.

Run the test: Edit the interface (pencil icon) and click Speed Test. The FortiGate picks the nearest server and measures upload and download.

Apply results (optional): Click Apply results to write the measured values into the interface’s estimated bandwidth fields, which SD-WAN rules can then use for path selection.

Confirm FortiGuard reachability: Under System > FortiGuard, verify the SD-WAN network monitor license is valid and the device can reach the test servers, or results will fail or read as zero.

CLI method

Optionally tune the test first. latency-threshold caps the acceptable RTT in milliseconds, and multiple-tcp-stream sets how many parallel TCP streams the test opens (more streams usually fill a fast link more completely):

config system speed-test-setting
    set latency-threshold 60
    set multiple-tcp-stream 4
end

Then run the test against an interface. You can let the FortiGate pick a server or name one explicitly, and choose Auto, TCP, or UDP:

execute speed-test <interface>

# Or, equivalently, via netlink with an explicit server and protocol:
diagnose netlink interface speed-test <interface> <server> {Auto | TCP | UDP}

The results print transfer rate and latency in the terminal. The speed test server list expires after 24 hours, and the tool is built on an iPerf3-compatible engine (iPerf 3.6 with SSL support), which matters for the more accurate through-the-firewall test below.

Good to know:

The built-in speed test measures the link on one interface, typically WAN to internet. It does not push traffic through your firewall policies, so it will not reveal an inspection bottleneck. To measure that, run the iPerf3 test through the FortiGate described below.

Why is my FortiGate throughput lower than the datasheet?

Because the datasheet’s headline number is measured under ideal lab conditions that your network never sees. Fortinet’s top “firewall throughput” figure is tested with large 1518-byte UDP packets and no security inspection enabled. The moment you turn on IPS, application control, antivirus, or SSL inspection, and your traffic becomes a realistic mix of small and large packets, the usable number drops, often by a large margin. That is not a fault; it is the difference between marketing-max and real-world throughput.

Fortinet publishes several throughput numbers precisely because they differ so much. Read the right one for how you actually run the box:

Throughput figureWhat is enabledHow close to real life
Firewall (IPv4)Stateful firewall only, 1518-byte UDP, no inspectionBest case; you rarely see it in production
IPSIntrusion prevention on an enterprise traffic mixCloser, if IPS is your only inspection
Threat ProtectionIPS + application control + malware protection, logging onThe most honest “UTM on” number for most SMBs
SSL InspectionDeep inspection of HTTPS trafficOften the lowest figure, and most of your traffic is HTTPS

For sizing, the Threat Protection and SSL Inspection rows are the ones that matter. SSL inspection is the heaviest workload on the box, and since the vast majority of business traffic is HTTPS, the SSL inspection number is frequently the true ceiling for a modern deployment. If you sized your firewall against the firewall-throughput figure, you almost certainly over-estimated its real capacity. See our breakdown of the key differences between FortiGate models for how these numbers scale across the lineup.

How do you test throughput through the firewall with iPerf3?

Put an iPerf3 server on one side of the FortiGate and an iPerf3 client on the other, then push traffic across a real firewall policy so the FortiGate has to inspect it. This is the only test that measures what your users experience, because it forces traffic through your actual rules, IPS profiles, and SSL inspection rather than testing a single interface in isolation.

Place the endpoints on different segments: Run the iPerf3 server on a host in one zone (for example the LAN) and the client in another (for example a DMZ or WAN-side test host), so traffic must traverse a firewall policy.

Start the server: On the server host run iperf3 -s.

Run the client with parallel streams: On the client run iperf3 -c <server_ip> -P 8 -t 30. Multiple streams (-P) fill the pipe more completely than a single flow and better approximate many users at once.

Test twice, security off then on: Run once through a plain policy, then again through a policy with your production IPS, application control, and SSL inspection profiles applied. The gap between the two runs is exactly the cost of your security posture.

Test with the traffic profile you actually run. If 80% of your traffic is HTTPS and you inspect it, benchmark HTTPS through a full SSL inspection policy, not plaintext iPerf3. A clean-traffic number that ignores SSL inspection will flatter the box and mislead your sizing.

What CLI diagnostics show FortiGate performance?

Use the CLI to see whether the FortiGate itself is the bottleneck. Three commands cover most cases: get system performance status for a rolling summary of CPU, memory, and session rates; diagnose sys top to see which processes are burning CPU; and the session table to confirm whether traffic is being hardware-accelerated. If CPU is pinned while throughput is low, you are CPU-bound, not link-bound.

  • get system performance status: CPU and memory usage, session count, and average network throughput over the last minutes.
  • diagnose sys top: live process list; watch for ipsengine (IPS/flow inspection) or wad (proxy/SSL inspection) dominating the CPU.
  • diagnose sys session stat: total and per-second session counts, useful when a session flood, not bandwidth, is the real problem.

Why hardware acceleration changes the picture

FortiGate models with Fortinet’s network processors (the NP7 on current mid-range and high-end units, or the NP6 family on older ones) can offload much of the packet forwarding from the CPU. Offloaded sessions run fast and barely touch the main processor. The catch: proxy-based inspection and some flow features cannot be fully offloaded and must be handled by the CPU. That is why a box can forward tens of gigabits of plain traffic yet fall over under heavy SSL inspection. Check whether a given session is offloaded in the session table (the NPU/offload state is listed per session) before you blame the hardware; often the fix is tuning inspection, not buying a bigger unit.

What mistakes produce misleading speed test results?

Most “my FortiGate is slow” tickets come from test setups that measure the wrong thing. The single interface speed test is fine for checking the ISP link, but it tells you nothing about inspection capacity. Watch for these:

  • Testing only the WAN interface and assuming that number is your usable throughput. It is the link speed, not the firewall’s inspection ceiling.
  • Benchmarking with security off, then running production with SSL inspection and IPS on. You measured a different firewall than the one you deployed.
  • Using a single TCP stream. One flow rarely saturates a fast link; use parallel streams (-P in iPerf3) to approximate real load.
  • Underpowered test endpoints. A laptop with a slow disk or NIC, or a busy VM, caps the result below the firewall’s real capacity.
  • Ignoring where the bottleneck is. If diagnose sys top shows the CPU pinned, the firewall is the limit; if CPU is idle and throughput is still low, look upstream at the ISP or cabling.
Warning:

If your testing or migration plan still leans on SSL VPN, note that Fortinet is removing SSL VPN tunnel mode from FortiOS (7.6 and later, and 8.0) and steering customers to IPsec VPN and ZTNA for application access. Factor IPsec throughput, not SSL VPN, into new sizing. See why FortiGate SSL VPN is going away and how to migrate to IPsec.

When does low throughput mean you have outgrown your FortiGate?

You have outgrown the box when the CPU is consistently high under your real, inspected traffic and tuning no longer helps. If diagnose sys top shows ipsengine or wad saturating the CPU during normal business hours, and your through-the-firewall iPerf3 test with SSL inspection on lands well below your internet plan, the firewall (not the link) is the ceiling. That is a sizing problem, not a configuration one.

2-3x

The threat-protection throughput uplift of the FortiGate G-series (FortiSP5) over the F-series it succeeds (Fortinet product data).

If you are replacing an aging unit, price the current G-series (30G, 50G, 70G, 90G) built on Fortinet’s FortiSP5 security processor. It succeeds the F-series (40F, 60F, 80F) and delivers roughly 2 to 3 times the threat-protection throughput, which is exactly the number that limits an inspected deployment. The F-series is still sold and supported with no end-of-life announced, but any new multi-year purchase should be sized on G-series numbers. A rough successor map: 40F maps to 30G or 50G, 60F to 70G, and 80F to 90G. For a full sizing walkthrough, read our guide on the 5 critical factors when selecting your next FortiGate.

Tip:

Before you replace hardware, confirm you are on a supported, mature FortiOS branch. 7.4 and 7.6 are the current production branches (7.6.6 is widely recommended). FortiOS 7.2 reaches end-of-support in September 2026, so plan upgrades off 7.2. FortiOS 8.0 exists but is a new feature release and is not yet recommended for production.

The FortiGate speed test checks your link; an iPerf3 test through the firewall with your real security profiles checks the box. Size on threat-protection and SSL-inspection throughput, not the firewall-only headline. If the CPU is pinned under inspected traffic and tuning is exhausted, you have outgrown the model, and the G-series is the current answer.

Not sure whether your slow-down is the ISP, your inspection settings, or an undersized firewall? Our team runs this analysis every week. Explore our managed firewall services and Fortinet solutions, and we will size and tune the right FortiGate for your traffic.

Sources

What’s the value of Network & System Diagrams

Its one of those things that the entire department, from CIO to the tech support guy, know is essential. Yet often system diagrams and documentation are either outdated or non-existent. That one day when something in the network goes south, everyone is scrambling for the recent documentation and it becomes the centre of attention.

Proper network documentation is essential for IT operations. This is more true as enterprise architecture grows larger and more complex. But even for SMEs with moderate IT budgets, the IT department can put together a very detailed and flexible document. The documentation should be a reference and guide to help the company in many ways:

  • Train new recruits;
  • Analyse and troubleshoot networks;
  • Better capacity planning;
  • Audit;
  • Report underutilized resources and improve efficiency of the network;
  • Less downtown.

What to include

Here are some of the important aspects to keep in mind while documenting networks and systems:

  1. Keep it simple and clean.
  2. Use standard equipment images to depict each device in the network.
  3. Label each device (Hostname, IP address, Date of Manufacture, etc.).
  4. Clearly mark different network location on the diagram with location addresses and IP scheme.

Value Added

Lets think of it from the clients perspective. When you get in touch with your IT service provider to sort out an issue, all you need is immediate resolution. Your business is slowing down because of a system that is not working and all you care is that it be up and running ASAP.
Onthe IT side, if a network diagram and documentation of all configurations of the clients equipment is available, all you need to know is what the trouble is. With all relevant information available in documentation, you will be able to troubleshoot in much less time and minimise potential losses. Sort that out, call the customer back and things are back to normal. Happy customer, satisfied you

The value this brings to the customer is tremendous in terms of low downtime and hassle-free experience. As the IT side of the business, anytime an audit happens, having all those documents and diagrams will help deal with network compliance issues easily. And as you update and grow the documentation, it will also become a guide in finding unallocated or underused resources and help make efficient technical and business decisions.

Examples of Network and Systems Diagrams that we have prepared for our clients:

Our Final Thoughts

In conclusion, network documentation is an essential aspect of any IT department. It not only helps in troubleshooting network issues but also assists in better capacity planning, audits, and improving network efficiency. By creating a detailed and flexible document, IT professionals can ensure minimal downtime and a hassle-free experience for customers.

Looking to improve your company’s IT operations? Contact BALANCED+ for expert consulting services and start achieving your business goals today.

5 Things you Need to know about IT Disaster Recovery

No one wants to experience an IT disaster – the loss of critical files, network outage, or hardware failure. However, these risks can be mitigated with appropriate preparation through Disaster Recovery planning. As IT is woven into every business, it’s crucial to include an IT portion in any DR plan(Disaster Recovery Plan). In this blog, we’ll discuss five important things you need to know about IT disaster recovery to keep your business running smoothly.

1. The purpose of an IT DR plan

Is to help the company recover as quickly and effectively as possible from an unforeseen IT disaster or emergency. Such an emergency would interrupt information systems and business operations. The plan should ensure that:

  • All employees fully understand their duties in implementing the DR plan. This means that the appropriate portions of the plan should be discussed with employees and tested.
  • Proposed contingency arrangements are cost-effective. This is where planning and preparation can really save you lots of money if you encounter an IT disaster.
  • Disaster recovery capabilities as applicable to key vendors and service providers. Your disaster recovery is only as good as those you rely on to provide equipment, services, etc.

2. Who should write the DR plan?

DR planning for IT requires preliminary study and thorough understanding of the company business model and IT infrastructure. Ideally, the IT DR planning would be done by your own IT department or an IT consultant who has done previous work for you. Having someone who is new to your environment write and test your IT DR plan may drive up your costs, or leave you with a DR plan that is disconnected from reality.

3.  What should the DR plan include?

It is easy to get carried away and write a document of such volume that will never be read by anyone (except the author). Needless to say, the size and content of DR documents for SMEs and large enterprises will differ, as the size and complexity of their IT infrastructure is also very different. Here is a brief list of the content sections that SMEs should include in their DR plan.

  • A policy statement that establishes the business requirements for the IT DR plan. Typically, a business would have a statement on IT DR requirements in its policies.
  • Key personnel and vendors contact information. This information will be priceless if an IT disaster is encountered.
  • A clearly defined DR team that outlines responsibilities for each team member, as well as a calling tree so that each team member know who they are responsible to contact and all team members and staff are notified of the incident.
  • An overview of the IT infrastructure, including a definition of the critical business process supported by IT, list of systems and their functions, network and system diagrams.
  • Backup office locations.
  • For each actual disaster event considered in the IT DR plan,
    • a description of the event;
    • risk-impact analysis, discussing the probability of a particular disaster event versus its potential business impact;
    • restoration requirements this should be determined by upper-level management;
    • and restoration procedures.

It is easy to get carried away in defining and describing all possible IT disaster scenarios; this is why good communication with management is important in order to narrow down the scope of the DR planning to key events with highest business impact or highest probability.

4. What should the IT DR plan NOT include?

The DR plan for IT should not include portions that are covered by the main business disaster recovery plan, which covers all aspects of the business (including insurance, property and personnel management, etc.), not just the IT portion.

5. What parts of the plan should be tested

It really depends on the budget you set aside for DR planning. Ideally, all parts of the plan  from complete loss of the office and emergency relocation, to virus infection, to loss of the phone system. Realistically, SMEs will not have the budget to test their entire DR plan, therefore key events must be pin-pointed and tested. For example, loss of a server, loss of critical files, loss of internet access, call tree simulation.

To Conclude

Disaster Recovery Planning for IT is an essential part of any business today. While it may seem overwhelming at first, proper preparation and planning can make all the difference in the event of an IT disaster. Remember to establish a clear policy statement, define your DR team, and include key contact information, an overview of your IT infrastructure, and restoration procedures in your plan. Regular testing and updating your plan as your business changes is also critical.

At BALANCED+, we can help you develop and implement a DR plan that fits your unique needs and budget, supported by our backup and disaster recovery services. Contact us today to learn more about our IT Disaster Recovery Planning services.

Replacing TMG with FortiGate: A Comprehensive Breakdown of Capabilities

What Microsoft TMG services can a FortiGate replace?

Are you currently using Microsoft’s TMG (Threat Management Gateway) server for your network security needs? If so, you may be wondering what your options are now that TMG has reached end-of-life.

In this blog post from BALANCED+, we’ll explore how FortiGate appliances can be used to replace many of the services that TMG previously provided. From web proxy and terminal services to web access and Sharepoint publishing, the FortiGate offers a range of features to help you maintain your network security and protect your users from online threats. So let’s dive in and learn more about how the FortiGate can help you secure your network!

Replacing TMG with FortiGate: A Comprehensive Breakdown of Capabilities

Web Proxy and Single Sign-On

TMG is often used to proxy client connections to the internet. A FortiGate appliance can do the same thing, and includes the ability to have Single-Sign-On for the clients. An FSSO agent gets installed on a Windows server that provides the Fortigate with authentication information.

Terminal Services and Terminal Server Agent

If you have Terminal Services such as Microsoft or Citrix, the user doesnt have an IP address, so this gets a little more interesting. There is a Terminal Server Agent that assists with identifying the user of the terminal services, and correctly controlling the internet traffic to/from that terminal user.

Web Access and Sharepoint Publishing

TMG was also used for Outlook Web Access and Sharepoint publishing. The FortiGate appliances can indeed provide these services as well. The Fortigate provides the translation of Public IP addresses, and certificate exchanges. The FortiGate then scans for attacks using IPS, scans for viruses, checks pathways, and monitors the protocols to make sure nothing sneaks through. The FortiGate can also block upon failed logins, or other attempted breaches. It can also do some basic load sharing across multiple application servers.

VPN Services and Firewall Capabilities

TMG is sometimes used to provide VPN services, which of course, FortiGates do very well. TMG sometimes is also used as a firewall, which again is handled by the Fortigates.

Application Control

FortiGate appliances have the ability to control the applications that users are trying to access. For example, you can create policies which allow or deny access to web applications such as Facebook. The FortGates have granular controls, so that you could allow your users to view Facebook, but denying the ability to post to Facebook.

Lync Communications

If you also have Lync in use, the FortiGate appliances can have a couple of extra settings enabled to allow the SIP and additional protocols used within Lync for communications. As always, the FortiGate is inspecting for attacks and viruses.

Final Thoughts

If you’re currently using Microsoft’s TMG server for your network security needs and wondering what to do now that it has reached end-of-life, FortiGate appliances can provide an excellent alternative with a wide range of features and capabilities. From web proxy and application control to VPN services and firewall capabilities, FortiGate appliances can do it all.

If you’re interested in learning more or need assistance with FortiGate implementation, BALANCED+ is a partner of Fortinet and can help guide you through the process. Don’t wait until it’s too late – contact BALANCED+ today to start securing your network with FortiGate appliances.