Choosing the right FortiGate firewall is crucial for maintaining a secure and efficient network. An undersized unit can become a bottleneck, leading to slow performance and a frustrating user experience. Conversely, an oversized unit means you’ve overspent on hardware you don’t fully utilize. At BALANCED+, we believe in finding that perfect equilibrium. This guide will walk you through the essential considerations for properly sizing your FortiGate to ensure optimal performance and robust security.

Why Proper Sizing Matters

Before diving into the “how,” let’s understand the “why.” A correctly sized FortiGate ensures:

  • Optimal Security: The device can handle the processing demands of all necessary security services (like Intrusion Prevention, Antivirus, Application Control, and SSL Inspection) without bogging down.
  • Peak Performance: Your network users experience fast and reliable connectivity, without the firewall becoming a chokepoint.
  • Cost-Effectiveness: You invest in a solution that meets your current and near-future needs without overspending on unnecessary capacity.
  • Future Scalability: A well-sized unit, with some room for growth, allows for easier adaptation as your business and network demands evolve.

Key Factors to Consider When Sizing Your FortiGate

Sizing a FortiGate isn’t just about matching your internet speed. It’s a multifaceted process. Here are the critical metrics and features to evaluate:

1. Throughput – More Than Just a Single Number:

FortiGate datasheets list various throughput figures. It’s vital to understand what each represents:

  • Firewall Throughput (UDP/TCP): This is the raw packet processing capability of the firewall, typically measured with User Datagram Protocol (UDP) traffic, which has less overhead than Transmission Control Protocol (TCP). While a useful baseline, it doesn’t reflect real-world performance with security services enabled.
  • Next-Generation Firewall (NGFW) Throughput: This metric reflects performance with key security services like Intrusion Prevention System (IPS) and Application Control enabled. This is often a more realistic number to consider for typical deployments.
  • Threat Protection Throughput: This is arguably the most critical throughput number for most businesses. It indicates the performance when multiple advanced security services (like IPS, Antivirus, Application Control, and often sandboxing) are active simultaneously. This is the figure you should most closely align with your actual internet bandwidth and internal traffic inspection needs.
  • SSL/TLS Inspection Throughput: If you plan to decrypt and inspect encrypted traffic (which is increasingly important for security), this figure is paramount. SSL/TLS inspection is resource-intensive, and the dedicated throughput for it will be significantly lower than other throughput metrics.
  • IPsec VPN Throughput: If you rely heavily on site-to-site or remote access VPNs, ensure the FortiGate model can handle your encrypted VPN traffic demands.

BALANCED+ Tip: Always focus on the “Threat Protection Throughput” and “SSL/TLS Inspection Throughput” (if applicable) as your primary guides, rather than just the basic firewall throughput.

2. Concurrent Sessions:

This refers to the total number of active connections passing through the firewall at any given moment. Every time a user accesses a website, sends an email, or uses a network application, one or more sessions are created.

  • Consider: The number of users, the types of applications they use (some applications, like peer-to-peer, open many sessions), and the number of IoT or always-on devices on your network.
  • BALANCED+ Tip: It’s wise to choose a model with a concurrent session capacity that comfortably exceeds your current peak usage to accommodate growth and unexpected spikes.

3. New Sessions Per Second (CPS):

This metric indicates how quickly the FortiGate can establish new connections. A low CPS rate can lead to delays in opening new web pages or starting new applications, especially in environments with many users or services initiating connections frequently.

  • Consider: High-traffic environments, web servers, or applications that rapidly open and close connections.
  • BALANCED+ Tip: Don’t underestimate this metric, especially if you have a dynamic environment with many users initiating new tasks simultaneously.

4. Interface Requirements:

Consider the number and types of network interfaces you need:

  • Ports: How many LAN, WAN, DMZ, and other segments do you need to connect?
  • Speed: Do you require 1 Gbps, 10 Gbps, or even faster ports?
  • Type: Do you need copper (RJ45) or fiber (SFP/SFP+) interfaces?
  • Power over Ethernet (PoE): Will you be powering devices like access points or IP phones directly from the firewall?

5. VPN Requirements:

If you use Virtual Private Networks (VPNs):

  • Site-to-Site Tunnels: How many persistent VPN connections to other offices or cloud environments do you need?
  • Remote Access Users: How many concurrent remote users will connect via SSL VPN or IPsec VPN?
  • BALANCED+ Tip: Ensure the chosen model has sufficient VPN throughput and tunnel capacity for your needs.

6. Other Feature Impacts:

Certain features can significantly impact resource utilization:

  • SD-WAN: If you plan to leverage FortiGate’s robust SD-WAN capabilities, factor in the overhead for link monitoring and traffic steering.
  • Logging and Reporting: Extensive logging requires storage and processing power. If you’re sending logs to a FortiAnalyzer or SIEM, this is less of a burden on the FortiGate itself.
  • High Availability (HA): If you require a redundant setup, you’ll typically need two identical FortiGate units.

7. Future Growth:

Always plan for the future. Consider:

  • User Growth: Will your number of employees or network users increase?
  • Bandwidth Increases: Do you anticipate upgrading your internet connection?
  • New Applications/Services: Will you be deploying new technologies that increase network load?

BALANCED+ Recommendation: Aim to size your FortiGate to handle your current needs plus 20-30% capacity for future growth over the next 3-5 years.
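The sizing method above (take the measured peak, add 20-30% headroom, then compare against threat protection, SSL inspection, concurrent session and CPS figures rather than raw firewall throughput), turned into a repeatable worksheet. This is an added example, not code from BALANCED+ or Fortinet. The five-minute samples and the three candidate models with their figures are constructed placeholders, not real FortiGate datasheet values; replace them with your own assessment data and the datasheet numbers of the models you are evaluating. The report also runs the same comparison on average instead of peak values, which is the "sizing only for average use" pitfall named later on this page.

```python
"""
Firewall sizing worksheet: derive requirements from measured samples and
find the smallest candidate model that meets every metric.

Added example, not BALANCED+ or Fortinet code. All measurements and model
figures below are constructed placeholders.
"""
from dataclasses import dataclass, fields
from math import ceil
from statistics import mean

# Constructed five-minute peak-hour samples from a hypothetical assessment:
# total internet Mbps, Mbps of TLS traffic in scope for decryption,
# concurrent sessions, new connections per second. Not real measurements.
SAMPLES = [
    (120,  80, 15_000,  350),
    (210, 150, 22_000,  600),
    (480, 360, 41_000, 1400),
    (300, 220, 30_000,  900),
    (150, 100, 18_000,  420),
    ( 90,  60, 12_000,  280),
]

HEADROOM_PCT = 30  # upper end of the guide's 20-30% growth allowance


@dataclass(frozen=True)
class Capacity:
    """Per-metric figures; used for both requirements and datasheet values."""
    threat_mbps: float   # threat protection throughput
    ssl_mbps: float      # SSL/TLS inspection throughput
    sessions: int        # concurrent sessions
    cps: int             # new sessions per second


@dataclass(frozen=True)
class Model:
    name: str
    firewall_mbps: float  # raw firewall throughput; deliberately not used for fit
    cap: Capacity


# Placeholder candidates in ascending price order. Figures are invented to
# illustrate the method and are NOT real FortiGate datasheet numbers.
CANDIDATES = [
    Model("small (placeholder)",   5_000, Capacity( 500, 250,   500_000, 20_000)),
    Model("medium (placeholder)", 10_000, Capacity( 800, 400, 1_000_000, 35_000)),
    Model("large (placeholder)",  20_000, Capacity(1500, 700, 1_500_000, 50_000)),
]


def derive_requirements(samples, headroom_pct=HEADROOM_PCT, use_peak=True) -> Capacity:
    """Turn measurements into required capacity with growth headroom.

    Sizes on the measured peak by default (the guide's "plan for peak loads");
    use_peak=False reproduces the pitfall of sizing on the average.
    """
    columns = list(zip(*samples))
    total_mbps, tls_mbps, sessions, cps = [max(c) if use_peak else mean(c) for c in columns]

    def grow(x):
        return x * (100 + headroom_pct) / 100

    return Capacity(
        threat_mbps=grow(total_mbps),   # every packet passes the full security stack
        ssl_mbps=grow(tls_mbps),        # only the TLS share is decrypted
        sessions=ceil(grow(sessions)),
        cps=ceil(grow(cps)),
    )


def binding_constraints(model: Model, req: Capacity) -> list:
    """Names of the metrics on which the model falls short of the requirement."""
    return [f.name for f in fields(Capacity)
            if getattr(model.cap, f.name) < getattr(req, f.name)]


def select_model(candidates, req: Capacity):
    """Cheapest candidate that meets every metric, or None if none does."""
    for model in candidates:
        if not binding_constraints(model, req):
            return model
    return None


def sizing_report(samples=SAMPLES, candidates=CANDIDATES) -> dict:
    """Compare peak-based with average-based sizing to expose the pitfall."""
    peak_req = derive_requirements(samples, use_peak=True)
    avg_req = derive_requirements(samples, use_peak=False)
    peak_choice = select_model(candidates, peak_req)
    avg_choice = select_model(candidates, avg_req)
    return {
        "peak_requirement": peak_req,
        "peak_choice": peak_choice.name if peak_choice else None,
        "average_choice": avg_choice.name if avg_choice else None,
        # what the average-sized unit runs out of at the measured peak
        "average_choice_short_on": binding_constraints(avg_choice, peak_req) if avg_choice else [],
    }


if __name__ == "__main__":
    for key, value in sizing_report().items():
        print(f"{key}: {value}")
```

With the constructed data, sizing on the peak selects the large placeholder; the small placeholder has ten times the firewall throughput needed yet falls short on threat protection and SSL inspection, which is exactly why those two figures, not the headline firewall number, should drive the choice. Sizing on the average picks that small unit, and the report lists the metrics it would exhaust during the busy period.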

Common Sizing Pitfalls to Avoid

  • Focusing Solely on Firewall Throughput: Ignoring NGFW, Threat Protection, and SSL Inspection throughput.
  • Underestimating Concurrent Sessions: Leading to dropped connections and poor user experience.
  • Forgetting SSL Inspection Impact: This is a major performance hit if not accounted for.
  • Not Planning for Peak Loads: Sizing only for average use can cause issues during busy periods.
  • Ignoring Future Growth: Leading to a premature and costly upgrade.
  • Not Understanding Your Traffic: Perform a network assessment to understand your actual usage patterns before making a decision.

Optimizing Performance Beyond Sizing

Once you have your FortiGate, remember that configuration plays a vital role in performance:

  • Firmware Updates: Keep your FortiOS firmware up-to-date for the latest performance improvements and security patches.
  • Policy Optimization: Streamline firewall policies and remove unused or redundant rules.
  • Selective SSL Inspection: Only inspect traffic that needs it. Create exemptions for trusted, high-volume traffic where appropriate.
  • Resource Monitoring: Regularly monitor CPU, memory, and session load to identify potential bottlenecks.
  • Hardware Session Offloading: Ensure features like hardware acceleration are enabled where appropriate.

Get a Free Expert Sizing Assessment

Properly sizing a FortiGate firewall is a critical step in building a secure and high-performing network. It requires a careful analysis of your current environment, security needs, and future growth plans.

Ready to find the perfect FortiGate for your organization? Let the experts at BALANCED+ help! We offer a free, no-obligation sizing assessment. Fill out our form, and one of our certified engineers will help you determine the ideal FortiGate model to meet your specific requirements.
