FortiGate VM Sizing Azure

Enabling this feature dramatically increases maximum PPS (Packets Per Second) and overall throughput.

Network Interface (NIC) Limits

FortiGate VM Sizing in Azure: Complete Architectural Guide

Deploying a Fortinet FortiGate VM in Microsoft Azure requires a balance between security inspection, performance, and cost. Unlike hardware appliances with dedicated Application-Specific Integrated Circuits (ASICs), virtual firewalls rely entirely on cloud-allocated CPU and RAM. Sizing your FortiGate VM incorrectly can lead to high latency, dropped packets, or unnecessary infrastructure spend.

Your sizing decision must sync with your licensing model to avoid "dead" resources.

Pay-As-You-Go (PAYG):

Sizing a FortiGate VM in Azure requires balancing Azure's virtual machine performance with Fortinet's licensing tiers. Because Azure throttles network throughput based on the instance size, choosing a VM with enough vCPUs and RAM is critical for security performance.

1. Minimum Requirements

At least 4 GB of RAM is recommended for stable operation, especially if you enable features like Unified Threat Management (UTM), Zero Trust Network Access (ZTNA), or Proxy.

Most deployments start with 32 GB of disk space, expandable up to 2 TB for logging and reporting.

2. Selecting the Right Azure Instance Series

For detailed configuration steps, refer to the FortiOS Azure Administration Guide.

Run `get system performance status` to verify if traffic is distributing evenly across all assigned vCPUs.

Fortinet licensing is strictly tied to vCPU count. This creates a "Tax" on oversizing.

FortiGate VM throughput is due to Azure’s virtual networking overhead and encryption costs. Below is a conservative guide for full inspection (firewall + IPS + SSL inspection):

This guide examines the key considerations, VM series options, performance expectations, and cost trade-offs when deploying FortiGate’s Next-Generation Firewall (NGFW) as a virtual machine in Azure.

When selecting your size in the Azure Marketplace, keep these three technical limits in mind:

| Use Case | Recommended VM Size (BYOL) | License | Expected Throughput |
|----------|----------------------------|---------|----------------------|
| Small branch / Dev test | D2sv5 (2 vCPU, 8 GB) | PAYG | 300–500 Mbps |
| Medium enterprise hub | D4sv5 (4 vCPU, 16 GB) | BYOL | 1–1.5 Gbps |
| IPS + SSL inspection (1 Gbps) | E8sv5 (8 vCPU, 64 GB) | BYOL | 800 Mbps – 1.2 Gbps |
| VPN concentrator (500 users) | F8sv2 (8 vCPU, 16 GB) | BYOL | 1.5 Gbps IPSec |
| Large perimeter (>2 Gbps) | E16sv5 (16 vCPU, 128 GB) | BYOL | 4–6 Gbps |

A common pitfall is sizing a VM based purely on "Firewall Throughput." Enabling advanced security features introduces significant CPU overhead.

| Azure Series | Characteristics | Best For |
|--------------|----------------|-----------|
| (General purpose) | Balanced compute & memory, good for most inspection workloads | Mixed firewall + IPS + SSL inspection (500 Mbps – 2 Gbps) |
| Ev5 / Esv5 (Memory optimized) | Higher memory-to-vCPU ratio | Large NAT tables, millions of sessions, VPN termination |
| Fsv2 (Compute optimized) | High clock speed (3.4+ GHz) | Low-latency, high-packet-rate environments (e.g., gaming, trading) |
| Dasv5 (AMD EPYC) | Cheaper per core, good sustained performance | Cost-sensitive production deployments |

Utilizing vSPU (virtual Security Processing Unit) technology allows FortiGate-VM to offload packet processing, overcoming the typical throughput bottlenecks of virtual firewalls.

Licensing and Scaling Considerations