FortiGate VM sizing for MS Azure - explicit proxy, full UTM, ssl deep inspeciton, ICAP
| Use Case | Recommended VM Size (BYOL) | License | Expected Throughput | |----------|----------------------------|---------|----------------------| | Small branch / Dev test | D2sv5 (2 vCPU, 8 GB) | PAYG | 300–500 Mbps | | Medium enterprise hub | D4sv5 (4 vCPU, 16 GB) | BYOL | 1–1.5 Gbps | | IPS + SSL inspection (1 Gbps) | E8sv5 (8 vCPU, 64 GB) | BYOL | 800 Mbps – 1.2 Gbps | | VPN concentrator (500 users) | F8sv2 (8 vCPU, 16 GB) | BYOL | 1.5 Gbps IPSec | | Large perimeter (>2 Gbps) | E16sv5 (16 vCPU, 128 GB) | BYOL | 4–6 Gbps |
For massive cloud data centers, carrier-grade environments, or intensive deep-packet inspection requirements.
Moderate CPU overhead. Packets are reassembled to match signatures. fortigate vm sizing azure
FortiGate VM is a virtualized version of the FortiGate network security appliance, which provides a comprehensive range of security features, including firewall, intrusion prevention, antivirus, and more. The VM can be deployed on various platforms, including Azure, to provide security and protection for cloud-based infrastructure.
Some deployments may require more than the default two network interfaces (external and internal) created by the Azure Marketplace template.
Active/Passive HA deployments, medium-scale IPsec VPN aggregation, and Next-Generation Security (IPS, App Control) for standard web applications. Large Enterprise / Datacenter Hubs (8 vCPUs) FortiGate VM sizing for MS Azure - explicit
Maximum processing power per vCPU core, yielding the highest NGFW throughput metrics. The High-Memory Choice: Ev4 / Esv4 Series
FortiGate VMs are licensed based on the number of . FortiGate License vCPU Count Ideal Use Case Recommended Azure Series FG-VM01 Small Office, Test/Dev, Low Traffic Dsv5, Fsv2 (1-2 vCPU) FG-VM02 Medium Office, Branch Office, Standard IPS Dsv5, Fsv2 (2-4 vCPU) FG-VM04 Large Branch, Small Data Center, Active Inspection Dsv5, Fsv2 (4-8 vCPU) FG-VM08 Large Data Center, High Throughput Dsv5, Esv5 (8+ vCPU) FG-VM16+ Enterprise Edge, Data Center Hub Dsv5, Esv5 (16+ vCPU) 2.1 Recommended Azure Virtual Machine Series
Standard enterprise edge firewalls, hub-and-spoke routing, and moderate IPS traffic. FortiGate VM is a virtualized version of the
FortiGate VM Sizing in Azure: A Comprehensive Guide for 2026
The BYOL license model uses SKUs based strictly on the number of vCPUs: FG-VM01 , FG-VM02 , FG-VM04 , FG-VM08 , FG-VM16 , FG-VM32 , and FG-VMUL (for unlimited cores). Crucially, the licensed number of vCPUs does not restrict the size of the Azure VM you can choose. You can deploy a license on a larger VM, but only the licensed vCPUs will handle traffic; the rest remain unused. For instances with , you must use the FG-VMUL license.
1. Define required throughput (clean traffic) → ______ Gbps 2. Multiply by 1.5x (future growth) → ______ Gbps 3. Add inspection factor: - No inspection: x1.0 - Basic firewall + NAT: x1.2 - +IPS: x1.5 - +SSL inspection: x2.0 → Effective required Gbps = ______ 4. Match to Azure VM size from table in section 3 5. Check license SKU supports that throughput 6. Add 20% vCPU/RAM overhead if using: - SSL deep inspection - 50+ IPsec tunnels - Explicit web proxy 7. Final VM size = ______
is strongly recommended for production environments, especially when enabling Unified Threat Management (UTM) or Proxy features. Smaller sizes (e.g., 1 vCPU / 1 GB RAM) are generally restricted to lab or testing environments and may require deployment via VHD rather than the Azure Marketplace. Accelerated Networking