To get the performance you sized for, you must enable specific features:
If you are planning a deployment, follow this rough estimation guide:

| Estimated Traffic Throughput | Recommended VM Tier (Approx) | vCPU / RAM | Notes |
| :--- | :--- | :--- | :--- |
| < 500 Mbps | Standard D2s_v5 | 2 vCPU / 8GB | Good for VPN hub or small spoke. |
| 1 - 2 Gbps | Standard D4s_v5 | 4 vCPU / 16GB | Common mid-size hub. Enable Accelerated Networking. |
| 3 - 5 Gbps | Standard D8s_v5 | 8 vCPU / 32GB | Ideal for heavy inspection/UTM. |
| > 5 Gbps | Standard D16s_v5 or Fxs_v4 | 16+ vCPU | Check Azure bandwidth caps carefully here. |

My Advice: Start with a D-series v5 instance. They offer the best balance of CPU performance, network bandwidth credits, and cost. Deploy active-passive (AP) clustering via Azure Load Balancer for HA, and leverage the "Usage" graphs in the Azure Portal to verify if your CPU or Network Out metrics are hitting the ceiling.
This is a comprehensive guide and "paper-style" breakdown regarding FortiGate VM Sizing on Microsoft Azure. This document covers the selection methodology, specific SKU mappings, licensing implications, and architectural best practices.
Based on the factors mentioned earlier, here are some general guidelines for sizing a FortiGate VM in Azure:
For environments above 2 Gbps, consider FortiGate-VM with vSRX or native Azure Firewall Premium for cost comparison – FGT-VM often wins on features but not always on raw Azure throughput.
Note: Always refer to the latest Fortinet Azure Sizing Guide (FortiOS 7.4+) and Microsoft’s VM documentation, as both companies update performance data quarterly.
Version: 2024 Standards
Scope: Infrastructure Architects, Security Engineers, Cloud Administrators
When sizing a FortiGate VM in Azure, consider the following factors:
Sizing a FortiGate VM in Azure for Deep Inspection (SSL/TLS decryption) is CPU-intensive and requires careful alignment between Azure instance capabilities and Fortinet licensing. For reliable performance with deep inspection enabled, a minimum of 4 GB RAM is recommended.
Core Sizing Considerations
CPU Impact: Deep packet inspection (DPI) and SSL/TLS inspection significantly increase CPU load. For example, one user's browsing and file downloading can consume up to 12% of a single CPU core when deep inspection is active.
NIC Limitations: Azure limits the number of Network Interfaces (NICs) based on the VM size.
- D2/D2v2: Supports only 2 NICs.
- D4/D4v2: Supports up to 8 NICs.
Accelerated Networking: For high-throughput requirements, ensure the chosen VM size supports Accelerated Networking (SR-IOV) to reduce CPU overhead for networking tasks.
Recommended Azure Instance Types
FortiGate supports various instance families, primarily leveraging Compute Optimized (F-series) or General Purpose (D-series).

| Feature Need | Recommended Azure Series | Notes |
| :--- | :--- | :--- |
| Standard DPI | D-Series (e.g., D2s_v3, D4s_v3) | Good balance of compute and memory for general UTM tasks. |
| High Performance DPI | F-Series (e.g., F4s, F8s) | Higher CPU-to-memory ratio, ideal for compute-heavy SSL inspection. |
| Scalability | VMSS (Scale Sets) | Allows auto-scaling FortiGate instances based on traffic demand. |

SSL/TLS Offload: Azure VMs do not have dedicated
Licensing vs. VM Size
It is critical to match your Fortinet license with the Azure VM's vCPU count:
FortiGate VM sizing for MS Azure - explicit proxy, full UTM, SSL deep inspection, ICAP
This guide covers the critical factors (throughput, instance types, disk configuration, and scaling options) to ensure you select the right SKU and VM size for your deployment.
1. Define required throughput (clean traffic) → ______ Gbps
2. Multiply by 1.5x (future growth) → ______ Gbps
3. Add inspection factor:
- No inspection: x1.0
- Basic firewall + NAT: x1.2
- +IPS: x1.5
- +SSL inspection: x2.0
→ Effective required Gbps = ______
4. Match to Azure VM size from table in section 3
5. Check license SKU supports that throughput
6. Add 20% vCPU/RAM overhead if using:
- SSL deep inspection
- 50+ IPsec tunnels
- Explicit web proxy
7. Final VM size = ______
Example:
Need 2 Gbps clean + SSL inspection = 4 Gbps effective → D8s v3 + FG-VM04 license.