FortiGate VM Sizing Azure

This comprehensive guide covers architectural considerations, performance metrics, and recommended Azure VM sizes for your FortiGate VM deployments.

1. Key Performance Factors in Azure

Accelerated Networking is mandatory for production FortiGate instances. It bypasses the Azure host virtualization data path, reducing latency, jitter, and CPU utilization. Ensure your selected Azure VM size supports this feature to achieve maximum throughput.

Network Interface (NIC) Limits

The FortiGate-VM runs the same FortiOS operating system as physical Fortinet appliances. However, instead of proprietary FortiASIC chips (SPUs) accelerating traffic processing, the cloud virtual appliance relies entirely on vCPUs, system memory, and Azure's underlying hypervisor network stack.

vCPU and RAM Scaling

Accelerated Networking (SR-IOV) bypasses the virtual switch for direct host-to-NIC communication, drastically reducing latency and CPU overhead. It is available on most instances with 2 or more vCPUs.

| License SKU (Example) | Max Licensed Throughput | Recommended Azure VM Size |
|----------------------|------------------------|----------------------------|
| FG-VM01 (PayG/BYOL) | 1 Gbps | D2s v3, D2ds v4, B2s |
| FG-VM02 | 2 Gbps | D4s v3, D4ds v4 |
| FG-VM04 | 4 Gbps | D8s v3, D8ds v4 |
| FG-VM08 | 8 Gbps | D16s v3, D16ds v4 |
| FG-VM16 | 16 Gbps | D32s v3, D32ds v4 |
| FG-VM32 (rare) | 32 Gbps | D64s v3 |

By following these Azure-specific sizing rules, you’ll avoid the two worst outcomes: a sluggish firewall that drops traffic or an oversized VM that burns cloud budget. Test with your actual traffic pattern using FortiGate’s built-in performance diagnostics before finalizing your VM size.

For example, a Standard_F4s_v2 VM offers a maximum of 4,000 Mbps (4 Gbps) of Azure network bandwidth. No matter how efficiently FortiOS processes packets, the VM cannot exceed this cloud-enforced ceiling.

Accelerated Networking (SR-IOV)

```
config log disk setting
    set status enable
    set max-log-file-size 100
    set full-final-warning-threshold 90
end
```

FortiGate VM Sizing in Azure: Architecting for Performance, Scalability, and ROI

Offers significantly higher throughput than VM02, with optimized IPS performance for secure SD-WAN.

Standard_D4s_v5 or Standard_F4s_v2 (4 vCPUs, 8-16 GB RAM, Max 4 NICs).

| Use Case | FortiGate SKU | Azure VM Size | vCPU | RAM |
|----------|--------------|---------------|------|-----|
| Small office (100 users, 300 Mbps) | FG-VM01 | D2s v3 | 2 | 8 GB |
| Branch (500 users, 1.5 Gbps, IPS) | FG-VM02 | D4s v3 | 4 | 16 GB |
| HQ (2000 users, 3 Gbps + SSL) | FG-VM04 | D8s v3 | 8 | 32 GB |
| VPN concentrator (1000 tunnels) | FG-VM08 | D16s v3 | 16 | 64 GB |
| Heavy SSL + logging (5 Gbps) | FG-VM08 | E8s v3 | 8 | 64 GB |

Often bundled with specific instance sizes in the Azure Marketplace.

2. Selecting the Right Azure VM Family

This guide examines the key considerations, VM series options, performance expectations, and cost trade-offs when deploying FortiGate’s Next-Generation Firewall (NGFW) as a virtual machine in Azure.

Ideal for high-throughput firewalling and IPsec VPNs. The Fsv2-series is frequently recommended for its high CPU-to-NIC ratio, which is crucial for complex HA (High Availability) setups requiring multiple interfaces.

Note: Sizing metrics are estimates based on standard enterprise traffic mixes. Actual performance varies based on average packet size (IMIX), session duration, and specific security profiles enabled.

4. Architectural Sizing Considerations

Your licensing choice directly impacts how you scale your VM in the future.

Ideal for testing, small remote offices, or low-throughput spoke VNets.

Standard_F2s_v2 or Standard_D2s_v5

NIC Count: 2