FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
wcruvinel
Staff
Article Id 399796
Description

This article describes how to correctly deploy FortiGates by assigning them to their appropriate roles, ensuring sizing accuracy, and avoiding performance issues caused by misplacement or misuse.

Incorrect role assignment or improper sizing may lead to performance bottlenecks, unnecessary latency, or a lack of critical capabilities and mandatory resources.

Scope

FortiGate, DCFW, NGFW, ISFW, DEFW.
Solution

Match the Firewall to Its Intended Role:

Each FortiGate model is designed for specific deployment roles. Aligning the model and its functions with the intended role is both beneficial and effective.

 

[Image: role_forti.jpg]

 

Fortinet provides performance metrics and capabilities for comparison purposes, helping to support the sizing process.
For reference, check the links below:
Product Comparison Tool
Product Matrix (PDF)

 

Product Matrix performance results are obtained through a controlled scenario, reflecting a device’s maximum capabilities under ideal conditions. Firewalls in real-world production environments handle multiple simultaneous tasks and are exposed to unpredictable workloads and conditions. As a result, actual performance may vary from any benchmark figures.

For a strategic firewall selection, the Fortinet Product Matrix should be compared with the current and future operational requirements of the project/environment.


Resources, including CPU, RAM, concurrent sessions, and the throughput for SSL inspection, firewalling, IPsec VPN, IPS, NGFW, and threat protection, must be carefully considered.

Deploying each FortiGate in its designated role will prevent performance issues and unforeseen events.

For FortiGates that will operate in mission-critical or complex scenarios, it is recommended to consider an extra step and run a Proof of Concept (PoC).

 

About Proof of Concept (PoC):

As previously mentioned, conducting a PoC in advance is highly recommended for mission-critical and complex scenarios.
It allows the simulation of the project's key requirements and evaluates whether the selected model meets expectations, ensuring it can handle the demands smoothly before making a final decision or moving into production.

A PoC is highly recommended in scenarios such as:

  • High or unpredictable traffic (e.g., East-West, data centers)
  • Intensive use of advanced features (SSL inspection, IPS, SD-WAN)
  • Critical environments requiring high availability
  • Complex integrations with legacy or third-party systems
  • Vendor migrations or multi-vendor networks

Contact a Fortinet sales expert to discuss the business needs and product requirements.

Fortinet Sales Contact

Fortinet Partner Contact

 

How to Plan a Firewall Hardware Upgrade Based on Capacity Analysis:

Upgrading firewall hardware requires proactive capacity analysis.
When usage of any resource, such as CPU, RAM, concurrent sessions, or the throughput of SSL inspection, firewall, IPsec VPN, IPS, NGFW, and threat protection, reaches or exceeds 65%, optimization or hardware upgrade planning should be urgently considered.


Any system parameter operating above 65% is at high risk of performance degradation or service disruption due to the lack of headroom to handle unexpected or unpredictable loads (spikes), something very common in security infrastructure.


With proactive capacity analysis and tools such as FortiView (built into FortiOS on the FortiGate) and FortiAnalyzer, it is possible to capture current resource usage and use it to predict the need for an upgrade in the short, medium, or long term.

 

For reference, check the articles below to take a more proactive approach to capacity analysis.
The same method can be applied to monitor the health and resource limits of any critical system component:

Technical Tip: Automate FortiGate Performance Monitoring: Using Webhooks to Track CPU and Memory Sta...

Technical Tip: How to get a periodically email alert for the CPU and MEMORY usages.

Technical Tip: Performance statistics logs

FortiView monitors

Technical Tip: FortiGate maximum values table

 

Once the resource monitoring gap is addressed, a common capacity-management approach is to forecast future resource usage and organic growth over time from current measurements (such as RAM usage, CPU load, number of connected VPN users, and traffic) by applying the compound growth formula:

  • Future Usage = Current Usage × (1 + Growth Rate)^Time

 

For example, if RAM usage is currently at 55% and resource consumption has historically increased by 15% per year, after two years it would reach approximately 72.8%.

  • Future RAM usage = 55 × (1 + 0.15)^2 ≈ 72.8%.

 

The estimate suggests that within two years, RAM utilization (or that of any critical resource) may approach or exceed critical thresholds (typically above 65%), justifying proactive hardware evaluation or optimization.

This forecasting method helps administrators avoid unexpected performance degradation by aligning FortiGate capacity with future demand.
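
The forecast above, applied to several resources at once, as an added example (not part of the original article or any Fortinet tooling). It goes beyond the article by also inverting the formula to estimate when each resource reaches the 65% threshold. Resource names and all sample values except the RAM case are constructed for illustration.

```python
import math

THRESHOLD = 65.0  # percent; the planning threshold stated in the article


def future_usage(current, growth_rate, years):
    """Compound growth: Current Usage x (1 + Growth Rate)^Time."""
    return current * (1 + growth_rate) ** years


def years_to_threshold(current, growth_rate, threshold=THRESHOLD):
    """Invert the formula to get the years until usage reaches the threshold.

    Returns 0.0 if usage is already at or above the threshold and
    math.inf if there is no growth (the threshold is never reached).
    """
    if current >= threshold:
        return 0.0
    if current <= 0 or growth_rate <= 0:
        return math.inf
    return math.log(threshold / current) / math.log(1 + growth_rate)


def plan(measurements, horizon_years=2):
    """Classify each resource for a planning horizon.

    measurements maps a name to (current_percent, yearly_growth_rate).
    Returns {name: (projected_percent, years_to_threshold, status)}.
    """
    report = {}
    for name, (current, rate) in measurements.items():
        projected = round(future_usage(current, rate, horizon_years), 1)
        eta = years_to_threshold(current, rate)
        if eta == 0.0:
            status = "over threshold now"
        elif eta <= horizon_years:
            status = "crosses within horizon"
        else:
            status = "ok"
        report[name] = (projected, eta, status)
    return report


# Constructed sample values, not measurements from a real device.
SAMPLE = {
    "ram": (55.0, 0.15),               # the article's worked RAM case
    "cpu": (40.0, 0.10),
    "sessions": (68.0, 0.05),
    "ipsec_throughput": (30.0, 0.0),   # flat usage: never reaches 65%
}
```

In practice, the current values and growth rates would come from historical data such as FortiAnalyzer reports or the performance statistics logs referenced above.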

 

For effective planning and model selection, it is recommended to engage with Fortinet or authorized partners, who can assist in evaluating technical requirements and supporting the implementation process.

 
