FortiGate VM Sizing in Azure

The official is your primary source for these throughput numbers, which vary by the number of vCPUs assigned.

Monitor memory metrics. If RAM utilization consistently breaches 70%, plan an upgrade to an instance with a higher memory-to-core ratio (e.g., switching from an F-series to a D-series).

If you are terminating many IPsec tunnels, CPU core count becomes the primary bottleneck for encryption/decryption.

In an Active-Passive High Availability (HA) architecture, the passive node does not process transit traffic but requires an identical Azure VM size to ensure a seamless failover during disruptions.

Rather than deploying a massive 32-core FortiGate VM to handle all cloud traffic, scale horizontally. Use a utilizing Azure Virtual WAN or a centralized transit VNet. If throughput demands grow, scale out by adding more FortiGate instances behind an Azure Load Balancer rather than scaling up to increasingly expensive VM sizes.

| FortiGate Model | vCPU Range | RAM | Azure Instance Family | Typical Use Case |
|----------------|------------|-----|----------------------|-------------------|
| FG-VM01 | 1-2 | 1-2 GB | B-series, D2s_v3 | Dev/Test, Site-to-site VPN only |
| FG-VM02 | 2-4 | 4-8 GB | D4s_v3, D4as_v4 | Small production, branch hub |
| FG-VM04 | 4-8 | 8-16 GB | D8s_v3, E8s_v3 | Medium enterprise, SSL inspection |
| FG-VM08 | 8-16 | 16-32 GB | D16s_v3, E16s_v3 | Large enterprise, data center exit |
| FG-VM16 | 16-32 | 32-64 GB | D32s_v3, E32s_v3 | High-performance, service provider |
| FG-VM32 | 32-64 | 64-128 GB | D64s_v3, M64 | Very high throughput (10+ Gbps) |

Buffers traffic completely to perform deep analysis (e.g., URL modification, detailed ICAP sandboxing). This is highly memory and CPU intensive.

FortiGate-VM uses Virtual Security Processing Units (vSPUs) to offload packet processing from the kernel, which can triple firewall throughput for UDP traffic.

1 Gbps+ throughput, full Threat Protection, SSL Inspection, VPN. Solution: FG-VM04 + Standard_D4s_v5.

This is the silent killer. Enabling full SSL inspection drops throughput by .

Accelerated Networking is a non-negotiable requirement for production FortiGate deployments. It utilizes Single Root I/O Virtualization (SR-IOV) to bypass the Azure virtual switch, connecting the VM directly to the physical network interface card (NIC).
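The audit below is an added example, not code from the original page or from Fortinet. It checks three points made above (Accelerated Networking on every FortiGate NIC, identical VM sizes for the HA pair, memory consistently above 70%) against constructed inventory data shaped like `az vm list` and `az network nic list` JSON output; the VM names, resource IDs, memory samples and the 80%-of-samples reading of "consistently" are assumptions.

```python
# Constructed inventory, trimmed to the fields used. Names and IDs are made up.
BASE = "/subscriptions/0000/resourceGroups/rg-example/providers/Microsoft.Compute"
VMS = [
    {"name": "fgt-a", "hardwareProfile": {"vmSize": "Standard_D8s_v3"}},
    {"name": "fgt-b", "hardwareProfile": {"vmSize": "Standard_D4s_v3"}},
]
NICS = [
    {"name": "fgt-a-port1", "enableAcceleratedNetworking": True,
     "virtualMachine": {"id": BASE + "/virtualMachines/fgt-a"}},
    {"name": "fgt-b-port1", "enableAcceleratedNetworking": True,
     "virtualMachine": {"id": BASE + "/virtualMachines/fgt-b"}},
    {"name": "fgt-b-port2", "enableAcceleratedNetworking": False,
     "virtualMachine": {"id": BASE + "/virtualMachines/fgt-b"}},
    {"name": "orphan-nic", "enableAcceleratedNetworking": False,
     "virtualMachine": None},  # unattached NICs are out of scope
]
# Constructed memory-utilization samples (percent) from your own monitoring.
MEM_PCT = {"fgt-a": [62, 71, 74, 78, 73, 76], "fgt-b": [40, 45, 72, 50, 48, 44]}

def nics_without_accel(nics, vm_names):
    """Names of NICs attached to vm_names with Accelerated Networking off."""
    bad = []
    for nic in nics:
        owner = ((nic.get("virtualMachine") or {}).get("id") or "").rsplit("/", 1)[-1]
        if owner in vm_names and not nic.get("enableAcceleratedNetworking", False):
            bad.append(nic["name"])
    return sorted(bad)

def ha_size_mismatch(vms, pair):
    """Sizes per node if the HA pair is not identically sized, else None."""
    sizes = {v["name"]: v["hardwareProfile"]["vmSize"] for v in vms if v["name"] in pair}
    return sizes if len(set(sizes.values())) > 1 else None

def sustained_memory_pressure(samples, threshold=70.0, min_fraction=0.8):
    """True when at least min_fraction of samples exceed threshold (assumed rule)."""
    if not samples:
        return False
    return sum(s > threshold for s in samples) / len(samples) >= min_fraction

def audit(pair=("fgt-a", "fgt-b")):
    findings = [f"{n}: Accelerated Networking disabled"
                for n in nics_without_accel(NICS, set(pair))]
    sizes = ha_size_mismatch(VMS, pair)
    if sizes:
        findings.append(f"HA pair sizes differ: {sizes}")
    findings += [f"{vm}: memory above 70% in most samples"
                 for vm in pair if sustained_memory_pressure(MEM_PCT.get(vm, []))]
    return findings

if __name__ == "__main__":
    print("\n".join(audit()))
```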
