Fortigate Vm - Sizing Azure
Sizing a FortiGate-VM in Azure requires balancing Azure's virtual machine performance with Fortinet's licensing tiers. Because Azure throttles network throughput based on the instance size, choosing a VM with enough vCPUs and RAM is critical for security performance.
1. Minimum Requirements
While a FortiGate-VM can technically run on 1 vCPU and 2 GB of RAM, these specs are generally reserved for evaluation or light testing.
Recommended Minimum: At least 4 GB of RAM is recommended for stable operation, especially if you enable features like Unified Threat Management (UTM), Zero Trust Network Access (ZTNA), or Proxy.
Storage: Most deployments start with 32 GB of disk space, expandable up to 2 TB for logging and reporting.
2. Selecting the Right Azure Instance Series
The "Series" you choose in Azure dictates the underlying hardware and network bandwidth.
Compute-Optimized (F-Series): High-performance instances (e.g., Standard_F2, Standard_F4) are often preferred for firewall workloads because they offer a high CPU-to-NIC ratio and strong compute power for packet inspection.
General Purpose (D-Series): These (e.g., Standard_D2s_v5, Standard_D4s_v5) are balanced options. However, be aware that throughput can vary significantly; for example, some users prefer older v2 instances over newer ones because of specific Azure bandwidth allocations.
Accelerated Networking (crucial): Ensure your chosen VM size supports Accelerated Networking, which offloads networking tasks from the CPU to the hardware, significantly reducing latency and jitter.
3. Aligning with FortiGate Licenses
Your Azure VM's vCPU count must not exceed what your Bring Your Own License (BYOL) tier allows, or the extra vCPUs sit idle while you keep paying Azure for them.
4. Recommended Azure VM Series for FortiGate
Not all Azure VM families work well for firewalls. The following are field-proven:
| Azure Series | Characteristics | Best For |
|--------------|-----------------|----------|
| Dv5 / Dsv5 (General purpose) | Balanced compute & memory, good for most inspection workloads | Mixed firewall + IPS + SSL inspection (500 Mbps – 2 Gbps) |
| Ev5 / Esv5 (Memory optimized) | Higher memory-to-vCPU ratio | Large NAT tables, millions of sessions, VPN termination |
| Fsv2 (Compute optimized) | High clock speed (3.4+ GHz) | Low-latency, high-packet-rate environments (e.g., gaming, trading) |
| Dasv5 (AMD EPYC) | Cheaper per core, good sustained performance | Cost-sensitive production deployments |
Avoid: Burstable B-series (unpredictable under load), older A-series (low network performance).
Key FortiGate Azure Metrics to Watch (via Azure Monitor + FortiGate SNMP)
- CPU I/O wait time – High values (>10%) indicate Azure disk or NIC throttling.
- Net::Session statistics – If session table fills, increase RAM (move to Ev3 family).
- IPS engine dropped packets – Immediate sign of undersizing.
5. Pros and Cons of FortiGate-VM on Azure
Pros:
- Integration: Native Azure SDN integration via "Fabric Connector" allows the firewall to dynamically learn Azure routes and APIs. This is better than Palo Alto or Cisco implementations.
- Consistency: Same OS (FortiOS) as physical appliances—policies and objects migrate easily.
- Autoscaling: Fortinet provides an Autoscaling solution (FortiGate Autoscale) that works well in Azure, though it requires a specific sizing approach (using smaller instances in a scale-set rather than one large instance).
Cons:
- No ASICs: You lose the hardware acceleration (NP7/CP9 processors) found in physical boxes. A physical $5,000 FortiGate often outperforms a much more expensive Azure VM instance regarding encrypted throughput.
- Cost Creep: It is easy to oversize. A D8s_v5 costs significantly more than a D4s_v5, and combined with Azure data egress fees and Fortinet licensing, the monthly bill can balloon.
Mistake #2: Ignoring East-West Traffic
- Why it fails: You size for internet ingress (2 Gbps) but forget that your Azure VMs send 5 Gbps between subnets – all inspected.
- Fix: Use Azure Network Watcher for 7 days to capture intra-VNet traffic. Add 100% buffer.
Introduction
FortiGate is a popular network security appliance that provides advanced threat protection, firewall, and VPN capabilities. In Azure, FortiGate can be deployed as a virtual machine (VM) to secure your cloud infrastructure. However, sizing the FortiGate VM correctly is crucial to ensure optimal performance, security, and cost-effectiveness. In this article, we will guide you through the process of sizing a FortiGate VM in Azure.
A. Entry Level (Small Branch / Test / Dev)
- Target Throughput: < 1 Gbps
- License: VM01 / VM02
- Recommended Azure Sizes:
  - Standard_D2s_v3 (2 vCPU, 8GB RAM) – Standard for VM01.
  - Standard_D2s_v4 / v5 – Newer generations, slightly better network burst.
3. SSL/TLS Inspection Throughput
This is the silent killer. Enabling full SSL inspection drops throughput by 60-80%.
- No inspection: 1.0 Gbps
- With SSL inspection (default cipher sets): 200-300 Mbps on same VM size.
- Sizing for SSL: Double your vCPU count for every 500 Mbps of SSL inspection.
Example 3: Internal Data Center East-West (10 Gbps raw, no UTM)
- Required: High-speed routing, ACLs only
- Recommendation: Standard_D16s_v5 (16 vCPUs) + VM16 license
- Note: Azure single VM max network is ~12-16 Gbps. Use multiple VMs + LB for >15 Gbps.
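As an added example (not from this page, Fortinet or Microsoft), the sizing rules given across this page put into one small Python calculator: east-west traffic with the 100% buffer, the 60-80% SSL-inspection penalty (worst case), the ~12 Gbps single-VM network cap with a split across load-balanced instances above it, and rounding up to a licence tier so no paid-for vCPU sits unlicensed. GBPS_PER_VCPU is an assumption interpolated from the page's "10 Gbps raw, D16s_v5 + VM16" example, and the VM04/VM08 tier names are assumed to follow the page's VM02/VM16 naming.

```python
"""Rule-of-thumb capacity estimate for a FortiGate-VM in Azure, encoding the
sizing heuristics given on this page; anything the page does not state is
marked as an assumption."""
import math
from dataclasses import dataclass

EAST_WEST_BUFFER = 1.0      # page: measure intra-VNet traffic, then "add 100% buffer"
SSL_DROP = 0.8              # page: full SSL inspection drops throughput 60-80%; worst case
SINGLE_VM_MAX_GBPS = 12.0   # page: one Azure VM tops out at ~12-16 Gbps; use the low end
GBPS_PER_VCPU = 10 / 16     # assumption interpolated from the page's 10 Gbps -> D16s_v5 example
# The licence tier caps the vCPUs FortiOS will use. VM02 and VM16 are on the page;
# VM04 and VM08 are assumed to follow the same naming pattern.
LICENSE_TIERS = {2: "VM02", 4: "VM04", 8: "VM08", 16: "VM16"}
MAX_VCPUS_PER_VM = max(LICENSE_TIERS)

@dataclass(frozen=True)
class Sizing:
    instances: int      # >1 means several VMs behind an Azure load balancer
    vcpus_per_vm: int   # rounded up to the licence tier
    license: str
    azure_size: str     # Dsv5 sizes named on the page
    design_gbps: float  # everything the firewall must inspect, buffer included

def pick_license(vcpus: int) -> tuple[int, str]:
    """Smallest tier covering the vCPU count: an Azure VM with more vCPUs than the
    licence allows leaves the extra cores idle while Azure still bills for them."""
    for cap in sorted(LICENSE_TIERS):
        if vcpus <= cap:
            return cap, LICENSE_TIERS[cap]
    raise ValueError(f"{vcpus} vCPUs exceeds the largest tier used on this page")

def size_fortigate(internet_gbps: float, east_west_gbps: float, ssl_share: float) -> Sizing:
    """internet_gbps: north-south traffic; east_west_gbps: measured intra-VNet traffic
    (e.g. a 7-day Network Watcher capture); ssl_share: fraction (0..1) SSL-inspected."""
    if not 0.0 <= ssl_share <= 1.0:
        raise ValueError("ssl_share must be between 0 and 1")
    design = internet_gbps + east_west_gbps * (1 + EAST_WEST_BUFFER)
    ssl = design * ssl_share
    # SSL-inspected traffic costs 1/(1-drop) times the compute of plain traffic
    equiv = (design - ssl) + ssl / (1 - SSL_DROP)
    instances = max(1, math.ceil(design / SINGLE_VM_MAX_GBPS))
    while True:
        vcpus = max(2, math.ceil(equiv / instances / GBPS_PER_VCPU))
        if vcpus <= MAX_VCPUS_PER_VM:
            break
        instances += 1  # add a VM behind the LB rather than exceed the largest tier
    cap, lic = pick_license(vcpus)
    return Sizing(instances, cap, lic, f"Standard_D{cap}s_v5", round(design, 2))
```

For the page's east-west mistake, `size_fortigate(2.0, 5.0, 0.0)` (2 Gbps ingress, 5 Gbps between subnets) gives a 12 Gbps design that needs two Standard_D16s_v5 / VM16 instances behind a load balancer, while `size_fortigate(10.0, 0.0, 0.0)` reproduces the page's Example 3 on a single D16s_v5.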