Fortigate Vm Sizing Azure ⭐ High Speed
FortiGate VM throughput is not linear due to Azure’s virtual networking overhead and encryption costs. Below is a conservative guide for full inspection (firewall + IPS + SSL inspection):
| vCPUs | RAM (GB) | Est. Firewall (Gbps) | Est. IPSec (Gbps) | Est. SSL Inspection (Mbps) |
|-------|----------|----------------------|--------------------|-----------------------------|
| 2 | 4 | 0.5 – 0.8 | 0.2 – 0.3 | 50 – 100 |
| 4 | 8 | 1.0 – 1.5 | 0.5 – 0.8 | 150 – 250 |
| 8 | 16 | 2.0 – 3.0 | 1.0 – 1.5 | 400 – 600 |
| 16 | 32 | 4.0 – 6.0 | 2.0 – 3.0 | 800 – 1200 |
These are lower than Fortinet’s “lab maximums” because Azure’s accelerated networking and vCPU stealing reduce real-world performance.
In Azure Marketplace, FortiGate-VM offers different throughput tiers based on license. The license determines the licensed throughput (e.g., 1 Gbps, 2 Gbps, 5 Gbps). The VM size must support that throughput. fortigate vm sizing azure
| License SKU (Example) | Max Licensed Throughput | Recommended Azure VM Size |
|----------------------|------------------------|----------------------------|
| FG-VM01 (PayG/BYOL) | 1 Gbps | D2s v3, D2ds v4, B2s |
| FG-VM02 | 2 Gbps | D4s v3, D4ds v4 |
| FG-VM04 | 4 Gbps | D8s v3, D8ds v4 |
| FG-VM08 | 8 Gbps | D16s v3, D16ds v4 |
| FG-VM16 | 16 Gbps | D32s v3, D32ds v4 |
| FG-VM32 (rare) | 32 Gbps | D64s v3 |
Important: Pay-as-you-go (PAYG) licenses are tied to VM size changes—resizing may break licensing. BYOL (Bring Your Own License) is more flexible.
Recommendation: For production >2 Gbps, always choose BYOL with a 3-year commitment. For variable workloads under 1 Gbps, PAYG works but watch your monthly bill. FortiGate VM throughput is not linear due to
| Family | Characteristics | FortiGate Recommendation |
|--------|----------------|--------------------------|
| Dv3 / Dv4 | General purpose, Intel Xeon, good balance | Best for 80% of use cases (VPN + inspection) |
| Ev3 / Ev4 | Memory-optimized, same CPU as Dv3 | Required for large session tables (>2M) or many IPsec tunnels |
| Fsv2 | High frequency Intel (3.4 GHz) | Ideal for SSL inspection and low-latency requirements |
| Dasv4 | AMD EPYC (3.0+ GHz) | Excellent price/performance for stateful firewall only (not VPN-heavy) |
| B-series (Burstable) | Use only for lab/DevTest | Production traffic will exhaust CPU credits and drop packets |
Pros:
Cons:
| FortiGate Model | vCPU Range | RAM | Azure Instance Family | Typical Use Case |
|----------------|------------|-----|----------------------|-------------------|
| FG-VM01 | 1-2 | 1-2 GB | B-series, D2s_v3 | Dev/Test, Site-to-site VPN only |
| FG-VM02 | 2-4 | 4-8 GB | D4s_v3, D4as_v4 | Small production, branch hub |
| FG-VM04 | 4-8 | 8-16 GB | D8s_v3, E8s_v3 | Medium enterprise, SSL inspection |
| FG-VM08 | 8-16 | 16-32 GB | D16s_v3, E16s_v3 | Large enterprise, data center exit |
| FG-VM16 | 16-32 | 32-64 GB | D32s_v3, E32s_v3 | High-performance, service provider |
| FG-VM32 | 32-64 | 64-128 GB | D64s_v3, M64 | Very high throughput (10+ Gbps) |
Critical Insight: Azure vCPUs are not equal to physical cores. A D8s_v3 offers 8 vCPUs (Hyper-threaded on Intel Xeon Platinum 8171M). FortiGate performance is bursty; ensure you understand the baseline performance of your chosen Azure series.
