| Feature | Performance Hit (CPU) | Memory Impact |
| :--- | :--- | :--- |
| Firewall only (ACL) | 1x baseline | Low |
| + IPS | 1.6x | Medium |
| + Antivirus (proxy-based) | 3.0x | High |
| + SSL Deep Inspection (1,000+ certs) | 4.5x | Very High |
| + Logging to FortiAnalyzer/Cloud | 1.2x | Low |
| + Full SD-WAN rules | 1.3x | Medium |

: Required if you use heavy inspection features like IPS or SSL decryption, which consume more memory.

Critical Sizing Constraints 💡
Supports the latest for maximum bandwidth.

3. Performance Metrics by License Tier
Deploying a FortiGate Next-Generation Firewall (NGFW) in Microsoft Azure is a best practice for securing hybrid and cloud-native workloads. However, the most common point of failure—either performance-related or financial—is .
: Fsv2 (higher clock speed) or Dsv3 (balanced)
In Azure, FortiGate-VM licenses do not strictly limit RAM; you can use any RAM size supported by the chosen Azure VM size. A minimum of 4 GB RAM is recommended for stable operation.

2. Recommended Azure VM Sizes
If CPU utilization is consistently over 80%, scale up to the next VM size.
Several factors influence FortiGate VM sizing in Azure:

| FortiGate License | vCPUs (Azure VM) | Realistic UTM Throughput (Full IPS+AV) | Realistic Firewall Only | SSL Inspection |
| :--- | :--- | :--- | :--- | :--- |
| VM01 | 2 | 150 Mbps | 400 Mbps | 80 Mbps |
| VM02 | 4 | 350 Mbps | 800 Mbps | 200 Mbps |
| VM04 | 8 | 800 Mbps | 2 Gbps | 500 Mbps |
| VM08 | 16 | 1.8 Gbps | 4.5 Gbps | 1.2 Gbps |
| VM32 | 32 | 4 Gbps | 10 Gbps | 3 Gbps |

Your "Raw Throughput" is not your "Threat Protection" throughput.

Firewall Only: You can get away with smaller instances.

Full UTM (IPS + AV + SSL Inspection): This is CPU-intensive. Assume you will lose
downsize the passive node to save costs. If the active node fails, the passive node must handle the full production load immediately. Azure does not support autoscaling CPU/memory in an HA pair.