How to Choose the Right FortiGate Firewall (NGFW)

Summary: Practical guidance for matching FortiGate NGFW models to security, throughput and connectivity requirements.

Selection criteria to consider

When selecting a FortiGate NGFW, evaluate:

  • Security requirements
  • Expected throughput and inspection needs
  • Interface connectivity and port types
  • Redundancy requirements (WAN, power, IPsec VPN tunnels, device)
  • Ease of migration from existing systems

Throughput and inspection capacity

FortiGate models vary significantly in available throughput. This affects performance when enabling security inspection features such as SSL decryption and deep packet inspection.

Below is a snapshot of real performance values from three FortiGate models across the Branch and SMB range:

Model            Firewall Throughput   Threat Protection Throughput   SSL Inspection Throughput
FortiGate 30G    4 Gbps                500 Mbps                       400 Mbps
FortiGate 80F    10 Gbps               900 Mbps                       715 Mbps
FortiGate 200G   39 Gbps               6 Gbps                         7 Gbps

Use inspection throughput (not just raw firewall throughput) as the primary sizing metric if security services will be enabled.

Connectivity and hardware variants

FortiGate appliances differ in WAN/LAN port counts and optional hardware variants such as PoE, Wi-Fi, LTE/5G or built-in storage. Confirming connectivity needs up front prevents the need for extra switching hardware.

Licensing and high availability

For high-availability deployments, each appliance in the cluster must have its own license and support contract. Licensing only the primary device is not sufficient.

Security service bundles

Fortinet offers security bundles that combine services such as intrusion prevention, malware protection, URL/DNS filtering, application control and support. Select the bundle based on which services will be enabled.

Migration support

Fortinet offers migration services to convert existing configurations to FortiGate, which reduces manual configuration effort and error risk.


Need guidance choosing a model?

We at DataCenter360.ca can map your throughput and inspection requirements to the correct FortiGate model and licensing bundle.

Contact us now!

How to Choose the Right FortiGate Firewall – Frequently Asked Questions

What factors should I consider when choosing a FortiGate firewall?
Consider throughput, security services, interface options, redundancy, and scalability. These parameters define which FortiGate model best fits your business size, traffic, and security needs.

Which FortiGate model is best for small businesses or branch offices?
The FortiGate 30G, 50G, or FortiWiFi 30G are ideal for small offices and branches that need strong UTM and SD-WAN performance in compact, affordable form factors.

What FortiGate models are designed for medium-sized enterprises?
Mid-range options like the FortiGate 120G, 200G, and 400F balance performance and scalability with full FortiGuard Enterprise Protection, perfect for growing corporate networks.

Which FortiGate models are recommended for large enterprises or data centers?
High-end units such as the FortiGate 1000F, 1800F, and 2600F deliver multi-100 G connectivity and terabit-class throughput for large enterprises and data-center cores.

What is the difference between FortiGate and FortiWiFi models?
FortiGate models provide wired security only, while FortiWiFi units integrate enterprise-grade Wi-Fi, ideal for remote or small locations that need both wired and wireless protection.

What security bundle should I choose with my FortiGate firewall?
The FortiGuard Enterprise Protection Bundle is recommended. It includes AI-powered IPS, antivirus, web filtering, sandboxing, DNS security, and FortiCare Premium support.

How do FortiGate UTP and Enterprise bundles differ?
UTP (Unified Threat Protection) covers essential IPS, antivirus, and application control. The Enterprise Bundle adds AI sandboxing and full cloud-security services for complete coverage.

Can FortiGate firewalls operate in high-availability mode?
Yes. FortiGates can run in HA clusters. Each unit requires active FortiCare and FortiGuard licenses to maintain synchronization and failover continuity.

What’s the role of FortiConverter in FortiGate deployments?
FortiConverter Service automates migration from legacy or third-party firewalls by converting configurations into FortiOS templates, reducing manual setup time and errors.

Do I need a separate license for FortiGSLB (Global Server Load Balancing)?
No additional FortiGate license is required, but a FortiGSLB Cloud license must be registered on the same FortiCloud account for integration.

What is Zero Touch Provisioning (ZTP) and how does it help?
FortiDeploy (ZTP) enables remote FortiGate devices to auto-connect to FortiCloud upon power-up, simplifying large-scale distributed deployments.

What’s the difference between Enterprise, Mid-Range, and High-End FortiGate devices?
Enterprise / Branch (30G–200G): up to 39 Gbps; Mid-Range (400F–900G): up to 164 Gbps; High-End (1000F–7000): terabit-level throughput and full redundancy.

How does FortiGate use AI to enhance protection?
FortiGate integrates FortiGuard AI-powered security services that analyze global threat data in real time to detect and stop zero-day and AI-based attacks automatically.

What professional services are available for FortiGate deployment?
Fortinet offers QuickStart Deployment and Professional Consulting Packages providing expert configuration, optimization, and training for fast, secure rollouts.