The FortiGate Buyer's Toolkit: Size, Spec, Negotiate

Pawan Sharma  ·  Published 26 Apr 2026  ·  Network Security  ·  15 min read

Most Indian organisations buy FortiGate the wrong way. They get a vendor on a Zoom call, the vendor "discovers" the requirement, the vendor recommends their preferred SKU, and a quote arrives priced for opacity rather than comparison. Six months later, an internal audit reveals a UTP bundle was bought when ATP would have done, FortiCare Standard was renewed instead of Premium, and the hardware that should have been refreshed got another three years of subscriptions stapled onto a unit that no longer matches the workload.

This is a six-chapter buyer's guide for Indian procurement teams. It pairs with a free FortiGate Buyer's Toolkit (Excel) — eight tabs, no prices, just the structure you need to size, spec, RFP and negotiate. Use the guide to understand the why; use the Excel to do the work.

  • Chapter 1 — Sizing: throughput vs. magic numbers
  • Chapter 2 — Bundles: ATP ⊂ UTP ⊂ Enterprise reality
  • Chapter 3 — TCO Comparator: 25 line-items every quote needs
  • Chapter 4 — RFP: 60+ specs to demand
  • Chapter 5 — Renewal Audit: 12 silent-downgrade traps
  • Chapter 6 — Vendor Red Flags: 12 questions, 12 reveals

Disclosure: Ogma Consulting is an authorised Fortinet partner. We have skin in this game — but the toolkit and the guide work whether you buy from Ogma or from any other authorised partner. Our bet: the more honest the procurement process, the more often we win it on merit.


Chapter 1 — Sizing: Throughput vs. Magic Numbers

Why sizing goes wrong

Datasheet throughput is not real throughput

Every FortiGate datasheet publishes a "Firewall Throughput" number. It is measured against a specific test profile (1518-byte UDP packets, raw forwarding, no inspection) that bears no relationship to your network. The number you actually care about — NGFW throughput with full UTM enabled — is typically 15–35% of the datasheet headline. Add SSL/TLS deep inspection and you fall to 10–25% of the headline.

The implication is uncomfortable: vendors size models against the headline because it makes their unit look adequate. You should size against the inspected number plus 30% headroom for three years. The Sizing tab in the toolkit walks you through this without naming any specific FortiGate model — because the right model depends on your real workload, not on what the vendor wants to sell.

Practical rule: Whatever throughput number you get from the vendor, divide by four. If the result still covers your peak + 30% headroom for three years, the unit is sized correctly. If not, you need to go up a class.

SSL inspection is the silent killer

What kills under-sized FortiGates

Almost every Indian enterprise rolls out SSL deep-inspection within the first year of FortiGate ownership — for DLP, for AV scanning, for application visibility. Most discover their unit was sized without it. The cure usually involves either accepting degraded performance, disabling inspection on high-volume flows (defeating the point), or buying a bigger unit at next refresh.

  • Mid-size models (the FortiGate 100F / 200F class) typically lose half their NGFW throughput when SSL inspection is enabled.
  • Larger models with dedicated CP9 / SP5 ASICs handle SSL inspection in hardware and degrade much less.
  • Cloud-hosted FortiGate-VM performance scales linearly with vCPU count but at a different cost curve — typically more flexible, sometimes more expensive at scale.

The toolkit's Sizing tab uses use-case rows (single-branch, mid-tier office, datacentre, OT segment, cloud) rather than model tables — because your model recommendation depends on which use case dominates your traffic.


Chapter 2 — Bundles: ATP ⊂ UTP ⊂ Enterprise

Most prospects buy the wrong tier

The decision is workload-driven, not size-driven

FortiGate ships with three subscription bundles plus FortiCare support tiers. The hierarchy is ATP ⊂ UTP ⊂ Enterprise — each tier is a superset of the one below. ATP is the base threat-protection tier (IPS, AV, Application Control, AntiBot, Cloud Sandbox). UTP adds Web Filtering, DNS Filtering, AntiSpam and IoT detection on top of ATP. Enterprise adds DLP, Industrial Security, SOCaaS and Attack Surface Rating on top of UTP.

Vendors love proposing UTP because it sounds prudent and complete. The reality is that the right tier is determined by which features you actually enable — not by your firewall throughput class.

✓ When UTP is right

Worth the upgrade from ATP

  • You need FortiGuard Web Filtering (productivity, compliance, category control) — by far the most common reason
  • You need DNS Filtering for DNS-layer category enforcement
  • FortiGate sits in front of a mail server and you need AntiSpam there (rare if you use M365 / Workspace)
  • You need IoT / OT device visibility (inventory only — for OT IPS signatures, see Enterprise)

✗ When UTP is overkill (ATP is enough)

You are paying for unused features

  • You handle web filtering at a separate proxy (Zscaler, Cisco Umbrella, on-prem proxy)
  • Email security is fully outsourced to M365 / Workspace / Mimecast
  • No IoT / OT devices on your network
  • You only enable IPS + AppCtrl + AV + Sandbox at the firewall

Honest test: Look at config system feature-visibility on your existing FortiGate, then count which UTM features your policies actually invoke. If web-filter, dns-filter and anti-spam are all disabled across every policy, you don't need UTP — you need ATP plus discipline about what your other layers (proxy, mail security, EDR) already cover.
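The "honest test" above, as an added example that is not part of the toolkit or any Fortinet tooling: a small Python parser that reads the firewall policy table out of a FortiOS configuration backup and counts which UTM profiles are referenced by policies that actually have UTM enabled. The config excerpt is constructed, and the mapping of policy attributes to bundle features (av-profile, ips-sensor, application-list for ATP; webfilter-profile, dnsfilter-profile, emailfilter-profile for UTP) is an assumption to verify against your FortiOS version.

```python
from collections import Counter

# Constructed FortiOS CLI excerpt (not from a real device): the only webfilter-profile
# sits on a policy with utm-status disable, so it is never actually invoked.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set utm-status enable
        set av-profile "default"
        set ips-sensor "default"
        set application-list "default"
    next
    edit 2
        set utm-status disable
        set webfilter-profile "default"
    next
end
"""
# Assumed mapping of FortiOS policy attributes to bundle features (verify on your version).
ATP_KEYS = {"av-profile", "ips-sensor", "application-list"}
UTP_KEYS = {"webfilter-profile", "dnsfilter-profile", "emailfilter-profile"}

def parse_policies(config_text):
    """Return {policy_id: {attribute: value}} for the 'config firewall policy' table only."""
    policies, current, in_table = {}, None, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "config firewall policy":
            in_table = True
        elif in_table and line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif in_table and line == "end":
            break                      # other config tables follow; ignore them
        elif current is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            policies[current][key] = value.strip('"')
    return policies

def utm_feature_usage(config_text):
    """Count how many UTM-enabled policies reference each feature profile."""
    usage = Counter({k: 0 for k in ATP_KEYS | UTP_KEYS})
    for attrs in parse_policies(config_text).values():
        if attrs.get("utm-status") == "enable":   # profiles on UTM-off policies never run
            usage.update(k for k in attrs if k in usage)
    return usage

def recommended_bundle(config_text):
    """ATP unless at least one live policy references a UTP-only profile."""
    usage = utm_feature_usage(config_text)
    return "UTP" if any(usage[k] for k in UTP_KEYS) else "ATP"
```

Run it against a full `show full-configuration` backup rather than the excerpt; a profile that is referenced only by policies with UTM disabled counts as unused, which is exactly the case a renewal quote will not point out.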

Enterprise tier (UE)

When the Enterprise bundle pays for itself

The Enterprise tier (sometimes labelled "UE") is justified in two scenarios:

  • OT / industrial workload. If you have any SCADA, ICS, manufacturing-floor or healthcare-device traffic, the OT IPS signatures bundled in Enterprise are worth more than the entire bundle delta over UTP.
  • Regulated industry without a SOC. If you're in BFSI / healthcare / utilities and don't run your own SOC, the bundled SOC-as-a-Service can replace a separate managed-SOC contract. Run the math line-for-line in the TCO Comparator tab.

If neither applies, Enterprise is overkill. ATP or UTP, plus a separate managed SOC if you need one, almost always works out comparable or better.


Chapter 3 — TCO Comparator: Twenty-Five Line-Items Every Quote Should Contain

Quote-comparison sanity

Why "lump-sum quote" should be banned in your tender

If you receive a FortiGate quote with a single line that reads "FortiGate FG-200F bundle — 3 years — ₹X", the partner is hiding markup, hiding SKU substitution, and making it impossible for you to compare against a second quote. The right quote has at least the line-items in the toolkit's TCO Comparator tab — split into six categories:

  • Hardware & initial procurement — appliance, transceivers, redundant PSU, rack rails, optional spare unit
  • Software / subscription bundles — ATP / UTP / ENT, year by year, with explicit renewal terms
  • Support / FortiCare — Premium or Elite, year by year, with SLA in writing
  • Management plane — FortiManager + FortiAnalyzer (or FortiAnalyzer Cloud)
  • Implementation — itemised professional services SoW (hours per task, not flat fee)
  • Operational costs — power, rack space, internal admin time

The toolkit auto-sums. Paste numbers into the "Quote A" and "Quote B" columns; the totals at the bottom auto-calculate. Whichever quote is missing line-items shows up as suspiciously cheap.

Chapter 4 — RFP: Sixty-Plus Specs to Demand in Your Tender

Most RFPs miss 30+ of these

What a real FortiGate RFP looks like

The default tender template most Indian organisations use covers maybe twenty FortiGate-relevant specs. Vendors love these tenders because they leave room to substitute SKUs, swap bundles, propose Standard FortiCare while you assumed Premium, and quote India-imported hardware while you assumed India-stocked. The toolkit's RFP Checklist has 60+ items across nine sections, prioritised MUST / SHOULD / NICE.

The MUST items — the ones whose absence should cause you to reject the bid — fall into a few clusters:

  • Hardware certainty — exact model, exact PSU configuration, exact NPU/SP5 chip variant, exact interface mix.
  • Performance under inspection — NGFW with full UTM, SSL/TLS deep-inspection, IPsec — not raw firewall numbers.
  • Bundle and licence specificity — exact bundle name with full feature list per device, exact term length, exact renewal terms.
  • Support tier and SLA — FortiCare tier in writing, response SLA in writing, escalation path.
  • Compliance fit — RBI / SEBI CSCRF / DPDPA / CERT-In log-retention compatibility, FIPS / Common Criteria where applicable.
  • Channel provenance — authorised partner letter, India-stocked vs imported, RMA SLA.

Chapter 5 — Renewal Audit: Catching Silent Downgrades

Three silent-downgrade traps every renewal contains

Pre-renewal verification in 30 minutes

Renewal quotes are where channel partners make their margin back. The three traps that catch the largest number of customers, in order of frequency:

  • Bundle silent downgrade. You currently have UTP. The renewal quote says "FortiGate subscription bundle — 3 years" without naming the tier. The renewal is for ATP. You sign. A year later you discover web filtering, DNS filtering, anti-spam and IoT visibility all stopped working at renewal — but the alerts went to a mailbox no one reads.
  • FortiCare tier silent drop. You currently have Premium (1 hr SLA). The renewal proposes Standard (24-72 hr SLA). The line-items don't make this obvious unless you're looking. You sign. The next critical incident, your SLA has quietly tripled.
  • Renewal of an EoL device. Your hardware is approaching End of Support. The partner renews three years of subscriptions on it anyway. When the device hits EoS during the renewal term, you discover you've paid for entitlements you can't use.

The 30-minute audit: open FortiCloud Asset Management → confirm current bundle + FortiCare tier per device → check device EoL/EoS status on fortinet.com → compare against the renewal quote line-by-line. The toolkit's 12-item Renewal Audit tab walks the full process.

Chapter 6 — Vendor Red Flags: Twelve Questions, Twelve Reveals

Channel partner sanity check

The questions that good partners answer fast

Every channel partner you talk to should answer twelve questions quickly and without evasion. The questions are mundane on the surface — partner authorisation, NSE certification levels, hardware origin, itemised quotes, escalation paths. The pattern of answers reveals whether the partner is acting in your interest or theirs.

  • Authorisation — produces partner letter / portal screenshot within 5 minutes
  • NSE certification — minimum NSE 4 for support, NSE 7 for design
  • Hardware origin — India-stocked with delivery challan, or specifically imported for this order
  • Itemised quote — willing every time, no exceptions
  • Mid-term partner switch — administrative, you retain entitlements
  • Sector references — three at similar deal size, willing to talk
  • Support escalation — named L2 plus Fortinet TAC plus regional engineer
  • FortiCare tier and SLA — in writing, with response time
  • Cutover plan — named engineers, escalation contacts, run-book before cutover
  • Hypercare phase — 30-day daily check-ins, named engineer, written hand-off
  • Migration capability — sample migration plan from a similar engagement
  • Multi-vendor stance — open integration with CrowdStrike, Splunk, Sentinel, etc.

Hesitation, evasion, or "I'll get back to you on that" on three or more of these is a strong signal to take your tender to two more partners before signing.


✅ Key Takeaways

  1. Datasheet throughput is not real throughput. Size against NGFW-with-full-UTM and SSL-DPI numbers, plus 30% three-year headroom.
  2. Most prospects buy the wrong bundle. Audit which UTM features you actually enable; UTP is overkill for many (web filter / DNS filter / anti-spam often handled by separate proxy or M365). ATP suffices when those layers are already covered. Enterprise is only justified for OT workloads or as a SOC-replacement.
  3. Lump-sum quotes hide everything. Demand 25-line-item itemisation: hardware, bundles year-by-year, FortiCare tier, management plane, implementation, ops cost.
  4. Default RFPs miss 30+ FortiGate-specific specs. Use a checklist that covers hardware certainty, inspection performance, bundle specificity, support SLA, compliance fit, channel provenance.
  5. Renewal audits catch silent downgrades. Three traps: bundle drop, FortiCare tier drop, renewal on EoL hardware. 30-minute pre-renewal check prevents all three.
  6. Channel partners reveal themselves in twelve questions. Three or more evasions = take your tender to two more partners.

📥 Free toolkit · 8 tabs · No prices

Download the FortiGate Buyer's Toolkit (Excel)

Sizing decision logic, ATP / UTP / Enterprise bundle picker, 25-line TCO comparator with auto-sum, 60+ RFP specs prioritised, 12-item renewal audit, 12 vendor red flags, migration notes for CP/PA/SonicWall/Cisco/Juniper. The same structure Ogma uses internally during customer scoping.

8 tabs  ·  60+ RFP specs  ·  25 TCO line-items  ·  12 red-flag questions

🔥 Authorised Fortinet Partner

Ready to talk numbers?

Build your tender using the toolkit. Send it to Ogma plus two or three other authorised partners. We'll respond line-for-line against the same structure you defined. You'll see exactly where partners differ — and where the games are being played.

✉  Write to [email protected] 📞  +91 80 0979 0979


