FortiWeb hardware sizing guide for India — appliance models 2026
Published 08 Jun 2026
· By
Pawan Sharma
· Network Security
· 16 min read
Picking the wrong FortiWeb appliance is more expensive than picking the wrong vendor. Throughput class, ML Domain count, latency budget, HA topology, and rack constraints — five inputs, one right model from the 100F to 4000F line. This guide walks the sizing decision tree against the official FortiWeb Ordering Guide (FWEB-OG-R25-20260318) — the same source Fortinet's distribution channel uses to quote.
7 models
100F → 4000F
100 Mbps to 70 Gbps. One-RU through 2-RU. Desktop for the smallest.
70 Gbps
4000F top end
"Industry's fastest WAF appliance" per the Ordering Guide.
~60%
Target headroom
Size to peak ≤ 60% of rated throughput. Leaves growth + bursts.
5 inputs
Sizing decision
Throughput · ML Domains · Latency · HA · Rack/Power.
The 7 models and what changes between them
| Model | HTTP / HTTPS (2048) | ML Domains | Form factor | 10G SFP+ | 40 GE | Power |
|---|---|---|---|---|---|---|
| 100F | 100 Mbps | 6 | Desktop | — | — | Single |
| 400F | 500 Mbps | 6 | 1RU | — | — | Single |
| 600F | 1 Gbps | 16 | 1RU | — | — | Dual |
| 1000F | 2.5 Gbps | 32 | 2RU | 2× | — | Hot Swap |
| 2000F | 5 Gbps | 96 | 2RU | 4× | — | Hot Swap |
| 3000F | 10 Gbps | 96 | 2RU | 10× (2 bypass) | — | Hot Swap |
| 4000F | 70 Gbps | 192 | 2RU | 10× | 2× bypass | Hot Swap |
Source: FortiWeb Ordering Guide, FWEB-OG-R25-20260318, page 5. All throughput at 2048-bit HTTPS keysize.
Input 1 — Throughput class
This is the headline sizing dimension. Measure peak HTTPS throughput (not average) across the apps you'll protect — peak periods are what break under-sized boxes. The Ordering Guide's published throughput is at 2048-bit keysize, which is the modern standard; 4096-bit keysize roughly halves throughput on most models so flag this in your sizing call if applicable.
The 60% rule
Size to peak ≤ 60% of rated throughput
This is the engineering convention. 60% leaves room for SSL session reuse failures, traffic spikes, partial-failure operation during HA cutover, and 12-18 months of growth before you outgrow the box. Sizing to peak = 100% rated throughput means you're running at headroom-zero from day one.
Input 2 — ML Domain count
FortiWeb's machine-learning engine builds one model per application domain. The Max ML Domains count is the hard ceiling on simultaneously protected unique applications. This often nudges sizing up a tier independently of throughput.
| App portfolio size | Model that fits | Notes |
|---|---|---|
| 1-6 apps | 100F / 400F | Throughput typically the constraint, not ML Domains |
| 7-16 apps | 600F | 16 ML Domains is the headline differentiator over 400F |
| 17-32 apps | 1000F | 32 ML Domains — typical large mid-market |
| 33-96 apps | 2000F or 3000F | Throughput then chooses between them |
| 97-192 apps | 4000F | Only model that scales to 192 ML Domains |
Input 3 — Latency budget
For most workloads WAF latency is in the single-digit-ms range and not a sizing input. For card-payment / interactive / trading workloads where every ms matters, the dedicated inspection ASICs in higher-tier models matter. 1000F and above carry more dedicated hardware for inspection paths — the cost-per-Gbps drops at the same time as the latency budget improves. This is why heavy interactive workloads often size to 1000F+ even when 600F throughput would technically suffice.
Input 4 — HA topology
Active-passive
- One box sized for full peak; partner box in standby
- Failover swap on outage; standby takes full load
- Total cost: 2× licence + 2× HW
- Standard for BFSI / regulated workloads
- Lower complexity
Active-active
- Each box sized for ~70% of peak — both inspect
- Failover degrades to single-box at full peak
- Total cost: 2× licence + 2× HW
- Standard for e-commerce / high-burst workloads
- Higher burst headroom; more session-state complexity
Input 5 — Rack space, power, ports
▸ Form factor
100F: desktop. 400F/600F: 1RU. 1000F+: 2RU. Rack constraint can push small deployments to remote installs.
▸ Dual power
Kicks in at 600F. Required for any colo / production DC by standard rule of thumb.
▸ Hot-swap PSU
1000F and above. Required for true zero-downtime power swap.
▸ 10G SFP+
1000F: 2. 2000F: 4. 3000F: 10 (2 bypass). 4000F: 10. Often the constraint if you're terminating 10G upstream.
▸ 40 GE bypass
4000F only — 2× 40 GE bypass. Required for DC-core deployments that can't drop traffic on a unit failure.
▸ Bypass ports
Bypass mode allows traffic to flow through without inspection on unit failure. Critical for fail-open requirements.
Bundle tier — Standard, Advanced, Enterprise
Every hardware model is bought as a Hardware Bundle SKU + a Renewal Bundle SKU. The bundle code determines feature set:
- Standard (
FWB-XXXX-BDL-934-DD) — OWASP Top 10, signatures, IP rep, antimalware, 24×7 support, FortiAI Assist - Advanced (
FWB-XXXX-BDL-580-DD) — + Sandboxing, ML anomaly detection, Threat Analytics, Credential Stuffing Defense - Enterprise (
FWB-XXXX-BDL-1266-DD) — + Advanced Bot Protection, Client-Side Protection (PCI DSS 4.0), DLP
Enterprise is effectively non-optional for card-payment workloads — Client-Side Protection addresses PCI DSS 4.0 requirements 6.4.3 and 11.6.1.
Advanced Bot Protection request volumes
The Enterprise bundle's Advanced Bot Protection carries per-platform request ceilings per month. Heavy bot-targeted workloads can hit these before throughput becomes the constraint.
| Model | Bot requests / month |
|---|---|
| 400F | 850,000 |
| 600F | 1.25 M |
| 1000F | 1.7 M |
| 2000F | 3 M |
| 3000F | 4 M |
| 4000F | 11 M |
If you're seeing 1.5 M+ bot-classified requests per month against a single app, jump to a 1000F minimum. E-commerce and credential-stuffing-targeted BFSI workloads often hit these ceilings before throughput does.
SKU pattern reference
| Model | Std HW Bundle | Std Renewal | Adv HW Bundle | Ent HW Bundle |
|---|---|---|---|---|
| 100F | FWB-100F-BDL-934-DD | FC-10-W01HF-934-02-DD | FWB-100F-BDL-580-DD | FWB-100F-BDL-1266-DD |
| 400F | FWB-400F-BDL-934-DD | FC-10-FV40F-934-02-DD | FWB-400F-BDL-580-DD | FWB-400F-BDL-1266-DD |
| 600F | FWB-600F-BDL-934-DD | FC-10-W06HF-934-02-DD | FWB-600F-BDL-580-DD | FWB-600F-BDL-1266-DD |
| 1000F | FWB-1000F-BDL-934-DD | FC-10-FW1KF-934-02-DD | FWB-1000F-BDL-580-DD | FWB-1000F-BDL-1266-DD |
| 2000F | FWB-2000F-BDL-934-DD | FC-10-FW2KF-934-02-DD | FWB-2000F-BDL-580-DD | FWB-2000F-BDL-1266-DD |
| 3000F | FWB-3000F-BDL-934-DD | FC-10-FW3KF-934-02-DD | FWB-3000F-BDL-580-DD | FWB-3000F-BDL-1266-DD |
| 4000F | FWB-4000F-BDL-934-DD | FC-10-FW4KF-934-02-DD | FWB-4000F-BDL-580-DD | FWB-4000F-BDL-1266-DD |
The sizing decision tree, in one page
Measure peak HTTPS throughput
Not average. The peak periods are what break under-sized boxes. Take the 95th or 99th percentile over a representative month.
Count unique application domains
Each protected app = 1 ML Domain. Don't count micro-services as separate — count the public-facing apps.
Apply 60% headroom rule
Divide peak by 0.6. That's your effective sizing target.
Pick smallest model ≥ sizing target AND ≥ ML Domain count
If throughput says 600F but ML count says 1000F — 1000F wins.
Bump tier for bot-heavy workloads
If you're projecting more bot requests than the Advanced Bot Protection ceiling, bump up. E-commerce typically jumps from 600F to 1000F just for the bot ceiling.
Decide HA topology
Active-passive for BFSI / regulated. Active-active for e-commerce / high-burst. Both double licence cost.
Pick bundle
Card payments → Enterprise (Client-Side Protection for PCI DSS 4.0). Production non-card → Advanced. Dev/UAT → Standard.
FAQ
How do I size between two adjacent FortiWeb models?
Active-passive or active-active HA?
What about 40 GE on the 4000F?
Can I cluster more than two FortiWebs?
What's the typical refresh cycle?
Does the appliance need a separate FortiAnalyzer for logging?
What if my throughput grows mid-cycle?
Can a single FortiWeb protect both internet-facing and internal apps?
Free FortiWeb HW sizing assessment
Get the right model + bundle + HA topology for your workload
Ogma takes peak throughput, app portfolio, latency budget, and HA topology and returns a sized recommendation with INR + GST quote in 2 working days.
Request the sizing or explore the FortiWeb Hardware landingSources
- FortiWeb Ordering Guide (FWEB-OG-R25-20260318) — model specs, SKUs, bundle structure
- FortiWeb Data Sheet — ML detection, ASIC inspection paths, feature reference
Related: FortiWeb deployment models guide · FortiWeb Hardware (Ogma landing) · FortiWeb Installation service
Stay ahead of cyber threats
One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.
