Which FortiGate Should You Buy? Technical Sizing Guide for Indian Enterprises (2026)

You have decided to buy a FortiGate. That is the easy part. The hard part is figuring out which FortiGate. Fortinet sells over 20 models across two product generations, three subscription tiers, and multiple form factors. Pick too small and your firewall becomes a bottleneck. Pick too large and you are burning budget on capacity you will never use.

This guide gives you the technical framework to size a FortiGate correctly for your environment. We are Ogma Consulting, an authorised Fortinet partner in India — our NSE 7 certified engineers deploy FortiGate firewalls every week across enterprises ranging from 20-user branch offices to 5,000-user campuses. Here is what we have learned.

Step 1: Understand What Actually Determines FortiGate Size

Fortinet publishes five throughput numbers for every model. Most buyers look at the wrong one. Here is what each means and which one matters for your sizing decision:

Rule of thumb: Size your FortiGate based on Threat Protection throughput, not firewall throughput. A FortiGate 90G advertises 28 Gbps firewall throughput, but with all security features enabled, it delivers 2.2 Gbps. That 28 Gbps number is irrelevant in production.

Step 2: Calculate Your Actual Throughput Requirement

Before looking at models, calculate what you actually need:

1. Check your current internet bandwidth — If you have a 1 Gbps leased line, your FortiGate needs at least 1 Gbps of Threat Protection throughput. If you have two 500 Mbps links in SD-WAN, you need 1 Gbps aggregate.
2. Add 50% headroom — Bandwidth upgrades happen. Your 500 Mbps link today will be 1 Gbps next year. Size for 1.5 Gbps.
3. Account for SSL inspection overhead — If you plan to decrypt HTTPS traffic (and you should), check the SSL inspection throughput number separately. It is always lower than Threat Protection.
4. Count concurrent sessions — A typical office user generates 200-500 concurrent sessions. A developer or power user generates 1,000+. Multiply by your user count and add 30% buffer.

Step 3: G-Series vs F-Series — Which Generation to Buy

Fortinet currently sells two generations of FortiGate firewalls. Understanding the difference is critical for your buying decision.

G-Series (SP5 ASIC) — The New Generation

The G-series runs on Fortinet's SP5 Security Processing Unit — a System-on-Chip (SoC) that integrates the CPU, network processor, and content processor onto a single 7nm chip. Think of it like Apple's M-series chips versus Intel's separate CPU + GPU approach.

Why it matters:

• All security functions (L7 firewall, IPS, anti-malware, SSL inspection, SD-WAN, ZTNA) run concurrently on one chip — no bottleneck shuttling data between separate processors
• 17x faster firewall processing and 32x faster crypto versus CPU-only firewalls
• 88% lower power consumption — significant for branch offices and rack density
• Runs 2x more concurrent applications than previous generation

Available models: FortiGate 30G, 50G, 70G, 90G, 120G, 200G (branch to mid-enterprise)

F-Series (NP7 ASIC) — Still the Choice for Large Enterprise

The F-series uses NP7 (Network Processor 7) — a dedicated network ASIC paired with CP9/CP10 content processors as separate chips. This architecture delivers raw hyperscale performance.

Why it still matters:

• Handles millions to billions of concurrent sessions — required for data centre edge and large campus deployments
• Ultra-low latency packet processing for high-frequency trading, real-time applications
• Models above 200G (400F, 600F, 1000F, 1800F, 2600F, 3000F, 4800F) are only available in F-series

Bottom line: For branch offices and mid-enterprise (up to ~1,000 users), buy G-series. For large campus, data centre edge, and hyperscale (1,000+ users), buy F-series. The G-series 200G is the crossover point.

Step 4: Pick Your Model — The Complete Comparison

G-Series Models (SP5 ASIC)

F-Series Models (NP7 ASIC) — Mid to Large Enterprise

G-Series vs F-Series: Head-to-Head at Similar Price Points

If you are comparing models in overlapping tiers, here is how they stack up:

Our recommendation for new purchases: If the G-series model covers your throughput requirement, always buy G-series. The SP5 architecture is more power-efficient, runs cooler (fanless on smaller models), and gets priority for FortiOS feature updates. The F-series remains the right choice only when you need throughput above what the 200G delivers.

Step 5: Choose Your Subscription Bundle

The FortiGate hardware is only half the purchase. FortiGuard subscriptions power the security intelligence — without them, your FortiGate is just a stateful firewall with no IPS signatures, no URL filtering, no sandboxing, and no support.

Fortinet offers three bundles. Here is exactly what each includes:

ATP — Advanced Threat Protection (Entry Tier)

• FortiGuard IPS — intrusion prevention signatures, updated hourly
• FortiGuard Antivirus — signature and heuristic malware detection
• FortiGuard Application Control — identify and control 4,000+ applications
• FortiSandbox Cloud — AI-driven cloud sandboxing for zero-day file analysis
• Inline CASB — Cloud Access Security Broker for SaaS visibility
• FortiCare Premium — 24x7 technical support, firmware updates, hardware replacement

Best for: Organisations with existing web filtering solutions who need core threat prevention. Minimum viable subscription for any production FortiGate.

UTP — Unified Threat Protection (Most Popular)

Everything in ATP, plus:

• FortiGuard URL Filtering — categorised web filtering with 300+ million rated URLs
• FortiGuard DNS Filtering — block malicious domains at DNS resolution
• FortiGuard Video Filtering — granular YouTube/Vimeo category control
• Anti-Botnet & C2 Detection — identify and block command-and-control communications

Best for: Most Indian enterprises. UTP covers the security stack that compliance frameworks like RBI cybersecurity guidelines, CERT-In directives, and ISO 27001 expect — IPS, antivirus, web filtering, and DNS security. This is our most recommended bundle.

Enterprise Protection (ENT) — Full Stack

Everything in UTP, plus:

• Data Loss Prevention (DLP) — 500+ data patterns for PII, financial data, healthcare records, custom regex
• AI-based Inline Malware Prevention — real-time AI/ML detection beyond signatures
• IoT Detection & Vulnerability Correlation — automatically discover and classify IoT/OT devices, map to known CVEs
• Attack Surface Security Monitoring — continuous risk scoring of your security posture
• FortiConverter — migration tool for converting policies from Cisco, Palo Alto, Check Point, SonicWall

Best for: BFSI, healthcare, government, and organisations subject to DPDPA 2023 (need DLP), or environments with IoT/OT devices (manufacturing, hospitals, smart buildings).

Subscription Duration — 1-Year vs 3-Year vs 5-Year

Fortinet offers subscriptions in 1, 3, and 5-year terms. The price difference is significant:

• 3-year term saves approximately 15-20% versus buying 1-year three times
• 5-year term saves approximately 25-35% versus annual renewals
• Caveat: 5-year locks you into the current hardware generation. If your throughput needs change significantly, you cannot transfer the subscription to a different model.

Our recommendation: 3-year UTP for most enterprises. It hits the sweet spot between cost savings and flexibility. Buy 5-year only if you are confident the model will serve you for the full term — typically for branch office deployments where bandwidth is stable.

Step 6: Real-World Sizing Examples

Here are five common deployment scenarios we encounter with Indian enterprise customers, and what we recommend for each:

Scenario 1: IT Company, 80 Employees, Single Office in Noida

Internet: 500 Mbps leased line
Requirements: Full UTM, SSL inspection on all traffic, SD-WAN ready for future second link
Recommended: FortiGate 90G + UTP 3-year
Why: 2.2 Gbps Threat Protection gives 4x headroom over the 500 Mbps link. Fanless = zero noise in a small office. 2.6 Gbps SSL inspection handles full HTTPS decryption without becoming a bottleneck. SD-WAN built-in for when they add a second ISP link.

Scenario 2: Manufacturing Company, 300 Users + 200 IoT Devices, Manesar

Internet: Two 1 Gbps links (SD-WAN)
Requirements: IPS, web filtering, IoT device discovery, OT network segmentation, DPDPA compliance (DLP)
Recommended: FortiGate 200G + Enterprise Protection 3-year
Why: 6 Gbps Threat Protection handles 2 Gbps aggregate with 3x headroom. 11M concurrent sessions easily handles 500 devices. Enterprise bundle provides IoT detection for the factory floor devices and DLP for DPDPA compliance. 1U rackmount fits the server room.

Scenario 3: Bank, 1,200 Users, HQ + 15 Branches

Internet: 10 Gbps MPLS + internet breakout
Requirements: RBI cybersecurity compliance, full threat prevention, SSL inspection on all external traffic, HA pair
Recommended: HQ: FortiGate 400F HA pair + Enterprise Protection 3-year. Branches: FortiGate 70G or 90G + UTP 3-year (managed via FortiManager)
Why: 400F delivers 9 Gbps Threat Protection for the 10 Gbps MPLS — with SSL inspection at 10 Gbps, full HTTPS decryption is viable. HA pair ensures zero downtime (RBI requirement). Enterprise bundle provides DLP for financial data and attack surface monitoring. Branches get G-series for power efficiency and central management through FortiManager.

Scenario 4: SaaS Startup, 40 Remote Employees, No Office

Internet: Employees on home broadband, no central office
Requirements: Zero Trust access to cloud apps, endpoint visibility
Recommended: FortiSASE (not a FortiGate appliance)
Why: If you have no physical office, you do not need a physical firewall. FortiSASE delivers ZTNA, SWG, CASB, and SD-WAN as a cloud service — same FortiGuard intelligence, no hardware.

Scenario 5: Hospital, 500 Users + 1,000 Medical IoT Devices, Delhi NCR

Internet: 2 Gbps dual ISP
Requirements: IoT/OT segmentation for medical devices, DPDPA compliance for patient data, 24x7 uptime
Recommended: FortiGate 400F HA pair + Enterprise Protection 3-year
Why: 1,500 total devices (500 users + 1,000 IoT) generate heavy session counts — 400F's 7.8M concurrent sessions handles this. Enterprise bundle provides IoT detection to automatically classify infusion pumps, MRI machines, and HVAC controllers into security zones. DLP protects patient health records under DPDPA. HA pair ensures the firewall never goes down — critical for life-safety medical equipment.

Common Sizing Mistakes Indian Enterprises Make

After deploying hundreds of FortiGate firewalls across Indian enterprises, here are the mistakes we see repeatedly:

Mistake 1: Sizing on Firewall Throughput Instead of Threat Protection

A customer with a 1 Gbps link buys a FortiGate 70G because "10 Gbps firewall throughput is 10x my bandwidth — plenty of headroom." Then they enable IPS, antivirus, web filtering, and SSL inspection. Actual throughput: 1.3 Gbps Threat Protection, 1.4 Gbps SSL inspection. They are already at the ceiling. The fix: they needed a 90G or 120G.

Mistake 2: Forgetting SSL Inspection

Over 90% of internet traffic is HTTPS-encrypted. If your FortiGate cannot decrypt and inspect it, your IPS and antivirus are blind to most threats. SSL inspection throughput is always lower than other metrics — sometimes significantly. Always check this number and size accordingly.

Mistake 3: Buying Without Subscription

We have seen companies buy FortiGate hardware and skip the FortiGuard subscription to "save costs." This turns a next-generation firewall into a basic stateful firewall from 2005. No IPS signatures (updated hourly), no antivirus definitions, no URL categorisation, no sandboxing, no support. The subscription is not optional — it is what makes the FortiGate a FortiGate. Read our detailed article on what happens when FortiGate subscriptions expire.

Mistake 4: No HA for Production Firewalls

A single FortiGate is a single point of failure. If it dies — hardware fault, power surge, bad firmware update — your entire organisation loses internet and inter-VLAN connectivity. For any production deployment with more than 50 users, deploy in High Availability (active-passive or active-active) pair. Yes, this doubles the hardware cost. No, the alternative is not acceptable for business continuity.

Mistake 5: Oversizing "Just in Case"

The opposite problem. A 100-user company buys a FortiGate 400F because "we might grow." The 400F costs 4-5x more than a 90G. A better approach: buy the 90G now, and when you outgrow it in 3-5 years, trade it in and buy the appropriate next model. FortiGate hardware holds its value well on the secondary market, and Ogma offers competitive trade-in pricing for existing customers upgrading.

Quick Reference: Model Selection by User Count

This is a simplified guide. Actual sizing depends on bandwidth, enabled features, and traffic patterns. Use this as a starting point, then validate with your Fortinet partner.

What FortiOS Version Should You Run?

As of March 2026, the current stable release is FortiOS 7.6.6. Key features relevant to your sizing decision:

• GenAI integration (FortiAI) — AI-powered threat analysis and configuration recommendations
• AI/ML-based IPS detection — machine learning models for zero-day attacks beyond signature matching (added in 7.6.3)
• Built-in SD-WAN — no separate license required on any FortiGate model
• ZTNA proxy — Zero Trust Network Access built into FortiOS, no additional appliance needed
• Wi-Fi 7 support — FortiAP K-series (802.11be) management

Important: FortiOS 7.6 removes SSL VPN support on models with 2 GB RAM (FortiGate 40F, 60F). If you rely on SSL VPN for remote access, either use IPsec VPN / ZTNA instead, or buy a 70G or higher model.

Get Your FortiGate Sized and Quoted — Free

Still not sure which model fits? That is exactly what we are here for. Tell us your user count, internet bandwidth, number of sites, and compliance requirements — our NSE 7 certified engineers will recommend the right FortiGate model, subscription bundle, and deployment architecture. We will also provide a competitive quotation with proper GST invoicing.

• Request a sizing consultation: Contact our team — we respond within 4 working hours
• Get a FortiGate quotation: Request pricing for any FortiGate model with UTP/ATP/ENT bundles
• Talk to an engineer: Call +91 80 0979 0979 or email [email protected]
• Already own a FortiGate? Book a free configuration review — we will audit your setup and tell you if your current model is undersized

Ogma Consulting is an authorised Fortinet partner based in Gurugram. We sell, deploy, and support FortiGate firewalls across India — from single-site SMBs to multi-site enterprises with thousands of users. Every FortiGate we sell comes with our engineering team's deployment support, not just a box and a tracking number.