How to Choose FortiGate Models

A FortiGate that looks cost-effective on paper can become expensive very quickly once real traffic, SSL inspection, remote access and branch growth hit production. That is usually where buyers realise that choosing a FortiGate model is less about picking a box and more about sizing for business risk, performance and operational fit.

The good news is that the process does not need to be complicated. If you start with the right inputs, you can narrow the field fast and avoid the two mistakes that cause most pain later - under-sizing for enabled security services, or over-buying capacity you will never use.

How to choose FortiGate models without guessing

The best way to choose a FortiGate is to work backwards from your environment. Model selection should reflect the number of users, internet breakout patterns, application mix, branch topology, WAN design, VPN demand, and whether you plan to switch on the security features you are paying for.

That last point matters. Raw firewall throughput is not the same as real-world throughput with threat protection, deep inspection and logging enabled. A model that looks generous in a datasheet may be marginal once you turn on IPS, application control, anti-malware, SSL inspection and SD-WAN policies. If your business expects full security capability, size for that outcome rather than the headline number.

For most organisations, the practical starting point is simple. Estimate your current peak throughput, then look at expected growth over three to five years. Add in how many concurrent VPN users you support, how many sites need connectivity, and whether cloud applications dominate your traffic profile. Once those variables are clear, the shortlist becomes much more defensible.

Start with the environment, not the part number

FortiGate models suit different roles. A small branch, a busy head office, a campus edge and a data centre perimeter do not have the same requirements, even if they share the same vendor. Buyers often get into trouble by trying to standardise too aggressively across every location.

A small office may only need secure internet access, site-to-site VPN and basic segmentation. A larger site may need multiple WAN links, heavy SSL inspection, local internet breakout, guest network separation, and support for voice or business-critical applications. Those use cases point to very different hardware classes.

It also pays to separate user count from traffic reality. Two sites with 100 users each can behave very differently. One may be mostly SaaS and web browsing. The other may run constant file transfers, video meetings, cloud backups and remote desktop sessions. The second site will place far more pressure on inspection performance.

Key inputs that actually matter

User numbers are useful, but they are not enough on their own. The stronger indicators are peak bandwidth, inspection requirements, number of interfaces, VPN load, and resilience expectations. If high availability is planned, your chosen model also needs to make commercial sense as a pair, not just as a single unit.

Branch density matters as well. If the firewall will act as the hub for many spokes, IPsec capacity and route scale become more relevant. If it is a standalone branch, simplicity and value may outweigh advanced scale.

Then there is management overhead. A slightly higher model that gives you breathing room can be the more economical choice if it avoids redesign, emergency replacement or performance complaints twelve months later.

Match the model to the security features you will enable

This is where many purchases go off track. Organisations compare models on firewall throughput, then deploy them with every meaningful protection profile switched on. Security works best when it is enabled properly, not selectively disabled because the appliance cannot keep up.

If you intend to use IPS, web filtering, application control, antivirus, DNS security, SSL inspection, and central logging, those functions should shape the decision from day one. The more encrypted traffic in your environment, the more processing headroom you need. Modern business traffic is heavily encrypted, so this is rarely a minor consideration.

There is also a trade-off between strict inspection and user experience. A smaller appliance may technically support a feature set, but at peak times latency, session handling and throughput can become the issue. That is why practical sizing should reflect business hours, not just average utilisation.
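
The sizing steps described above (peak rather than average load, growth over the planning period, inspection headroom, VPN demand) can be worked through as follows. This is an added example, not part of the original article or any Fortinet tool: the traffic samples are constructed, and the 08:00-18:00 window, 15% yearly growth, 30% headroom and the candidate figures are assumptions and placeholders, not datasheet values.

```python
import math

# Constructed hourly samples (hour of day, Mbps) for one WAN link; in practice
# export several weeks of data from your monitoring system.
SAMPLES = list(enumerate(
    [20] * 8 + [180, 320, 410, 390, 260, 350, 430, 400, 300, 210]
    + [60, 40, 30, 20, 20, 20]))

# Hypothetical candidates. "inspected_mbps" stands for throughput with the
# security profiles you will actually enable, not raw firewall throughput.
CANDIDATES = {
    "branch-small": {"inspected_mbps": 600, "vpn_users": 200},
    "mid-range": {"inspected_mbps": 1000, "vpn_users": 500},
    "large": {"inspected_mbps": 3000, "vpn_users": 2000},
}

def percentile(values, pct):
    """Nearest-rank percentile of a non-empty list."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]

def size_requirement(samples, growth, years, headroom, start=8, end=18):
    """Return (all-day average, business-hours p95, required inspected Mbps)."""
    average = sum(mbps for _, mbps in samples) / len(samples)
    busy = [mbps for hour, mbps in samples if start <= hour < end]
    peak = percentile(busy, 95)
    projected = peak * (1 + growth) ** years   # compound growth (assumed rate)
    need = projected / (1 - headroom)          # keep peak below (1 - headroom)
    return average, peak, need

def shortlist(candidates, need_mbps, vpn_users):
    """Names of candidates that cover both inspected throughput and VPN load."""
    return [name for name, spec in candidates.items()
            if spec["inspected_mbps"] >= need_mbps
            and spec["vpn_users"] >= vpn_users]

if __name__ == "__main__":
    avg, peak, need = size_requirement(SAMPLES, growth=0.15, years=3,
                                       headroom=0.30)
    print(f"average {avg:.0f} Mbps, busy-hour p95 {peak} Mbps, "
          f"size for {need:.0f} Mbps inspected")
    print("fits if sized on average:", shortlist(CANDIDATES, avg, 150))
    print("fits projected peak:     ", shortlist(CANDIDATES, need, 150))
```

Sizing on the all-day average lets the smallest candidate through; sizing on projected business-hours peak with headroom removes it from the shortlist.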

Licensing and services change the equation

Choosing FortiGate hardware without considering subscriptions is only half a decision. Your security posture depends on the FortiGuard services and support entitlements attached to the appliance. Different organisations prioritise different bundles depending on compliance, visibility and threat exposure.

A leaner deployment may focus on essential filtering, intrusion prevention and support. A more mature environment may require broader threat intelligence, sandboxing, endpoint integration, centralised management or stronger reporting. If those services are part of the plan, make sure the hardware is sized to run them effectively.

Think in roles: branch, campus, edge and data centre

One of the easiest ways to simplify FortiGate model selection is to define the role each firewall will play. That avoids comparing everything as though it belongs in the same category.

For a small branch, the right model is usually the one that delivers solid security, SD-WAN capability and VPN performance without overcapitalising. Port requirements, PoE needs in some cases, and ease of deployment matter more than chasing excess capacity.

For a head office or larger site, throughput under inspection, high availability, segmentation, and support for more complex routing become central. These sites often carry a mix of user traffic, server access, voice and branch aggregation, so headroom is worth paying for.

For internet edge or data centre roles, east-west traffic, application publishing, advanced segmentation and resilience expectations usually push buyers toward higher performance platforms. Here, the cost of under-sizing is much higher because the firewall is sitting in front of critical services and larger traffic volumes.

Budget matters, but replacement pain costs more

Commercial discipline is part of getting this right. The objective is not to buy the biggest FortiGate. It is to buy the right one for the required security outcome at the best value across its service life.

That means looking beyond upfront hardware cost. Consider subscription spend, support cover, deployment effort, rack space, power, and the risk of replacing the unit early because capacity was too tight. A model that is slightly more expensive initially may offer better value if it absorbs growth, supports more services and avoids a forklift upgrade.

At the same time, there is no prize for over-specifying a quiet branch or a small office with modest internet usage. Buyers should be wary of designs that assume every site needs enterprise-scale hardware. Efficient architecture is part of cost control.

When it makes sense to step up a model

Stepping up is usually justified when one of three things is true. First, your inspection requirements are non-negotiable and encrypted traffic is heavy. Second, your growth outlook is clear, such as planned staff expansion, new branches or more cloud adoption. Third, the firewall supports a critical site where downtime or performance degradation carries real business cost.

If none of those apply, a more compact model may be the smarter choice.

Common buying mistakes to avoid

The most common mistake is buying to current average load instead of future peak demand. The second is assuming published throughput figures reflect your actual policy set. The third is ignoring topology, especially for organisations with multiple sites and growing VPN requirements.

Another frequent issue is treating compliance and security goals as optional extras. If the business expects stronger visibility, auditability and threat prevention, that needs to be reflected in the chosen model and bundle. Retrofitting capability later is rarely as tidy or as cheap.

Procurement teams also benefit from checking operational fit early. Port density, WAN interfaces, form factor, support response expectations and management approach all affect long-term value. The appliance has to suit the network and the people running it.

A practical shortlist approach

If you are narrowing options, build a shortlist around three questions. What is the firewall protecting? What services will be enabled from day one? What is likely to change over the next three years?

Those answers usually identify whether you need an entry-level branch platform, a stronger mid-range unit for larger offices, or a higher-capacity model for aggregation, edge or data centre use. From there, compare candidates based on inspected throughput, VPN scale, interface needs, redundancy options and the subscription mix required.

This is also the point where an authorised Fortinet reseller with certified local expertise can save time. A good sizing conversation should reduce ambiguity, not add it. FortiSecure Store approaches that process from the perspective of deployment reality, not just part numbers, which is often the difference between buying fast and buying correctly.

The right FortiGate model is the one that fits your network role, security settings, growth path and budget without forcing compromise where it matters. If you size for the environment you actually run, rather than the appliance you hope will do, the result is usually simpler, stronger and better value over time.
