Buying the wrong FortiGate licence usually shows up in one of two places - overspend at renewal, or security gaps when the appliance is already under pressure. If you are working out how to size FortiGate licensing, the real task is not just matching a firewall to a user count. It is aligning hardware performance, subscribed security services, branch design, and commercial reality so the platform still fits 12 to 36 months from now.
What sizing FortiGate licensing actually means
A lot of buyers start with the firewall model and assume the licence decision is secondary. In practice, FortiGate sizing and licensing are tied together. The appliance determines the baseline throughput and interface capacity, while the licence determines which security functions are active and how much value you are getting from the platform.
That matters because a FortiGate running basic firewalling behaves very differently from one inspecting SSL traffic, applying intrusion prevention, web filtering, application control, antivirus, sandbox integration, SD-WAN, and logging to a central platform. The more services you switch on, the more the appliance's real-world performance with those services enabled matters.
So when you size FortiGate licensing, you are really assessing five variables at once: user volume, traffic profile, enabled security services, site architecture, and growth expectations. Miss any one of them and the quote may still look fine on paper, but the design will not hold up operationally.
Start with the traffic, not the headcount
User numbers are useful, but they are not the best starting point. A 100-user professional services firm and a 100-user manufacturing business can generate very different traffic patterns. One may lean heavily on cloud applications, video meetings, and remote access. The other may have lower internet usage but far more east-west traffic between sites, OT segments, and internal systems.
For that reason, the first question should be how much traffic the firewall must process during normal business peaks. Internet bandwidth is part of it, but so is the proportion of encrypted traffic and the likelihood that full security inspection will be enabled. If a site has a 1 Gbps internet service but only basic policy enforcement, a smaller model may be enough. If the same site expects deep inspection across most sessions, sizing needs to be more conservative.
This is where many procurement exercises go off track. They compare list prices between models without allowing for the real-world cost of under-specifying the appliance and then layering on security subscriptions that the box cannot comfortably run at scale.
How to size FortiGate licensing by security profile
The cleanest way to size FortiGate licensing is to map the licence to the security outcome you actually need.
If your priority is straightforward perimeter control for a small office, basic support and limited add-on services may be enough. If you need broad threat prevention, secure web access, application visibility, IPS, antivirus and URL filtering, a bundled security subscription usually makes better commercial and operational sense.
For organisations with compliance pressure, distributed branches, or lean internal teams, the value is often in consolidated protection rather than buying individual services one by one. Bundles simplify renewal management and reduce the risk of a needed control being left out because the initial quote was built too narrowly.
There is also a practical trade-off here. The cheapest licence mix upfront is not always the lowest-cost option over three years. A bundle may look larger on day one, but if it aligns better to your control set, support expectations, and renewal planning, it often delivers better value.
Understand the common licence layers
Most FortiGate buying decisions sit across three layers: the hardware appliance, FortiCare support, and FortiGuard security subscriptions or bundles. Hardware gives you the processing platform. FortiCare covers vendor support and firmware entitlement. FortiGuard services add threat intelligence and security functions.
From a sizing perspective, support level matters because some environments can tolerate standard response windows while others cannot. A single-site SMB may accept a more modest support arrangement. A business running multiple locations, customer-facing services, or strict availability requirements usually needs stronger support coverage built into the decision from the start.
Bundles versus individual services
There is no universal winner here. If you only require a very small subset of features, selecting services individually can work. But most business deployments end up needing a broader control set once policy is written properly. That is why bundles are often the cleaner option.
They also help avoid a common problem: buying the firewall for today’s minimum requirement, then adding separate services later and finding the final cost exceeds what a properly scoped bundle would have been in the first place.
Site type changes the answer
A head office, a branch, a data centre edge and a remote retail site should not be licensed the same way just because they all use FortiGate.
A branch site may need SD-WAN, secure VPN, web filtering and central visibility, but not the same inspection overhead as a major corporate gateway. A head office may require heavier SSL inspection, remote access capacity, higher session counts and tighter segmentation. A regulated environment may also need stronger logging, retention planning, and integration with the wider Fortinet stack.
This is why model and licence standardisation across every site can be inefficient. It simplifies procurement, but it often creates two bad outcomes: small sites are overbought, and critical sites are under-protected. Better practice is to group sites by role and risk profile, then size appliance and licence accordingly.
Remote access and hybrid work are often underestimated
If your workforce uses VPN regularly, that should be part of the sizing exercise, not an afterthought. Remote users affect throughput, authentication load, concurrent sessions, and inspection demand. Hybrid work also tends to increase reliance on SaaS applications, which changes the encrypted traffic mix.
In other words, a FortiGate supporting 50 office users and 100 occasional VPN users is not the same proposition as one supporting 50 office users only. The licence choice may be similar on paper, but the hardware platform and support posture may need to move up.
Growth matters more than perfect precision
You do not need to predict the future with laboratory accuracy. You do need to avoid sizing to the last available megabit. A firewall that is just adequate at install will usually become a constraint long before the licence term ends.
A sensible rule is to size for current demand plus realistic business growth, additional inspection overhead, and a margin for service adoption. That might include adding a branch, increasing internet bandwidth, enabling stricter SSL inspection, or rolling out more remote access.
This does not mean blindly buying the largest unit in budget. It means understanding where the platform will sit in the organisation over the licence period and choosing a model and subscription set that can absorb normal change without forcing an early refresh.
How to avoid overbuying
Overbuying usually comes from using enterprise design assumptions in a mid-market environment. Not every site needs the full service stack, premium support level, and highest performance tier. If traffic patterns are predictable and the risk profile is moderate, a more measured design can still deliver strong protection.
The discipline is in matching controls to business exposure. If there is no requirement for advanced features at a given site, do not force them in just because a bundle looks comprehensive. Conversely, if a site handles sensitive data, supports business-critical connectivity, or sits under compliance obligations, cutting back on services to hit a budget target often creates more cost later.
That is where working with a certified reseller matters. FortiSecure Store approaches licensing as part of the security design, not just a part number exercise, which is usually the difference between a quote that looks cheap and a deployment that stays cost-effective.
A practical way to size correctly
If you need a workable internal method, assess the site in this order. First, define the role of the firewall - branch, campus edge, head office, data centre, or mixed use. Next, confirm internet bandwidth, expected growth, and whether deep inspection will be enabled broadly or selectively. Then estimate remote access demand, segmentation complexity, and any compliance or logging requirements.
After that, choose the hardware class that can sustain those services under load, not just the raw link speed. Only then should you settle on the support and security subscription mix. That sequence avoids the most common error, which is choosing a low headline-cost appliance first and trying to force the licence model around it afterward.
The commercial question buyers should ask
The right question is not, “What is the cheapest FortiGate licence for this unit?” It is, “What licence and appliance combination gives us the required protection, supportability, and lifespan at the best total value?”
That wording matters because Fortinet buying decisions are rarely just product decisions. They affect uptime, incident response, user experience, branch connectivity, and renewal predictability. A good sizing outcome protects the network and keeps commercial surprises to a minimum.
If you are still weighing options, treat licensing as a design decision with budget consequences, not an add-on at the end of procurement. That is usually where the best-value outcome starts.

