ASIC-accelerated next-generation firewall platform combining network security, SD-WAN, and zero-trust access with hardware-speed inspection.
# Fortinet FortiGate
Fortinet FortiGate is a hardware and software security platform built to inspect, filter, and control network traffic at scale. It exists because organizations need more than basic packet filtering: they need a unified system that can enforce granular access policies, decrypt and inspect encrypted sessions, block exploits in real time, and route traffic intelligently across distributed networks. FortiGate solves the problem of security fragmentation, where organizations historically deployed separate appliances for firewalling, intrusion prevention, VPN, and web filtering, each generating siloed logs and requiring separate management. By consolidating these functions into a single platform powered by purpose-built silicon, FortiGate reduces operational complexity without sacrificing inspection depth or throughput.
---
Fortinet FortiGate is a network security platform that combines stateful firewall enforcement, deep packet inspection, intrusion prevention, application control, SSL/TLS decryption, SD-WAN, and zero-trust network access (ZTNA) within a single operating system called FortiOS. The platform is available as physical appliances ranging from desktop-class units suitable for small branch offices to chassis-based hyperscale systems designed for data center cores. It is also available as virtual machine instances (FortiGate-VM) for deployment in private and public cloud environments including AWS, Azure, and Google Cloud.
FortiGate is not a simple stateful firewall. Stateful firewalls track connection state but perform no content inspection. FortiGate's inspection engine operates at Layer 7, examining application payloads, DNS queries, URL categories, and file transfers in real time. It is also distinct from a standalone IPS appliance, which passively monitors traffic without enforcement capability. FortiGate enforces, blocks, resets connections, and quarantines endpoints through Security Fabric integration.
FortiGate is not a SIEM. It generates and forwards log data to FortiAnalyzer or third-party SIEM platforms, but it does not correlate events across organizational systems or provide case management. Practitioners sometimes confuse the platform's broad visibility with comprehensive threat detection across all data sources. FortiGate sees what traverses its interfaces. It does not see lateral movement occurring entirely within a flat network segment that bypasses its inspection path.
Product variants include the FortiGate desktop series (60F, 80F), mid-range rack appliances (100F through 600F), high-performance platforms (1000F, 2600F, 3700F), and the hyperscale series (7000 and 6000 chassis). Each tier is matched to specific throughput requirements, redundancy needs, and feature sets.
---
When a network packet arrives at a FortiGate interface, it enters a processing pipeline that begins with interface-level policy lookup and proceeds through a sequence of security inspection modules before the traffic is either forwarded, dropped, or redirected.
## Policy Lookup and Session Management
FortiOS first checks whether the incoming packet belongs to an existing session tracked in the session table. If a matching session exists and no security profile override applies, the packet is forwarded without full re-inspection, which is how the platform maintains throughput on established, trusted flows. For new connections, the policy engine evaluates the traffic against the configured firewall policy table. Each policy is evaluated in order from top to bottom, matching on source interface, destination interface, source address, destination address, application or service, and user identity. The first matching policy determines the action: accept, deny, or inspect further.
## Security Profile Application
Policies that permit traffic can attach security profiles including antivirus, intrusion prevention, application control, web filtering, DNS filtering, and file filtering. When a security profile is applied, the packet is passed to the relevant inspection engine. FortiOS supports two inspection modes: proxy-based and flow-based. In proxy-based mode, the firewall acts as a full proxy, buffering complete file objects before scanning them, which allows thorough antivirus scanning but introduces latency. In flow-based mode, inspection occurs as packets stream through, which reduces latency and is handled in part by the Content Processor (CP) ASICs.
## SSL/TLS Deep Inspection
A significant percentage of enterprise traffic is encrypted. Without SSL inspection, an IPS signature or antivirus engine cannot see the payload. FortiGate performs SSL deep inspection by terminating the client-to-server TLS session, decrypting the payload, inspecting it, re-encrypting it, and forwarding it to the destination. The firewall presents a re-signed certificate to the client, which requires the FortiGate CA certificate to be trusted by client endpoints. This is typically deployed by pushing the CA certificate through Group Policy or an MDM solution. Certificate-pinned applications, such as certain banking apps, will break under full SSL inspection and require exemption policies.
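The profile below is an added FortiOS CLI example, not configuration taken from the page or from Fortinet documentation. It shows the two halves of the deployment decision just described: re-signing server certificates with the firewall's built-in CA (which clients must trust), and exempting a certificate-pinned application by address object instead of switching inspection off for everyone. The profile name, the address object, and the FQDN `app.bank.example` are assumptions constructed for the example; `Fortinet_CA_SSL` is the name of the default built-in inspection CA.

```fortios
# Added example, not from the original page. Names below are assumed.
# Address object for the pinned application (FQDN is a constructed placeholder).
config firewall address
    edit "Pinned_Banking_App"
        set type fqdn
        set fqdn "app.bank.example"
    next
end
config firewall ssl-ssh-profile
    edit "deep-inspection-outbound"
        set comment "Full TLS inspection; pinned apps exempted by address object"
        # Decrypt and inspect HTTPS on 443, then re-encrypt toward the server.
        config https
            set ports 443
            set status deep-inspection
        end
        # Re-sign server certificates with the built-in CA. That CA must be
        # distributed to endpoints (Group Policy / MDM) or every site will warn.
        set server-cert-mode re-sign
        set caname "Fortinet_CA_SSL"
        # Exemption register entry: traffic to the pinned app is passed through
        # without decryption so certificate pinning does not break it.
        config ssl-exempt
            edit 1
                set type address
                set address "Pinned_Banking_App"
            next
        end
    next
end
```

The profile only takes effect once it is referenced from a firewall policy with `set ssl-ssh-profile "deep-inspection-outbound"`. Each `ssl-exempt` entry is a deliberate blind spot, so the exemption list is the thing to review on a schedule rather than the inspection setting itself.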
## ASIC Acceleration
The NP (Network Processor) ASICs handle high-speed packet forwarding, IPsec VPN encryption and decryption, and flow-based firewall operations at wire speed. The CP (Content Processor) ASICs accelerate computationally intensive tasks such as SSL handshakes, signature matching, and pattern-based content scanning. This offloading is what allows FortiGate to maintain advertised throughput figures under full security inspection, whereas software-only implementations experience significant throughput degradation when all inspection features are enabled.
## Threat Intelligence via FortiGuard
FortiGuard Labs continuously publishes updates to IPS signatures, antivirus definitions, application signatures, URL category databases, and IP reputation lists. FortiGate checks for updates on a scheduled interval (commonly every 60 minutes) and applies them without a service restart. The IPS engine compares traffic payloads against thousands of signatures covering known CVEs, exploit frameworks, and post-exploitation techniques mapped to MITRE ATT&CK tactics.
## Concrete Scenario: Ransomware Lateral Movement Prevention
Consider an environment where a user endpoint on VLAN 10 has been compromised and the attacker is attempting to move laterally to servers on VLAN 20. If the FortiGate is configured as the inter-VLAN routing gateway and security policies enforce traffic inspection between VLANs (rather than allowing all internal traffic freely), the IPS engine will detect and block exploit traffic such as EternalBlue (MS17-010) attempts. Application control will flag unexpected SMB traffic from a workstation to multiple servers in rapid succession. The Security Fabric integration can trigger an automated response to quarantine the source endpoint via FortiNAC or the connected switch port, stopping propagation without manual intervention. Without this segmentation and inspection policy in place, traffic between VLANs flows freely and the lateral movement proceeds undetected.
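The following FortiOS CLI fragment is an added example (not configuration from the page or from Fortinet) that ties together the policy lookup, security profile, and lateral-movement passages above: a top-down policy table for VLAN 10 to VLAN 20 in which the only permitted flow is workstation-to-file-server SMB, inspected in flow mode by an IPS sensor set to block rather than detect, with application control logging, and an explicit logged catch-all deny beneath it so that anything not matched is dropped and recorded. Interface names `vlan10`/`vlan20`, the address objects and subnets, and the sensor and list names are all assumptions constructed for the example; `SMB` is a default FortiOS service object.

```fortios
# Added example, not from the original page. Interface and object names are assumed.
config firewall address
    edit "VLAN10_Workstations"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "VLAN20_FileServers"
        set subnet 10.20.0.0 255.255.255.0
    next
end
# IPS sensor in block mode with packet capture on hit, so exploit attempts
# such as the MS17-010 scenario above are dropped and the packets are kept for triage.
config ips sensor
    edit "eastwest-block"
        set comment "Block medium+ severity east-west; capture packets on match"
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
        end
    next
end
# Application control list that logs every application seen on the flow.
# Category and application IDs come from the local signature database and are
# intentionally not hard-coded here; the policy's service restriction does the allowlisting.
config application list
    edit "eastwest-appctrl"
        set comment "Log all applications crossing the VLAN boundary"
        set other-application-log enable
        set unknown-application-log enable
    next
end
config firewall policy
    # Policies are matched top-down; this is the single documented permit.
    edit 10
        set name "vlan10-ws-to-vlan20-smb"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "VLAN10_Workstations"
        set dstaddr "VLAN20_FileServers"
        set action accept
        set schedule "always"
        set service "SMB"
        set utm-status enable
        set inspection-mode flow
        set ips-sensor "eastwest-block"
        set application-list "eastwest-appctrl"
        set logtraffic all
        set comments "Business requirement reference: <TICKET-ID placeholder>"
    next
    # Explicit, logged deny beneath the permit so unmatched east-west traffic
    # is both dropped and visible in FortiAnalyzer.
    edit 11
        set name "vlan10-to-vlan20-catchall-deny"
        set srcintf "vlan10"
        set dstintf "vlan20"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two details matter for the scenario in the text. First, `set inspection-mode flow` keeps the IPS work on the CP path rather than in the proxy, which is what makes block mode affordable on an inter-VLAN gateway. Second, the catch-all deny is what turns "a workstation talking to many servers in rapid succession" from silent behaviour into a run of logged denies that an automation stitch or SIEM rule can act on; without it the implicit deny still drops the traffic but produces nothing to correlate unless implicit-deny logging has been enabled separately.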
## SD-WAN Configuration
FortiGate's SD-WAN engine selects among multiple WAN links (MPLS, broadband, LTE) based on application-aware rules, link quality measurements (latency, jitter, packet loss), and defined SLA thresholds. Voice and video traffic can be pinned to low-latency paths while bulk data transfers use lower-cost links. This is configured through SD-WAN rules that reference application signatures, providing path selection that is application-aware without requiring additional hardware.
---
Network security controls that cannot inspect encrypted traffic are functionally blind to the majority of modern attacks. As of recent measurements, more than 85 percent of network traffic is encrypted. A firewall that permits TLS sessions without inspection is not enforcing security policy on the contents of those sessions. FortiGate's SSL deep inspection capability directly addresses this blind spot, though it requires careful deployment planning to avoid breaking certificate-pinned applications and to ensure the inspection CA is properly distributed.
Without a platform like FortiGate performing inter-segment inspection, flat or poorly segmented networks allow attackers to move freely once initial access is achieved. The 2021 Oldsmar water treatment facility incident (which, while involving remote access rather than internal segmentation, illustrated the danger of unrestricted network access) highlighted how attackers who gain a foothold can reach critical systems if no enforcement boundaries exist internally. In enterprise environments, the absence of east-west inspection between segments is a consistent factor in how ransomware operators reach backup systems and domain controllers after initial access.
A common misconception is that deploying FortiGate with its default configuration provides meaningful security. Default configurations in many environments do not enable SSL inspection, leave IPS in detection-only mode, and apply minimal application control. The hardware is present, the licenses may be active, but the security posture is not materially better than a basic stateful firewall. Organizations that have not audited their FortiGate security profiles against their actual traffic and risk profile are likely operating with significant blind spots.
A second misconception is that FortiGate's threat intelligence subscription is optional for organizations with mature endpoint security. IPS signatures address network-layer exploit attempts that endpoint agents may not see, particularly in OT/ICS environments where endpoints cannot run agents. Network-layer detection provides a defense-in-depth layer that is independent of endpoint health.
From an operational continuity perspective, FortiGate's high-availability clustering (active-passive or active-active) ensures that a hardware failure does not create an unplanned outage. Organizations that rely on a single unprotected perimeter device and experience hardware failure lose network connectivity until replacement hardware is provisioned, which can take hours or days.
---
CDA approaches FortiGate deployment through the Planetary Defense Model's VSD (Verified Surface Defense) domain, applying the Continuous Surface Reduction (CSR) methodology: every surface you expose is a surface we eliminate.
In practical terms, this means CDA does not deploy FortiGate as a permissive gateway with policies added over time as needs arise. The default posture is deny-all, with explicit permit rules created only for verified, documented business requirements. Every permitted flow is attached to a security profile that matches the sensitivity of the traffic. Inter-VLAN routing through FortiGate is not a convenience feature in this model; it is the enforcement boundary for every east-west flow.
CDA's FortiGate configurations begin with a baseline derived from CIS Benchmark for Fortinet FortiOS, then layered with organization-specific requirements. SSL deep inspection is enabled by default for all outbound traffic, with a documented exemption register for applications that cannot tolerate inspection. IPS is deployed in block mode, not detection mode. Application control policies deny all peer-to-peer, proxy, and remote access applications that are not explicitly authorized.
Where CDA's deployment differs from what many organizations do is in the treatment of management interfaces. CDA isolates FortiGate management to a dedicated out-of-band management network. Administrative access is restricted to specific source IPs, requires certificate-based authentication, and is logged to FortiAnalyzer with real-time alerting on any administrative login. HTTPS management on any production interface is disabled.
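The management-plane hardening described in this paragraph, expressed as an added FortiOS CLI example that is not taken from the page, from CDA's own configurations, or from Fortinet: a dedicated management interface, management protocols stripped from the production interface, an administrator bound to a trusted source subnet and to certificate (peer) authentication, lockout and TLS-version settings for the admin service, and real-time log forwarding to FortiAnalyzer. Interface names, addresses, the admin account, the peer group and the CA certificate name are all constructed assumptions.

```fortios
# Added example, not from the original page. Names and addresses are assumed.
config system interface
    # Out-of-band management only; nothing else is allowed on this interface.
    edit "mgmt"
        set dedicated-to management
        set ip 10.99.0.10 255.255.255.0
        set allowaccess ping https ssh
    next
    # Production interface: no HTTPS/SSH management surface at all.
    edit "wan1"
        set allowaccess ping
    next
end
config system global
    # Admin service TLS floor, idle timeout, and brute-force lockout.
    set admin-https-ssl-versions tlsv1-2 tlsv1-3
    set admintimeout 10
    set admin-lockout-threshold 3
    set admin-lockout-duration 600
end
# Certificate-based admin authentication: the peer definition names the CA
# that must have issued the administrator's client certificate.
config user peer
    edit "admin-cert-peer"
        set ca "CA_Cert_1"
    next
end
config user peergrp
    edit "admin-certs"
        set member "admin-cert-peer"
    next
end
config system admin
    edit "netops-admin"
        set accprofile "super_admin"
        set vdom "root"
        # Only the out-of-band management subnet may even attempt to log in.
        set trusthost1 10.99.0.0 255.255.255.0
        set peer-auth enable
        set peer-group "admin-certs"
    next
end
# Real-time, reliable (TCP) log forwarding so administrative logins reach
# FortiAnalyzer immediately for alerting rather than on a batch upload.
config log fortianalyzer setting
    set status enable
    set server "10.99.0.20"
    set upload-option realtime
    set reliable enable
end
```

The two checks worth scripting after applying this are that every non-management interface reports an `allowaccess` list with no `https`, `http` or `ssh` in it, and that every account under `config system admin` has at least one `trusthost` entry; an account without one accepts logins from any source that can reach a management-enabled interface.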
FortiGuard subscription services are treated as required operational components, not optional add-ons. IPS, web filtering, application control, antivirus, and DNS filtering subscriptions are maintained and verified through automated checks that alert if a subscription lapses or if signature update failures occur for more than four hours.
The SPH (Security Posture Hardening) domain applies to FortiOS configuration management: CDA maintains FortiGate configurations under version control, applies changes through a documented change management process, and conducts quarterly configuration audits to identify policy drift, unused rules, and overly permissive address objects.
Written by CDA Editorial