Resizing VM - Fortigate firewall

Jerald K Philip 26 Reputation points


We are planning to deploy a fortigate firewall solution on Azure to safeguard the environment. We were using Azure firewall till now, and due to some missing features like Application control, moving to Fortigate. The deployment is planned to be done as Active-Passive HA using load balancers. As of now there is not much of our workloads in Azure, so we are planning to deploy the firewall using 4 vcpu VMs for now, and later upgrade to 8 vcpu VMs when load is increased. Could you please confirm if it is possible to upgrade the VM size, without much of a downtime or need of redeployment?

Also, one more silly question, if we go with a 8 vcpu VM and 4 vcpu fortigate license, would we be changed the price of the VM for 8 vcpu or 4 vcpu? I could see the below in Fortinet documentation : "The number of vCPUs indicated by the license does not restrict the FortiGate VM from working, regardless of how many vCPUs are included in the virtual instance. However, only the licensed number of vCPUs process traffic and management tasks. The rest of the vCPUs are unused."

Thanks and regards,

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
6,350 questions
0 comments No comments
{count} votes

Accepted answer
  1. Yannic Graber 586 Reputation points MVP


    There are two aspects you have to take care of, Azure itself and Fortigate licensing.
    The upscaling in terms of the VM on Azure should not be a problem at all, if you're scaling within the same VM size family (example D4s_v3 to D8s_v3). This is usually done within seconds rather than minutes.

    Talking about Fortigate, according to the following link, there are two license types available... Bring your own license (BYOL) and Pay as you go (PAYG).

    In your scenario, I'd recommend to use the PAYG option, so you do not have to care about the vCPUs licenses for Fortigate, as this will be charged as you go, just like the name indicate. If you chose the BYOL option, you have to take care yourself to cover all the vCPUs accordingly, as far as I interpreted this correctly.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful