FortiGate appliances use dedicated ASICs (Application-Specific Integrated Circuits) for network processing. Understanding what these chips do — and where commodity x86 achieves parity — is necessary for rational sizing decisions.
FortiGate's ASIC architecture
Fortinet uses three custom processor families:
NP (Network Processor): Handles Layer 3/4 forwarding, stateful firewall processing, and IPsec VPN encryption/decryption offload. The NP7 (current generation) processes packets at line rate without CPU involvement, enabling multi-gigabit firewall throughput with near-zero latency.
CP (Content Processor): Handles cryptographic operations and content inspection — SSL/TLS inspection, IPS signature matching, and virus scanning. The CP9 can perform TLS decryption at 20+ Gbps.
SP (Security Processor): Used in higher-end models for application identification and deep packet inspection.
Where ASICs outperform x86
The NP processor advantage is measurable at high throughput:
| Traffic type | FortiGate 60F (NP6Lite) | Commodity x86 (2-core) |
|---|---|---|
| Firewall throughput | 10 Gbps | ~3-5 Gbps |
| IPsec VPN throughput | 6.5 Gbps | ~1-2 Gbps (AES-NI) |
| TLS inspection throughput | 1 Gbps | ~500 Mbps |
| Firewall latency | ~4 μs | ~50-200 μs |
These numbers matter for enterprise edge deployments handling multi-gigabit WAN links or thousands of concurrent VPN tunnels.
Where x86 achieves parity
For deployments with:

- Internet uplinks under 500 Mbps
- Under 200 concurrent users
- Under 500 concurrent VPN tunnels

modern x86 with AES-NI (hardware AES acceleration, standard on all Intel/AMD CPUs since ~2010) and multi-core processing reaches equivalent throughput. The NP processor advantage becomes unmeasurable below ~1 Gbps of actual traffic.
```bash
# Verify AES-NI availability on Linux
grep -m1 aes /proc/cpuinfo

# Benchmark AES-256-GCM performance
openssl speed -evp aes-256-gcm
```
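An added example (not part of the original post) that makes the two checks above quantitative: it matches the `aes` CPU flag as a whole word and converts the `openssl speed` table to Gbps, so the result can be set against the uplink figures in this section. The function names and the sample table are constructed for illustration, and the figure is a single-core, cipher-only ceiling, not firewall or VPN throughput.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): turn `openssl speed` output into Gbps.

# Constructed sample of `openssl speed -evp aes-256-gcm` output (illustrative values).
SAMPLE_SPEED='type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
AES-256-GCM     400000.00k   800000.00k  1100000.00k  1250000.00k  1300000.00k  1310000.00k'

# has_aesni [FILE]: succeed only if the CPU flag list contains "aes" as a whole
# word, so newer flags such as "vaes" are not mistaken for AES-NI.
has_aesni() {
    grep -m1 -E '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# gcm_gbps BLOCK: read `openssl speed` text on stdin and print the AES-256-GCM
# rate for BLOCK-byte buffers in Gbps (openssl reports 1000s of bytes/second).
gcm_gbps() {
    awk -v want="$1" '
        $1 == "type" {                         # header: type 16 bytes 64 bytes ...
            for (i = 2; i < NF; i += 2) if ($i == want) col = i / 2 + 1
        }
        col && tolower($1) ~ /^aes-256-gcm/ {  # result row: name 400000.00k ...
            v = $col; sub(/k$/, "", v)
            printf "%.2f\n", v * 1000 * 8 / 1000000000
            found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# bench: run the real benchmark. 1024-byte buffers are the closest column to
# MTU-sized packets; the result is a one-core, cipher-only ceiling.
bench() {
    has_aesni || echo "no aes CPU flag: expect software-AES speeds" >&2
    echo "AES-256-GCM @1024B: $(openssl speed -evp aes-256-gcm 2>/dev/null | gcm_gbps 1024) Gbps"
}

if [ "${1:-}" = "--bench" ]; then
    bench
else
    echo "sample @1024B: $(printf '%s\n' "$SAMPLE_SPEED" | gcm_gbps 1024) Gbps"
fi
```

Run it with `--bench` to measure the local CPU; without arguments it only parses the embedded sample.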
A 4-core x86 system running CacheGuard can handle:
- 1 Gbps+ firewall throughput
- 500 Mbps+ TLS inspection (limited by SSL handshake rate, not bulk throughput)
- Hundreds of concurrent IPsec VPN tunnels
FortiGuard threat intelligence: the non-hardware advantage
Separate from the ASIC processing, FortiGate's operational advantage includes FortiGuard Labs — Fortinet's threat intelligence operation that updates IPS signatures, URL categories, and malware definitions continuously. This is a cloud service, not a hardware feature.
The update frequency and breadth of FortiGuard intelligence are materially better than those of open-source alternatives (ClamAV signatures, community URL blocklists). For environments facing sophisticated, targeted threats, this is a real operational difference.
For standard SMB threat profiles — commodity malware, phishing, drive-by downloads — ClamAV signatures and maintained URL blocklists (or a subscription category database at ~€5/month) provide adequate coverage.
The hardware lock-in consequence
FortiGate hardware cannot run third-party software. FortiOS is proprietary. If Fortinet changes pricing, deprecates a model, or is acquired, your options are limited to whatever Fortinet offers.
On commodity x86, you run software you control on hardware you can replace from any vendor. The hardware is a commodity; the software can be updated, replaced, or forked.
Sizing guidance
FortiGate is the right choice if:
- Internet uplink > 1 Gbps AND TLS inspection is required
- Deployment requires FortiGuard intelligence at enterprise update frequency
- IPS (intrusion prevention) is a hard compliance requirement
- You operate > 500 concurrent VPN tunnels
Commodity x86 with CacheGuard is sufficient if:
- Internet uplink < 500 Mbps
- Organisation size < 500 users
- Standard threat protection (firewall, antivirus, URL filtering, WAF) meets security requirements
- Hardware independence and zero licensing cost are operational priorities
→ https://www.cacheguard.com/fortinet-alternative/
Originally published on the CacheGuard Blog. CacheGuard is free and open source — GitHub.
