2.6 FortiGate VM, FortiGate CNF & FortiSASE

Key Takeaways

  • FortiGate-VM runs the same FortiOS as hardware on hypervisors (ESXi, Hyper-V, KVM) and public clouds (AWS, Azure, GCP); licensing is by vCPU count via BYOL or on-demand (PAYG) marketplace listings.
  • FortiGate CNF (Cloud-Native Firewall) is a Fortinet-managed firewall service in AWS and Azure where Fortinet operates the firewall instances and you manage only policy.
  • FortiSASE is Fortinet's cloud-delivered Secure Access Service Edge, combining SWG, ZTNA, CASB, and FWaaS with FortiClient/agentless onboarding for remote users.
  • FortiSASE users onboard by installing the FortiClient (FortiSASE) agent, by SWG/PAC proxy for agentless web traffic, or via a site/IPsec connection for a whole location.
  • ZTNA grants access per application after verifying user identity and device posture each session, replacing implicit network-wide trust of traditional VPN.
Last updated: June 2026

Why Cloud Topics Joined NSE 4

The FortiOS 7.6 Deployment and System Configuration domain explicitly added objectives to describe FortiGate CNF and FortiGate-VM in public cloud and to explain FortiSASE administration and user onboarding methods. These are awareness-level, conceptual objectives — you need to know what each product is, how it is licensed or onboarded, and when to use it, rather than deep configuration. They reflect Fortinet's shift from on-box-only security to cloud-delivered and cloud-managed options.

FortiGate-VM in Public Cloud

FortiGate-VM is the virtual-machine edition of FortiGate. It runs the exact same FortiOS image as a hardware appliance, so every concept in this guide — policies, NAT, VPN, security profiles, HA — applies identically. FortiGate-VM runs on:

  • On-premises hypervisors — VMware ESXi, Microsoft Hyper-V, KVM, Xen, Nutanix.
  • Public clouds — AWS, Microsoft Azure, Google Cloud, Oracle Cloud, and others, deployed from each provider's marketplace.

FortiGate-VM Licensing

Licensing is tied to the number of virtual CPUs (vCPUs) allocated, not throughput. Two models exist:

  • BYOL (Bring Your Own License) — you purchase a perpetual or subscription license from Fortinet and apply it to a VM you deploy. Best for predictable, long-running workloads.
  • On-demand / PAYG (Pay As You Go) — you launch the VM from the cloud marketplace and pay hourly through the cloud bill, with the license bundled. Best for short-lived or bursty workloads.

A key exam point: more vCPUs require a larger license tier, and adding vCPUs beyond the license does not increase capacity until the license is upgraded.

FortiGate CNF (Cloud-Native Firewall)

FortiGate CNF is a Fortinet-managed, cloud-native firewall service available in AWS and Azure. The crucial distinction from FortiGate-VM is the management model:

  • With FortiGate-VM, you deploy, scale, patch, and operate the firewall instances yourself (IaaS — infrastructure you run).
  • With FortiGate CNF, Fortinet operates the firewall instances as a managed service. You consume it as SaaS-like security: you define policies and security profiles, and Fortinet handles the underlying firewall scaling, availability, and patching.

CNF integrates natively with cloud routing (for example AWS Gateway Load Balancer) so traffic is steered to the managed firewall without you building and maintaining a VM cluster. For the exam: FortiGate-VM = you manage the firewall; FortiGate CNF = Fortinet manages the firewall, you manage policy.

Public-Cloud Deployment Options Compared

OptionWho operates the firewallBest for
FortiGate hardwareYou, on-premisesPhysical sites, data centers
FortiGate-VM (BYOL)You, in cloud or hypervisorLong-running cloud workloads, existing licenses
FortiGate-VM (PAYG/on-demand)You, in cloudBursty or short-lived workloads
FortiGate CNFFortinet (managed service)Cloud teams that want firewalling without running VMs

FortiSASE

FortiSASE is Fortinet's cloud-delivered Secure Access Service Edge (SASE) offering. SASE converges networking and security into one cloud service so that remote users and branch sites get consistent protection regardless of location. FortiSASE bundles several functions delivered from Fortinet's cloud points of presence:

  • Secure Web Gateway (SWG) — web filtering, AntiVirus, and SSL inspection for user web traffic, applied in the cloud.
  • Zero Trust Network Access (ZTNA) — per-application access with continuous identity and device-posture checks.
  • Cloud Access Security Broker (CASB) — visibility and control over SaaS application usage.
  • Firewall-as-a-Service (FWaaS) — cloud-based firewalling for outbound and inter-site traffic.

The value proposition is that a roaming user's traffic is inspected by a nearby FortiSASE PoP using the same FortiGuard security as an on-prem FortiGate, without backhauling everything to headquarters.

FortiSASE User Onboarding Methods

The blueprint specifically calls out user onboarding methods. FortiSASE connects users and sites in three principal ways:

MethodHow users connectTypical use
Agent-based (FortiClient/FortiSASE agent)The FortiClient (FortiSASE) endpoint agent builds a secure tunnel to the nearest FortiSASE PoP; all (or split) traffic is inspected in the cloudManaged laptops needing full SASE protection and ZTNA
Agentless / SWG (PAC or explicit proxy)The browser/OS is pointed at the FortiSASE Secure Web Gateway via a PAC file or proxy settings — no agent installedUnmanaged or BYOD devices, web traffic only
Site-based (secure private access / IPsec)A whole location connects to FortiSASE over IPsec (often from a FortiGate or FortiExtender), so site users are onboarded as a groupBranch offices, retail sites

Exam tip: Agent-based onboarding (FortiClient) gives the deepest protection and ZTNA; agentless SWG covers web traffic on devices you cannot install software on; site/IPsec onboards an entire location at once.

ZTNA in the Cloud-Access Model

Zero Trust Network Access (ZTNA) replaces the implicit "connected to the VPN means trusted on the whole network" model. With ZTNA, every access request to an application is evaluated against user identity and device posture (patch level, antivirus status, certificate) each session, and the user is granted access only to that specific application — never broad network reachability. FortiGate and FortiClient implement ZTNA on-prem, and FortiSASE delivers it from the cloud.

Fortinet positions ZTNA (alongside IPsec) as the strategic successor to SSL VPN tunnel mode for remote access, which is why it appears across the VPN and Deployment objectives.

Loading diagram...
FortiSASE Onboarding and Cloud Inspection
Test Your Knowledge

What is the key difference between FortiGate-VM and FortiGate CNF in a public cloud?

A
B
C
D
Test Your Knowledge

A company must onboard unmanaged BYOD devices to FortiSASE to protect their web browsing, but cannot install any agent on those devices. Which onboarding method fits?

A
B
C
D
Test Your Knowledge

How is FortiGate-VM licensed when deployed in a public cloud?

A
B
C
D