A FortiGate 40F configured with the Explicit Proxy feature and Kerberos authentication on FortiOS version 6.4.11 has been observed to handle up to 1001 concurrent authenticated users in practice. In testing, no additional users appeared in the authentication list beyond this number, even after several thousand authentication tests.
While the FortiGate 40F is a capable entry-level next-generation firewall, its exact user handling capacity can vary significantly based on the specific features enabled and the type of network traffic it processes. The figure of 1001 users applies to a particular scenario involving authenticated users via Explicit Proxy.
Understanding FortiGate User Capacity
The term "user capacity" for a FortiGate device can refer to several different metrics, as the firewall handles various types of connections and services. These metrics are often distinct and have different maximums:
- Concurrent Sessions: The total number of active connections passing through the firewall.
- Authenticated Users: Users who have logged in or been identified by the FortiGate for policy enforcement (e.g., through FortiAuthenticator, Active Directory, or local database).
- VPN Users: The number of concurrent users connected via SSL VPN or IPsec VPN.
- Throughput: The volume of data the device can process per second (e.g., firewall throughput, IPS throughput, VPN throughput).
The observation of 1001 authenticated users for Explicit Proxy with Kerberos provides a practical insight into one specific aspect of user handling.
Observed Authentication Limit
| Feature | Authentication Method | FortiOS Version | Observed User Limit (Concurrent Authenticated) |
|---|---|---|---|
| Explicit Proxy | Kerberos | 6.4.11 | 1001 |
This specific observation highlights a practical upper bound for the number of authenticated users displayed or managed in this particular configuration.
Factors Influencing User Capacity
The number of users a FortiGate 40F can effectively support depends on many factors beyond the observed size of the authentication list:
- FortiOS Version: Different FortiOS releases can introduce performance optimizations or new features that impact capacity.
- Enabled Security Features: Activating features like Intrusion Prevention System (IPS), Web Filtering, Application Control, AntiVirus, or SSL Inspection significantly consumes system resources (CPU and memory), potentially reducing the number of users or sessions the device can handle while maintaining optimal performance.
- Authentication Method: The overhead of different authentication protocols (e.g., Kerberos, LDAP, SAML, local database) can vary.
- Traffic Patterns: The type of network traffic (e.g., many small transactions vs. fewer large file transfers), average session duration, and concurrent connections per user play a role.
- Hardware Resources: While a 40F has fixed hardware, understanding its CPU and memory utilization is crucial when evaluating its real-world performance under load.
- Network Latency: High latency can affect the efficiency of authentication processes and session management.
For specific deployments, consult Fortinet's official datasheets for the FortiGate 40F, which provide theoretical maximums for various performance metrics, and run practical tests that mirror your anticipated network conditions. Limits on concurrent authenticated users are also a common topic in Fortinet community forum discussions.