Fortinet FortiGate FG-40F Performance and Security Testing
For this, we are using our high-end Keysight CyPerf testing machine, with our STH traffic profiles that you have seen on a number of STH reviews so far. The machine itself is able to generate over 2Tbps of traffic, and we use it mostly now for our L4-7 network testing since we have the multi-XGS2 chassis and line card setup for L1-3 and switches. One of the cool parts about our setup, if you have seen previous reviews, is that the gateway devices and firewalls being tested look like real traffic. To be clear, we have a setup designed for really high-end 400Gbps and 800Gbps gear, so running it to test a 1Gbps gateway is more than just a bit of overkill.
First, we ran a simple bidirectional throughput test to verify that the FortiSOC4 can handle line-rate traffic. Realistically, just passing LAN-WAN 1Gbps traffic is not a hard workload, but this is also not the newest gateway device out there.
We saw fairly close to line rate at L2/3 and around 1.85Gbps on L4/7, which is also about line rate. We then switched to our STH gateway device 11 app mix of ChatGPT, Google Drive, Google Sheets, LinkedIn, Netflix, Office365 Outlook and Calendar, Reddit, X.com, and YouTube:
That is more of an unidirectional test, but you can see that we are getting around line rate as well. This is exactly what we have come to expect from gateway devices. Frankly, if you are just NAT’ing traffic at 1Gbps speeds, the FG-40F is overkill.
That, of course, was with the firewall off. Fortinet, however, is a premium brand because it offers various security features, not just a basic firewall.
You may have seen that we have our own STH attack profiles. Some solutions do well, others, like the TP-Link Omada VPN Gateway ER8411, we could not get to block attacks. The experience with the FG-40F was very different. As we showed earlier, Fortinet offers a firewall and features such as flow-based inspection, deep SSL/SSH inspection, high-security IPS, application control, antivirus, web filtering, DNS filtering, email filtering, DLP, file filtering, virtual patching, and UTM logging.
The impact was noticeable on two fronts. Performance certainly dropped from our 1Gbps baseline when these features were turned on, but at the same time, unlike with the base Ubiquiti UCG-Fiber (note we tested the base, no-subscription version back then), TP-Link, and other routers we were testing, the FG-40F destroyed this test. In the test above, only one attack got through, and it was an old Apple CVE. Still, that is really good. Sure, the throughput is way down, but from a straight security standpoint, this is what we want to see. Once we started adding features, we were in the 99.4%+ block rate, which is the best we have seen by far.
The next question is important. What happens when you turn on Fortinet’s features to enable higher levels of security?
We went through the exercise of turning features on and off and trying to quantify how much of a performance impact we saw. Antivirus seemed like a big hit compared to the others. Here is a quick look at when we had the attack profiles on versus off.
Part of the reason for doing this is that folks often say they see vendor claims and apply a scaling factor, often 30-60%, to do sizing for their own workloads. We were closer to Fortinet’s spec sheet with our numbers, often a small percentage off, which was an interesting finding in itself.
There are many things we still need to work through. One example is that we are generating so much data now that we need to figure out how to present it, since most folks do not have the appetite for 50-100 pages of data. We are also using default profiles, and our reviews are generally done as a point in time, but firewalls evolve over time. Still much work to do, which is why we are starting with a more well-seasoned batch of gateway devices. One other major gap we have right now is VPN performance. That is something I am hoping we can add in the second batch of reviews, likely kicking off in Q3 2026. Lots of work still to do.
Fortinet FortiGate FG-40F Power Consumption and Noise
Fortinet has a 12V power adapter that can use different socket adapters. This allows one SKU to be used across different countries.
We generally saw 5-5.6W at idle, which is very good. As a fanless unit, it is also silent.
Fortinet says the average power consumption is 7.74W with a maximum of 9.46W, making this a very low-power device. That is one of the advantages of spinning your own silicon.
Final Words
I first contacted Fortinet in 2013, went to the company’s old HQ in Sunnyvale, and tried kickstarting firewall reviews. That went decidedly nowhere, even though we had purchased a unit to use at the time. Now we have better tools and a bigger team, so I think we can do a solid job on bringing the industry’s gateway devices (sub-2Tbps) into a more standardized review process. The Fortinet FortiGate FG-40F is a neat little unit for those who need a 1Gbps-capable firewall. We also tested the FG-60F in this round. As you might expect, that one is faster and has more ports. These devices offer a ton of features and are relatively easy to use and deploy. Well, easy once you get past the licensing and onboarding hurdles.
To be fair, we are using the FG-40F here because it is an older model, so we figured that would be a good place to start the series. We have a bunch of devices from several vendors already in progress. Our hope is to shed more light on this segment of the market since we often see these devices in our AI data center and lab tours. Overall, it was really neat to see all of the engineering, down to the custom silicon, that Fortinet puts into these firewalls.
Where to Buy
If you want to purchase one of these, here is an Amazon affiliate link.
I can’t wait for y’all to do more firewall reviews. Talk ’bout an opaque industry.
Any chance you will review the Watchguard Firebox M-Series (M270, M290) ?
We’ve got a few hundred of these deployed. They’re far from perfect, but you don’t have millions of hours of experience on them. You’re right. I’ve never seen a review like this and excellent work
Please test the IPsec performance vs other products (enterprise or not) in this price range! Forti does it all in the ASIC and IPsec performance is insane, even on a small box like this. I’d like to see if any other vendors can compare. Just a note that it is particular on what algos it will accelerate, but AES256/SHA256 should not be an issue at all.
HeloPatrik, excellent work. Could you please test the firmware on the PA-440 firewall?
Thank you, and I wish you many pleasant days ahead.
How about flow setup rate, under different conditions? Flow setup (of permitted flows) is also a very basic attack (generally against an Internet-connected device). Most devices can deny at a decent rate, but setup is another matter.
A 5 page ad for Fortigate.
As someone that manages a fleet of 50+ Fortigates, there are serious issues with these models and the firmware, but none of that seems to be mentioned here. Coincidence, I’m sure.
Wonder if HPE will ever release an update to the SRX branch devices, the SRX300 line is 10 years old now, been looking at fortinet now because at least the hardware is current, even PA needs a refresh too at that level
I don’t see this as a Fortigate ad. I’ve never seen anything like the license discussion in an ad. Greybeard IT must be like an old highly quantized llama2 with that bad of comprehension. lolz @ the low IQ bots
These are 2G devices so they’re on the way out on Forti anyway.
Hehe… never thought I’d see a review on the sites I frequent for Fortinet hardware I’ve deployed; big thanks for this guys.
I can say the 40F is one hell of a step up from the 30E; it was a joke at 1GB RAM. You had to run limited geoip or ips rule sets IIRC, but that was 2020ish; right around the beginning of IT security apocalypse.
I agree that these routers (fortigate) aren’t perfect. But for piece of mind they can provide if you’ve done your diligence in designing your networks; as long as the client is willing to pay the license costs, i sure sleep better at night knowing there’s a team of engineers working on the CVE’s & fixes. Also that i can pick up the phone and have them help of I’m stumped. Big plus in my books.
@Greybeard IT I don’t have a doubt that this chinese spyware has a lot of issues. ^^
Please tell us more about licensing costs, ongoing or one-shot ? How much? Can they be bought directly?
Great idea, firewall / router tests! I would love to see vs. Sophos XGS comparison when all security features are on.
This right here is the mainstream appeal of STH. Anyone working IT with 20-200 end users can use real, hard, data like this to guide and inform decisions, report to management, or check the recommendations from a VAR. I will continue to read STH and watch the YouTube channel as long as reviews like this are being made!
Updated: 2026-03-31
Published: 2026-02-06
Description
An improper neutralization of special elements used in an sql command (‘sql injection’) vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
CWE 1 Total
Learn more
CWE-89: Execute unauthorized code or commands
CVSS 1 Total
Learn more
Score Severity Version Vector String
9.1 CRITICAL 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Product Status
Learn more
Vendor
Fortinet
Product
FortiClientEMS
Versions 1 Total
Default Status: unaffected
affected
affected at 7.4.4
References 1 Total
fortiguard.fortinet.com: https://fortiguard.fortinet.com/psirt/FG-IR-25-1142
One of many ongoing issues with FortiNET environs.
Next time, at least check CISA for advisories prior to giving such an unmerited glittering review, right now.
There is also significant history. I am not going to list all 10+ known issues…I have already already compiled a comprehensive report on these issues and it is available on demand
Looking at a new firewall cluster to set-up later this year, and Fortinet is a probable candidate. So I’m very glad I could read your review. I would have liked if the “HA” feature would have been reviewed or even just described.
Y’all are freakn’ out over Fortinet has CVEs. Every Linux distro just had a big ugly one. There’s going to be so many soon. CVEs get found and reported when someone is looking. It’s way worse to have a small vendor firewall and no CVEs.
I like that STH is at least doing the hardware teardown and providing something new and useful in the space. They’re doing what they do for servers.
I have hundreds of these deployed across the EU in smaller sites, along with their 60F brothers for larger locations. While these boxes certainly have some minor issues, I like their cost/performance point and remote management features. Licensing is troublesome, and license renewals are painful, but that is the Forti business case: cheap up front, get paid during renewal, although licensing is not Oracle-level abusive. Enterprise-level discounts are significant btw.
Someone mentioned CVEs, but I see this as a plus when it comes to Forti’s transparency and their speed in fixing them.
Watchguard (inherited 100+ installed units) has proven to be cheaper but much more troublesome, to the point that we’re ripping them out for Forti’s.
Fortinet, the Swiss cheese of firewalls.
Some of these comments are hilarious. The one guy posting a a CVE about FortiClientEMS apparently thinking it’s a firewall is just classic. I’ve worked for a large MSSP for over 24 years and we deploy Check Point, Cisco, Fortinet, Juniper, and Palo firewalls. Fortinet is by far the easiest to deal with. They are very upfront about everything, provide advance noticed concerning CVEs and remediation. Some of the vendors I mentioned almost never mention CVEs in patch release notes unless they’ve made the news cycle. I’ve got firewalls from each of those listed in my home lab, but only the FortiGate is connected to the Internet and in production.
Some notes for the folks asking about the licensing.
These firewalls are meant for business use; the licensing is best done via business write-offs. It’s an annual license, with many levels of care; think similar to anti-virus licenses, just with a different set of protection tools (network level versus endpoint level).
Something I’m not sure if anyone’s mentioned having worked with Fortinet support – I’ve used it a fair amount, and it’s an INCREDIBLE safety net in the event your IT guy gets hit by a bus (for example). They can provide remote support for type devices so long as they are actively licensed; just be aware that they have two license ranges: 8×5 support (no evenings or weekends), and 24×7 support.
They also do 24hr cross-ship on defective units, depending on the level of unit (enterprise cloud units likely have shorter).
Just like any highly recognized brand, they’re going to have security flaws. Fortinet is pretty good about informing off these, as well as remediation techniques, just make sure you set up these notifications within your Fortinet support portal.
Dr_b_: SRX 400 series have been “paper released”. It will come in a 420,440,460 and 480 editions 4x SFP+ ports on 460 and 480 if my memory does not play games with me.
Anyway, SSL decrypt should also be considered when enterprise grade NGFW solutions is validated, aswell as possible SASE integrations and also thirdparty compliance/integration
I use one of these at home and some 100f’s at work. I got mine used with no license, because that’s way cheaper and still has many features that beat consumer crap. They’re down to like $50-100 now IIRC. I would suggest pointing out a few things about the ports on page 1 for this 40f. The A / fortilink port can be reassigned to be just another lan port, giving you 4 lan ports. The usb however can’t do the cheapo-nas function that many consumer routers use. The power connector is the same spec as the other brand of firewall, IIRC sonicwall, to the point that you can save a few bucks buying theirs as a replacement if you got one of these used without an adapter. The underside of the 40f has a place where on a related model, m.2 storage would go, but that’s also not for nas use.
The 40f has a couple fewer license-free features than the 60f IIRC, sorry that I don’t remember which ones. Of course if you keep it licensed, that’s fine. But unlicensed ones are very cheap on ebay, for 40f and 60f. Do keep in mind the rating comparison chart, which indicates the 40f may have insufficient performance for some purposes, and of course it’s gigabit only at this tier. I wouldn’t use their built in SSL vpn anyway, I’d run a separate server with some other type and port forward. And some of the performance-hogging filters / features are licensed, so I don’t use them. You can still define your own filters which can pull from public lists, for certain purposes. So you could definitely do dns filtering like people do with pihole / adguard. I also enjoy being able to define domain names (using the .internal tld) for local use in the same device that defines what those devices can do.
If your wan and any segmented parts of your network don’t need to be mutually accessible at more than a gigabit, e.g. iot and guest devices don’t need multi-gig and your wan connection is not multi-gig, then you can use vlans and switches to let your lan devices access each other and a nas device or server faster than that, with only the other segments being limited.