sase.cloud
Vendor Review

Fortinet

FortiSASE (FortiOS)

7.6/10 avg
9 min read · Updated Feb 2025

Fortinet's SASE story starts and ends with SD-WAN. FortiGate SD-WAN has been named a Leader in the Gartner Magic Quadrant for SD-WAN Infrastructure in consecutive years, and for good reason: the combination of application-aware routing, self-healing mesh overlays, and integrated NGFW security on a purpose-built ASIC platform (NP7/SP5) delivers performance that software-only competitors cannot match. When Fortinet extended this into SASE with FortiSASE, the approach was pragmatic: take FortiOS, the same operating system running on every FortiGate appliance, and deploy it as a VM in cloud PoPs. This gives FortiSASE a genuine architectural advantage: the exact same security policies, application signatures, and FortiGuard threat intelligence that run on your on-prem FortiGate also run in the cloud. For organizations with existing FortiGate infrastructure, this is not marketing; it is operationally meaningful policy consistency.

The trade-off is that FortiOS-in-a-VM is not cloud-native architecture. While competitors like Zscaler and Netskope built their SSE platforms as microservices from the ground up, FortiSASE runs FortiOS instances in cloud PoPs. This means scaling is VM-based rather than container-based, upgrades follow FortiOS release cycles rather than continuous delivery, and multi-tenancy is achieved through VDOM (Virtual Domain) partitioning rather than native cloud isolation. For most mid-market deployments this works fine, but at hyperscale (50,000+ users) the architecture shows its lineage. CyberRatings awarded Fortinet AAA for security efficacy, validating that the FortiGuard-powered inspection pipeline — IPS, AV, sandboxing, web filtering — delivers top-tier threat detection regardless of the underlying architecture.

Fortinet's sovereign SASE offering deserves attention for regulated industries. FortiSASE can be deployed in regional PoPs with data residency guarantees, and for organizations subject to data sovereignty requirements (EU GDPR, Australian data localization, Middle Eastern regulatory frameworks), Fortinet offers dedicated tenant options where traffic never leaves the designated geography. The FortiSASE agent (FortiClient) has received mixed reviews in peer assessments — stability issues on macOS and conflicts with third-party endpoint agents have been reported — but Fortinet has addressed many of these in recent FortiClient 7.2+ releases. CASB and DLP capabilities exist but feel less mature than the core SWG and SD-WAN functions, positioned more as checkbox features than deeply integrated components.

Cloud-native: 6/10

FortiSASE runs FortiOS virtual machines in cloud PoPs rather than a purpose-built cloud-native microservices architecture. Scaling is VM-based, requiring instance spin-up rather than container auto-scaling. This architectural choice provides FortiOS consistency but limits elastic scalability and increases upgrade complexity compared to cloud-native competitors. FortiOS release cycles (quarterly major, monthly patch) are faster than traditional appliance vendors but slower than SaaS-native platforms doing continuous delivery.

SSE depth: 7/10

The SSE stack covers all required functions — SWG, CASB, ZTNA, DLP, and sandboxing — powered by FortiGuard threat intelligence with 40+ AI/ML models. Security efficacy is validated by CyberRatings AAA certification. However, CASB lacks the breadth of API integrations found in Netskope or Palo Alto, DLP does not yet support advanced features like EDM or IDM, and the overall SSE experience feels like a FortiGate-in-the-cloud rather than a purpose-built cloud security platform.

SD-WAN: 10/10

Best-in-class SD-WAN, period. FortiGate SD-WAN delivers application-aware routing with 3,000+ application signatures, self-healing SD-WAN mesh with sub-second failover, integrated NGFW security on the same appliance, and ASIC-accelerated performance (NP7 delivers 198 Gbps firewall throughput on the 4800F). The tight coupling of SD-WAN and NGFW on a single device with single-pane management through FortiManager is an operational advantage no other vendor matches.

MSP ready: 7/10

FortiManager provides multi-tenant management with ADOM (Administrative Domain) isolation and template-based provisioning. FortiCloud offers a cloud-hosted management option for MSPs that want to avoid on-prem infrastructure. The MSP tooling is functional but less polished than Cisco's Security Cloud Control: bulk operations, tenant onboarding automation, and per-tenant reporting require more manual configuration. The Engage partner program provides MSP-specific licensing models.

PoP coverage: 8/10

Fortinet operates 30+ FortiSASE PoP locations globally with strong coverage in North America, Europe, and Asia-Pacific. PoP expansion has been aggressive, adding 10+ locations in 2024 alone. Regional PoPs support data residency requirements for sovereign SASE deployments. Fortinet's PoP strategy leverages premium Equinix and data center partners, though total PoP count is lower than hyperscale competitors like Zscaler.

Strengths

+ Best-in-class SD-WAN with ASIC-accelerated performance; consecutive Gartner Leader
+ Same FortiOS policies on-prem and cloud, for genuine operational consistency
+ CyberRatings AAA security efficacy certification with FortiGuard threat intelligence
+ Sovereign SASE options with regional data residency for regulated industries
+ Converged NGFW + SD-WAN on single appliance eliminates security-networking silos
+ Competitive pricing with flexible per-user and per-device licensing models

Watch out

FortiOS-in-VM architecture limits cloud-native elasticity and continuous delivery
SSE depth trails cloud-native competitors in CASB breadth and DLP sophistication
FortiClient agent stability issues reported on macOS in peer reviews
CASB and DLP feel bolted-on rather than deeply integrated into the inspection pipeline
VDOM-based multi-tenancy less elegant than native cloud tenant isolation

Verdict

Fortinet FortiSASE is the right choice when SD-WAN is the primary requirement and SSE is the secondary concern. No other vendor matches FortiGate SD-WAN's combination of application intelligence, ASIC-accelerated performance, and integrated NGFW security on a single appliance. If your organization already runs FortiGates at the branch, FortiSASE extends those same policies into the cloud with genuine consistency — same FortiOS version, same application signatures, same FortiGuard intelligence feeds. This is not a marketing claim; it is an architectural reality that simplifies operations for Fortinet shops.

The honest assessment is that the SSE side of FortiSASE is a generation behind cloud-native competitors. Running FortiOS in cloud VMs delivers security efficacy (CyberRatings AAA proves this) but not cloud-native agility. CASB covers the basics but lacks the API integration depth of Netskope. DLP handles standard patterns but misses advanced features like exact data matching. If your primary use case is securing remote users accessing SaaS applications and you do not have existing FortiGate infrastructure, a cloud-native SSE platform will serve you better.

The sovereign SASE angle is underappreciated. For organizations subject to GDPR, Australian Privacy Act, or Middle Eastern data localization requirements, Fortinet's ability to guarantee that traffic processing stays within a specific geography — combined with the option to deploy FortiSASE in customer-controlled infrastructure — provides compliance assurance that multi-tenant cloud-only platforms struggle to match. Regulated industries in financial services, healthcare, and government should evaluate this capability seriously.

When to pick Fortinet

Choose Fortinet when SD-WAN is the primary driver and you need best-in-class WAN optimization with integrated NGFW security. This is the obvious pick for organizations with existing FortiGate infrastructure — the policy consistency between on-prem FortiGates and cloud FortiSASE eliminates the operational tax of managing disparate policy sets. Regulated industries needing sovereign SASE with data residency guarantees should evaluate Fortinet's regional deployment options. Organizations with price sensitivity will appreciate Fortinet's competitive licensing relative to Palo Alto and Cisco. Avoid if cloud-native SSE architecture is the priority, if advanced CASB/DLP capabilities are critical, or if your user base is predominantly macOS where agent stability has been a concern.
