FortiGate CNF Cloud Firewalls
SaaS-delivered NGFW service for AWS VPCs and Azure VNets. Enterprise-grade protection without the complexity of managing security infrastructure.
NGFW Delivered as a Service
FortiGate CNF is a next-generation firewall (NGFW) service delivered as SaaS that simplifies protection for your cloud workloads by eliminating the need to manage security infrastructure.
Get all FortiOS NGFW capabilities, including IPS, web filtering, DNS security and botnet protection, powered by FortiGuard Labs threat intelligence updated in real time.
Multi‑Cloud Firewall
Zero-Management SaaS
Fully managed service: no software licensing, sizing, deployment or patching. Pay only for security processing credits.
Enterprise NGFW
Full FortiOS capabilities: known bad IP blocking, geo-IP filtering, IPS, DNS security, anti-botnet protection and sandbox/AV.
Global Geo-Fencing
Restrict traffic by geographic location for regulatory compliance and attack surface reduction with granular per-country policies.
East-West Security
Lateral movement protection between VPCs/VNets with microsegmentation and consistent security policies across your cloud infrastructure.
Dynamic Security
Policies based on FQDN objects, geo objects, cloud metadata and resource tags for adaptive security in dynamic environments.
Centralized Multi-Account
Manage security for multiple AWS accounts or Azure subscriptions from a single centralized CNF instance.
Complete Egress Traffic Control
Protect all outbound traffic from your cloud workloads with deep inspection and granular policies that prevent communications with malicious destinations.
- Block known malicious IPs with FortiGuard reputation
- URL category filtering for browsing control
- Prevent communication with C&C servers
- Geo-fencing for data sovereignty compliance
Lateral Movement Protection
Implement segmentation and microsegmentation between VPCs and VNets to detect and prevent threats attempting to spread laterally in your cloud infrastructure.
- Microsegmentation between workloads and applications
- IPS inspection of inter-VPC/VNet traffic
- Anomalous behavior detection between segments
- Integration with Transit Gateway and VNet peering
Dynamic Policies for Cloud Environments
Create security policies that automatically adapt to changes in your cloud infrastructure using metadata, tags and dynamic objects.
- FQDN objects for dynamic network destinations
- Geographic objects for location-based policies
- Integration with cloud instance metadata
- Resource tags for policy automation
Enterprise Use Cases
Enterprise Cloud Migration
Organizations migrating critical workloads to the cloud that need enterprise-grade security without operational complexity.
Multi-VPC Architectures
Enterprises with multiple VPCs or VNets requiring consistent security policies and centralized management across their cloud footprint.
Regulatory Compliance
Regulated industries (finance, healthcare) that must comply with GDPR, HIPAA, PCI-DSS and require geo-fencing and traffic controls.
Secure DevOps
DevOps teams needing API-automatable security, integrated with CI/CD pipelines and compatible with infrastructure as code.
FortiGuard Services
Intrusion Prevention (IPS)
Protection against exploits, vulnerabilities and known attacks with signatures continuously updated by FortiGuard Labs.
DNS Security
Blocking malicious domains, DNS tunneling prevention and protection against DNS query-based attacks.
Botnet Protection
Detection and blocking of communications with known botnets and command and control (C&C) servers.
Sandbox & Antivirus
Analysis of suspicious files in a cloud sandbox and antivirus protection with signatures updated in real time.
Geo IP & IP Reputation
Global IP reputation and geolocation database for location-based policies and blocking malicious sources.
URL Filtering
URL categorization and web filtering to control site access by category, risk or corporate policy.
Operational Benefits
Supported Cloud Architectures
AWS Multi-VPC
Centralized deployment for multiple VPCs with Transit Gateway integration and AWS Firewall Manager.
Azure Multi-VNet
Protection for multiple subscriptions and VNets with Azure Load Balancer integration and VNet peering.
FortiGate VM
Virtual FortiGate instances for ESXi, KVM, Hyper-V and all major clouds with full control.
Containers
FortiGate CNF for Kubernetes and container environments with native network policies.
Transit Hub
Hub-and-spoke architecture with FortiGate as central inspection point for all inter-VPC traffic.
Security Fabric
Native integration with Fortinet Security Fabric for unified visibility and management.
Supported Regulations
FortiGate CNF helps you comply with major global security and data privacy regulations.
PCI-DSS
Network controls and segmentation for card payment environments
HIPAA
Health information protection with access controls and encryption
GDPR
Geo-fencing and data sovereignty controls for European compliance
SOX
Security controls and auditing for corporate financial information
What are Cloud Firewalls and how does FortiGate protect cloud infrastructure?
TUTARI S.A. — Fortinet Authorized Partner
Cloud Firewalls refer to FortiGate VM and cloud-native variants deployed as security perimeters in AWS, Azure, and Google Cloud environments. These instances provide the same threat prevention, policy control, and analytics as on-premises FortiGate, but optimized for cloud architecture including auto-scaling groups, security groups, and cloud-native logging.
FortiGate VM integrates with cloud provider orchestration tools, enables automation via API, and supports SD-WAN hub failover for hybrid cloud and on-premises environments. Organizations gain unified policy management, consistent threat prevention across on-premises and cloud, and reduced reliance on cloud provider security groups.
TUTARI assists with FortiGate VM sizing, cloud subnet design and routing, security group setup, AutoScale policies, integration with your existing FortiGate hub, and ongoing monitoring through FortiAnalyzer. We ensure your cloud security posture matches on-premises standards.
Frequently Asked Questions
Answers to the most common questions about our services
What is the difference between physical FortiGates and Cloud Firewalls?
Do Cloud Firewalls support high availability?
How do Cloud Firewalls fit into a multi-cloud or hybrid network?
How can TUTARI assist with scaling Azure or AWS Cloud Firewalls?
Which licensing model is better for Cloud Firewalls: BYOL or PAYG?
Can I apply the same security policies on-premises and in the cloud?
Compatible Ecosystem
Native integration with leading cloud platforms, enterprise tools, and the Fortinet Security Fabric ecosystem.
Protect Your Cloud Infrastructure with FortiGate CNF
Get enterprise-grade NGFW security delivered as a service, with no infrastructure to manage and FortiGuard Labs intelligence.