Sora Yazılım
English
Custom software solutions from Türkiye

FortiGate CNF: Azure Cloud-Native Firewall Guide (2026)

FortiGate CNF (Cloud-Native Firewall) is Fortinet's next-generation firewall (NGFW) service delivered as SaaS for cloud environments. It protects workloads running in clouds such as Azure without deploying infrastructure or redesigning your network architecture; it delivers capabilities like IPS, web filtering, DNS security, and SSL inspection through a pay-as-you-go model. Fortinet manages updates, patching, and scaling on your behalf.

What is FortiGate CNF?

FortiGate CNF is a Firewall-as-a-Service approach designed for workloads that run entirely in the cloud. Instead of managing an appliance or a virtual machine as you would with a traditional firewall, Fortinet operates the infrastructure and you focus solely on security policies.

As cloud adoption grows, security teams want the same strong control in the cloud that they have in the data center; however, the dynamic nature of the cloud strains traditional firewall models. Manually sizing virtual machines, building high availability, and steering traffic all take time. FortiGate CNF removes this burden: NGFW capabilities are delivered as a cloud service, capacity scales automatically, and maintenance is handled by Fortinet.

CNF is built on Fortinet's mature FortiOS security stack, meaning you get the same threat intelligence and inspection quality in the cloud as in the data center. Sora Yazılım integrates this service into organizations' cloud architectures with its authorized Fortinet channel partner status and NSE 4-7 certified team. You can review our Fortinet solutions page for the full brand portfolio.

FortiGate CNF is part of Fortinet's Security Fabric architecture. This means the cloud firewall operates not as an isolated island but as an integrated layer that communicates with the rest of the organization's security components (FortiGate, FortiAnalyzer, FortiClient). Policy deployment and event correlation from a single console provide a consistent security posture across cloud and on-premises environments.

How does it work in Azure?

In Azure environments, cloud-native security is delivered with the FortiGate CNF service, or by positioning FortiGate-VM in its high-availability and scalability mode (Azure Virtual Machine Scale Sets). Traffic is steered to the security layer with Azure Load Balancer and Route Server/user-defined routes (UDR).

In a cloud-native architecture, the goal is to route traffic exiting multiple virtual networks (VNets) through a centralized security layer. This is most often built with a hub-and-spoke topology: workloads run in spoke VNets while security inspection is performed in a central hub. UDR steers traffic to this hub, where it is inspected and forwarded to its destination.

Scalability is a critical requirement of cloud security. When demand rises, the security layer must grow automatically and shrink when it falls. VM Scale Sets and a load balancer provide this elasticity; in the CNF service, this scaling is managed entirely by Fortinet. Building the right architecture requires expertise in cloud network design and routing; for this reason, we recommend planning it together with our FortiGate consulting service.

Visibility is a frequently overlooked dimension of cloud security. Inspecting encrypted traffic (SSL inspection) prevents threats from hiding in the cloud as well; however, this requires proper certificate management and performance planning. In addition, centralized collection of all inspection logs is essential for both threat hunting and compliance. Tools like FortiAnalyzer collect these logs and produce correlation.

Features and scope

FortiGate CNF delivers next-generation firewall capabilities as a cloud service: intrusion prevention (IPS), web filtering, DNS security, anti-malware, SSL inspection (man-in-the-middle termination), data loss prevention (DLP), and sandbox. These services are centrally managed through FortiManager integration.

The table below summarizes the main capabilities:

CapabilityFunctionBenefit
IPSIntrusion prevention, blocking vulnerability exploitsProtection against known and emerging threats
Web filteringURL- and category-based access controlBlocking access to malicious sites
DNS securityBlocking resolution of malicious domainsCutting off command-and-control communication
SSL inspectionDecrypting and inspecting encrypted trafficMaking encrypted threats visible
DLP and sandboxData leak prevention, file detonationProtection against zero-day and data loss

The service's scope focuses mainly on inspecting outbound and east-west traffic leaving cloud networks. Some traditional firewall functions such as VPN and NAT may fall outside the CNF scope; when needed, these functions are complemented with solutions like FortiGate-VM or a hardware-based FortiGate 90G.

CNF, FortiGate-VM, and hardware

FortiGate security is delivered in three models: hardware appliances (e.g., FortiGate 90G), FortiGate-VM running in the cloud, and the fully managed FortiGate CNF service. The choice depends on whether the environment is cloud or on-premises, your management-overhead preference, and the cost model.

ModelManagementTypical use
FortiGate hardwareCustomer managedOffice, branch, data center edge
FortiGate-VMCustomer managed (in the cloud)Cloud VNet security, full control
FortiGate CNFFortinet managed (SaaS)Cloud-native, low operational overhead

Most organizations adopt a hybrid approach: hardware for on-premises and branch security, and CNF or FortiGate-VM for cloud workloads. Because they all converge in the same FortiOS and FortiManager ecosystem, policy consistency is preserved. This holistic design also simplifies firewall maintenance and lifecycle management.

Another determining factor in model selection is the shared-responsibility split. With hardware and FortiGate-VM, patching, version upgrades, and redundancy are the customer's responsibility; with CNF, most of this responsibility shifts to Fortinet. If the organization's internal resource capacity is limited, the managed-service model reduces operational risk; if there is a strong network team, self-managed models can offer more flexibility.

Advantages

FortiGate CNF's core advantage is operational simplicity: the burden of deploying infrastructure, patching, and scaling disappears. The service is provisioned in roughly 15 minutes and billed on a pay-as-you-go model; this provides both speed and cost predictability.

Being a managed service allows security teams to focus on policy and threat management instead of infrastructure maintenance. Software updates, security patches, and capacity planning are handled by Fortinet; this is especially valuable for organizations with limited cloud-security staff.

The pay-as-you-go model offers consumption-based operating expenditure (OpEx) instead of a fixed hardware investment (CapEx). As traffic and workloads change, cost adjusts accordingly; this naturally suits cloud environments with seasonal or variable load.

Another advantage is consistency. CNF uses the same FortiOS security engine and FortiGuard threat intelligence as the FortiGate in your data center. This allows the security team to use policies and an interface they already know, without having to learn a new tool for the cloud. A single security language reduces operational errors and lowers training costs.

Who is it right for?

FortiGate CNF is ideal for organizations that run most of their workloads in the cloud, operate a large number of virtual networks, and want to reduce their security operations overhead. It stands out especially for teams with a cloud-first strategy that expect rapid deployment.

Software companies building cloud-native applications, organizations with a multi-cloud architecture, and businesses in the middle of a cloud migration all benefit from this model. Rather than trying to move traditional firewall hardware to the cloud, adopting a cloud-appropriate security model is both more agile and more sustainable.

On the other hand, in environments with complex VPN topologies, NAT requirements, or a need for full control, FortiGate-VM may be more appropriate. Determining the right model requires workload profiling and requirements analysis; Sora Yazılım performs this assessment from the outset.

Compliance requirements also influence model selection. Frameworks such as KVKK, PCI-DSS, or ISO 27001 impose specific requirements on where data is processed and how audit logs are retained. Cloud security architecture must be designed to meet these requirements; log collection, retention periods, and reporting should be planned from the start.

The Sora approach and migration

As an authorized Fortinet channel partner, Sora Yazılım runs cloud security projects from architectural design through deployment and continuous operation. NSE 4-7 certified engineers manage Azure network design, routing, and policy migration end to end.

A CNF or cloud-native security project begins with an analysis of the current cloud topology, hub-and-spoke design, a traffic-steering (UDR) plan, and policy design. This is followed by testing in a pilot environment, a controlled production cutover, and validation. This process ensures that existing security policies are migrated to the cloud consistently.

In the continuous operation phase, Sora Yazılım provides policy optimization, threat monitoring, and regular health reporting. It treats cloud security not as a one-time setup but as a managed process. For detailed planning, we recommend proceeding together with our FortiGate consulting service. For ongoing monitoring and improvement after deployment, our FortiGate technical support processes come into play.

Frequently Asked Questions

What is FortiGate CNF?

It is a managed next-generation firewall (NGFW) service that Fortinet delivers as SaaS for cloud environments. Fortinet takes on infrastructure management; the customer focuses solely on security policies.

Which security features does FortiGate CNF offer?

It offers NGFW capabilities such as IPS, web filtering, DNS security, anti-malware, SSL inspection, DLP, and sandbox. It is managed centrally with FortiManager. Some functions such as VPN and NAT may fall outside its scope.

How is FortiGate CNF positioned in Azure?

Cloud-native security is delivered with the CNF service or by deploying FortiGate-VM in scalable mode with VM Scale Sets. Traffic is steered to the security layer with Azure Load Balancer and UDR.

What is the difference between CNF and FortiGate-VM?

CNF is a SaaS service fully managed by Fortinet; FortiGate-VM is a customer-managed virtual machine that offers full control. CNF reduces operational overhead, while FortiGate-VM provides flexibility and full control.

How long does it take to deploy?

FortiGate CNF is typically provisioned in roughly 15 minutes and billed monthly on a pay-as-you-go model; this provides a fast start and cost flexibility.

Is a hardware firewall still needed?

Yes, most organizations run hybrid. Hardware such as the FortiGate 90G is used for office and branch security, and CNF or FortiGate-VM for cloud workloads; all of them converge in the same FortiOS ecosystem.

Conclusion

FortiGate CNF turns the firewall into a service for cloud-native workloads, reducing operational overhead: rapid deployment, automatic scaling, pay-as-you-go, and Fortinet-managed maintenance. Together with hardware and FortiGate-VM, it forms the cloud pillar of a consistent hybrid security architecture. The key is not to lock into a single technology, but to select the most appropriate model for each workload and unify them under the Security Fabric.

To design your Azure cloud security with the FortiGate ecosystem and determine the right model, you can schedule a free discovery call with the Sora Yazılım team.

Need help with the topics in this post?

Schedule a free discovery call with Sora Yazılım — we'll propose a concrete roadmap.

WhatsApp Support