Fortinet FortiOS
What
FortiOS is the operating system running on Fortinet's FortiGate firewall / branch-connector appliance family (docs.fortinet.com/document/fortigate/). FortiOS implements stateful firewalling, VPN (IPsec + SSL-VPN), SD-WAN, intrusion prevention, and related network-security capabilities on Fortinet's dedicated hardware.
On the sysdesign-wiki, FortiOS appears as one of the interoperability-verified branch connectors for Cloudflare's 2026-04-30 post-quantum IPsec GA.
(Source: sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga)
Role in the wiki
Canonical as a hardware implementation of draft-ietf-ipsecme-ikev2-mlkem — the IETF draft specifying hybrid ML-KEM for IPsec. Cloudflare's 2026-04-30 post:
"Customers using Fortinet FortiOS 7.6.6 and later as their branch connector can now establish post-quantum Cloudflare IPsec tunnels to Cloudflare's global network per draft-ietf-ipsecme-ikev2-mlkem." (Source: sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga)
Parallel to Cisco 8000 Series Secure Routers, this confirms that existing FortiGate hardware can enable PQ IPsec to Cloudflare via a firmware update, not a hardware refresh, so the default-on, no-additional-cost security-upgrade posture extends to third-party branch-connector vendors.
Version requirement
- FortiOS 7.6.6 or later implements draft-ietf-ipsecme-ikev2-mlkem. The Fortinet FortiOS 7.6.6 release notes document the PQ support addition.
Why this matters structurally
Fortinet has a significant share of the enterprise branch-security appliance market. Having FortiOS ship hybrid ML-KEM on schedule alongside Cisco 8000 Series means two of the three dominant enterprise branch-connector vendors were verified interoperable with Cloudflare IPsec at PQ GA. That covers a meaningful fraction of the enterprise IPsec installed base, and is one of the reasons Cloudflare's GA post frames the PQ upgrade as usable "today using hardware you already have."
The third major vendor in this segment, Palo Alto Networks, shipped its PQ IPsec implementation under RFC 9370 before draft-ietf-ipsecme-ikev2-mlkem was available — and as a result is the canonical non-interoperable case as of GA. See systems/palo-alto-networks-ipsec and concepts/ciphersuite-bloat.
Caveats
- The 2026-04-30 Cloudflare post does not disclose Fortinet's architectural approach to ML-KEM integration on FortiGate hardware (software-only vs dedicated crypto accelerator). The PQ handshake's CPU cost on FortiOS hardware is not quantified.
- No tunnel-throughput or concurrent-session numbers for the post-quantum path are disclosed in this post.
- FortiOS versions earlier than 7.6.6 remain on classical IPsec only; upgrade path depends on the FortiGate hardware model and Fortinet's support matrix.
- FIPS-compliance status of the hybrid construction on FortiOS is not explicitly discussed in the Cloudflare post.
- This page is a stub scoped to what the 2026-04-30 Cloudflare post names about Fortinet FortiOS. Detailed FortiOS architecture, SD-WAN orchestration via FortiManager, or non-IPsec FortiGate features are not in scope here.
Seen in
- sources/2026-04-30-cloudflare-post-quantum-encryption-for-cloudflare-ipsec-is-ga — canonical wiki instance. Fortinet FortiOS 7.6.6+ listed as one of two enterprise branch-connector platforms (with Cisco 8000 Series 26.1.1+) verified interoperable with Cloudflare IPsec's 2026-04-30 GA of draft-ietf-ipsecme-ikev2-mlkem hybrid ML-KEM.
Related
- systems/cloudflare-magic-wan-ipsec — the Cloudflare product that verified interop with FortiOS at PQ GA.
- systems/cisco-8000-series-secure-routers — sibling branch-connector platform also verified interoperable at PQ GA.
- systems/palo-alto-networks-ipsec — third major vendor, not yet interoperable (ciphersuite-bloat casualty).
- systems/ikev2-protocol — the key-exchange protocol FortiOS implements.
- systems/ml-kem — the NIST FIPS 203 PQ KEM FortiOS now supports.
- concepts/hybrid-key-encapsulation — the construction FortiOS now implements.
- concepts/post-quantum-cryptography — umbrella domain.