The focused Fortinet alternative for cloud — the 98% you actually use.

Not the whole platform — and we are honest about that. Fortinet's Security Fabric is broad and powerful: NGFW, SD-WAN, ZTNA, SASE, switching, wireless and endpoint under one FortiOS, across branch, data centre and cloud. If you need that breadth, Fortinet is the right call. Enforza replaces the part most cloud teams actually use — the firewall in your network doing egress, east-west, identity-aware L7, secure NAT and compliance — at a flat per-firewall price with no per-vCPU size tax. It is the right-scoped choice for the cloud firewall job, not a like-for-like swap for a full enterprise platform.

In several places, and we say so plainly. Fortinet has far greater platform breadth (the full Security Fabric); it consolidates hardware and cloud under one FortiOS; it ships curated FortiGuard threat intelligence with lab-validated efficacy; it carries analyst placement, an incumbent track record and a deep MSSP ecosystem; and its published per-model throughput pedigree is hardware-accelerated. If those are what you are buying, Fortinet may be the right platform.

It is a fair question, not a criticism of the product. The Security Fabric spans hundreds of features built for branch, campus, end-user devices, data centre and cloud. A cloud workload firewall typically exercises a fraction of that surface — yet you license, size and operate the whole platform, with the hourly software charge scaling by instance size and FortiCare/FortiGuard subscriptions stacked on top. The question to ask is whether those capabilities are what your cloud actually requires, or breadth you are paying for and rarely switching on.

No. Enforza filters egress by SNI and FQDN without decrypting TLS and without holding your keys. Most deep-inspection and advanced threat features on a full NGFW only work once you enable SSL/TLS inspection — terminating and decrypting your own traffic, managing certificate trust on every workload, and dealing with the apps that break under inspection. Enforza gives you identity-aware L7 egress control with no man-in-the-middle and no key custody.

Cloud traffic is overwhelmingly service-to-service and human-to-service — workloads and APIs talking to each other and reaching out to the internet for updates and SaaS. It is not end-user-device traffic, and securing a user's laptop or phone belongs on the device itself, at the endpoint, not on a network firewall in your VPC. A large share of a full NGFW platform's feature surface is built for end-user-device security at a campus or branch edge — valuable there, largely beside the point for a cloud workload firewall. Enforza focuses on what the cloud path actually needs.

Enforza is a flat per-firewall licence — £179/month per firewall, dropping to £149 from your sixth — with no per-GB and no per-vCPU size tax, plus the Linux VM you already run. FortiGate-VM bills an hourly software charge that scales with the instance size you run (a larger VM for more throughput means a higher software rate), stacked on FortiCare support and FortiGuard subscriptions, and the real price typically sits behind partner quotes or FortiFlex points rather than a public self-estimate. Rates are directional and dated 2026-06-14 — use our savings calculator for your own numbers.

A self-administered firewall VM needs a reachable management interface to configure it — which is attack surface on the security device itself. Enforza's control plane is outbound-only to the Enforza cloud: there is no inbound management port to open and no admin UI to expose on the firewall instance. The firewall manages up to the cloud, never inward, so the device you put in front of your workloads does not itself become a thing to harden and guard.

Not its full feature depth — and we do not claim to. Fortinet's breadth and hardware-accelerated throughput pedigree are real. On the cloud firewall job, Enforza's measured numbers are strong: a single-pass packet classification and verdict engine with p99 ~49.5 µs first-packet classification, 98.5% of traffic enforced in-kernel on the fast path, and 4.35 Gbps single-stream measured on a small VM, scaling with the VM you choose. The trade we offer is focus and value: the capability a cloud team actually uses, without the breadth, the platform weight or the bill of a full enterprise NGFW.

Yes. Enforza has a genuine free tier — one firewall with L3/L4 policy and network objects, no card required. A 14-day trial unlocks the full feature set, including L7/FQDN filtering, compliance packs, log export and live logs. The paid plan is £179/month per firewall, dropping to £149 from your sixth, plus the Linux VM you already run. Fortinet's motion is demo- and partner-gated, with self-serve only via the cloud marketplaces.