FortiGuard is the brain behind Fortinet's security effectiveness. Without a FortiGuard subscription, a FortiGate is a stateful firewall — functional, but blind to 99% of modern threats. This guide explains exactly what FortiGuard provides, how the three bundles differ, and which is right for your business.
What is FortiGuard?
FortiGuard Labs is Fortinet's threat intelligence and research organisation — one of the world's largest, with:
- 10 million+ global security sensors
- 100 billion+ security events processed daily
- Hundreds of researchers and analysts monitoring threats 24/7
- Real-time updates pushed to FortiGate (signature updates delivered within minutes of new threat discovery)
FortiGuard translates this intelligence into actionable security controls for your FortiGate:
- Updated IPS signatures for newly discovered exploits
- URL classifications for web filtering (blocking malicious/inappropriate sites)
- Application signatures for application control (identifying traffic)
- File hashes and behavioural patterns for antivirus
- DNS reputation data for DNS security
- Sandboxing capabilities for zero-day file analysis
When you subscribe to a FortiGuard bundle, your FortiGate automatically downloads and applies these updates. Without a subscription, your FortiGate's security databases stop updating — becoming progressively less effective against new threats.
The Three FortiGuard Bundle Tiers
Tier 1: UTP — Unified Threat Protection
Best for: Most Indian SMBs, offices with general internet access
UTP is the recommended starting point for the majority of businesses. It provides all the core NGFW security services in a single bundle.
Services included in UTP:
| Service | What It Does |
|---|---|
| IPS (Intrusion Prevention System) | Detects and blocks exploits against known vulnerabilities — updated continuously |
| Application Control | Identifies and controls 5,000+ applications — block gaming/streaming, allow business apps |
| Web Filtering | URL categorisation — block malicious/adult/gambling/social media sites by category |
| Antivirus (AV) | Gateway-level scanning of files downloaded via HTTP/HTTPS/FTP |
| Mobile Malware Security | Detects Android/iOS malware in network traffic |
| Botnet & C&C IP Reputation | Blocks communication with known botnet C&C servers (critical for ransomware protection) |
| DNS Security | Blocks DNS queries to malicious domains; prevents DNS tunnelling attacks |
| Industrial Security | Basic OT/ICS protocol detection (limited version; full version in Enterprise Bundle) |
| FortiCare 8×5 Enhanced Support | Business-hours support via Fortinet portal and phone |
What UTP is most effective at blocking:
- Network-level exploits targeting unpatched systems
- Drive-by downloads from malicious websites
- Command-and-control communications from infected devices
- Inappropriate web access during work hours
- Bandwidth abuse from streaming/file-sharing
Tier 2: ATP — Advanced Threat Protection
Best for: BFSI, healthcare, legal, any business handling sensitive personal or financial data
ATP includes everything in UTP plus services specifically designed to detect threats that evade signature-based detection.
Additional services in ATP (beyond UTP):
| Service | What It Does |
|---|---|
| FortiSandbox Cloud | Detonates suspicious files in an isolated cloud environment to detect zero-day malware |
| FortiGuard Virus Outbreak Protection | Detects malware before AV signatures are available using machine learning and file reputation |
| Content Disarm and Reconstruction (CDR) | Strips potentially malicious active content from Office documents and PDFs before delivery |
Why ATP matters for sensitive-data businesses:
Standard AV (in UTP) detects known malware using signature matching. Sophisticated attackers create custom malware specifically to evade known signatures — this is how targeted attacks against banks, law firms and healthcare providers work.
FortiSandbox executes the suspicious file in a controlled environment and observes what it does (does it try to contact external IPs? does it modify system files? does it disable security software?). This behavioural analysis catches threats that signature-based AV misses.
CDR (Content Disarm and Reconstruction) is particularly valuable for businesses receiving documents from external parties (customers, suppliers, regulatory authorities). It removes macros and active content from Office files before they reach employees — significantly reducing the risk of macro-based malware.
Tier 3: Enterprise Bundle
Best for: Large enterprise, regulated industries (banking, insurance, power/utilities, government), ISO 27001 certified businesses, multi-site enterprises
Enterprise Bundle includes everything in ATP plus:
| Service | What It Does |
|---|---|
| Security Rating Service | Automated assessment of your Fortinet configuration against best practices; generates a security score |
| IoT Detection | Identifies and classifies IoT devices on your network (CCTV, printers, sensors) |
| Industrial Security Service | Full OT/SCADA/ICS-aware IPS signatures — for manufacturing, utilities, infrastructure |
| FortiCare 360 | Premium support — 24×7 access, dedicated Technical Account Manager, enhanced SLA |
When Enterprise Bundle is worth the premium:
The Enterprise Bundle is most justified when:
- You undergo regular audits (ISO 27001, SOC 2, PCI-DSS) where the Security Rating Service generates compliance evidence
- You have IoT devices on your network (CCTV systems, smart HVAC, industrial sensors) that need classification and security monitoring
- You operate industrial/OT networks (manufacturing plant, water treatment, power substation) where ICS-specific IPS signatures are required
- You need 24×7 Fortinet support with a dedicated TAM for critical infrastructure
For a typical Indian IT/services office, ATP or even UTP with a FortiSandbox cloud add-on covers most requirements without the Enterprise Bundle premium.
FortiGuard Services — Individual vs Bundle
In addition to the three bundles, some FortiGuard services are available as individual purchases:
| Service | When to buy individually |
|---|---|
| FortiSandbox Cloud (only) | You have UTP and want to add zero-day sandboxing without buying ATP |
| FortiGuard AI-based Inline Malware Prevention | New AI-driven service; can be added to existing UTP deployments |
| SD-WAN Orchestration | Multi-site SD-WAN management beyond basic FortiGate SD-WAN |
| FortiConverter | Migration tool (one-time purchase for rule migration from other vendors) |
Cloudfy can advise whether a targeted add-on or a bundle upgrade makes more sense for your specific gap.
FortiGuard vs Competitor Threat Intelligence
| Vendor | Threat Intelligence Network | Update Frequency |
|---|---|---|
| Fortinet FortiGuard | 10M+ sensors, 100B+ events/day | Every 1–2 minutes |
| Sophos X-Ops | Sophos MDR + Sophos Labs research | Every 5–10 minutes |
| Palo Alto Threat Prevention | PAN-OS signatures + WildFire sandbox | Every 5 minutes |
| Check Point ThreatCloud | 150K+ connected networks | Every 30 minutes |
Fortinet's update frequency and sensor scale are among the strongest in the industry. For businesses in industries actively targeted by nation-state actors (BFSI, defence suppliers, critical infrastructure), FortiGuard's scale is a meaningful advantage.
IPS Deep Dive
IPS (Intrusion Prevention System) is often the most impactful FortiGuard service for Indian businesses. Here's what it protects against:
Known Exploits (CVE-based Signatures)
When a vulnerability (e.g., Log4Shell, ProxyLogon, PrintNightmare) is disclosed, FortiGuard typically publishes an IPS signature within hours. Your FortiGate then blocks exploitation attempts against that vulnerability — even if the vulnerable software in your network hasn't been patched yet.
This is critical because:
- Windows patching in Indian SMBs often lags: many businesses run systems that are months behind on patches
- Log4Shell and similar vulnerabilities affect dozens of applications, many of which are hard to enumerate
Protocol Anomaly Detection
IPS also detects unusual protocol behaviour — traffic that technically conforms to a protocol spec but is used in a way consistent with an attack. This catches techniques like DNS tunnelling, HTTP-based C&C communication, and SMB exploitation.
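The DNS tunnelling case above is a good illustration of what "anomaly" means in practice: every query is a valid DNS packet, but the pattern (many unique, long, high-entropy subdomains under one domain, mostly TXT records) is what gives it away. The following is an added example of such a heuristic, written for this guide; it is not FortiGuard's or Fortinet's detection logic. The key=value record format, the field names (srcip, qname, qtype), the sample records and the thresholds are all assumptions chosen for illustration.

```python
"""Heuristic DNS tunnelling detection over DNS query records (added example, not Fortinet code)."""
import math
import re
from collections import defaultdict

# Constructed sample records in a FortiOS-like key=value style; every value here is made up.
# 10.0.1.23 browses normally; 10.0.1.77 issues long, random-looking TXT queries under one domain.
SAMPLE_DNS_LOG = [
    'srcip=10.0.1.23 qname="www.example.com" qtype="A"',
    'srcip=10.0.1.23 qname="mail.example.com" qtype="A"',
    'srcip=10.0.1.23 qname="cdn.example.com" qtype="AAAA"',
    'srcip=10.0.1.77 qname="zq8v2k1m9x4c7f3b.a1b2c3d4e5f60718.exfil-example.test" qtype="TXT"',
    'srcip=10.0.1.77 qname="p0o9i8u7y6t5r4e3.9f8e7d6c5b4a3921.exfil-example.test" qtype="TXT"',
    'srcip=10.0.1.77 qname="lk3j4h5g6f7d8s9a.0a1b2c3d4e5f6a7b.exfil-example.test" qtype="TXT"',
    'srcip=10.0.1.77 qname="mn4b5v6c7x8z9q0w.c7d8e9f0a1b2c3d4.exfil-example.test" qtype="TXT"',
    'srcip=10.0.1.77 qname="www.example.com" qtype="A"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse one key=value line into a dict, stripping quotes from quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Approximate the registered domain as the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


def score_dns_queries(lines, min_queries=3, alert_score=3):
    """Group queries by (source IP, registered domain) and score each group on tunnelling traits.

    Four traits each add one point: almost every query has a distinct subdomain, the subdomains
    are long, their characters are high-entropy, and record types that carry lots of data
    (TXT/NULL/CNAME) dominate. Groups scoring alert_score or more are returned as findings.
    """
    groups = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if "qname" not in rec:
            continue
        groups[(rec.get("srcip", "?"), registered_domain(rec["qname"]))].append(rec)

    findings = []
    for (src, dom), recs in groups.items():
        if len(recs) < min_queries:  # too little data to judge
            continue
        subs = {subdomain_part(r["qname"]) for r in recs}
        unique_ratio = len(subs) / len(recs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        rare_qtype_ratio = sum(1 for r in recs if r.get("qtype") in ("TXT", "NULL", "CNAME")) / len(recs)
        score = (int(unique_ratio > 0.8) + int(avg_len > 30)
                 + int(avg_entropy > 3.5) + int(rare_qtype_ratio > 0.5))
        if score >= alert_score:
            findings.append({"srcip": src, "domain": dom, "queries": len(recs),
                             "avg_subdomain_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2),
                             "rare_qtype_ratio": rare_qtype_ratio, "score": score})
    return findings


if __name__ == "__main__":
    for f in score_dns_queries(SAMPLE_DNS_LOG):
        print(f"possible DNS tunnelling: {f['srcip']} -> {f['domain']} (score {f['score']}/4)")
```

The thresholds are deliberately simple; a production engine would use a public-suffix list for the registered domain, track volume over time, and whitelist legitimate high-entropy domains such as CDN and anti-spam lookups, which otherwise produce false positives.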
Botnet Communications
The Botnet/C&C IP Reputation service (included in UTP) maintains a list of IP addresses and domains known to be used for botnet command-and-control. When an infected device on your network tries to communicate with these IPs, FortiGate blocks the connection and generates an alert.
This is one of the most important features for ransomware defence: even if a device is infected, the ransomware's ability to receive commands or exfiltrate data requires C&C communication. Blocking that communication at the firewall limits the attacker's control.
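To make the reputation-blocking idea concrete, here is an added example (written for this guide, not Fortinet's implementation) that matches outbound flows against a small C&C reputation list and then summarises which internal hosts keep contacting known C&C infrastructure. The reputation entries, the FortiOS-like log lines and the field names are constructed for illustration and use documentation address ranges only; the "distinct indicators" rule for deciding which host to isolate first is an assumption.

```python
"""Match outbound flows against a C&C reputation list (added example, not Fortinet code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed reputation feed: exact IPs, CIDR ranges and domains (all made up, TEST-NET ranges).
CNC_REPUTATION = {
    "ips": ["203.0.113.45"],
    "cidrs": ["198.51.100.0/24"],
    "domains": ["bad-beacon.example"],
}

# Constructed FortiOS-style traffic log lines; values are made up.
# 10.0.1.77 reaches three different C&C indicators (likely infected); 10.0.1.23 hits one, which was denied.
SAMPLE_TRAFFIC_LOG = [
    'type="traffic" srcip=10.0.1.77 dstip=203.0.113.45 dstport=443 hostname="" action="accept"',
    'type="traffic" srcip=10.0.1.77 dstip=198.51.100.9 dstport=8080 hostname="" action="accept"',
    'type="traffic" srcip=10.0.1.77 dstip=192.0.2.10 dstport=443 hostname="cdn.bad-beacon.example" action="accept"',
    'type="traffic" srcip=10.0.1.23 dstip=192.0.2.50 dstport=443 hostname="www.example.com" action="accept"',
    'type="traffic" srcip=10.0.1.23 dstip=203.0.113.45 dstport=443 hostname="" action="deny"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """Parse one key=value log line into a dict, stripping quotes from quoted values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


class ReputationMatcher:
    """Compiled view of a reputation feed: exact IPs, CIDR networks and domain suffixes."""

    def __init__(self, feed):
        self.ips = {ipaddress.ip_address(i) for i in feed.get("ips", [])}
        self.nets = [ipaddress.ip_network(c) for c in feed.get("cidrs", [])]
        self.domains = {d.lower().rstrip(".") for d in feed.get("domains", [])}

    def match_ip(self, ip_str):
        """Return the matching indicator ('ip:...' or 'cidr:...') or None."""
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            return None
        if ip in self.ips:
            return f"ip:{ip}"
        for net in self.nets:
            if ip in net:
                return f"cidr:{net}"
        return None

    def match_host(self, hostname):
        """Return 'domain:...' if hostname equals or is a subdomain of a listed domain, else None."""
        host = (hostname or "").lower().rstrip(".")
        if not host:
            return None
        for d in self.domains:
            if host == d or host.endswith("." + d):
                return f"domain:{d}"
        return None


def find_cnc_contacts(lines, matcher):
    """Return one alert per flow whose destination IP or hostname is on the reputation list."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        indicator = matcher.match_ip(rec.get("dstip", "")) or matcher.match_host(rec.get("hostname"))
        if indicator:
            alerts.append({"srcip": rec.get("srcip"), "dstip": rec.get("dstip"),
                           "hostname": rec.get("hostname", ""), "action": rec.get("action"),
                           "indicator": indicator})
    return alerts


def summarise_by_host(alerts, isolate_threshold=2):
    """Per internal host: distinct indicators hit, accepted vs denied flows, and a triage verdict.

    A host touching several independent C&C indicators is treated as an active infection to
    isolate first; a single denied attempt still deserves a look but is lower priority.
    """
    per_host = defaultdict(lambda: {"indicators": set(), "accepted": 0, "denied": 0})
    for a in alerts:
        entry = per_host[a["srcip"]]
        entry["indicators"].add(a["indicator"])
        entry["denied" if a["action"] == "deny" else "accepted"] += 1
    summary = {}
    for src, entry in per_host.items():
        n = len(entry["indicators"])
        summary[src] = {"distinct_indicators": n, "accepted": entry["accepted"],
                        "denied": entry["denied"],
                        "verdict": "isolate" if n >= isolate_threshold else "investigate"}
    return summary


if __name__ == "__main__":
    matcher = ReputationMatcher(CNC_REPUTATION)
    for src, s in summarise_by_host(find_cnc_contacts(SAMPLE_TRAFFIC_LOG, matcher)).items():
        print(f"{src}: {s['distinct_indicators']} indicator(s), "
              f"{s['accepted']} accepted / {s['denied']} denied -> {s['verdict']}")
```

Note the accepted flows in the sample: a reputation block stops the connection, but the alert is what tells you a host is already compromised. Feeding these events into a SIEM or ticket queue, rather than only relying on the block, is what turns the UTP feature into a ransomware response capability.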
Application Control — Practical Use Cases
Application control is frequently underutilised by businesses that initially deploy FortiGate. Here's what it can do:
Productivity Policies
- Block social media (Facebook, Instagram, TikTok) on work devices during business hours
- Allow LinkedIn and YouTube for specific user groups (HR, marketing)
- Limit video streaming bandwidth to 20% of total WAN capacity
Security Policies
- Block all file-sharing/torrent applications (P2P)
- Block anonymisers and VPN clients (prevents policy bypass)
- Block cryptocurrency mining applications
- Allow only approved remote access tools (block TeamViewer personal, allow only TeamViewer corporate)
Compliance Policies
- Log all access to banking and payment sites (PCI-DSS audit trail)
- Block cloud storage applications (Dropbox, Google Drive) for specific user groups handling confidential data
Web Filtering — Categories and Policies
FortiGuard web filtering categorises over 250 million URLs into 90+ categories. Common policies for Indian businesses:
| Policy Goal | Categories to Block |
|---|---|
| Basic workplace filtering | Adult, Gambling, Phishing, Malicious Sites |
| Productivity focus | Social Media, Video Streaming, Games |
| Strict compliance | File Sharing, Anonymisers, Newly Registered Domains |
| BFSI/regulated | All above + Remote Access Tools, Cryptocurrency |
Web filtering rules can be applied per user group or per network zone — so executives might have fewer restrictions than frontline staff, for example.
Choosing the Right Bundle
| Business Profile | Recommended Bundle |
|---|---|
| 10–50 users, office internet access, no compliance mandate | UTP |
| 50–500 users, general business, some remote workers | UTP |
| Any business handling customer financial/personal data | ATP |
| Healthcare, BFSI, insurance, legal | ATP minimum; consider Enterprise |
| Manufacturing with OT/SCADA equipment | Enterprise Bundle |
| ISO 27001 certified or pursuing certification | Enterprise Bundle (Security Rating helps) |
| Government, defence supply chain | Enterprise Bundle |
FAQ — FortiGuard Services
What happens if my FortiGuard subscription expires? FortiGate continues to operate as a basic stateful firewall. IPS signatures freeze at the last update (no new vulnerability coverage). Web filter stops updating (new malicious domains added after expiry date are not blocked). Application signatures stop updating. Support portal access is also restricted. Cloudfy sends renewal notices 90, 60 and 30 days before expiry.
Can I change bundles mid-year? Upgrading mid-term is possible (UTP → ATP, for example) — Fortinet calculates the pro-rata cost for the remaining term. Downgrading requires waiting until the next renewal.
Is FortiSandbox cloud or on-premise? The ATP bundle includes FortiSandbox Cloud — a cloud-hosted sandbox. A physical FortiSandbox appliance is a separate, optional product for organisations that cannot send files to external cloud services for policy/compliance reasons (certain government agencies, defence contractors).
Does FortiGuard include technical support? Yes. All bundles include a FortiCare support component. UTP and ATP include FortiCare 8×5 (business hours, email/portal). Enterprise Bundle includes FortiCare 360 with 24×7 access and a dedicated Technical Account Manager.
For help choosing the right FortiGuard bundle for your business, contact Cloudfy Systems — your authorised Fortinet FortiGate partner in India.
Phone/WhatsApp: +91 97600 50555
Email: connect@cloudfysystems.com
