Fortinet FortiGate is a leading enterprise next-generation firewall and SD-WAN platform combining stateful inspection, intrusion prevention, SSL inspection, web filtering, anti-bot and VPN. When deployed in front of websites via the FortiWeb WAF, it may set strictly necessary security challenge cookies. FortiGate appliances run on customer infrastructure, with FortiGuard cloud services hosted by Fortinet in the US, Canada and EU regions.
Fortinet FortiGate is the flagship next-generation firewall and SD-WAN platform from Fortinet, Inc., headquartered in Sunnyvale, California. It combines stateful firewall, intrusion prevention, SSL inspection, web filtering, application control, VPN, anti-malware and SD-WAN in a single appliance or virtual machine. The product line includes FortiWeb (WAF), FortiAnalyzer (logging), FortiManager and FortiGuard cloud threat intelligence.
FortiGate processes packet headers, IP addresses, ports, URLs, user agents, file hashes and, when SSL inspection is enabled, the decrypted content of TLS sessions. FortiWeb WAF can set strictly necessary security challenge cookies (cookiesession1, FortiGate session cookies) when a visitor passes through a security check. FortiGuard receives metadata queries (URL hash, IP, file hash) to look up reputation in real time.
FortiGate processes personal data (IPs, traffic metadata) as part of security operations. The customer is the data controller; Fortinet acts as a processor for cloud services. Security challenge cookies set by FortiWeb fall under the strictly necessary exemption of Art. 5(3) ePrivacy and do not require consent. SSL inspection raises significant proportionality issues: it should be limited to what is needed, exclude sensitive categories (banking, health portals) and be disclosed to staff and visitors.
No visitor consent is required for the firewall function itself or for the strictly necessary security cookies. Consent is also not required for FortiGuard cloud reputation queries because they are essential to the security service. Internal users whose traffic is SSL-inspected should be informed and ideally have a clear acceptable use policy in place.
The FortiGate appliance itself runs on customer infrastructure, so the firewall does not by itself transfer data outside the EEA. FortiGuard cloud services and FortiCloud management add transfers to Fortinet US data centres, governed by SCCs and the EU-US Data Privacy Framework. Customers can select EU FortiGuard endpoints in some configurations to minimise transfers.
Sign Fortinet's Data Processing Agreement for cloud services, configure FortiGuard to use EU endpoints where available, restrict SSL inspection by URL category to avoid sensitive sites, define retention rules in FortiAnalyzer for traffic logs, document FortiGate as part of your security processing in the Record of Processing Activities, run a Legitimate Interest Assessment and align with NIS2 obligations if you are an essential or important entity.
Websites using Fortinet FortiGate must obtain user consent under GDPR regulations.
DPIA considerations
FortiGate processes network traffic, IP addresses, URLs and user agents for security purposes. Key DPIA considerations: (1) the appliance itself runs on customer infrastructure, so visitor data does not leave the customer environment until FortiGuard cloud is queried; (2) FortiWeb security challenge cookies are strictly necessary under Art. 5(3) ePrivacy and do not require consent; (3) SSL inspection decrypts TLS traffic to inspect content, which raises significant data minimisation and policy concerns; (4) FortiGuard threat intelligence sends URL, IP and file hash queries to Fortinet cloud, including in the US; (5) FortiAnalyzer logs IP addresses and traffic metadata that may qualify as personal data; (6) NIS2 imposes specific obligations on essential and important entities that operate FortiGate appliances.
Sample consent text
Our website is protected by Fortinet FortiGate and FortiWeb security appliances. These tools inspect incoming traffic, may set strictly necessary security cookies (cookiesession1) and query Fortinet's FortiGuard threat intelligence to block malicious traffic. The processing is based on our legitimate interest in security under Art. 6(1)(f) GDPR.
Third-party domains contacted
fortinet.com
fortiguard.com
forticloud.com
support.fortinet.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| cookiesession1 | Functional | Session | Strictly necessary security cookie set by FortiWeb WAF in front of a protected website. Used to maintain the security session and validate that the visitor has passed an anti-bot or rate-limiting check. |
| FGT_PERSISTENT_SESSION | Functional | Session | Set by FortiGate when the appliance acts as a captive portal or load balancer to keep the visitor anchored to a specific backend server. |
When FortiWeb WAF is in front of a website, it may set strictly necessary security cookies such as cookiesession1 to maintain a security session across requests and validate that a visitor has passed an anti-bot check. These cookies do not store browsing behaviour and qualify as strictly necessary.
No. The cookies set for security challenges and session validation fall under the strictly necessary exemption of Art. 5(3) ePrivacy and Recital 66, because they are essential to the security service requested by the operator. Disclose them in the privacy notice without a consent banner.
Legitimate interest (Art. 6(1)(f) GDPR) for security, anti-bot and abuse prevention. Legal obligation (Art. 6(1)(c) GDPR) for security incident logging under NIS2 or sector-specific rules. SSL inspection of staff traffic should be balanced and disclosed; consider Art. 88 GDPR for employee monitoring rules.
The FortiGate appliance processes traffic on the customer's own infrastructure, so the firewall itself does not transfer data outside the EEA. FortiGuard threat intelligence and FortiCloud management run on Fortinet infrastructure in the United States, Canada and EU regions, with SCCs and the EU-US Data Privacy Framework for US transfers.
A DPIA is recommended when SSL inspection is enabled, when logs are retained at scale or when FortiGate is deployed by an essential or important entity under NIS2. The DPIA should cover SSL inspection scope, log retention in FortiAnalyzer, FortiGuard transfers and the risks to individual visitors and employees.
Sign Fortinet's DPA for cloud services, restrict SSL inspection by URL category, exclude sensitive sites (banking, health, union or political), select EU FortiGuard endpoints where available, configure FortiAnalyzer retention, run a Legitimate Interest Assessment and align with NIS2 incident reporting obligations.
EU-based firewall and security alternatives include Stormshield (France), genua (Germany), Rohde & Schwarz Cybersecurity (Germany), WatchGuard (US, with EU options) and open-source options such as pfSense and OPNsense. For WAF specifically, consider Imperva, Cloudflare WAF or open-source ModSecurity.
Disclose that you protect your site with FortiGate and FortiWeb, name the strictly necessary security cookie (cookiesession1) and its purpose, explain that traffic metadata is processed under legitimate interest for security, mention FortiGuard cloud queries and the SCCs and EU-US Data Privacy Framework that cover US transfers, and link Fortinet's privacy notice and DPA.