Fortinet · Rate Limits
Fortinet Rate Limits
Fortinet device APIs (FortiOS REST, FortiManager JSON-RPC, FortiAnalyzer) execute against the customer-owned device or VM and are bound by device CPU/RAM rather than a platform-imposed RPS quota. FortiCloud SaaS APIs are subject to per-tenant throttles set per subscription tier. Numeric limits are not publicly published.
2 Limits
Throttle: 429
CybersecurityNetworkingFirewallRate Limiting
Limits
FortiOS / FortiManager / FortiAnalyzer device API device
bound by device CPU/memory; no platform-imposed quota
FortiCloud SaaS API per-tenant throttle tenant/api-key
per-tenant subscription tier; not publicly published
Policies
Backoff Strategy
Clients should implement exponential backoff with jitter on 429/5xx and honor Retry-After when present.
Session-Based Auth
Most Fortinet device APIs use session-based authentication; persist sessions across calls rather than re-authenticating per request to avoid log churn and device-CPU pressure.
Device Capacity Planning
Sustained API load against FortiGate/FortiManager directly impacts data-plane CPU; size capacity and offload heavy queries to FortiAnalyzer where possible.
HA / Cluster Routing
Direct API calls only to the active node in an HA cluster; queries to standby nodes return inconsistent state.