Fortinet · Rate Limits

Fortinet Rate Limits

Fortinet device APIs (FortiOS REST, FortiManager JSON-RPC, FortiAnalyzer) execute against the customer-owned device or VM and are bound by device CPU/RAM rather than a platform-imposed RPS quota. FortiCloud SaaS APIs are subject to per-tenant throttles set per subscription tier. Numeric limits are not publicly published.

Fortinet Rate Limits is the machine-readable rate-limit profile for Fortinet on the APIs.io network, conforming to the API Commons Rate Limits specification.

It captures 2 rate-limit definitions, measuring requests_per_second and varies.

The profile also includes 4 backoff/retry policies defined and response codes documented for throttled and serviceUnavailable.

Tagged areas include Cybersecurity, Networking, Firewall, and Rate Limiting.

2 Limits Throttle: 429
CybersecurityNetworkingFirewallRate Limiting

Limits

FortiOS / FortiManager / FortiAnalyzer device API device
requests_per_second
bound by device CPU/memory; no platform-imposed quota
FortiCloud SaaS API per-tenant throttle tenant/api-key
varies
per-tenant subscription tier; not publicly published

Policies

Backoff Strategy
Clients should implement exponential backoff with jitter on 429/5xx and honor Retry-After when present.
Session-Based Auth
Most Fortinet device APIs use session-based authentication; persist sessions across calls rather than re-authenticating per request to avoid log churn and device-CPU pressure.
Device Capacity Planning
Sustained API load against FortiGate/FortiManager directly impacts data-plane CPU; size capacity and offload heavy queries to FortiAnalyzer where possible.
HA / Cluster Routing
Direct API calls only to the active node in an HA cluster; queries to standby nodes return inconsistent state.

Sources