Hey Patrik -
From what I recall zScaler works over GRE and you’ll have to setup a tunnel to them for that. Since you are using zScaler, are you not using the local FortiGate for web filtering? The NGFW features are really what impact the sizing because all features turned on = much bigger FortiGate. a 60E should do ~100 mbps with full services, 280 mbps with partial services. However, given the quantity of users (which means more sessions), you may consider an 80E instead which would do a little higher throughput. Note, those models are not rack-mountable without an add-on rackmount kit, the 100E is the smallest rackable unit. A 100E would produce ~110 mbps with full security services. Generally, my recommendation would be a 100E for rackmount and scale given your user count, however you can probably get away with anything between 60E, 80E, 100E. I would not go with a 90E as it doesn’t have a SoC3 processor can’t do ASIC offload of VPN tunnels, but the other 3 can.
Also, the X1E version (61E, 81E, 101E) has a logging disk if you need local logging and don’t have a platform like FortiAnalyzer.
Curious to see where other people land with what I put forth.