shlee
Staff
September 18, 2015

Technical Tip: Firewall policy sequence may cause high CPU during policy add/modify


Description

This article describes an issue where high CPU usage may occur when there are more than 2,000 firewall policies in the same VDOM and the majority of the traffic matches the policy at the bottom of the list. Any change made to a firewall policy then results in high CPU for a few seconds and may interrupt traffic, because existing traffic has to be re-checked against all of the policies after the change.

Scope

FortiGate.


Solution

To resolve this issue, move the policies with the highest traffic load to the top of the firewall policy list. In the following policy list, sequence 2384 carries the highest traffic load.

[Figure shlee_FD37210_tn_FD37210-1.jpg: policy list with sequence 2384 at the bottom]

Moving this policy to sequence 1 helps to resolve the high CPU issue during policy add/modify.

[Figure shlee_FD37210_tn_FD37210-2.jpg: policy list after the move, sequence 2384 now at position 1]
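The reordering step above, as an added example that is not part of the article: a Python script over a constructed policy list that emits FortiOS CLI move lines for the heaviest policies (the `move <id> before <id>` syntax inside `config firewall policy` is assumed), while never moving a policy above an overlapping policy that currently takes precedence, because that would change which rule matches the traffic.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    id: int
    src: str       # source CIDR
    dst: str       # destination CIDR
    service: str   # e.g. "HTTPS", or "ALL" for any service
    action: str    # "accept" or "deny"
    bytes: int     # traffic counter; constructed sample values below

def overlaps(a: Policy, b: Policy) -> bool:
    """True if some packet could match both policies, so their relative
    order decides which one wins (first match in the list)."""
    net = ipaddress.ip_network
    svc = a.service == b.service or "ALL" in (a.service, b.service)
    return svc and net(a.src).overlaps(net(b.src)) and net(a.dst).overlaps(net(b.dst))

def safe_slot(order: list[Policy], idx: int) -> int:
    """Highest position the policy at idx may take without jumping over
    an overlapping policy that currently has precedence over it."""
    slot = 0
    for j in range(idx):
        if overlaps(order[j], order[idx]):
            slot = j + 1
    return slot

def plan_moves(policies: list[Policy], top_n: int = 1) -> tuple[list[str], list[int]]:
    """Promote the top_n heaviest policies as far up as is safe; returns the
    CLI move lines (assumed FortiOS syntax) and the resulting id sequence."""
    order = list(policies)                     # current sequence, top first
    heavy = sorted(policies, key=lambda p: p.bytes, reverse=True)[:top_n]
    cmds = []
    for pol in heavy:
        idx = order.index(pol)
        slot = safe_slot(order, idx)
        if slot < idx:                         # skip moves that change nothing
            cmds.append(f"move {pol.id} before {order[slot].id}")
            order.insert(slot, order.pop(idx))
    return cmds, [p.id for p in order]

POLICIES = [  # constructed sample, top first; the article's VDOM has >2,000
    Policy(1, "192.168.0.0/16", "10.9.9.0/24", "SSH", "accept", 5_000),
    Policy(2, "10.1.1.0/24", "0.0.0.0/0", "ALL", "deny", 100),
    Policy(3, "172.16.0.0/12", "0.0.0.0/0", "DNS", "accept", 300),
    Policy(2383, "172.16.5.0/24", "0.0.0.0/0", "HTTPS", "accept", 9_000_000),
    Policy(2384, "10.0.0.0/8", "0.0.0.0/0", "HTTPS", "accept", 50_000_000),
]
```

For the sample, policy 2384 stops below the deny rule 2 that it overlaps, while 2383 can go all the way to the top; the returned lines are applied in order between `config firewall policy` and `end`.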

Alternatively, it is possible to change the default behavior of how policy changes are handled. By default, all sessions affected by a firewall policy change are flushed from the session table. When new packets are received they are re-evaluated by stateful inspection and re-added to the session table.

By changing the firewall-session-dirty setting to check-new, new sessions are evaluated according to the new firewall policy configuration and the old sessions are not flushed. Existing sessions therefore keep running under the policy they originally matched until they end, so a tightened policy takes effect for new sessions only.

config system settings
    set firewall-session-dirty check-new
end