Technical Tip: Memory optimization techniques for FortiOS
Description
Scope
Solution
- Set the antivirus database to normal:
config antivirus settings
set default-db normal
end
- Reduce these TCP and UDP session timers:
config system global
set tcp-halfclose-timer 30
set tcp-halfopen-timer 8
set udp-idle-timer 90
end
- Change the global inspection mode from proxy to flow-based:
  - Instructions for FortiOS 5.4 can be found here: Changing between proxy and flow mode.
  - Instructions for FortiOS 5.6 can be found here: Changing between proxy and flow mode.
- Change default session TTL:
config system session-ttl
set default 300
end
- Lower the AV threshold to 1 MB for all protocols in the 'default' proxy options profile:
config firewall profile-protocol-options
edit default
config http
set oversize-limit 1
end
config ftp
set oversize-limit 1
end
config imap
set oversize-limit 1
end
config mapi
set oversize-limit 1
end
config pop3
set oversize-limit 1
end
config smtp
set oversize-limit 1
end
config nntp
set oversize-limit 1
end
next
end
- Disable logging to memory:
config log memory setting
set status disable (Default: enable)
end
- Configure DNS cache:
config system dns
set dns-cache-ttl (enter an integer value from <60> to <86400>; default is 1800)
end
Note: If VDOM is enabled, the setting above needs to be configured under a particular VDOM.
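To check which of the fixed values above a unit already has, the following added example (not Fortinet code and not part of the original tip) parses the text of a configuration backup and compares it with the values listed in this tip. The function names and the sample fragment are constructed for illustration, a VDOM-disabled backup is assumed, and dns-cache-ttl is left out because the tip gives a range rather than a value.

```python
# Target values from the tip above, keyed by (config path, setting name).
TARGETS = {
    ("antivirus settings", "default-db"): "normal",
    ("system global", "tcp-halfclose-timer"): "30",
    ("system global", "tcp-halfopen-timer"): "8",
    ("system global", "udp-idle-timer"): "90",
    ("system session-ttl", "default"): "300",
    ("log memory setting", "status"): "disable",
}
for proto in ("http", "ftp", "imap", "mapi", "pop3", "smtp", "nntp"):
    TARGETS[("firewall profile-protocol-options/default/" + proto, "oversize-limit")] = "1"

def parse_config(text):
    """Flatten nested config/edit blocks into {(path, setting): value}."""
    stack, settings = [], {}
    for line in text.splitlines():
        verb, *args = [w.strip('"') for w in line.split()] or [""]
        if verb in ("config", "edit"):
            stack.append((verb, " ".join(args)))
        elif verb == "next" and stack and stack[-1][0] == "edit":
            stack.pop()
        elif verb == "end":
            while stack and stack.pop()[0] != "config":
                pass  # also drops an edit block that was closed without "next"
        elif verb == "set" and args:
            settings[("/".join(n for _, n in stack), args[0])] = " ".join(args[1:])
    return settings

def audit(text):
    """Return {(path, setting): status} for every value named in the tip."""
    found, report = parse_config(text), {}
    for key, want in TARGETS.items():
        have = found.get(key)  # None: backups omit defaults, so the default applies
        report[key] = "not set" if have is None else "ok" if have == want else "differs: " + have
    return report

SAMPLE = """# constructed fragment for this example, not from a real device
config system global
    set tcp-halfclose-timer 120
    set udp-idle-timer 90
end
config firewall profile-protocol-options
    edit "default"
        config http
            set oversize-limit 10
        end
    next
end"""
print(*sorted(audit(SAMPLE).items()), sep="\n")
```

A "not set" result means the setting does not appear in the backup, so the device default is in effect for it.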
More info on memory optimization and how to avoid conserve mode, especially on low-end units:
Technical Tip: Free up memory to avoid conserve mode
