Contributor
June 11, 2004
Question

Dimensioning Fortigates

  • June 11, 2004
  • 11 replies
  • 7706 views
Does someone have any documentation about the dimensions (number of users, servers, etc.) that are supported by each type of Fortigate (especially concerning the models Fortigate 60 / 100 / 200 / 300 / 400 / 800)?

I would like to have the dimensions in an (almost) worst case scenario, so AV, IDS (may decrease highly the performances) and other possibilities activated.

After calculation, stress and load tests and ponderation I have found next scales:

FG 60 : <15 machines (machines = PCs, workstations and servers)
FG 100 : 50 machines
FG 200 : 60 machines
FG 300 : 135 machines
FG 400 : 150 machines
FG 500 : 130 machines
FG 800 : <1000 machines

Does anyone have more experience with this kind of calculations or in practice?

Thanks in advance,
Bart - Ipelium


    Contributor
    June 11, 2004
    From what I gather, FG60's should be used in sites under 10 hosts and FG100's in sites under 20. Although the hardware is there to handle more, more significant loads seem to cause frequent problems as the firmware code is still maturing.
    Contributor
    June 11, 2004
    After calculation, stress and load tests and ponderation I have found next scales:
    FG 60 : <15 machines (machines = PCs, workstations and servers)
    FG 100 : 50 machines
    FG 200 : 60 machines
    FG 300 : 135 machines
    FG 400 : 150 machines
    FG 500 : 130 machines
    FG 800 : <1000 machines

    Wooohooo... My FG-300 outperforms an FG-500.
    Contributor
    June 11, 2004
    We have 60 nodes behind a Fortigate 60, no prob.
    Contributor
    June 22, 2004
    This is all very subjective. I can have one machine generate traffic of 100 machines, yet I can have 100 machines idling 99% of the time, thus generating a load of 1 machine. For example, my very popular UT server generates 700Gbytes/month. Just one machine.
    Contributor
    June 23, 2004
    [Deleted by Admins]
    UkWizard
    New Member
    June 23, 2004
    Christian, you are absolutely right, the smaller boxes have too little memory, especially as they also suffer from memory leaks. That's exactly why the FGT50A was released, it's the same as the FGT50 except for the memory expansion. Memory is cheap nowadays anyway, so don't know why they do that.
    Contributor
    June 23, 2004
    It is not an issue of machines rather than bandwidth and concurrent connections. I have a case of a 512kb line and a FGT-50 2.36 (not 50A) protecting 30 users, a proxy and a mail-server. It works fine (full AV, URL block of 40.000 urls and so). Memory is an issue when you have for example 50 users downloading files from the web and also have a 10mb (buffer size) for WEB antivirus. If these users start to download a 20mb file each one you would need 50x10=500 RAM free for antivirus checking only. If you reduce the web antivirus to 1mb (that is what I do) you need only 1mb for each user thus 50mb total. It is true that lines up to 1mb (internet connections) can be handled easily from any FGT (even 50A) with no problem (for up to 50 users or even more). You buy bigger machines only for LAN to LAN connections (which use 100mb networks or so). Bigger Fortigates are good for endurance (they will have more chances working with newer firmwares).
    UkWizard
    New Member
    June 23, 2004
    tmavr, Think it works for you because you are on the old firmware revision. Version 2.5 uses more memory, hence the FGT50 problems. That's why support recommended my customers to drop to 2.36. But the problem is, there are bugs in the VPN on 2.36, so if you want that functionality, you have to go to 2.5. I can pretty much guarantee you will start seeing problems if you up the firmware.
    Contributor
    June 24, 2004
    [Deleted by Admins]
    Contributor
    June 24, 2004
    Has anyone ever tried opening their Fortigate to see if you could simply add a larger memory module? I have seen inside an FG-300. It has a DIMM that looks very replaceable. Of course, it may void any warranty that's on the box. I wonder if the FortiOS for each model would address more memory or whether the memory amount is hardcoded into it.
    Contributor
    June 28, 2004
    Jbult, good to hear that someone actually has opened this black box. Come on, try a bigger DIMM and tell us if it worked. By the way... are there any shields (marked tape or something) that can break if you try to open the box? If not what is the risk to try it… And something more. We have installed FGT50A and 60 on some companies and they do well for quite many users (more than 50). For web use and a couple of servers (mail, web) FGT 50A is OK.
    willem
    New Member
    November 20, 2010
    Until FortiOS 4 came out I had a FGT-60 running with 1 GB RAM and a log disk :-) These old devices had indeed replaceable RAM and even the connectors (P-ATA) for a disk. Of course there was no room for a disk in the device, but I drilled a small hole in the housing to get the cables in. It recognized the disk without any issue. Too bad OS 4 is not supported on the old stuff anymore, because with the new devices this "tuning" became impossible :(
    Contributor
    June 28, 2004
    There were no shields or stickers that will break when opening the box. However, there was a sticker placed across the DIMM and slot so that if you tried to remove the DIMM from the slot, the sticker would break. Otherwise, the DIMM was just a regular Kingston brand DIMM, if I remember correctly.
    noiz
    New Member
    November 20, 2010
    My Fortigate 100A is running with 250 nodes behind it. No issue so far, as the policy was set up accordingly...
    emnoc
    New Member
    November 20, 2010
    Numbers and size of FGT is not something that you can place on a scale. You have to factor in what you're doing: any dynamic routing involved, any advanced security profiles in use, IPsec traffic considerations, SSL VPN access, number of interfaces in use, etc. To say a FGT60 can only support 15 or less machines would not be correct in all cases.