IDS/IPS effect for performance

Forum|Forum|20 years ago
December 14, 2005
3 replies
7032 views

Hi , Engineers , I am facing a big trouble and suffering attack from boss. Can someone help to explain it ? High preciate for explanation . 1, I need to understand the effect to performance when I enable the IDS/IPS on the FortiGate60 . Had better to get an exact number . 2, On this FortiGate 60 , there are 20 direct VPN channels , and in this LAN , there are about 60 PCs and 10 servers. Enabled Anti-Spam,IDS,Anti-Virus,Web blocking . The external broadband bandwidth is 2Mbps . In working time , the memory utilization always more than 70% , even arrive at 85% . Sometimes , the CPU utilization may more than 90% . Pls refer to figures . 3, At this time , (CPU 99%,Memory 85%) , then the trouble come , I can' t access external network in this LAN , I can' t access the LAN from other offices through VPN channels , even ping any machines behind this FortiGate . just can https this FortiGate , I have to restart this FortiGate , then the utilization reduce , then I can access those equipments behind this FortiGate from other offices through VPN channels. 4, I urgently want to know the reason and solution . Why the memory and CPU is so highly , although my total bandwidth is just 2M , and FortiGate can support 70Mbps on firewall performance, 20M 3DES VPN performance , session 50,000 , VPN channel number 40 . From my implementation , every items is less than the maxim value , why my FortiGate encounter hanging up . My FortiGate , total outgoing bandwidth 2 Mbps , 20 VPN channels , maxim session 3000, why it cause so highly utilization , CPU 99%, Memory 85% . 5, How to estimate each features effect for permance and throughput , e.g. Anti-Spam , Anti-Virus etc.

Vt57797.jpg

A

Anonymous_UserAuthor

Contributor

Attach figure to there , Come from MRTG server .

Ki18558.jpg

A

Anonymous_UserAuthor

Contributor

As Fortinet says: " the firewalls offer varying levels of performance depending on what model are being used" and " it may be tempting to get this " all-in-one" appliance and turn on all the bell and whistles, you should first consider the impact on your own network performance" This means that perhaps you have enabled too much functions without consider the really need of your enviroment. Avir, Webfilter, Antispam use MEMORY resource Vpn, Management, Update, Fw, IDS/IPS use CPU resource 70mbps troughput is an ipotetic value. Consider to divide it in 4 parts and you will have a 18Mbps real troughput. This is the same for the Vpn. 60 user behind this firewall are too much, if all are surfing. And you must consider the servers. They are always communicating with the internet (updates, mail traffic, dns etc..) Have the branch offices they own internet connection for surfing? I hope yes. What do you do with the tunnels (work with accounting programs like as400 or something else) The first thing you can do is: -enable Avir only for protocols you need -disable heuristic feature on the fw for memory performance -disable ids/ips for unimportant communications (like lan to wan etc...) -reduce the number of protocols and services scanned from ids/ips (disable imap, pop3,sql etc.. if you dont use them) -disable ntp, snmp, telnet, ssh, dhcp to reduce cpu utilization -disable unuseful logging on memory if you can -try to update your box on the latest firmware version I hope you will experience little better performances, but at the end consider to buy a right Fortigate Model ( like 200A/300A ) bye pman

A

Anonymous_UserAuthor

Contributor

Hello , Pman . Much thanks for your reply .

Have the branch offices they own internet connection for surfing?

Yes . In each branch offices , there is an internet export . In VPN channels , main traffic are EMail and database data transfer.

What do you do with the tunnels (work with accounting programs like as400 or something else)

I don' t understand as400 exactly , IBM AS400 system ? I just enable MRTG mornitoring .

-disable heuristic feature on the fw for memory performance

Where I can find this heuristic feature ? For AntiVrs or IPS ? Others , you said Firewall impact CPU utilization . Not Memory performance , right ?

-reduce the number of protocols and services scanned from ids/ips (disable imap, pop3,sql etc.. if you dont use them)

IDS/IPS doesn' t differentiate protocols seems . Just can choose " enable or disable " ,right ? IPS IPS Signature Enable (All services) IPS Anomaly Enable (All services

-disable ntp, snmp, telnet, ssh, dhcp to reduce cpu utilization

You mean I disable its in interface setting ? Or firewall services? In dead , I really want to update the FortiGate model , but I am facing another problem , due to I don' t know each features impact for performance , and each VPN channel will use how many utilization , and how many users A FortiGate can support ? For 60 clients , FortiGate 60 is not enough , then 100A or 200A can support it ? so I do on earth not know to choose FG200A/300A or 3000/4000. All in a word , how can I get an exact value and impact about performance ? so that I can estimate the most adapted model. Are there any documents to instruct the performance issue in FortiNet ? e.g. How much utilization will be used when I enable default IPS/IDS , AntiVrs , AntiSpam and Webfilter .

Avir, Webfilter, Antispam use MEMORY resource Vpn, Management, Update, Fw, IDS/IPS use CPU resource

How much Memory resource Avir will use , How much CPU A VPN channels will use ? Do we have a number or value to instruct it ? And so on.

A

Anonymous_UserAuthor

Contributor

There is a document that can explain you how to obtain the best performance from a Fortigate and this is the same document I use when I consider to put a right Fgt model into a network. the document does not explain which command you can use to better configure your box. http://kc.forticare.com/default.asp?SID=&Lang=1&id=237 For your answers: -HEURISTIC on the CLI configure antivirus heuristic ---> set mode " pass" or " block" or " disable" -Firewall process impacts the cpu. Traffic passes trough the hardware engine. -On the protection profile you must enable all signature/anomaly for scanning. In the 3.0 os version you can make some changes but is not still available

Remember you can disable/enable protocols on the IDS/IPS configuration tabs. -NTP, telnet etc... on both interfaces and firewall services if you dont really need them. -exact values arent available. Antivirus works on memory and use much resources .The 60 model is affected of this memory leak problems. (128Mb only) Reduce the threshold value or disable it for protocols you dont use. I have no more of 10 pc' s behind my fgt60 (test lab) and the memory usage is always more than 60%. No fear this is a normal behaviour for a 60 model.

-the encrypt engine use cpu resource for the encryption and decryption features on the vpn. You can monitor the usage of the resources by typing this command on the CLI: diagnose sys top and kill processes if you need. diag sys kill bye pman

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded