FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
dalten
Staff
Staff
Purpose

This article explains how to disable any non-essential features for a firewall-only FortiGate configuration.


Scope


Expectations, Requirements
Reduced memory usage.
Reduced number of processes running.

Configuration
In global VDOM:
config system global
   set wireless-controller disable
end
Disable FortiGuard services and updates:
config system fortiguard
    set antispam-force-off enable
    set antispam-cache disable
    set avquery-force-off enable
    set avquery-cache disable
    set webfilter-force-off enable
    set webfilter-cache disable
end
config webfilter fortiguard
    set cache-mem-percent 1
end
config system autoupdate schedule
    set status disable
end
Reduce IPS memory usage:
config ips global
    set socket-size 1
    set engine-count 1
end
Disable IPS engine (temporary until reboot):
diagnose test application ipsmonitor 2
Disable the FortiManager process:
config system central-management
    set status disable
end
Reduce log memory buffer (reboot required):
config log memory global-setting
    set max-size 65536
end
Per VDOM:

Delete session helpers that are not needed. DNS is a good candidate if the DNS server and DNS addresses are not used in the configuration.
config system session-helper
    delete <id>
end
Reduce the TTL for DNS sessions:
config system session-ttl
    set default 600
        config port
            edit 0
                set protocol 17
                set timeout 10
                set end-port 53
                set start-port 53
            next
        end
end
Disable memory logging:
config log memory setting
    set status disable
end
Disable disk logging:
config log disk setting
    set status disable
end


Troubleshooting


Contributors