FortiGate
dalten
Staff
Article Id 192176
Purpose

This article explains how to disable non-essential features on a FortiGate that is used only as a stateful firewall (no UTM, wireless, logging or central-management features), in order to free memory and reduce the number of running processes.


Scope

Expectations, Requirements:
Reduced memory usage.
Reduced number of processes running.

Configuration
In the global VDOM, disable the wireless controller:
config system global
   set wireless-controller disable
end
Disable the FortiGuard antispam, antivirus query and web filter services together with their local caches:
config system fortiguard
    set antispam-force-off enable
    set antispam-cache disable
    set avquery-force-off enable
    set avquery-cache disable
    set webfilter-force-off enable
    set webfilter-cache disable
end
Shrink the web filter rating cache to the minimum share of memory:
config webfilter fortiguard
    set cache-mem-percent 1
end
Disable scheduled FortiGuard updates (no signatures are needed when the security services are off):
config system autoupdate schedule
    set status disable
end
Reduce IPS memory usage by running a single IPS engine process with the smallest socket buffer:
config ips global
    set socket-size 1
    set engine-count 1
end
Disable the IPS engine entirely. This diagnose command toggles the engine, so running it a second time re-enables it, and the change does not survive a reboot:
diagnose test application ipsmonitor 2
Disable central management, which stops the FortiManager client process:
config system central-management
    set status disable
end
Reduce the memory log buffer (max-size is in bytes; the allowed minimum depends on the model, and a reboot is required for the change to take effect):
config log memory global-setting
    set max-size 65536
end
Per VDOM:

Delete session helpers that are not needed. The DNS helper is a good candidate if no DNS server and no DNS addresses are used in the configuration. Run show system session-helper to list the helpers and find the id to remove:
config system session-helper
    delete <id>
end
Lower the default session TTL to 600 seconds and the TTL for DNS sessions (UDP, port 53) to 10 seconds, so idle entries leave the session table sooner (edit 0 creates a new port entry with an auto-assigned id):
config system session-ttl
    set default 600
        config port
            edit 0
                set protocol 17
                set timeout 10
                set end-port 53
                set start-port 53
            next
        end
end
Disable memory logging:
config log memory setting
    set status disable
end
Disable disk logging:
config log disk setting
    set status disable
end
With both disabled the FortiGate keeps no local logs, so apply these two settings only if logs are not required or are already sent to an external log server.
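The settings above are spread over several CLI scopes and are easy to miss when a unit has been in service for a while. The following script is an added example, not part of the original article or any Fortinet tool: it parses the text of a FortiOS configuration dump into its config/edit scopes and reports every recommended setting that is absent or has a different value. SAMPLE_CONFIG is a constructed dump (not from a real device) with a few settings deliberately wrong or missing; EXPECTED is built from the article's values; the function names parse_fortios_config and audit_config are this example's own. Use the output of show full-configuration as input: plain show omits attributes at their default value, so a MISSING result from that output may only mean "still at the default".

```python
"""Audit a FortiOS config dump against the firewall-only settings in this article.

Added example (not from the article or Fortinet). Feed it the text of
'show full-configuration'; it reports recommended settings that are absent
or hold a different value.
"""
from typing import Dict, List, Tuple

# Constructed sample in the shape of a FortiOS config dump (not a real device).
# The session-ttl block exercises nested config/edit parsing. avquery-cache,
# webfilter-force-off and memory logging are deliberately wrong and the
# memory log size is deliberately missing so the audit has something to report.
SAMPLE_CONFIG = """\
config system global
    set wireless-controller disable
    set hostname "fw-edge"
end
config system fortiguard
    set antispam-force-off enable
    set antispam-cache disable
    set avquery-force-off enable
    set avquery-cache enable
    set webfilter-force-off disable
    set webfilter-cache disable
end
config webfilter fortiguard
    set cache-mem-percent 1
end
config system autoupdate schedule
    set status disable
end
config ips global
    set socket-size 1
    set engine-count 1
end
config system central-management
    set status disable
end
config system session-ttl
    set default 600
    config port
        edit 1
            set protocol 17
            set timeout 10
            set start-port 53
            set end-port 53
        next
    end
end
config log memory setting
    set status enable
end
config log disk setting
    set status disable
end
"""

# (config path, attribute) -> value recommended in the article above.
EXPECTED: Dict[Tuple[str, str], str] = {
    ("system global", "wireless-controller"): "disable",
    ("system fortiguard", "antispam-force-off"): "enable",
    ("system fortiguard", "antispam-cache"): "disable",
    ("system fortiguard", "avquery-force-off"): "enable",
    ("system fortiguard", "avquery-cache"): "disable",
    ("system fortiguard", "webfilter-force-off"): "enable",
    ("system fortiguard", "webfilter-cache"): "disable",
    ("webfilter fortiguard", "cache-mem-percent"): "1",
    ("system autoupdate schedule", "status"): "disable",
    ("ips global", "socket-size"): "1",
    ("ips global", "engine-count"): "1",
    ("system central-management", "status"): "disable",
    ("log memory global-setting", "max-size"): "65536",
    ("log memory setting", "status"): "disable",
    ("log disk setting", "status"): "disable",
}


def parse_fortios_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {scope path: {attribute: value}} for every config/edit scope.

    'config a b' pushes 'a b' onto the scope stack, 'edit x' pushes 'x',
    'next' and 'end' pop one level, and 'set k v' stores v under the joined
    path, e.g. 'system session-ttl / port / 1'. Multi-token values are kept
    as one string; surrounding double quotes are stripped.
    """
    scopes: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip().strip('"'))
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set ") or line.startswith("unset "):
            parts = line.split(None, 2)          # keyword, attribute, value...
            key = parts[1]
            value = parts[2].strip().strip('"') if len(parts) > 2 else ""
            scopes.setdefault(" / ".join(stack), {})[key] = value
    return scopes


def audit_config(text: str, expected: Dict[Tuple[str, str], str] = EXPECTED
                 ) -> List[Tuple[str, str, str, str]]:
    """Return (path, attribute, expected, actual) for each deviation.

    actual is 'MISSING' when the attribute is not present in the dump.
    """
    cfg = parse_fortios_config(text)
    findings = []
    for (path, key), want in expected.items():
        actual = cfg.get(path, {}).get(key)
        if actual is None:
            findings.append((path, key, want, "MISSING"))
        elif actual != want:
            findings.append((path, key, want, actual))
    return findings


if __name__ == "__main__":
    for path, key, want, actual in audit_config(SAMPLE_CONFIG):
        print(f"{path}: {key} expected {want}, found {actual}")
```

The parser deliberately keys nested entries by their full path rather than flattening them, so a later check can target a specific session-ttl port entry or a per-VDOM log setting without ambiguity.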