This article explains how to disable non-essential features on a FortiGate that is used purely as a firewall (no UTM inspection, wireless controller, or central management). The result is reduced memory usage and fewer running processes.
In the global VDOM, disable the wireless controller:
    config system global
        set wireless-controller disable
    end
Disable the FortiGuard services and their caches, shrink the web filter cache, and stop the scheduled update check. The exact option names vary between FortiOS releases (for example, the avquery options are not present on every version), so use "?" inside "config system fortiguard" to confirm which ones exist on the unit:
    config system fortiguard
        set antispam-force-off enable
        set antispam-cache disable
        set avquery-force-off enable
        set avquery-cache disable
        set webfilter-force-off enable
        set webfilter-cache disable
    end
    config webfilter fortiguard
        set cache-mem-percent 1
    end
    config system autoupdate schedule
        set status disable
    end
Reduce IPS memory usage by running a single IPS engine with the smallest socket buffer:
    config ips global
        set socket-size 1
        set engine-count 1
    end
Disable the IPS engine. This is a runtime toggle, not a configuration change: it is lost at reboot, and running the same command a second time re-enables the engine.
    diagnose test application ipsmonitor 2
Disable central management, which stops the FortiManager-related process:
    config system central-management
        set status disable
    end
Reduce the memory log buffer (a reboot is required for the new size to take effect):
    config log memory global-setting
        set max-size 65536
    end
Delete session helpers that are not needed. The DNS helper (dns-udp) is a good candidate if no DNS server or DNS-based addresses are used in the configuration. Run "show" inside the table first to find the id of the helper to remove:
    config system session-helper
        show
        delete <id>
    end
Reduce the TTL for DNS sessions. The block below also lowers the global default session TTL from 3600 to 600 seconds, which affects every session, not just DNS; keep the default unchanged if other long-lived sessions must survive idle periods. "edit 0" lets FortiOS assign the next free entry id:
    config system session-ttl
        set default 600
        config port
            edit 0
                set protocol 17
                set start-port 53
                set end-port 53
                set timeout 10
            next
        end
    end
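To verify that all of the settings above survived a reboot or a configuration restore, the following Python script (example code added to this article, not a Fortinet tool) parses the config/edit/set/next/end syntax of a FortiOS configuration backup and reports every setting that is not in its firewall-only state. The sample configuration embedded in it is constructed, the CHECKS table and the 10-second DNS threshold are assumptions taken from the steps above, and the backup is assumed to be the plain-text form produced by "show full-configuration" or a configuration export.

```python
"""Audit a FortiOS config backup for the firewall-only settings above.
Example code written for this article; the sample config is constructed."""
import shlex


def parse_fortios(text):
    """Parse FortiOS block syntax into nested dicts.

    Sections are keyed by their full 'config ...' line, table entries by
    their 'edit ...' line, and each 'set' line by key -> list of values.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)      # handles quoted values
        kw, args = parts[0], parts[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(kw + " " + " ".join(args), {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw == "unset":
            stack[-1].pop(args[0], None)
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return root


def get(cfg, *path):
    """Walk the nested dict; return None if any key on the path is absent."""
    node = cfg
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


# (description, path to the setting, expected value) - assumed from this article
CHECKS = [
    ("wireless controller disabled", ("config system global", "wireless-controller"), "disable"),
    ("FortiGuard antispam forced off", ("config system fortiguard", "antispam-force-off"), "enable"),
    ("FortiGuard webfilter forced off", ("config system fortiguard", "webfilter-force-off"), "enable"),
    ("scheduled FortiGuard updates disabled", ("config system autoupdate schedule", "status"), "disable"),
    ("single IPS engine", ("config ips global", "engine-count"), "1"),
    ("IPS socket size minimised", ("config ips global", "socket-size"), "1"),
    ("central management disabled", ("config system central-management", "status"), "disable"),
    ("memory log buffer max-size 65536", ("config log memory global-setting", "max-size"), "65536"),
]


def audit(cfg, dns_ttl_limit=10):
    """Return a list of human-readable findings; empty means fully compliant."""
    findings = []
    for desc, path, expected in CHECKS:
        value = get(cfg, *path)
        actual = value[0] if value else None
        if actual != expected:
            findings.append(f"{desc}: expected {expected!r}, found {actual!r}")
    # A DNS session helper still present is a candidate for deletion.
    for entry, body in (get(cfg, "config system session-helper") or {}).items():
        name = body.get("name", [""])[0]
        if name.startswith("dns"):
            findings.append(f"session helper {name} still present ({entry})")
    # Look for a UDP/53 entry in the session-ttl port table with a short timeout.
    dns_ttl = None
    for body in (get(cfg, "config system session-ttl", "config port") or {}).values():
        if body.get("protocol") == ["17"] and body.get("start-port") == ["53"]:
            dns_ttl = int(body.get("timeout", ["3600"])[0])
    if dns_ttl is None or dns_ttl > dns_ttl_limit:
        findings.append(f"DNS session TTL not reduced (found {dns_ttl})")
    return findings


# Constructed sample: partially hardened, so the audit has something to report.
SAMPLE_CONFIG = """\
config system global
    set hostname "FW-EDGE-01"
    set wireless-controller disable
end
config system fortiguard
    set antispam-force-off enable
    set webfilter-force-off disable
end
config system autoupdate schedule
    set status enable
end
config ips global
    set engine-count 1
    set socket-size 1
end
config system central-management
    set status disable
end
config log memory global-setting
    set max-size 65536
end
config system session-helper
    edit 2
        set name dns-udp
        set protocol 17
        set port 53
    next
end
config system session-ttl
    set default 600
    config port
        edit 1
            set protocol 17
            set timeout 10
            set start-port 53
            set end-port 53
        next
    end
end
"""

if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; on the constructed sample it reports the web filter still active, scheduled updates still enabled, and the dns-udp helper still present, while the IPS, central-management, log buffer and DNS TTL checks pass.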