asostizzo_FTNT
Article Id 198110

Description

This article describes how to handle high CPU and memory usage when SSL deep inspection is enabled.
The overall performance of a FortiGate can drop when SSL Deep Inspection is enabled, because every SSL/TLS session matching the policy must be decrypted, inspected, and re-encrypted by the unit.

Depending on how much of the traffic passing through the FortiGate is encrypted, inspecting all of it can drastically change not only CPU usage but also the memory allocated to UTM inspection, according to the Security Profiles selected for that traffic. The performance impact also varies with the size of the system.

On FortiOS versions prior to 5.2.5, an increase in system resource usage by the sslworker process may be observed, in addition to (but not limited to) the ipsengine and proxyworker processes. The latter depends on which UTM features are enabled on the security policy that performs SSL Deep Inspection. On newer versions of FortiOS, SSL Inspection is no longer handled by sslworker; it is handled by the proxyworker and ipsengine processes.
Scope
FortiGate.


Solution

The following are common best practices when implementing SSL/TLS traffic inspection:

  1. Know the traffic – Know how much traffic is expected and what percentage of it is encrypted. It is also possible to limit the number of policies that allow encrypted traffic.

  2. Test real-world SSL inspection performance manually – Use the flexibility of FortiGate’s security policy to gradually deploy SSL inspection, rather than enabling it all at once.

  3. Be selective by using white lists or trimming policy to apply SSL inspection only where it is needed. For example, configure the SSL Inspection Profile to 'Exempt from SSL Inspection' for known and trusted encrypted traffic.

  4. Implement Traffic Shaping either on policies that perform SSL Deep Inspection or on other policies with less critical traffic. This will allocate more resources for SSL Inspection.

  5. Use hardware acceleration – FortiGate models with CP6 or later content processors can offload SSL/TLS processing for content scanning and SSL acceleration. For more information, see the Hardware Acceleration handbook.
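As an added example (not from the original article), the following FortiOS CLI fragment applies practices 3 and 4 together: it exempts a trusted address group from inspection inside a custom deep-inspection profile, caps the bandwidth of the policy that performs deep inspection with a traffic shaper, and finishes with a process check. The profile name, address group, shaper name, bandwidth value and policy ID are assumed placeholders; the syntax reflects FortiOS 6.x and should be checked against the CLI reference for the running version.

```fortios
# Practice 3: exempt known, trusted destinations from deep inspection.
# "trusted-saas-hosts" is an assumed address group that must already exist.
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        config ssl-exempt
            edit 1
                set type address
                set address "trusted-saas-hosts"
            next
        end
    next
end

# Practice 4: bound the bandwidth of the deep-inspected policy so the
# decrypt/inspect/re-encrypt work stays bounded and other traffic keeps
# its share of CPU and memory. 50000 kbps is an assumed value.
config firewall shaper traffic-shaper
    edit "ssl-inspect-cap"
        set maximum-bandwidth 50000
        set priority medium
    next
end

# Attach the profile and shaper to the policy that performs deep
# inspection (policy ID 10 is assumed).
config firewall policy
    edit 10
        set ssl-ssh-profile "custom-deep-inspection"
        set traffic-shaper "ssl-inspect-cap"
        set traffic-shaper-reverse "ssl-inspect-cap"
    next
end

# Check: sample the top processes (5 second interval, 10 lines) and
# confirm ipsengine / proxyworker (or sslworker before 5.2.5) drop.
diagnose sys top 5 10
```

Apply the profile to the policies that carry encrypted traffic and re-check the process list after a representative load window, not immediately after the change.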


Related document: