Technical Tip: Memory optimization techniques for FortiOS

rpmadathil_FTNT · ‎10-16-2014

Description

This article describes how to optimize the use of memory for FortiGate or FortiWiFi models running FortiOS 5.4 or 5.6.

Scope

All FortiGate and FortiWiFi units. Models 100D and lower may experience a greater benefit compared to larger models.

Solution

Set the antivirus database to normal:

config antivirus settings
set default-db normal
end
Reduce these TCP and UDP session timers:

config system global
set tcp-halfclose-timer 30
set tcp-halfopen-timer 8
set udp-idle-timer 90
end
Change the global inspection mode to flow-based from proxy:

Instructions for FortiOS 5.4 can be found here: Changing between proxy and flow mode.
Instructions for FortiOS 5.6 can be found here: Changing between proxy and flow mode.

Change default session TTL:

config system session-ttl
set default 300
end
Lower AV threshold to 1MB for all protocols in the 'default' proxy options profile:

If a custom proxy options profile has been created, then the 'edit default' line should be changed to 'edit {your profile name}'.

config firewall profile-protocol-options
    edit default
        config http
            set oversize-limit 1
        end
        config ftp
            set oversize-limit 1
        end
        config imap
            set oversize-limit 1
        end
        config mapi
            set oversize-limit 1
        end
        config pop3
            set oversize-limit 1
        end
        config smtp
            set oversize-limit 1
        end
        config nntp
            set oversize-limit 1
        end
    next
end

Disable logging to memory:

config log memory setting
set status disable
end

More info on memory optimization and how to avoid conserve mode, especially on low-end units:
Technical Tip: Free up memory to avoid conserve mode

Technical Tip: Memory optimization techniques for FortiOS

You are leaving our website