|Disable IPS engines
||Stops several kinds of UTM scanning, including application control, IPS and any flow-based UTM features (the default for all is proxy-based). This will free up CPU cycles. Significant benefit.
||To stop the IPS engines:|
diag test app ipsmonitor 98
diag test app ipsmonitor 99
Should be performed during a maintenance window, ideally under the supervision of Fortinet Tech Support.
Note that this setting is not retained after a reboot. Also, if using an HA cluster, it should be run on both units to ensure it is disabled on both.
|Reduce or remove UTM scanning
||Will free up more CPU cycles for core packet processing. Significant benefit, depending on how much UTM was in place before, and how much has been removed or tuned back.
||Performed manually by adjusting or removing UTM from policies.|
|Check and increase proxyworker count
||Minimal benefit. Should balance UTM demand across cores. Increase value to match the number of CPU cores.
||conf sys global|
set proxy-worker-count <value> - should be the number of CPU cores.
||Minimal to significant benefit.
|Configure high availability with active-active
||Minimal to significant benefit, depending on how much UTM is configured. The more UTM, the larger a positive impact this will make. If traffic can be segmented, it is more efficient to segment the traffic to separate units.
||Significant benefit; will resolve the issue if the unit is sized appropriately for current and future traffic.
# diag hard sysinfo interrupts