akawade
Staff
Article Id 194420

Description


This article describes how to improve FortiGate's performance.


Scope


FortiGate.

Solution


Points to follow when configuring FortiGate:

  • Disable any management features that are not necessary.
    If SSH or SNMP are not needed, disable them.
    SSH also gives a would-be attacker another way into the FortiGate.

  • Put the most-used firewall policies at the top of the policy list for their interface pair; policies are matched top-down, so a match near the top avoids needless lookups.

  • Log only necessary traffic.
    Writing logs, especially to an internal hard disk, slows down performance.

  • Enable only the required application inspections.

  • Keep alert systems to a minimum.
    If logs are sent to a syslog server, SNMP or email alerts are unnecessary and only add redundant processing.

  • Establish scheduled FortiGuard updates at a reasonable rate.
    Updates every 4-5 hours are sufficient for most situations.
    In heavier-traffic environments, schedule updates for the evening when more bandwidth is available.

  • Keep security profiles to a minimum.
    If a profile on a firewall rule is not needed, do not include it.

  • While configuring routing, always configure a default route.

  • Add blackhole routes for subnets reachable using VPN tunnels.
    This ensures that if a VPN tunnel goes down, traffic is not mistakenly routed to the Internet unencrypted.

  • For policy routing, keep the number of policy routes to a minimum; this speeds up route lookup and simplifies troubleshooting.

  • Keep VDOMs to a minimum.
    On a low-end FortiGate, avoid using them if possible.

  • Avoid traffic shaping if maximum performance is needed.
    Traffic shaping, by definition, slows down traffic.

  • The default session TTL can be changed (the value is in seconds):

    config system session-ttl
        set default 300
    end


  • Memory logging can be disabled with the following command:

    config log memory setting
        set status disable
    end


  • If the FortiGate has a hard disk, disk logging is enabled by default.
    If the FortiGate has only flash memory, disk logging is disabled by default and is not recommended: constant rewrites shorten the lifetime and reduce the efficiency of flash memory.
    If it is nonetheless required, it has to be enabled in the CLI under config log disk setting.

  • For some low-end models, disk logging is unavailable.
    Check the product's Feature Matrix for more information.
    In either case, Fortinet recommends using either a FortiAnalyzer or the FortiCloud service.

  • Regularly monitor CPU, memory, and session usage during peak traffic; if utilization is consistently high, review policy order and session limits, or consider offloading traffic through SD-WAN or hardware boosters.
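Several of the points above (exposed management services, memory logging, per-policy logging and profile count, the default route, blackhole routes for VPN subnets) can be checked mechanically from a configuration backup. The following Python script is an added example, not part of this article and not a Fortinet tool. The configuration text embedded in it is constructed for the example and uses only the flat `config`/`edit`/`set`/`next`/`end` structure (nested sub-blocks are not parsed); the limit of two security profiles per policy is an assumption chosen for illustration, not a Fortinet recommendation.

```python
"""Audit a FortiOS configuration dump against the performance checklist above.

Added example, not Fortinet code. Parses only flat config/edit/set/next/end
structure; nested sub-blocks are not handled.
"""
from typing import Dict, List

# Constructed sample config (made up for this example, not from a real device).
# Route 2 shows the blackhole-route form used for a subnet reached over a VPN tunnel.
SAMPLE_CONFIG = """
config system interface
    edit "wan1"
        set allowaccess ping https ssh snmp
    next
    edit "port1"
        set allowaccess ping https
    next
end
config router static
    edit 1
        set gateway 203.0.113.1
        set device "wan1"
    next
    edit 2
        set dst 10.10.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "wan1"
        set logtraffic all
        set av-profile "default"
        set webfilter-profile "default"
        set ips-sensor "default"
    next
    edit 2
        set srcintf "port1"
        set dstintf "wan1"
        set logtraffic utm
    next
end
config log memory setting
    set status enable
end
"""

# Assumed threshold for illustration only: more profiles than this on one policy is flagged.
MAX_PROFILES_PER_POLICY = 2
MGMT_SERVICES = {"ssh", "snmp", "telnet", "http"}

# entry name ("" holds section-level set lines) -> key -> value
Section = Dict[str, Dict[str, str]]


def parse_config(text: str) -> Dict[str, Section]:
    """Parse a flat FortiOS config dump into {section: {entry: {key: value}}}."""
    sections: Dict[str, Section] = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            section = line[len("config "):]
            entry = ""
            sections[section] = {"": {}}
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip().strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and section is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip().strip('"')
        elif line == "next":
            entry = ""
        elif line == "end":
            section = entry = None
    return sections


def audit(sections: Dict[str, Section]) -> List[str]:
    """Return findings for the checklist items that can be read from the config."""
    findings: List[str] = []

    # Management features: interfaces exposing SSH/SNMP/Telnet/HTTP.
    for name, attrs in sections.get("system interface", {}).items():
        exposed = set(attrs.get("allowaccess", "").split()) & MGMT_SERVICES
        if name and exposed:
            findings.append(f"interface {name}: {', '.join(sorted(exposed))} enabled; disable if not needed")

    # Logging: memory logging still on, policies logging all traffic, profile count per policy.
    if sections.get("log memory setting", {}).get("", {}).get("status") == "enable":
        findings.append("memory logging enabled; disable it if logs are sent elsewhere")
    for pid, attrs in sections.get("firewall policy", {}).items():
        if not pid:
            continue
        if attrs.get("logtraffic") == "all":
            findings.append(f"policy {pid}: logtraffic all; log only necessary traffic")
        profiles = [k for k in attrs if k.endswith(("-profile", "-sensor"))]
        if len(profiles) > MAX_PROFILES_PER_POLICY:
            findings.append(f"policy {pid}: {len(profiles)} security profiles ({', '.join(profiles)})")

    # Routing: a default route must exist (a static route without 'dst' means 0.0.0.0/0),
    # and VPN subnets should be backed by blackhole routes.
    routes = {rid: a for rid, a in sections.get("router static", {}).items() if rid}
    if not any(a.get("dst") in (None, "0.0.0.0 0.0.0.0") for a in routes.values()):
        findings.append("no default route configured")
    if not any(a.get("blackhole") == "enable" for a in routes.values()):
        findings.append("no blackhole routes; add them for VPN-reachable subnets")
    return findings


def run_audit(text: str = SAMPLE_CONFIG) -> List[str]:
    return audit(parse_config(text))


if __name__ == "__main__":
    for finding in run_audit():
        print("-", finding)
```

Run it against the output of `show full-configuration` saved from a device (the sample only reproduces the stanzas the checks look at); on the constructed sample it reports the SSH/SNMP exposure on wan1, memory logging, and the two findings for policy 1, while the default route and blackhole route pass.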