Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akawade
Staff
Staff

Created on ‎10-07-2020 07:45 AM

Article Id 194420

Technical Tip: Best practice for performance enhancement

Description
This article describes how to improve FortiGate's performance.

Solution
Points which need to follow while configuring FortiGate:

- Disable any management features not necessary.
If any SSH or SNMP ar needed, disable them.
SSH also provides another possibility for would-be hackers to infiltrate the FortiGate.

-Put the most used firewall rules to the top of the interface list.

-Log only necessary traffic.
The writing of logs, especially if to an internal hard disk, slows down performance.

-Enable only the required application inspections.

-Keep alert systems to a minimum.

If logs to a syslog server are sent, SNMP or email alerts are not necessary, making for redundant processing.

-Establish scheduled FortiGuard updates at a reasonable rate.
Daily updates occurring every 4-5 hours are sufficient for most situations.
In more heavy-traffic situations, schedule updates for the evening when more bandwidth can be available.

-Keep security profiles to a minimum.
If a profile on a firewall rule is not needed, do not include it.

-While configuring routing, always configure a default route.

-Add blackhole routes for subnets reachable using VPN tunnels.
This ensures that if a VPN tunnel goes down, traffic is not mistakingly routed to the Internet unencrypted.

-As per policy routing is considered keep the number of policy routes to a minimum to optimize performance in route lookup and to simplify troubleshooting.

-Keep VDOMs to a minimum.
On low-end FortiGate , avoid using them if possible.

-Avoid traffic shaping if maximum performance is needed.
Traffic shaping, by definition, slows down traffic.

-The default session TTL can be changed:
#config system session-ttl
    set default 300
end
-The logging to the memory can be disabled with below command:
# config log memory setting
    set status disable
end
-If the FortiGate has a Hard disk, it is enabled by default to store the logs.
If the FortiGate has only flash memory, disk logging is disabled by default, as it is not recommended.
Constant rewrites to flash drives can reduce the lifetime and efficiency of the memory.

-It has to be enabled in the CLI under config log disk setting.

-For some low-end models, disk logging is unavailable.
Check a product’s Feature Matrix for more information.
In either case, Fortinet recommends using either a FortiAnalyzer or the FortiCloud service.

Labels:
5608
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.