Description
This article gives general advice and configuration steps to reduce CPU and memory consumption on a FortiGate unit.
Scope
Use the latest patch release available for the firmware version in use.
Solution
config global <- If VDOMs are used.
config system global
set tcp-halfclose-timer 30 <- Default 120 s.
set tcp-halfopen-timer 30 <- Default 60 s.
set tcp-timewait-timer 0 <- Default 120 s (*1).
set udp-idle-timer 60 <- Default 120 s.
end
end <- If VDOMs are used.
(*1): A fixed 10 seconds is added on top of the value configured in 'tcp-timewait-timer', so a setting of 0 still keeps a session for 10 seconds after it is fully closed. This is sufficient.
The following timers are per VDOM, so this configuration must be repeated in each VDOM.
config vdom <- If VDOMs are used.
(vdom) # edit <vdom_name>
(<vdom_name>) # config system session-ttl
(session-ttl) # set default 300 <- Default 3600.
(session-ttl) # config port
(port) # edit 0 (*2)
(1) # set protocol 17
(1) # set timeout 10
(1) # set end-port 53
(1) # set start-port 53
# end
(session-ttl) # end
# end <- If VDOMs are used.
(*2): 'edit 0' picks the next free index in the table, so the index does not have to be known in advance. In this example entry 1 is created, as the prompt '(1) #' shows.
Note: Timers for other protocols can be added in the same way. The recommended approach is to shorten the default timer and then raise the timer for specific traffic on a per-protocol/port basis. For instance, Oracle, Citrix, Telnet or SSH sessions may need to survive longer periods without activity than the default allows.
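The per-VDOM repetition and the "short default, long specifics" policy above are easy to get wrong by hand across several VDOMs. The following script, added here as an example and not part of the article or of FortiOS, renders the session-ttl table for a list of VDOMs and checks the entries before they are pushed. The port list (DNS, SSH, Telnet, Citrix ICA, Oracle), the 8-hour value and the 86400 upper bound are assumptions for illustration; it writes explicit indexes rather than 'edit 0', so it assumes the port table is empty.

```python
# Policy for this example: a short default TTL, a shorter one for DNS, and long
# ones for interactive/long-lived protocols. The port numbers and the 8-hour
# value are assumptions chosen for illustration, not values from the article.
DEFAULT_TTL = 300
PORT_TTLS = [
    # (protocol, start_port, end_port, timeout_seconds)
    (17, 53, 53, 10),        # DNS over UDP: one query and one reply, drop the session quickly
    (6, 22, 22, 28800),      # SSH
    (6, 23, 23, 28800),      # Telnet
    (6, 1494, 1494, 28800),  # Citrix ICA
    (6, 1521, 1521, 28800),  # Oracle TNS listener
]
MAX_TTL = 86400  # assumed upper bound; check the CLI reference for the firmware in use


def validate_port_ttls(port_ttls):
    """Reject entries the CLI would refuse or that would make the table ambiguous."""
    seen = {6: [], 17: []}
    for proto, start, end, ttl in port_ttls:
        if proto not in seen:
            raise ValueError(f"protocol {proto}: only TCP (6) and UDP (17) are handled here")
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"bad port range {start}-{end}")
        if not 1 <= ttl <= MAX_TTL:
            raise ValueError(f"timeout {ttl} outside 1..{MAX_TTL}")
        # Two entries covering the same port for the same protocol: which timer wins
        # is not obvious, so refuse rather than push an ambiguous table.
        for s, e in seen[proto]:
            if start <= e and s <= end:
                raise ValueError(f"{start}-{end}/{proto} overlaps {s}-{e}/{proto}")
        seen[proto].append((start, end))


def session_ttl_block(default_ttl, port_ttls, indent=""):
    """CLI lines for one VDOM's session-ttl table (explicit indexes, table assumed empty)."""
    lines = [f"{indent}config system session-ttl",
             f"{indent}    set default {default_ttl}",
             f"{indent}    config port"]
    for idx, (proto, start, end, ttl) in enumerate(port_ttls, start=1):
        lines += [f"{indent}        edit {idx}",
                  f"{indent}            set protocol {proto}",
                  f"{indent}            set start-port {start}",
                  f"{indent}            set end-port {end}",
                  f"{indent}            set timeout {ttl}",
                  f"{indent}        next"]
    lines += [f"{indent}    end", f"{indent}end"]
    return lines


def render_session_ttl(vdoms, default_ttl=DEFAULT_TTL, port_ttls=PORT_TTLS):
    """Full script: one session-ttl table per VDOM, or a single table when VDOMs are off."""
    validate_port_ttls(port_ttls)
    if not vdoms:
        return "\n".join(session_ttl_block(default_ttl, port_ttls)) + "\n"
    lines = ["config vdom"]
    for name in vdoms:
        lines.append(f"    edit {name}")
        lines += session_ttl_block(default_ttl, port_ttls, indent="        ")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Render the same policy for two VDOMs; paste or push the output over SSH.
    print(render_session_ttl(["root", "dmz"]), end="")
```

Running the script prints one complete 'config system session-ttl' block inside 'config vdom' / 'edit <name>' for each VDOM named; with an empty VDOM list it prints a single block for a unit without VDOMs.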
If a significant amount of DNS traffic passes through the FortiGate and neither DNS translation on a FortiGate Virtual IP nor the FortiGate DNS server is used, remove the dns-udp session helper so that the kernel does not spend resources inspecting each DNS session.
To do this from the CLI, first list the session helpers and note the index of the dns-udp entry. Do not assume the index; it can differ between firmware versions. It is 14 in this example:
config global [ optionally if using vdoms ]
show system session-helper
../..
edit 14
set name dns-udp
set port 53
set protocol 17
next
../..
Then delete that entry by its index:
config system session-helper
(session-helper) # delete 14
(session-helper) # end
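Because the index of dns-udp is not fixed, a script that removes the helper should locate the entry by name, protocol and port in the output of 'show system session-helper' instead of hard-coding 14. The following example is added here and is not part of the article or of FortiOS; the sample listing is constructed (trimmed to four helpers and with dns-udp deliberately at index 13) to show that the lookup, not the number, is what matters.

```python
import re

# Constructed 'show system session-helper' output, trimmed to a few entries.
# A real unit lists many more helpers; dns-udp is placed at 13 here on purpose.
SHOW_SESSION_HELPER = """\
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 13
        set name dns-udp
        set protocol 17
        set port 53
    next
    edit 14
        set name dns-tcp
        set protocol 6
        set port 53
    next
end
"""

ENTRY = re.compile(r"edit (\d+)\s*\n(.*?)\n\s*next", re.S)
SETTING = re.compile(r"set (\S+) (\S+)")


def parse_session_helpers(text):
    """Map each helper index to its 'set' values, e.g. {13: {'name': 'dns-udp', ...}}."""
    return {int(idx): dict(SETTING.findall(body)) for idx, body in ENTRY.findall(text)}


def find_helper(helpers, name, protocol, port):
    """Return the index of the helper matching all three fields, or None."""
    for idx, h in helpers.items():
        if (h.get("name") == name and h.get("protocol") == str(protocol)
                and h.get("port") == str(port)):
            return idx
    return None


def delete_commands(helpers, name="dns-udp", protocol=17, port=53, vdoms_enabled=False):
    """CLI text that deletes the matching helper; refuses to guess when it is absent."""
    idx = find_helper(helpers, name, protocol, port)
    if idx is None:
        raise LookupError(f"no session helper {name} {protocol}/{port}; nothing to delete")
    lines = ["config system session-helper", f"    delete {idx}", "end"]
    if vdoms_enabled:
        # Session helpers are global, so wrap the block in 'config global' on a VDOM unit.
        lines = ["config global"] + ["    " + line for line in lines] + ["end"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    helpers = parse_session_helpers(SHOW_SESSION_HELPER)
    print(delete_commands(helpers, vdoms_enabled=True), end="")
```

Matching on name, protocol and port together avoids deleting dns-tcp (same port, TCP) by mistake when only the port is checked.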
Every enabled feature has a resource cost, and disabling 'nice to have' features can make a measurable difference. Two examples follow.
Hardware acceleration moves traffic processing off the FortiGate CPU and should be used as much as possible. For example, choosing the ports used for traffic so that the largest possible share of sessions is hardware accelerated makes a significant difference.
Hardware acceleration offloads not only traffic processing on interfaces but also IPsec encryption/decryption, 802.3ad link aggregation and SSL offload.
Refer to 'Hardware acceleration Technical Note' in this document for more details.
Particularly on low-end units, dashboard widgets (GUI) that consume computing cycles can be removed.
The best example is the 'Top sessions' widget, which scans the full session table at regular intervals; this is costly when the session table is large.
Verification:
CPU, memory and session resources can be monitored through SNMP or CLI commands.
For SNMP, refer to the proprietary MIB files for the firmware version in use. They are available at http://support.fortinet.com in the Download Firmware section. Load the generic 'FORTINET-CORE-MIB.mib' first, then the 'FORTINET-FORTIGATE-MIB.mib' file for the release.
Examples of useful MIB entries:
Using the current MIB structure (FORTINET-CORE-MIB.mib + FORTINET-FORTIGATE-MIB.mib):
.1.3.6.1.4.1.12356.101.4.4.2.1.2.<processor_id> with <processor_id> = 1, 2, 3 or 4 (one entry per processor).
MIB description: 'The processor's CPU usage (percentage), which is an average calculated over the last minute.'
In the CLI, use commands like the following:
diagnose system session stat
get system performance status
diagnose system top
diagnose hardware sysinfo memory
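The CLI commands above print human-readable text, so a monitoring job that polls them over SSH needs to parse that text and compare it against thresholds. The following example is added here and is not Fortinet code: it parses constructed samples modelled on the layout of 'get system performance status' and the 'misc info' counters of 'diagnose system session stat' (field order as on the FortiOS CLI, values invented), and reports every threshold that is exceeded. The thresholds are assumptions for the example; a per-core check is included because a single core pegged while the aggregate looks fine usually points at one busy process, which is what 'diagnose system top' is then used to find.

```python
import re

# Constructed sample modelled on 'get system performance status' (values invented).
PERF_STATUS_SAMPLE = """\
CPU states: 25% user 30% system 0% nice 42% idle 0% iowait 2% irq 1% softirq
CPU0 states: 10% user 8% system 0% nice 80% idle 0% iowait 1% irq 1% softirq
CPU1 states: 40% user 52% system 0% nice 4% idle 0% iowait 2% irq 2% softirq
Memory: 2061108k total, 1648886k used (80.0%), 412222k free (20.0%)
Average network usage: 1200 / 980 kbps in 1 minute, 1100 / 900 kbps in 10 minutes, 1000 / 850 kbps in 30 minutes
Average sessions: 48210 sessions in 1 minute, 45000 sessions in 10 minutes, 42000 sessions in 30 minutes
Average session setup rate: 310 sessions per second in last 1 minute, 280 sessions per second in last 10 minutes, 250 sessions per second in last 30 minutes
Uptime: 12 days, 4 hours, 7 minutes
"""

# Constructed sample modelled on the 'misc info' counters of 'diagnose system session stat'.
SESSION_STAT_SAMPLE = """\
misc info:      session_count=48210 setup_rate=310 exp_count=0 clash=12
        memory_tension_drop=0 ephemeral=0/65536 removeable=0
"""

CPU_LINE = re.compile(r"^(CPU\d*) states:\s+(.*)$", re.M)
CPU_FIELD = re.compile(r"(\d+)% (\w+)")
MEM_LINE = re.compile(r"^Memory:\s+(\d+)k total,\s+(\d+)k used \(([\d.]+)%\)", re.M)
SESS_LINE = re.compile(r"^Average sessions:\s+(\d+) sessions in 1 minute", re.M)
RATE_LINE = re.compile(r"^Average session setup rate:\s+(\d+) sessions per second in last 1 minute", re.M)


def parse_perf_status(text):
    """Turn 'get system performance status' output into a flat metrics dict."""
    cpu = {}
    for name, fields in CPU_LINE.findall(text):
        cpu[name] = {key: int(pct) for pct, key in CPU_FIELD.findall(fields)}
    metrics = {"cpu": cpu}
    # 'CPU' (no index) is the all-core aggregate; CPU0, CPU1, ... are the individual cores.
    metrics["cpu_busy"] = 100 - cpu["CPU"]["idle"]
    metrics["cpu_busy_per_core"] = {n: 100 - v["idle"] for n, v in cpu.items() if n != "CPU"}
    m = MEM_LINE.search(text)
    metrics["mem_total_kb"], metrics["mem_used_kb"] = int(m.group(1)), int(m.group(2))
    metrics["mem_used_pct"] = float(m.group(3))
    metrics["sessions_1m"] = int(SESS_LINE.search(text).group(1))
    metrics["setup_rate_1m"] = int(RATE_LINE.search(text).group(1))
    return metrics


def parse_session_stat(text):
    """Pick every key=value counter out of 'diagnose system session stat'."""
    return {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)\b", text)}


# Thresholds are assumptions for this example; size them for the platform in use.
DEFAULT_THRESHOLDS = {
    "cpu_busy": 80,            # aggregate CPU busy %, sustained
    "cpu_core_busy": 90,       # one core this busy usually means one process is pegged
    "mem_used_pct": 75,        # alert well before memory pressure starts dropping sessions
    "sessions_1m": 100000,     # session table size the unit is expected to carry
    "memory_tension_drop": 0,  # any value above 0: sessions were dropped for lack of memory
}


def evaluate(perf, sess, thresholds=DEFAULT_THRESHOLDS):
    """Return 'metric=value > threshold' strings for every exceeded threshold."""
    alerts = []
    checks = {
        "cpu_busy": perf["cpu_busy"],
        "mem_used_pct": perf["mem_used_pct"],
        "sessions_1m": perf["sessions_1m"],
        "memory_tension_drop": sess.get("memory_tension_drop", 0),
    }
    for key, value in checks.items():
        if value > thresholds[key]:
            alerts.append(f"{key}={value} > {thresholds[key]}")
    for core, busy in perf["cpu_busy_per_core"].items():
        if busy > thresholds["cpu_core_busy"]:
            alerts.append(f"{core}_busy={busy} > {thresholds['cpu_core_busy']}")
    return alerts


if __name__ == "__main__":
    perf = parse_perf_status(PERF_STATUS_SAMPLE)
    sess = parse_session_stat(SESSION_STAT_SAMPLE)
    for alert in evaluate(perf, sess):
        print("ALERT", alert)
```

On the constructed sample the aggregate CPU is only 58% busy, yet CPU1 is at 96%, so the job raises a per-core alert alongside the memory one; the next step on a real unit would be 'diagnose system top' to see which process owns that core.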
Note:
Configure automation stitches to monitor CPU utilization and send alerts or take specific actions, such as restarting a process, when thresholds are exceeded.
Copyright 2024 Fortinet, Inc. All Rights Reserved.