FortiGate
asharopov (Staff)

Description
This article describes how to optimize memory consumption on low-end and mid-range models (smaller than the 100D/E/F).
Every enabled feature on the FortiGate consumes some RAM. On these smaller units this can become critical, because the firewall may then lack the memory and processing headroom it needs for its core firewalling tasks.

Solution
Here is the step-by-step guide:

1) Disable features that are not required (e.g. DHCP, reporting, logging).
2) Enable only the UTM features that are really needed (AV, WF, IPS, APPCTL, DNSF, SSL-DI).
3) Do not apply UTM scanning to trusted traffic (e.g. Server <-> Storage).
4) Fine-tune the IPS signatures applied (e.g. disable Linux/Mac signatures if only Windows hosts are present).
5) Tweak the IPS engine and profiles when necessary:

# config ips settings
# config ips sensor

6) Tweak the AV engine and profiles when necessary:

# config antivirus profile
# config antivirus settings

7) Disable dashboard widgets with dynamic content for ALL local users. When a user logs in to the GUI they see historical data in the widget (last 24 h, etc.), which means the widgets are ALWAYS working in the background for every local user and consuming CPU/memory resources.
8) Disable on-device logging/reporting and log externally to FortiManager, FortiAnalyzer, FortiCloud or Syslog.

Advanced steps to optimize memory utilization:

In addition to the steps above, it is possible to further optimize memory consumption.

Attention: Caution should be taken when using the following steps, as they affect the overall behavior of the system. They therefore require preliminary analysis, preferably by TAC engineers.

1) Change the maximum file size for inspection (set per protocol, e.g. under config http):
# config firewall profile-protocol-options
    set oversize-limit
2) Reduce the FortiGuard cache TTL:
# config system fortiguard
    set webfilter-cache-ttl
    set antispam-cache-ttl
3) Reduce the DNS cache size:
# config system dns
    set dns-cache-ttl
4) Reduce TCP session timeouts:
# config system global
    set tcp-halfopen-timer    <----- (and other timers)
5) Reduce the global session TTL:
# config system session-ttl
    set default
6) Reduce the firewall policy TTL and service/port TTL (config firewall policy, config firewall address).

7) Reduce logging to only the important events (config log setting).
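As an added example (not part of the original article), a small Python script that parses a FortiOS configuration backup and reports which of the knobs named above are still at their default value and so have not yet been tuned. The section and setting names are the FortiOS CLI names used above; the default values are assumptions to confirm against the CLI reference for your firmware, and the sample backup is constructed.

```python
import shlex

CHECKS = [  # (section as typed after `config`, setting, assumed FortiOS default)
    ("system global", "tcp-halfopen-timer", "10"),
    ("system session-ttl", "default", "3600"),
    ("system fortiguard", "webfilter-cache-ttl", "3600"),
    ("system fortiguard", "antispam-cache-ttl", "1800"),
    ("system dns", "dns-cache-ttl", "1800"),
    ("log disk setting", "status", "enable"),
]

def parse_fortios(text):
    """Nested dicts: `config`/`edit` open a scope, `set` stores, `next`/`end` close."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quoted values
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "set" and len(args) > 1:
            stack[-1][args[0]] = " ".join(args[1:])
        elif kw in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def audit(text):
    """(section, setting, value, flagged) per check; flagged = still at the
    assumed default, or absent from the backup, which also means default."""
    cfg = parse_fortios(text)
    return [(s, k, (v := cfg.get(s, {}).get(k, d)), v == d) for s, k, d in CHECKS]

# Constructed sample backup; `system dns` and disk logging are deliberately absent.
SAMPLE_BACKUP = """\
config system global
    set tcp-halfopen-timer 10
end
config system session-ttl
    set default 3600
end
config system fortiguard
    set webfilter-cache-ttl 600
    set antispam-cache-ttl 1800
end
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_BACKUP):
        print("REVIEW" if row[3] else "ok    ", *row[:3])
```

Feed it the text of `show full-configuration` or a backup file instead of SAMPLE_BACKUP to check a real unit; a REVIEW row only means the setting is untouched, not that the default is wrong for that device.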

Note: If the steps above do not give satisfactory results, a larger device should be considered.
