FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
asharopov
Staff
Article Id 192323

Description

 

This article describes how to optimize memory consumption on low- and mid-range FortiGate models (smaller than the 100D/E/F).
Every enabled feature on a FortiGate consumes some RAM. On small appliances this can become critical: when free memory runs low the unit enters conserve mode, and the firewall may no longer have the resources it needs for its core tasks.

 

Scope

 

FortiGate appliances smaller than 100D/E/F.

Solution

 

  1. Disable features that are not required (for example DHCP, reporting, local logging).
  2. Enable only the UTM features that are truly necessary (AntiVirus, Web Filter, IPS, Application Control, DNS Filter, SSL deep inspection). Each engine you enable keeps its own processes and signature data resident in memory.
  3. Do not apply UTM scanning to traffic you have decided to trust (for example server <-> storage). Treat this as a deliberate trade of coverage for resources: scope the exemption to the specific policy rather than to a whole interface pair.
  4. Fine-tune the IPS signatures applied (for example, disable Linux/Mac signatures if only Windows hosts are protected).
  5. Tweak the IPS engine and sensors when necessary:

config ips settings
config ips sensor

 

  6. Tweak the AV engine and profiles when necessary:

config antivirus profile
config antivirus settings

 

Adjust the IPS process count and the signature set that is loaded:

config ips global
    set engine-count 1
    set cp-accel-mode none
    set exclude-signatures industrial
end

engine-count 0 (the default) lets FortiOS start one IPS engine per CPU core; pinning it to 1 keeps a single engine resident. cp-accel-mode controls offload of IPS pattern matching to the content processor (CP). exclude-signatures industrial (also the default) keeps the industrial/OT signature set out of the loaded database; set it to none only if you actually protect industrial protocols, since that loads the full set into memory.

 

  7. Schedule signature updates outside business hours, so that the download and the database reload do not compete with production traffic:

config system autoupdate schedule
    set status enable
    set frequency daily
    set time 03:00
end

  8. Disable dashboard widgets with dynamic content for ALL local administrators. When an administrator logs in to the GUI, the widgets show historical data (activity over the last 24 hours, and so on); to have that data ready, the widgets keep collecting it in the background for every local user and consume CPU and memory even while nobody is logged in.
  9. Disable on-device logging and reporting. Log externally instead (FortiManager, FortiAnalyzer, FortiCloud or Syslog); this also keeps the audit trail off a device whose memory logs are lost on every reboot:

config log memory setting
    set status disable
end

Advanced steps to optimize memory utilization:

In addition to the steps above, memory consumption can be reduced further:

Attention: use the following steps with care, as they change the overall behaviour of the system (session handling, inspection limits, cache lifetimes). Analyse the impact beforehand, preferably together with TAC engineers.

 

  1. Change the maximum file size that is buffered for inspection. The limit is set per protocol inside the protocol options profile:

config firewall profile-protocol-options
    edit <profile>
        config http
            set oversize-limit <MB>
        end
    next
end

Caution: files larger than oversize-limit are not scanned. Unless the protocol's options include oversize (block), they are passed through, so lowering the limit widens the unscanned window. Check set options in the same block before reducing the limit.

  2. Reduce the FortiGuard cache TTLs (a shorter TTL means a smaller resident cache, but more rating lookups sent to FortiGuard):

config system fortiguard
    set webfilter-cache-ttl <seconds>
    set antispam-cache-ttl <seconds>
end

 

  3. Reduce the DNS cache size and TTL:

config system dns
    set dns-cache-limit <entries>
    set dns-cache-ttl <seconds>
end

 

  4. Reduce the TCP session timers (and the UDP idle timer):

config system global
    set tcp-halfopen-timer <seconds>
    set tcp-halfclose-timer <seconds>
    set tcp-timewait-timer <seconds>
    set udp-idle-timer <seconds>
end

 

  5. Reduce the global session TTL (it applies to every session that no policy or service overrides; step 9 below shows a complete example):

config system session-ttl
    set default <seconds>
end

 

  6. Reduce the per-policy and per-service session TTLs (set session-ttl under config firewall policy and config firewall service custom). These override the global value, so a long-lived service such as SSH can keep a generous timeout while everything else is shortened.

  7. Reduce logging to only the important events (config log setting).

  8. Reduce the number of worker processes:

config system global
    set miglogd-children 1
    set sslvpn-max-worker-count 1
    set wad-worker-count 1
    set scanunit-count 1
end

miglogd handles logging, wad is the proxy-based inspection daemon, scanunit is the AV scanner and sslvpn serves the SSL VPN portal; fewer workers means less memory but also less parallelism for those features.

 

9. Reduce session TTLs to make session recycling more efficient. The example below lowers the default from 3600 to 600 seconds and sets a 120-second timeout for UDP (protocol 17) on a given port range (start-port and end-port are required for a port entry):

config system session-ttl
    set default 600
    config port
        edit 1
            set protocol 17
            set start-port <port>
            set end-port <port>
            set timeout 120
        next
    end
end
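As an added example that is not part of the original article and not Fortinet's code, the following Python script parses a FortiOS configuration dump (the nested config/edit/set/next/end syntax used by every CLI fragment on this page) and audits it for the settings from both the basic and the advanced lists above, flagging the fail-open side effects a practitioner should weigh: an oversize-limit without the oversize block option, and av-failopen pass (a FortiOS global setting the article does not cover). The two configuration excerpts are constructed, and the defaults the audit assumes (engine-count 0, exclude-signatures industrial, av-failopen pass, memory logging enabled) should be checked against the CLI reference for your firmware build.

```python
"""Added example (not Fortinet code): parse a FortiOS 'show full-configuration'
dump and audit it for the memory settings above and their fail-open side effects."""
import shlex

def parse_fortios(text: str) -> dict:
    """'config a b' / 'edit x' open a block, 'set k v..' stores tokens, 'next'/'end' close."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pos = 0
    def block() -> dict:
        nonlocal pos
        node = {}
        while pos < len(lines):
            tokens = shlex.split(lines[pos])
            pos += 1
            kw = tokens[0] if tokens else ""
            if kw == "config":
                node[" ".join(tokens[1:])] = block()
            elif kw == "edit":
                node[tokens[1]] = block()
            elif kw == "set":
                node[tokens[1]] = tokens[2:]
            elif kw == "unset":
                node.pop(tokens[1], None)
            elif kw in ("next", "end"):
                return node  # '#' comments and unknown keywords are ignored
        return node
    return block()

# Assumed FortiOS defaults (verify for your build); a key missing from the dump
# is treated as being at its default.
WORKER_KEYS = ("miglogd-children", "sslvpn-max-worker-count",
               "wad-worker-count", "scanunit-count")

def audit(cfg: dict) -> list:
    """One finding per setting that still costs memory or makes inspection fail open."""
    f = []
    ips = cfg.get("ips global", {})
    if ips.get("engine-count", ["0"]) == ["0"]:
        f.append("ips global: engine-count auto (one engine per core); pin to 1")
    if ips.get("exclude-signatures", ["industrial"]) == ["none"]:
        f.append("ips global: exclude-signatures none loads the industrial set too")
    if cfg.get("log memory setting", {}).get("status", ["enable"]) != ["disable"]:
        f.append("log memory setting: on-box memory logging enabled; log externally")
    glob = cfg.get("system global", {})
    f += [f"system global: {k} not pinned (auto-sized per CPU)" for k in WORKER_KEYS if k not in glob]
    if glob.get("av-failopen", ["pass"]) == ["pass"]:
        f.append("system global: av-failopen pass; in conserve mode AV lets traffic through unscanned")
    # Fail-open side effect of a low oversize-limit: files above the limit are
    # blocked only if 'oversize' is in the protocol's options, else they skip AV.
    for name, prof in cfg.get("firewall profile-protocol-options", {}).items():
        for proto, opts in prof.items():
            if isinstance(opts, dict) and "oversize-limit" in opts \
                    and "oversize" not in opts.get("options", []):
                f.append(f"profile-protocol-options {name}/{proto}: oversize-limit "
                         f"{opts['oversize-limit'][0]} MB but larger files pass unscanned")
    return f

# Constructed excerpt: the settings a freshly deployed small unit often carries.
WEAK_CONFIG = """\
config ips global
    set exclude-signatures none
end
config log memory setting
    set status enable
end
config firewall profile-protocol-options
    edit "default"
        config http
            set oversize-limit 10
        end
    next
end
"""

# Constructed excerpt: the same unit after applying the steps on this page.
TUNED_CONFIG = """\
config system global
    set av-failopen off
    set miglogd-children 1
    set sslvpn-max-worker-count 1
    set wad-worker-count 1
    set scanunit-count 1
end
config ips global
    set engine-count 1
    set exclude-signatures industrial
end
config log memory setting
    set status disable
end
config firewall profile-protocol-options
    edit "default"
        config http
            set options oversize
            set oversize-limit 5
        end
    next
end
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("tuned", TUNED_CONFIG)):
        print(label, audit(parse_fortios(text)))
```

Run it against the saved output of show full-configuration from the device; an empty result means every item from both lists is set and the known fail-open switches are closed. Entries missing from the dump are scored as defaults, so feed it the full configuration rather than a partial show of one table.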

 

Note: If the steps above do not produce satisfactory results, consider using a higher capacity FortiGate device.