This article describes how to optimize memory consumption on low-/middle end models (smaller than 100D/E/F).
Every enabled feature on the FortiGate will consume some RAM memory. This might be critical, as the firewall may not have enough processing power for firewalling tasks.
Here is the Step by Step guide:
1) Disable features that are not required (e.g. DHCP, Reporting, Logging, etc)
2) Use only really necessary UTM features (like AV, WF, IPS, APPCTL, DNSF, SSL-DI)
3) Don’t use UTM scanning for trusted traffic (like Server<->Storage)
4) Fine tune IPS signatures applied (like disable linux/mac signatures if only windows is used)
5) Tweak IPS engine and profiles– when necessary:
# config ips settings
# config ips sensor
6) Tweak AV engine and profiles– when necessary:
# conf antivirus profile
# conf antivirus settings
7) Disable dashboard widgets with dynamic content for ALL local users. The reason is that when the user logs in on the GUI, he will see the historical data in the widget (last 24 h, etc). This means the widgets are ALWAYS working in background for all local users and consuming CPU/MEM resources.
8) Disable on device logging/reporting, log externally to FortiManager, FortiAnalyzer, FortiCloud, Syslog.
Advanced steps to optimize MEM utilization:
In addition to the steps above, it’s possible to further optimize MEM consumption:
Attention: Caution should be taken when using the following steps as they affect the overall behavior of the system. They will, therefore, require preliminary analysis, preferably by the TAC engineers.
1) Change max file size for inspection:
# conf firewall profile-protocol-options2) Reduce FortiGuard TTL cache:
set oversize limit
# config system fortiguard3) Reduce DNS cache size:
set webfilter cache-ttl
set antispam cache-ttl
set dns cache-ttl4) Reduce TCP session timeouts:
# config system global5) Reduce global session TTL:
tcp halfopen-timer <----- (and others)
# config system global6) Reduce Firewall policy TTL & Service/port TTL (config firewall policy, config firewall address)
7) Reduce logging to the only important events (config log setting)
Note: If the steps above do not provide satisfactory results, getting a bigger device should be considered.