kckong
New Contributor III

Firewall throughput drops 5/6 after enabling IPS

Hi,

I have a FGT-60B at home for testing, running 4.0 MR2 Patch 7. My home BB is a 30Mb VDSL. When I perform a test on www.speedtest.net, it shows the speed is close to 30Mb for download and upload. However, when I enable an IPS sensor that is used to protect clients only in the firewall policy (I only have one rule for LAN to WAN1 in the policy) and run the speedtest again, the download and upload drop to 5Mb or less, only 1/6 of what it was before. I'd like to know, is this normal?

Regards,
Danny
bmann
New Contributor

A performance drop after IPS activation is normal. Try to separate firewall policies for the major protocols and limit the IPS sensor according to protocol. For example: set different policies for HTTP+HTTPS, POP3, IMAP, SSH, DNS, etc. I do not know what you are using, but the majority will be HTTP. Limit IPS sensors by client traffic, OS and protocol. It may be a little faster, but there will be a significant performance drop. Let us know the result, thx.
kckong
New Contributor III

Hi bmann, I have tried enabling the IPS for the HTTP protocol only (i.e. I only selected HTTP in the IPS, I did not make a new firewall policy) and ran the speedtest again; the firewall throughput dropped back to 5Mb or less. I think it is not related to how many protocols / applications you enable in IPS. It seems that once you enable IPS, the firewall throughput drops a lot.
Radiosmurf
New Contributor

Is it 'really' dropping traffic, or... Thinking of my own problem, http://support.fortinet.com/forum/tm.asp?m=73931&p=1&tmode=1&smode=1, could it be possible that the line is 'full' because IPS is generating traffic itself?
kckong
New Contributor III

In my test, I stopped / closed all other applications, opened just one browser, and found that the bandwidth is 7X% less after enabling IPS scanning. I don't think it is traffic being dropped by the firewall. Actually, I had a FGT-100 running 3.0 MR7 patch 10 before, but I did not notice such a bandwidth drop at that time. I have tried 4.0 MR3 patch 1 on this FGT-60B, same problem.