Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ITHRBruce
New Contributor

FortiGate 100E CPU Usage maxes out when downloading

Hi,

 

We have been using a FortiGate 100E for about 6 months or so without incident. We have a 1GB pipe out to the net and have around 60 users here. We are on firmware v5.4.5, build 6225 (GA).

 

Recently we have noticed that CPU Usage starts to max out if anyone does even a moderate download. My ISP manages the firewall as I am not a firewall expert. They have contacted Fortinet and at their request sent over usage logs a few times, but without a solution being offered. My ISP have made a lot of changes and done a great job to reduce the scanning footprint which seems to cause this, and this has made things run much, much better. However we can still get a bad peak, albeit smaller. I myself downloaded a 2GB file from a reputable website (Veritas), in about 8 mins, and the CPU Usage peaked at about 60%. While this was nowhere as bad, why should it go so high when the device is capable of handling thousands of connections? It seems the scanning is quite aggressive, or way too many resources are being allocated to it.

 

And of course I am concerned if just a few users started a large download. I have seen it go up when someone starts up their email and downloads a few hundred meg, all very legit stuff. Very perplexing. Anyone have any idea as what could be going on here?

 

Many thanks.

 

11 REPLIES
romanr
Valued Contributor

Hi,

 

first of all, you run the shipment firmware, which is somehow out of the normal support tree and you should really consider upgrading your box to 5.4.8.

 

If you want to reach speed in the area of ~1GBit with a 100E -> you should consider running the firewall in flow mode - or at least use flow mode profiles on your high speed/volume policies.

 

Br,

Roman

ITHRBruce

Thanks I will ask my ISP if this can be enabled.

Hosemacht
Contributor II

Hey there,

 

first of all we need to know which features are used on the Internet facing policy.

Yes, the FortiGate 100E has 7.7 Gbit firewall throughput, but when it comes to SSL inspection it falls down to 190 Mbit.

You can check this in the datasheet : https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_100E_Series.pdf.

 

Unfortunately I guess your Internet is simply too fast :)

 

PS: I'll recommend you upgrade to 5.4.8 and try to tune your security profiles.

sudo apt-get-rekt
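Roman's suggestion to use flow-mode profiles on the high-volume policy, and Hosemacht's point about the SSL-inspection throughput figure, written out as FortiOS 5.4 CLI. This is an added illustration, not configuration from this thread or from Fortinet; the interface names "internal" and "wan1" and the profile names are assumptions, and the exact options should be checked against the 5.4 CLI reference for the installed build.

```fortios
# Added example (not from this thread). Assumes FortiOS 5.4.x syntax,
# interfaces "internal" (LAN) and "wan1" (Internet); profile names are made up.

# Option A: switch the whole VDOM to flow-based inspection (Roman's first suggestion).
config system settings
    set inspection-mode flow
end

# Option B (less disruptive): keep proxy mode globally, but put flow-based
# profiles only on the high-volume Internet policy.
config antivirus profile
    edit "flow-av"
        set comment "Flow-based AV for the bulk Internet policy"
        set inspection-mode flow-based
    next
end

config webfilter profile
    edit "flow-wf"
        set comment "Flow-based web filter for the bulk Internet policy"
        set inspection-mode flow-based
    next
end

# Internet policy using the flow profiles. "certificate-inspection" only
# checks the server certificate; "deep-inspection" decrypts every TLS
# session and is what the datasheet's much lower SSL-inspection figure refers to.
config firewall policy
    edit 10
        set name "LAN-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set av-profile "flow-av"
        set webfilter-profile "flow-wf"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic utm
        set nat enable
    next
end

# Before/after check while a large download is running:
#   get system performance status      (overall CPU/session load)
#   diagnose sys top 5 20              (which daemons, e.g. scanunit/ipsengine, hold the CPU)
```

If deep inspection is genuinely required for some destinations, a separate policy scoped to those destination addresses keeps the decryption cost off the bulk-download path.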
ITHRBruce

Thanks Giraffe guy, we'll look at that.

ede_pfau

Any chance you connect to WAN via PPPoE?

Ede Kernel panic: Aiee, killing interrupt handler!
ITHRBruce

Not sure, would have to check with my ISP who manage it. If so, what action would you recommend they take? Thanks.

ede_pfau

Background: the smaller FGTs have a known weakness if they have to sustain a PPPoE connection beyond 100 Mbps. The workaround/solution is to use a standalone modem instead (pass-through).

Just a thought. Your setup might well be completely different.

Ede Kernel panic: Aiee, killing interrupt handler!
ITHRBruce

Interesting, although I haven't seen those speeds when I've been monitoring. Thank you.

ITHRBruce

Hi,

 

We have now had the firewall's firmware upgraded to the latest version, 5.4.8. So far, so good.

However, when some of my developers try to access a website such as https://abc123.domain.com/ by browsing to just https://abc123/ (abc123 has been noted in the local hosts file with its IP address) they can no longer hit that web site and instead get the firewall's standard access denied error message.

 

This was fine before the firmware upgrade. We can get around it by setting an 'allow' rule for the whole FQDN but my guys have about 90 test domains that they want to hit by just specifying the sub-domain.

 

Any idea what setting can be changed to accommodate this usage?

 

Thanks!

 
