Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dayrl49
New Contributor

Fortigate 201F Deep SSL Inspection Performance

Hi guys,

We want to switch from a Sonicwall NSa 3650 to a Fortigate 201F because the DPI SSL is causing problems with the SonicWall. The throughput for single stream HTTPS downloads is limited to approx. 5 MB/s. We can run multiple download streams at the same time at 5 MB/s, but it's still not enough for us.

Support has confirmed this to us and it can't be changed.

 

Does anyone have experience whether this limitation also exists with the Fortigate 201F? How does it look with multiple streams? Does the performance drop?

What negative experiences can you report?

omegle xender
1 REPLY 1
Cajuntank
Contributor II

I have not run into that issue myself on an F series, but have run into the need to tweak some on some of my E series firewalls. Enabling all security profiles, looking at all of my traffic, all files for AV, Web, Extended IPS database, DPI, etc... brought a 500E to it's knees performance-wise (a few tweaks resolved though). Based on the 201F specs, it has a CP9 processor to offload those types of functions from the main network processor, so the 201F is spec'd at 4Gbps for SSL Inspection Throughput. Probably with other security profiles added in for traffic inspection (i.e.. AV, IPS, Web Filtering, App Control), you are probably looking closer to about 2-3Gbps throughput (just a wild guess as I have no idea what you are trying to protect or your traffic requirements, etc...).

To assist with that DPI performance, you are offered the ability to exempt web categories (i.e... Finance and Banking, Content Server, etc...), specific address sites (*.apple.com, *.gotomeeting.com, etc...), and Reputable websites (just a slide button where the sites are rated by FortiGuard web filtering). So utilizing those options will help free up CPU processing, thus give you better performance.

Labels
Top Kudoed Authors