Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kevin_Ericson
New Contributor

MR6 and MyDoom/Netsky

I' ve got a FGT-50 that is sitting in front of mail server that has perhaps 35 email accounts. Also a couple of " brochure" type Websites (just one or two pagers that get maybe 5 hits a day). I' ve got AV turned on on SMTP only and after about 3-5 hours (reprents perhaps 200 email messages) it stops passing SMTP traffic all together. The CPU is running about 10% and memory in the 70-80% range. I can turn AV scanning off but SMTP remains dead until I do a reboot on the box. The pre-sales brochure I' ve got for the 50 says that it should be able to handle 3K concurrent session, 300 new sessions per second and 30 Mbps. I' ve got 1/2 a T-1 and way less traffic than specs so that " shouldn' t" be a problem. The Model 50' s whole reason for existance is to provide AV protection for this little mail server so turning AV off is not an option (when I do turn it off it' ll run for weeks without a problem). Anyone with any ideas?
Kevin Ericson, Pres., FCNSP Certified Fortinet Engineer Deadbolt Security Networks 9791 W Stanford Ave #5D Denver, CO 80123
Kevin Ericson, Pres., FCNSP Certified Fortinet Engineer Deadbolt Security Networks 9791 W Stanford Ave #5D Denver, CO 80123
6 REPLIES 6
Not applicable

[Deleted by Admins]
Kevin_Ericson
New Contributor

I have checked disk space and it still doesn' t have any! OK, OK I' m being a wise guy. The Model 100 and lower have no hard drive... and the 50 can' t even log to memory.
Kevin Ericson, Pres., FCNSP Certified Fortinet Engineer Deadbolt Security Networks 9791 W Stanford Ave #5D Denver, CO 80123
Kevin Ericson, Pres., FCNSP Certified Fortinet Engineer Deadbolt Security Networks 9791 W Stanford Ave #5D Denver, CO 80123

I have a 50 running in simular setup but without the websites internaly. Mine doesn' t lock up and apart from installing the latest firmware has never had to be rebooted. I know this isn' t a solution, and it might not suit your setup, but I prevent all executable attachments there are from passing the firewall (in smtp). (exe, pif, scr etc ) By doing this they are not scanned simply rejected straight away. I don' t think I have ever rejected a ' real' email from doing this but sure has caught 1000' s of virus emails. I have now blocked zip files as well, which by using the safe senders list is still usable, if inconvienent. BTW are safe senders still scanned for viruses? Just seen this on another thread
You can set the action which is to occur for SMTP messages by modifing the splice command. splice {enable | disable} and get your current setting via get antivirus service smtp splice. Here is info from the CLI Man:quote: When splice is enabled for smtp, the FortiGate unit simultaneously scans an email and sends it to the SMTP server. If the FortiGate unit detects a virus, it terminates the server connection and returns an error message to the sender, listing the virus name and infected filename. In this mode, the SMTP server is not able to deliver the email if it was sent with an infected attachment. Throughput is higher when splice is enabled for smtp.-------------------------------------------------------------------------------- When splice is disabled for smtp, the FortiGate unit scans the email first. If the FortiGate unit detects a virus, it removes the infected attachment, adds a customizable message, and sends the email to the SMTP server for delivery.-------------------------------------------------------------------------------- Selecting enable for the splice keyword returns an error message to the sender if an attachment is infected. The receiver does not receive the email or the attachment. --------------------------------------------------------------------------------Selecting disable for the splice keyword removes an infected attachment and forwards the email (without the attachment) to the SMTP server for delivery to the receiver. -Hope this helps Regards, Matt
From here worth checking out, to see if it makes any difference. (I' d still block exe etc, then you only have zip to worry about...)
gbaharoff
New Contributor

We' ve seen the Fortigate 50 with 2.50, doesn' t matter the MR version, cause massive performance degradation even in small environments. It isn' t what you want to hear, but we' ve actually downgraded to 2.36 and the performance spike is remarkable. The downside obviously is the feature set of the 2.50 isn' t available.
Greg Baharoff Fortinet Certified System Engineer MTBW Services, Inc. 327 E Ridgeville Blvd 154 Mount Airy MD 21771 301-829-5925
Greg Baharoff Fortinet Certified System Engineer MTBW Services, Inc. 327 E Ridgeville Blvd 154 Mount Airy MD 21771 301-829-5925
Not applicable

The last post was correct. Issues have been seen with the FGT-50 running any MR of 2.5. [image][/image]Actually, tech support is not recommending 2.5 on the FGT if you have more than five users or if you have a server sitting behind the FGT-50. The recommendation is to downgrade to 2.36 or purchase a larger unit. You may want to talk to your reseller about the new FGT-50A. The main functionality that will be lost is Email Filtering. I hope this helps.
Mailfence
New Contributor

At Forest Hills Audiology nyc, we believe that everyone deserves to live life to the fullest, which is why we're committed to providing top-quality hearing healthcare services to individuals of all ages. Whether you need a hearing evaluation, hearing aids, or any other hearing-related service, our expert team of audiologists is here to help. Contact us today to schedule your appointment and start your journey towards better hearing!

Labels
Top Kudoed Authors