- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Signs a firewall needs to be replaced
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Signs a firewall needs to be replaced
Hey folks. Newbie here.
I'm not a networking person (more software pm and technical sales), so please excuse my ignorance on the subject.
Our IT consultancy says that we should considering purchasing new firewall appliances to replace our 60D models; the organization has grown over the past few years, but not astronomically. My understanding from networking friends is that problems are often more related to software license limits than CPU. Its justification is that mobile device traffic isn't being covered (they say our firewalls couldn't handle the extra coverage) and that we're 'on the edge' of normal operation.
We see no evidence that they're operating "on the edge". What are the signs we should look for that will tell us we do need a new firewall and how can we monitor that and be alerted when it happens? Thank you.
-d
Solved! Go to Solution.
3 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There!
"...What are the signs we should look for that will tell us we do need a new firewall and how can we monitor that and be alerted when it happens?..:"
There are a lot things to consider, but i think this is the basics:
1) CPU Usage: If most times is working around 100 %
2) RAM Usage: If enters in conserve mode frequently, ie: the Ram usage is over 80% most of the times.
3) Sessions: The numbers of new and concurrent sessions is near 4000 and 500.000 respectively
4) You reached another maximum value like policy, routes, throughput, etc...
5) Because the growth, you need more interfaces available.
You can check here the specs of the Fortigate 60D: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60D_Series.pdf
Hope it helps!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With Fortigates, limits you most often meet are UTM performance and memory size. Licensing is not a concern as all features are covered by a bundle license which only concerns the methods to scan traffic (i.e. signatures for AV, IPS, AppControl, webfilter), even features added during use.
If either UTM has to scan too much traffic or in too many respects the CPU usage will get high; IMHO a proper sized FGT will not see 50% CPU load constantly so that there's room for peak loads. OTOH some UTM and proxy features need memory - the more you scan the higher the memory footprint. If it exceeds 80% then the FGT will start switching off services so this should never happen. If you see 20-40% memory load after a reboot, slowly increasing to <= 50%, you probably have a right-sized FGT.
With new threats coming on constantly, and the current switch to HTTPS-only websites, more performance is needed from a FGT (keyword is "deep scanning" of SSL encrypted traffic). In the desktop, entry models (everything below a 100D) CPU performance is quite limited. Some figures like firewalling troughput and IPsec VPN throughput (which is encrypted as well) look quite good, others like SSLVPN do not. On the bigger models, specialized ASICs process traffic which offloads the CPU substantially.
So, depending on the number of UTM features used, the number of users and the WAN bandwidth, it might very well be that you've outgrown a 60D. Seems your consultant may have made a valid point.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also to add to the above,
You need to take advantage of newer features and your FortiOS OSes is limit of EoL. ( yes I had a customer who struggle to get off FortiOS 3.x and his FGT300s) ;)
Other issues that can requires a upgrade;
you need more thru-put (duh)
you need more vdom
you need faster processor for off-load
you need faster interfaces 100 ver 1000 ver 10000 megs for example
you plan to deploy a wireless overlay and the hardware can't support it ( FAPs and FAP models and types )
Etc...
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi There!
"...What are the signs we should look for that will tell us we do need a new firewall and how can we monitor that and be alerted when it happens?..:"
There are a lot things to consider, but i think this is the basics:
1) CPU Usage: If most times is working around 100 %
2) RAM Usage: If enters in conserve mode frequently, ie: the Ram usage is over 80% most of the times.
3) Sessions: The numbers of new and concurrent sessions is near 4000 and 500.000 respectively
4) You reached another maximum value like policy, routes, throughput, etc...
5) Because the growth, you need more interfaces available.
You can check here the specs of the Fortigate 60D: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60D_Series.pdf
Hope it helps!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With Fortigates, limits you most often meet are UTM performance and memory size. Licensing is not a concern as all features are covered by a bundle license which only concerns the methods to scan traffic (i.e. signatures for AV, IPS, AppControl, webfilter), even features added during use.
If either UTM has to scan too much traffic or in too many respects the CPU usage will get high; IMHO a proper sized FGT will not see 50% CPU load constantly so that there's room for peak loads. OTOH some UTM and proxy features need memory - the more you scan the higher the memory footprint. If it exceeds 80% then the FGT will start switching off services so this should never happen. If you see 20-40% memory load after a reboot, slowly increasing to <= 50%, you probably have a right-sized FGT.
With new threats coming on constantly, and the current switch to HTTPS-only websites, more performance is needed from a FGT (keyword is "deep scanning" of SSL encrypted traffic). In the desktop, entry models (everything below a 100D) CPU performance is quite limited. Some figures like firewalling troughput and IPsec VPN throughput (which is encrypted as well) look quite good, others like SSLVPN do not. On the bigger models, specialized ASICs process traffic which offloads the CPU substantially.
So, depending on the number of UTM features used, the number of users and the WAN bandwidth, it might very well be that you've outgrown a 60D. Seems your consultant may have made a valid point.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also to add to the above,
You need to take advantage of newer features and your FortiOS OSes is limit of EoL. ( yes I had a customer who struggle to get off FortiOS 3.x and his FGT300s) ;)
Other issues that can requires a upgrade;
you need more thru-put (duh)
you need more vdom
you need faster processor for off-load
you need faster interfaces 100 ver 1000 ver 10000 megs for example
you plan to deploy a wireless overlay and the hardware can't support it ( FAPs and FAP models and types )
Etc...
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you all for your help.
Related Posts
- connect fortigate to 2 sophos at... 25 Views
- Firewall between 192.168.1.50 and 192.168.1.60 ... 78 Views
- ZTNA not working. Help please. 45 Views
- IPSec client is blocked by implicit... 201 Views
- Create branch office VPN so that... 96 Views
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.