We have contracted a new fibre optic data line with 300Mb symmetric, and we have configured the Fortinet model 60D with a policy and object like the attached picture. With this configuration the speed of our line goes down a lot (35Mb upload and 37Mb download).
Any suggestions for not losing our speed?
Thanks in advance.
Fernando, if you connect a laptop directly into the ISP equipment, do you get 300 Mbps symmetric? Then, place your laptop behind the Fortigate on the desired LAN port and measure again. Do you get the committed speed rates? From the Fortigate Web UI/ CLI check for speed and duplex mismatches. Finally, attach your configuration.
Thank you
Firstly, many thanks for your quick answer.
I have made some changes in my configuration, I tell you...
If I disable in my policy the options: antivirus - application control and email control... I get the maximum speed (more or less) of my data line (285Mb and 287Mb).
I think that I have the problem in this configuration.
Regards.
Great, now that you narrowed down the issue, the next step is to schedule a maintenance window and investigate your anti-virus and anti-spam profiles for configuration discrepancies. If you would like any further assistance just post your firewall configuration.
Thank you
Thanks.
I'm going to open a ticket with Fortinet.
Thank you Fernando! If you haven't yet, feel free to mark this thread as "Answered". See the green button on the very top right hand side.
Thank you
The FG60D is not up for the task in this scenario. We have run into the same limitation just by adding a shaper to the policy. As soon as the FG has to use the CPU for something, the throughput drops to around 100-120Mbps, even if the shaper is set to, for example, 800Mbps.
So anything that is not hardware offloaded (shaper, inspection) will drain the resources. Now, the FG60E is a different story. It uses SoC3, and blows the 60D out of the water. My guess is that any small E-model (with SoC3) would be sufficient.
-- Bjørn Tore
Also, it depends on what your security services setup looks like, i.e. AV in proxy inspection mode takes more resources than AV in flow mode.
I am not so sure how much better the 60E is vs the 60D, but just a reminder that they both fall into the entry-level enterprise firewall category. I think the added benefit is for the models 100E and above, where the addition of multi-CPU and CP9 engines makes a real difference.
FGT60D - specs
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60D_Series.pdf
FGT60E - specs
Firewall: 3 Gbps (Firewall only); IPS: 400 Mbps (with IPS enabled); NGFW: 250 Mbps; Threat Protection: 200 Mbps (ATP). Ref. https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_60E_Series.pdf
Fernando, there is nothing wrong with your profiles. The 60D is too small for 300Mbs NGFW. If you want to do NGFW, you have to buy a bigger box; I suggest the 80E. The 60D has NGFW throughput of 30 Mbs. Otherwise you have to disable AV (and SSL Inspection), as they drop it down the most.
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf
Best,
Markus
________________________________________________________
--- NSE 4 ---
________________________________________________________