Hello, we have a lot of customers with 30E and for a part of them, the performance of downloading decrease drasticaly. (generally, it fall to +/-3mbps on download but stay at 20mbps on upload for ex)
We try to update firmware, downgrade firmware, reset device, reinstall from scatch and nothing solve the problem.
So we replace them by 40F.
Have you an idea or do you know the problem ?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
For one, the 30E is _the_ lowest end FGT. I used to say that every model below "60x" is not a Fortigate. So, the 30E is fighting with low memory and a weak CPU. For instance, upgrading can take 10 minutes (while you sit there and wonder if it ever will come up again).
In contrast, the 40F is quite useable. Next generation, not as starved as the 30E.
<rant off>
Now to your problem at hand:
1- might it be that the 30Es are using PPPoE on the WAN interface? that protocol is not offloadable and will be a burden on the CPU. Only remedy I can think of is to install (any) WAN modem supporting PPPoE and to put it into "bridge mode". This will effectively hand down the public IP to the FGT. WAN interface will be configured as 'static' then.
This applies to a 40F as well but you might not notice it as much as the CPU is a bit more powerful.
Any cheapo WAN modem from Far East will do 1 Gbps easily, in hardware. FGTs are just not built for this. I've used D-Link (meh), and Draytek for (European) DSL and VDSL up to 250 Mbps with good results.
2- you could try to cut back on UTM on the 30Es. AV will be OK, IPS will eat a lot of memory in comparison. If your branches are connected to HQ via VPN, you might set the default route to HQ and apply UTM there, centrally. Less memory usage and less CPU cycles used in the branch FGT.
3- as long as you use IPsec VPN you're fine. Using SSLVPN will again be a burden on the CPU as it cannot be offloaded to an NP. Besides, SSLVPN is causing grief a lot, security-wise, and has been for years.
When I did the tests, I tried config after a "factory reset" with the Wan in dhcp mode was connected on a modem or on a switch without any UTP package or complexe usage. The download stay very low.
Uh-oh. DHCP mode doesn't affect CPU much.
Who is the culprit? If you really want to find out, open a shell (CLI) and issue
"diag sys top"
and sort by CPU load (press 'p') or memory usage (press 'm'). Quit by 'Ctrl-C'.
That should give you a hint at the current load.
If none of these figures are tale-telling have a look at the logs (system events, or denied traffic). Is the latency to the internet high? 'exec ping 1.1.1.1' for example.
30E/50E units have a known issue that occasionally pops up.
Please open a support ticket with the TAC. They should be able to quickly confirm if that's the case, and will proceed if RMA if needed.
Hello, the 30E are not under contract so, I can't do a ticket
Nobody know this issue ?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1663 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.