FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
asostizzo_FTNT
Article Id 198110

Description

Enabling SSL Deep Inspection can reduce the overall performance of a FortiGate, because all traffic matching the policy must be decrypted, inspected, and re-encrypted by the SSL inspection engine.

Depending on how much of the traffic passing through the FortiGate is encrypted, inspecting all of it can drastically change not only CPU usage but also the memory allocated to UTM inspection, according to the Security Profiles selected for that traffic. The performance impact also varies with the size of the system.

On FortiOS versions prior to 5.2.5, an increase in system resource usage by the sslworker process may be observed, in addition to (but not limited to) the ipsengine and proxyworker processes. The latter depends on which UTM features are enabled on the security policy that has SSL Deep Inspection enabled. On newer versions of FortiOS, SSL inspection is no longer handled by sslworker; it has been moved to the proxyworker and ipsengine processes.


Solution

The following are common best practices when implementing SSL/TLS traffic inspection:

1. Know your traffic – Know how much traffic is expected and what percent of the traffic is encrypted. You can also limit the number of policies that allow encrypted traffic.

2. Test real-world SSL inspection performance yourself – Use the flexibility of FortiGate’s security policy to gradually deploy SSL inspection, rather than enabling it all at once.

3. Be selective by using white lists or trimming your policy to apply SSL inspection only where it is needed. An example would be to configure the SSL Inspection Profile to "Exempt from SSL Inspection" known and trusted encrypted traffic.

4. Implement traffic shaping, either on the policies that perform SSL Deep Inspection or on other policies carrying less critical traffic, so that more resources are available for SSL inspection.

5. Use hardware acceleration – FortiGate models with CP6 or later content processors (CPs) can offload SSL/TLS processing for content scanning and SSL acceleration. For more information, see the Hardware Acceleration handbook.
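The following FortiOS CLI script is an added example, not configuration from the original article, showing how practices 3 and 4 above fit together: a deep-inspection profile that exempts a trusted FortiGuard category and a trusted address group, a policy that applies that profile to HTTPS only, and a traffic shaper that caps less critical bulk traffic so inspection has headroom. Object names ("deep-inspection-selective", "trusted-saas-servers", "limit-bulk"), interface names (internal, wan1), the 203.0.113.0/24 subnet and the bandwidth value are all placeholders chosen for this example; the `config firewall shaping-policy` syntax assumes FortiOS 6.2 or later, where shapers are applied through shaping policies rather than on the firewall policy itself. The `#` lines are reader comments of the kind FortiOS ignores when a script is restored.

```fortios
# --- Practice 3: apply deep inspection only where needed ---
# Address object for destinations that are already trusted and should not be decrypted (example value).
config firewall address
    edit "trusted-saas-servers"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# Custom SSL/SSH profile: full deep inspection, with explicit exemptions.
config firewall ssl-ssh-profile
    edit "deep-inspection-selective"
        set comment "Added example: deep inspection with exemptions"
        config ssl
            set inspect-all deep-inspection
        end
        config ssl-exempt
            # FortiGuard category 31 = Finance and Banking (exempted in the built-in deep-inspection profile as well).
            edit 1
                set type fortiguard-category
                set fortiguard-category 31
            next
            # Known-trusted destinations by address object.
            edit 2
                set type address
                set address "trusted-saas-servers"
            next
        end
    next
end

# Firewall policy that performs deep inspection: scoped to HTTPS rather than ALL,
# so only the encrypted web traffic you intend to inspect is decrypted.
config firewall policy
    edit 10
        set name "internet-deep-inspection"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection-selective"
        set av-profile "default"
        set nat enable
    next
end

# --- Practice 4: shape less critical traffic to leave resources for inspection ---
# Shaper: cap bulk traffic at 20 Mbit/s (value in kbps) and give it low priority.
config firewall shaper traffic-shaper
    edit "limit-bulk"
        set maximum-bandwidth 20000
        set priority low
    next
end

# Shaping policy (FortiOS 6.2+): apply the shaper in both directions to traffic
# leaving wan1 that is not covered by the inspected HTTPS policy above.
config firewall shaping-policy
    edit 1
        set name "shape-bulk-traffic"
        set service "ALL"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set traffic-shaper "limit-bulk"
        set traffic-shaper-reverse "limit-bulk"
    next
end
```

After applying a change like this, watch the processes the article names (proxyworker and ipsengine on current releases, sslworker on releases before 5.2.5) with `diagnose sys top` while the inspected policy carries representative load; that is the "test real-world performance yourself" step from practice 2, and it shows whether the exemptions and shaping have left enough CPU and memory headroom before the profile is extended to further policies.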
