FortiGate
naveenk
Staff
Article Id 197421
Description
This article describes when policy configuration changes impact the established sessions and CPU usage.


Solution
On a heavily loaded system, schedule policy configuration changes for low-usage periods to minimize the impact on CPU usage and on established sessions.
In this scenario, it is considered a best practice to de-accelerate the hardware-accelerated sessions, so that the session table can be re-evaluated with a predictable CPU cost.

Configure the de-accelerated behavior of hardware-accelerated sessions with the following CLI command, which controls how the unit treats existing sessions when a policy configuration change is applied:

# config system settings
    set firewall-session-dirty { check-all | check-new | check-policy-option }
end
The three options behave as follows:

- check-all: the CPU flushes all current sessions and re-evaluates them against the new policy. This is the default option.
- check-new: the CPU keeps existing sessions and applies the policy change to new sessions only. This reduces CPU load and the possibility of packet loss during the change.
- check-policy-option: the unit uses the value of the firewall-session-dirty field of each firewall policy (check-all or check-new, with the same meaning as above, but decided per policy).
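As an added example, not part of the original article, the following CLI fragment sets the system-wide option to check-policy-option and then marks one high-volume policy as check-new while a second policy keeps the default check-all, so only the sessions of the second policy are flushed and re-evaluated when it is edited. Policy IDs 10 and 20 are placeholders; substitute the IDs of the policies on the unit.

```text
# config system settings
    set firewall-session-dirty check-policy-option
end

# config firewall policy
    edit 10
        set firewall-session-dirty check-new
    next
    edit 20
        set firewall-session-dirty check-all
    next
end
```

After the change, a policy edit on ID 10 leaves its established sessions in place and applies only to new sessions, whereas the same edit on ID 20 flushes and re-evaluates all of its current sessions, which is the behavior to expect (and to schedule around) on a busy unit.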
