FortiGate
akawade
Staff
Article Id 194420
Description
This article describes how to improve FortiGate's performance.

Solution
Points to follow when configuring a FortiGate:

- Disable any management features that are not necessary.
If SSH or SNMP are not needed, disable them.
SSH also gives a would-be attacker another way into the FortiGate.
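As an added illustration (not part of the original article), the following CLI fragment limits administrative access on a WAN-facing interface to HTTPS and ping, dropping SSH, SNMP and plain HTTP, and restricts the admin account to a trusted management subnet. The interface name wan1, the admin account name and the 10.10.0.0/24 subnet are assumed for the example.

```fortios
# Added example: restrict management access on the WAN interface.
# Interface "wan1" and subnet 10.10.0.0/24 are assumed values.
config system interface
    edit "wan1"
        # Weak setting (before): set allowaccess ping https ssh snmp http
        # Hardened setting: only HTTPS and ping remain enabled
        set allowaccess ping https
    next
end

# Independently of which protocols are exposed, limit where the admin
# account may log in from (trusted hosts). Account name is assumed.
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
```

Removing a protocol from allowaccess stops the daemon from listening on that interface; trusthost limits then apply to whatever remains exposed, so both settings are worth checking together.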

- Put the most frequently matched firewall policies at the top of the policy list, since policies are evaluated top down and the first match wins.

- Log only the traffic that is necessary.
Writing logs, especially to an internal hard disk, slows down performance.

- Enable only the required application inspections.

- Keep alert systems to a minimum.

If logs are already sent to a syslog server, SNMP traps or email alerts for the same events are redundant processing.

- Schedule FortiGuard updates at a reasonable rate.
Checking for updates every 4-5 hours is sufficient for most situations.
In heavier-traffic environments, schedule updates for the evening when more bandwidth is available.

- Keep security profiles to a minimum.
If a security profile is not needed on a firewall policy, do not attach it.

- When configuring routing, always configure a default route.

- Add blackhole routes for subnets reachable through VPN tunnels.
This ensures that if a VPN tunnel goes down, traffic for the remote subnet is dropped rather than mistakenly routed to the Internet unencrypted.
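The following CLI fragment is an added example (not from the original article) of the blackhole-route pattern described above. The remote subnet 192.168.100.0/24 and the IPsec interface name to-branch are assumed; the blackhole route is given the highest administrative distance so it is only used once the tunnel route disappears.

```fortios
# Added example: normal route via the IPsec tunnel interface plus a
# backup blackhole route. Subnet and interface name are assumed values.
config router static
    # Route to the remote office while the tunnel is up (default distance 10)
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "to-branch"
        set comment "Remote office via IPsec"
    next
    # Blackhole with distance 254: inactive while the tunnel route exists,
    # takes over when the tunnel drops, so traffic is discarded instead
    # of following the default route to the Internet in clear text
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set blackhole enable
        set distance 254
        set comment "Drop remote-office traffic if VPN is down"
    next
end
```

A quick check after configuring is to bring the tunnel down and confirm with get router info routing-table all that the 192.168.100.0/24 entry shows as a blackhole rather than disappearing.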

- If policy routing is used, keep the number of policy routes to a minimum to speed up route lookup and to simplify troubleshooting.

- Keep VDOMs to a minimum.
On low-end FortiGate models, avoid using them if possible.

- Avoid traffic shaping if maximum performance is needed.
Traffic shaping, by definition, slows down traffic.

- The default session TTL can be changed (the FortiOS default is 3600 seconds; a shorter TTL frees session-table entries sooner but can drop long-idle connections):
# config system session-ttl
    set default 300
end

- Logging to memory can be disabled with the following command:
# config log memory setting
    set status disable
end
- If the FortiGate has a hard disk, disk logging is enabled by default.
If the FortiGate has only flash memory, disk logging is disabled by default, as it is not recommended:
constant rewrites to flash storage reduce its lifetime and efficiency.

- On flash-only models, disk logging can still be enabled in the CLI under config log disk setting, with the caveat above in mind.

- On some low-end models, disk logging is unavailable.
Check the product's Feature Matrix for details.
In either case, Fortinet recommends sending logs to a FortiAnalyzer or to the FortiCloud service.
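As an added example (not from the original article), the CLI fragment below ties together the logging points above: enabling disk logging explicitly, forwarding logs to a syslog server so that separate SNMP or email alerting is not needed, and logging only security events on a policy instead of every session. The syslog server address 10.10.0.50 and the policy ID 10 are assumed values.

```fortios
# Added example: logging configuration following the article's advice.
# Syslog server address and policy ID are assumed values.

# Enable disk logging only where the model has a real hard disk
config log disk setting
    set status enable
end

# Send logs off-box to syslog; with this in place, SNMP traps and
# email alerts for the same events are redundant processing
config log syslogd setting
    set status enable
    set server "10.10.0.50"
end

# On a policy, log UTM (security) events only rather than all sessions.
# Valid values are all, utm and disable; "all" is the costly option.
config firewall policy
    edit 10
        set logtraffic utm
        set logtraffic-start disable
    next
end
```

Policies that carry no security profile produce no UTM events, so set logtraffic utm on them is effectively no logging; use all only on policies where per-session visibility is genuinely required.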
