FortiGate optimization

How to avoid performance issues on FortiGate firewalls

How to avoid performance issues on FortiGate firewalls, where to find spare capacity, and how to keep the unit out of kernel conserve mode and session fail mode. A FortiGate tuning checklist.

Event log messages that indicate the problem:
System has entered kernel conserve mode
System has activated session fail mode
System has reached connection limit
System has deactivated session fail mode
The first two are raised when memory use crosses the conserve-mode thresholds, the third when the session table hits the model's connection limit. The last one only tells you that the unit has recovered.
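A quick way to confirm what those messages are reporting, added here as an example and not taken from the original page: the FortiOS CLI commands below show memory use against the conserve-mode thresholds, the session table, the busiest processes and the local event log. Command names are as in FortiOS; the exact output columns vary between versions.

```fortios
# Overall CPU, memory and session counters
get system performance status
# Memory use and the conserve-mode thresholds (red / extreme) it is compared against
diagnose hardware sysinfo memory
diagnose hardware sysinfo conserve
# Session table size and setup rate
diagnose sys session stat
# Busiest processes, refreshed every 1 s, 20 rows (press q to quit)
diagnose sys top 1 20
# Event logs from the local store (category 1 = event); look for the
# conserve-mode / fail-mode entries listed above
execute log filter category 1
execute log display
```

If memory and disk logging are disabled, as recommended further down, the last two commands show nothing locally and you read the event log on FortiAnalyzer or FortiCloud instead.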


> Use FortiCloud Logging Service or FortiAnalyzer

> Disable logging to memory

> Disable logging to disk

> Use UDP between FortiGate and FortiAnalyzer. Don't use TCP (reliable mode) or an IPsec connection. Trade-off: UDP is neither acknowledged nor encrypted, so logs can be lost under load and read in transit; only do this on a trusted management network

> Analyze traffic on FortiAnalyzer or FortiCloud rather than on the FortiGate (set the FortiView log source to FortiAnalyzer/FortiCloud instead of the local stores)

> Hide unused features in the GUI, especially on small devices

> Disable features you don't need. Move non-security features (such as DNS, DHCP) to other machines
System -> Config -> Features only hides options in the GUI; it does not disable them.
A feature stops processing traffic only when you remove it from the firewall policies (and, for services such as DNS and DHCP, from the interface configuration).

Note: Killing a process achieves nothing. It is restarted after a few seconds.

Features with high memory usage:
- Antivirus
- DNS database
- WAN optimization
- Log to memory
- Traffic shaping
- Web filter quota

Features with high CPU usage:
- App Ctrl/IPS
- SSL inspection

> Decrease the default session TTL value

> Set a very short custom session TTL for specific protocols (such as DNS)

> Decrease the session timer values (TCP half-open, half-close and time-wait, UDP idle)

> Decrease the cache limits for DNS and the FortiGuard security features

> Remove session helpers you don't need (check first: the FTP, SIP and H.323 helpers are what make those protocols work through NAT)
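The session items above, as one FortiOS CLI example added by the editor (not configuration from the original page). The values are illustrative, the FortiGuard cache percentages are the minimum the CLI accepts, and the session-helper id 1 is assumed: read the real id from the `show` output before deleting anything.

```fortios
# Shorter default session TTL (seconds) and a very short TTL for DNS (UDP/53)
config system session-ttl
    set default 1800
    config port
        edit 1
            set protocol 17
            set start-port 53
            set end-port 53
            set timeout 30
        next
    end
end
# TCP / UDP state timers (seconds); the defaults are longer
config system global
    set tcp-halfclose-timer 60
    set tcp-halfopen-timer 10
    set tcp-timewait-timer 1
    set udp-idle-timer 60
end
# DNS cache size/TTL and FortiGuard cache memory share (percent of RAM)
config system dns
    set dns-cache-limit 2000
    set dns-cache-ttl 600
end
config system fortiguard
    set webfilter-cache-mpercent 1
    set antispam-cache-mpercent 1
end
# Session helpers: list them, then delete only the ones no traffic relies on
show system session-helper
config system session-helper
    delete 1
end
```

A very short UDP/53 TTL is safe because a DNS exchange is one request and one reply; do not apply the same idea to protocols with long-lived flows.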

> Do you need VDOMs ?

> Change the inspection mode from proxy to flow. Flow-based inspection is lighter but not feature-equivalent; check which options in your profiles exist only in proxy mode before switching

> Limit the AV scan file size (oversize limit). Files above the limit are passed unscanned unless you choose to block oversized files

> Limit decompression in protocol options (uncompressed size and nesting limits)

> Do not use Inspection Ports: Any in protocol options; inspect the standard ports only
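The four items above as one FortiOS CLI example, added by the editor and not part of the original page. The profile name "tuned" and policy id 10 are assumed; sizes are in MB, the nesting limit in levels. The per-policy `inspection-mode` keyword exists from FortiOS 6.2; on 5.x the mode is set per VDOM under `config system settings`.

```fortios
# Protocol options profile: standard ports only, cap the scanned file size,
# cap decompression of archives
config firewall profile-protocol-options
    edit "tuned"
        config http
            set ports 80
            set inspect-all disable
            set oversize-limit 10
            set uncompressed-oversize-limit 10
            set uncompressed-nest-limit 12
        end
        config ftp
            set ports 21
            set inspect-all disable
            set oversize-limit 10
        end
    next
end
# Flow-based inspection on the policy, using the profile above
config firewall policy
    edit 10
        set inspection-mode flow
        set profile-protocol-options "tuned"
    next
end
```

Restricting to port 80 means HTTP on a non-standard port is no longer inspected by this profile; that is the trade-off the "Inspection Ports: Any" item is about.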

> Don't use FortiView for traffic analysis. Use SNMP (or FortiAnalyzer)

> Avoid taking full Internet BGP tables. They consume a lot of memory

> Analyse firewall rule usage. Move heavily used rules higher, as long as the reorder cannot change which rule a packet matches

> Merge similar firewall rules

> Log only security events (UTM) in the firewall rule options when the log rate is very high (DNS traffic, for example)

> Block traffic with firewall policies rather than application control when possible

> Don't use Generate Logs when Session Starts. It doubles the log rate

> Don't use Extended UTM Log for App Ctrl/IPS

> Use upload option: realtime. Don't use store-and-upload
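The logging items (memory and disk off, UDP to FortiAnalyzer, per-policy log level, realtime upload) as one FortiOS CLI example added by the editor, not configuration from the original page. The FortiAnalyzer address 192.0.2.10 and policy id 10 are assumed.

```fortios
# No local log stores
config log memory setting
    set status disable
end
config log disk setting
    set status disable
end
# FortiAnalyzer over UDP (reliable = TCP), sent as logs are generated
config log fortianalyzer setting
    set status enable
    set server 192.0.2.10
    set reliable disable
    set upload-option realtime
end
# Per-policy: UTM events only, no session-start log
config firewall policy
    edit 10
        set logtraffic utm
        set logtraffic-start disable
    next
end
```

With both local stores disabled the only copy of every log is the one on FortiAnalyzer, and with `reliable disable` nothing retransmits a dropped datagram, so check the FortiAnalyzer side is actually receiving before you rely on it for incident response.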

> Remove GeoIP objects you don't use. Even unused, they consume memory

> Use the AV normal database

> Disable antivirus heuristic (security trade-off: fewer detections of unknown variants)

> Don't scan for unpopular applications in App Ctrl

> Use action allow rather than monitor when you don't want application or web filter logs

> Use Block rather than Reset action in App Ctrl/IPS

> Block bandwidth-consuming applications and web pages

> Add heavily used URLs manually to the URL filter with action allow, without logging

> Block files based on extension. Blocked files are not scanned by AV (a performance measure, not a security control: the extension is chosen by the sender)

> Don't use IPS signatures with Low and Information severity

> Select IPS signatures based on open ports, operating systems and applications actually in use

> Don't use DLP fingerprinting

> If you do use DLP document fingerprinting, schedule the file share scan at night

> If you really need WanOpt, run it on a separate device. Very high memory consumption
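The AV, application control and IPS items above as one FortiOS CLI example, added by the editor and not part of the original page. Profile names "tuned", the policy attachment, the app category id (2 is P2P in current FortiOS app control databases; verify on your unit) and the OS/protocol filters are assumed.

```fortios
# AV: normal signature database, heuristics off
config antivirus settings
    set default-db normal
end
config antivirus heuristic
    set mode disable
end
# App control: block unwanted popular P2P apps, allow the rest without logging,
# only signatures with popularity 3 and above, no extended log
config application list
    edit "tuned"
        set extended-log disable
        set other-application-log disable
        set unknown-application-log disable
        config entries
            edit 1
                set category 2
                set popularity 4 5
                set action block
            next
            edit 2
                set popularity 3 4 5
                set action pass
                set log disable
            next
        end
    next
end
# IPS: medium severity and above only, narrowed to what is actually exposed
config ips sensor
    edit "tuned"
        set extended-log disable
        config entries
            edit 1
                set severity medium high critical
                set os linux
                set protocol HTTP HTTPS DNS
                set status enable
                set action block
            next
        end
    next
end
```

Entry 2 of the application list is the "allow without log" rule: it keeps the log rate down, but it also means you have no record of those applications when you investigate an incident. The IPS OS and protocol filters are only safe if the inventory behind the policy really is Linux web and DNS servers; widen them when it is not.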

> Reduce VPN crypto cost where encryption is not hardware-offloaded: AES-256 -> AES-128, a smaller DH group, PFS off. Do not downgrade to SHA-1 or 3DES: both are deprecated, and on units with IPsec ASIC offload the cipher choice does not load the CPU anyway, so there is nothing to gain
The idea behind choosing 3DES (a slow cipher throttles VPN throughput, so less traffic reaches content inspection) only holds when encryption runs in software; with ASIC offload the tunnel is not slowed down. If you need to limit inspection load coming out of a tunnel, rate-limit it explicitly rather than through cipher choice. Be aware that a DH group below 14 and disabled PFS weaken the key exchange.
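A phase 1 / phase 2 proposal that keeps the cheaper settings without the deprecated algorithms, added by the editor as an example and not configuration from the original page. Tunnel names "site-a" and "site-a-p2" are assumed, and the peer configuration must use the same proposal.

```fortios
# IKE phase 1: AES-128 / SHA-256, DH group 14
config vpn ipsec phase1-interface
    edit "site-a"
        set proposal aes128-sha256
        set dhgrp 14
    next
end
# IPsec phase 2: same proposal, PFS off (saves one DH exchange per rekey)
config vpn ipsec phase2-interface
    edit "site-a-p2"
        set phase1name "site-a"
        set proposal aes128-sha256
        set pfs disable
    next
end
# Check whether the tunnel is offloaded (npu flag) or encrypted in software
diagnose vpn tunnel list
```

If `diagnose vpn tunnel list` shows the tunnel is offloaded, the proposal change buys no CPU at all; leave AES-256 and PFS on in that case.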

> If you have a hub-and-spoke VPN topology, change it to full mesh so spoke-to-spoke traffic does not transit (and get inspected on) the hub

> Use ASIC offload. Check the hardware acceleration guide

> Block traffic before it enters the tunnel rather than at the far VPN endpoint

> Run FSSO in agent mode (collector agent on the DC server) rather than having the FortiGate poll the DCs

> Use WiFi local bridge rather than tunnel mode

> Use Detect and Identify Devices only on interfaces directly attached to client subnets. Don't use it on interfaces where only routers are connected

> Put an HTTP web cache in front of the FortiGate

> Keep the services the FortiGate uses heavily (DNS, AD/FSSO, web cache) close to it

> Enforce an allowed-application policy on the endpoints. Remove unwanted applications from workstations

> Use SSL certificate inspection rather than full SSL inspection (security trade-off: certificate inspection sees only the SNI and certificate, not the content)

> Do not NAT traffic in the internal network. Fix routing instead

> Reorganize your network so that bulk traffic that could overload the firewall (backups, for example) does not cross it

> Block unwanted traffic with explicit deny rules rather than letting it fall through to the implicit deny; noisy traffic is otherwise evaluated against every policy first

> Always disable diagnostic mode when you are not using it
diagnose debug disable
diagnose debug reset

> Don't collect too much data with diagnostics. On a busy unit
diagnose debug application ike -1
can kill VPN connections. Use a lower level instead, and filter on the peer address first
diagnose debug application ike 10
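The safe debug sequence as one example, added by the editor and not part of the original page: reset, filter to a single peer, enable, reproduce, then disable and reset. The peer address 203.0.113.5 is assumed. The IKE filter command is the 6.x form (`diagnose vpn ike log-filter dst-addr4`); 7.x renamed it to `diagnose vpn ike log filter rem-addr4`.

```fortios
# Start from a clean state and restrict IKE output to one peer
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 203.0.113.5
diagnose debug application ike 10
diagnose debug console timestamp enable
diagnose debug enable
# ... reproduce the problem, then always:
diagnose debug disable
diagnose debug reset
```

The filter is what keeps the output volume down; without it every peer's negotiations are printed and the CPU is spent formatting debug text instead of forwarding packets.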

> Follow the upgrade path in the release notes when patching

> Format the log disk when you downgrade (execute formatlogdisk)

> The firmware version in the configuration file and the firmware on the device must match when restoring

Note: An active-active cluster gives you some extra performance, but size it so that one member alone can carry the load, because that is what happens when the other one goes down.

Note: Some actions decrease the security level: weaker VPN crypto, disabled AV heuristic, certificate-only SSL inspection, flow mode, dropped low-severity IPS signatures, unacknowledged UDP logging, allow-without-log rules. Treat each as a trade-off and record the decision.