Optimizing a FortiGate Unit
Optimize the configuration with the following recommended settings. Each one trades some inspection depth, session retention or logging for lower CPU and memory use, so apply only what your environment can tolerate.
1) Setting the IPS engine algorithm to low and the socket size to 1 makes IPS scanning slower but less memory intensive. If you also want to cap the number of IPS engine processes at 4, set engine-count 4 in the same block.
config ips global
set algorithm low
set socket-size 1
end
After changing the algorithm and socket size, restart the IPS engine with the following command (it restarts all IPS engine processes, so inspection is briefly interrupted):
diag test app ipsmonitor 99
2) If you are using the extended antivirus signature database, change it to the normal database, which is smaller and uses less memory:
config antivirus settings
set default-db normal
end
3) Reducing some of the global TCP/UDP session timers also lowers the session table's memory use. The values are in seconds; do not set them below the idle periods your applications actually need, or established but quiet connections will be dropped:
config system global
set tcp-halfclose-timer 60
set tcp-halfopen-timer 30
set tcp-timewait-timer 60
set udp-idle-timer 90
end
4) You can also change the inspection mode from proxy-based to flow-based, which reduces load on the unit because traffic is no longer buffered and reassembled in a proxy. Flow-based inspection examines packets as they pass, so proxy-only features (for example, scanning a complete file before delivering it) are not available in that mode.
5) Lower the default session TTL (the number of seconds an idle session stays in the session table; the factory default is 3600). Long-lived idle connections without keepalives, such as SSH or database sessions, may be dropped at 300 seconds, so give those a per-port timeout under the same session-ttl block if needed:
config system session-ttl
set default 300
end
6) Lower the AV oversize threshold
Go to Firewall > Protection Profile > profile in use > Anti-Virus and lower the oversize threshold to 2MB for all protocols. Files above the threshold are not buffered for scanning, which saves memory, but by default they are passed through unscanned, so either block oversized files or accept that larger downloads bypass antivirus.
7) Log optimization:
- Enable logging only on the policies where it is required.
- Enable logging only in the UTM features you need to log and disable it in the others.
8) Other settings:
- Disable logging to memory (Log&Report > Log Config > Log Setting); memory logs are lost on reboot anyway, so send the logs you need to a FortiAnalyzer or syslog server instead.
- Disable antivirus scanning for the protocols you do not use (HTTP, FTP, SMTP, POP3, IMAP) in Firewall > Protection Profile.
- Disable the DHCP server if it is not required (System > DHCP > Service and System > DHCP > Server).
- Disabling unnecessary IPS attack signatures improves performance and reduces the number of IPS log messages and alert e-mails. For example, if the network contains no IIS web servers, the IIS signatures can be disabled.
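To check a configuration backup against the CLI settings in steps 1, 2, 3 and 5 above without logging in to the unit, here is an added Python example (not Fortinet code and not part of the original page). It parses the FortiOS config text format and lists every recommended setting that is missing or differs from the value above; the sample backup embedded in it is constructed for the example, and the table of expected values is taken directly from the commands in the steps.

```python
"""Offline audit of a FortiGate CLI configuration backup against the tuning
values recommended on this page (added example, not Fortinet code)."""
import shlex
from typing import Dict, List, Tuple

# (config block path, setting, recommended value), taken from the page.
RECOMMENDED: List[Tuple[str, str, str]] = [
    ("ips global", "algorithm", "low"),
    ("ips global", "socket-size", "1"),
    ("antivirus settings", "default-db", "normal"),
    ("system global", "tcp-halfclose-timer", "60"),
    ("system global", "tcp-halfopen-timer", "30"),
    ("system global", "tcp-timewait-timer", "60"),
    ("system global", "udp-idle-timer", "90"),
    ("system session-ttl", "default", "300"),
]


def parse_fortios_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse FortiOS 'config / edit / set / next / end' blocks into
    {"<block path>": {setting: value}}.  Nested config blocks are joined
    with spaces and table entries appear as '[name]', so the timeout of
    'config system session-ttl / config port / edit 22' ends up under
    "system session-ttl port [22]".  Only the lexical structure is handled;
    no knowledge of the FortiOS schema is assumed."""
    parsed: Dict[str, Dict[str, str]] = {}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # backup header lines start with '#'
            continue
        tokens = shlex.split(line)  # handles quoted values such as "FGT-EDGE"
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            stack.append(" ".join(args))
        elif cmd == "edit":
            stack.append("[" + " ".join(args) + "]")
        elif cmd in ("next", "end"):
            if stack:
                stack.pop()
        elif cmd in ("set", "unset") and args:
            entry = parsed.setdefault(" ".join(stack), {})
            if cmd == "set":
                entry[args[0]] = " ".join(args[1:])
            else:
                entry.pop(args[0], None)  # 'unset' restores the default
    return parsed


def audit(config_text: str) -> List[str]:
    """Return one finding per recommended setting that is absent from the
    backup (a normal backup omits settings left at their default) or that
    differs from the recommended value.  An empty list means the backup
    already carries every value from the page."""
    parsed = parse_fortios_config(config_text)
    findings: List[str] = []
    for path, key, want in RECOMMENDED:
        have = parsed.get(path, {}).get(key)
        if have is None:
            findings.append(f"{path}: {key} not set (default in effect); recommended {want}")
        elif have != want:
            findings.append(f"{path}: {key} is {have}; recommended {want}")
    return findings


# Constructed sample backup (not from a real unit): partly tuned, with a
# per-port session TTL for SSH and a policy block the audit simply ignores.
SAMPLE_CONFIG = """\
# constructed sample, not a real FortiGate backup
config system global
    set hostname "FGT-EDGE"
    set tcp-halfclose-timer 120
    set tcp-halfopen-timer 30
    set udp-idle-timer 180
end
config ips global
    set algorithm high
    set socket-size 1
end
config antivirus settings
    set default-db extended
end
config system session-ttl
    set default 3600
    config port
        edit 22
            set timeout 7200
        next
    end
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set logtraffic enable
    next
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it a saved backup or the output of show full-configuration; with a normal show backup, settings left at their defaults are simply absent, which is why a missing setting is reported as "default in effect". The GUI-side steps (inspection mode, oversize threshold, logging) are not checked here because their CLI locations differ between FortiOS versions.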