How to optimize the performance of a Fortinet (FortiGate) firewall

Source: Internet
Author: User


I would like to thank Lu Renjia of Fortinet Technology Group for editing and sharing this.

Recently, many users have reported high resource utilization after upgrading FortiOS to 4.0 MR2. The following suggestions may help:

1. The FortiGate device should have enough spare resources to cope with attack traffic. It is recommended that resource utilization (check it with get sys performance status) not exceed 65% to 85%.
2. Enable only the management services you need. If SSH or SNMP is not used, do not enable it, so that no unnecessary ports are open.
3. Place the most frequently matched or most important firewall policies first in the policy list.
4. Enable only the traffic logs you need; excessive logging reduces system performance.
5. Enable application-layer inspection only for the protocols that require it; application-layer inspection is sensitive to system performance.
6. Minimize system alerts. If syslog or FortiAnalyzer (FAZ) logging is configured, avoid also configuring SNMP or e-mail alerts.
7. Set the AV/IPS signature database update interval to 4 or 6 hours, and enable push updates from the FortiGuard server.
8. Reduce the number of protection profiles.
9. Delete unnecessary protection profiles.
10. Reduce the number of virtual domains and delete unnecessary ones. On low-end devices it is best not to use virtual domains at all.
11. Avoid enabling Traffic Shaping if performance is already tight; it reduces traffic-processing throughput.
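The first item above gives a utilization target but no check. As an added example (not from the original article and not Fortinet code), the following Python script parses the output of get sys performance status and grades CPU and memory utilization against the 65% and 85% figures. The sample output is constructed, and the line formats matched ("CPU states: ... N% idle", "Memory states: N% used" for FortiOS 4.x and "Memory: ... (N%)" for newer releases) are assumptions about the command's output.

```python
"""Grade FortiGate CPU and memory utilization from `get sys performance status`.

Added example; not Fortinet code.  The line formats matched below are
assumed from FortiOS output: an aggregate 'CPU states: ... N% idle' line and
either 'Memory states: N% used' (4.x) or 'Memory: ... (N%)' (newer releases).
"""
import re

# Constructed sample in the shape of FortiOS 4.x `get sys performance status` output.
SAMPLE_STATUS = """\
CPU states: 62% user 10% system 0% nice 28% idle
CPU0 states: 70% user 12% system 0% nice 18% idle
CPU1 states: 54% user 8% system 0% nice 38% idle
Memory states: 71% used
Average network usage: 18342 kbps in 1 minute, 17210 kbps in 10 minutes, 15990 kbps in 30 minutes
Average sessions: 4210 sessions in 1 minute, 4002 sessions in 10 minutes, 3877 sessions in 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 3 total in 1 minute
Uptime: 12 days,  4 hours,  17 minutes
"""

WARN = 65   # above this the page's recommended ceiling is exceeded
CRIT = 85   # above this there is no headroom left for attack traffic

_CPU_IDLE = re.compile(r"^CPU states:.*?(\d+)% idle", re.M)
_MEM_USED = (
    re.compile(r"^Memory states:\s*(\d+)% used", re.M),   # FortiOS 4.x style
    re.compile(r"^Memory:.*?\((\d+)%\)", re.M),           # newer style (assumed)
)


def parse_status(text):
    """Return {'cpu': busy_percent, 'memory': used_percent}.

    CPU busy is 100 minus the idle figure on the aggregate 'CPU states' line;
    per-core 'CPUn states' lines are ignored.
    """
    cpu = _CPU_IDLE.search(text)
    mem = None
    for pattern in _MEM_USED:
        mem = pattern.search(text)
        if mem:
            break
    if cpu is None or mem is None:
        raise ValueError("unrecognised `get sys performance status` output")
    return {"cpu": 100 - int(cpu.group(1)), "memory": int(mem.group(1))}


def grade(percent, warn=WARN, crit=CRIT):
    """Map a utilization percentage to ok / warning / critical."""
    if percent > crit:
        return "critical"
    if percent > warn:
        return "warning"
    return "ok"


def assess(text):
    """Parse the command output and grade each metric: {name: (percent, level)}."""
    return {name: (value, grade(value)) for name, value in parse_status(text).items()}


if __name__ == "__main__":
    for name, (value, level) in assess(SAMPLE_STATUS).items():
        print(f"{name}: {value}% -> {level}")
```

Feed it the captured output of the command (for example from a scheduled SSH poll) and alert on "warning" before the device reaches the range where it can no longer absorb an attack.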

How to optimize firewall memory usage
1. Try not to enable memory logging.
2. Try not to enable AV scanning for protocols that do not need it.
3. Reduce the upper size limit for virus scanning of files. Most infected files are smaller than 2 or 3 MB.
4. Delete unused DHCP services.
5. Remove unused DNS forwarding services.
6. If IPS is not needed, free its memory with the command:
   diag ips global all status disable
7. Change the session TTL values:
   config system session-ttl
       set default 300
   end
   config system global
       set tcp-halfclose-timer 30
       set tcp-halfopen-timer 20
   end
8. Change the FortiGuard cache TTL values:
   config system fortiguard
       set webfilter-cache-ttl <seconds>
       set antispam-cache-ttl <seconds>
   end
9. Change the size of the DNS cache:
   config system dns
       set dns-cache-limit <entries>
   end
10. Do not enable DNS forwarding:
   config system dns
       unset fwdintf
   end
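The settings above are easy to drift on a device that has been upgraded several times. As an added example that is not part of the original article and not Fortinet code, this Python script parses a FortiOS configuration dump (the config / edit / set / next / end layout printed by show) and checks it against item 2 of the performance list (SSH, SNMP and other management services allowed on interfaces) and items 7 and 10 of the memory list (session-ttl default, tcp-halfclose-timer, tcp-halfopen-timer, and fwdintf). The configuration text is constructed; the recommended values are the ones given on this page.

```python
"""Audit a FortiOS configuration dump against the recommendations on this page.

Added example; not Fortinet code.  Input format assumed: the text printed by
`show` / `show full-configuration` (config / edit / set / next / end blocks).
"""

# Constructed sample configuration in FortiOS `show` format.
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EDGE"
    set tcp-halfclose-timer 120
    set tcp-halfopen-timer 60
end
config system session-ttl
    set default 3600
end
config system dns
    set primary 192.0.2.53
    set dns-cache-limit 5000
    set fwdintf "internal"
end
config system interface
    edit "wan1"
        set ip 203.0.113.2 255.255.255.0
        set allowaccess ping https ssh snmp
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh
    next
end
"""

# Upper bounds recommended in memory-usage item 7.
RECOMMENDED_MAX = {
    ("system", "session-ttl"): {"default": 300},
    ("system", "global"): {"tcp-halfclose-timer": 30, "tcp-halfopen-timer": 20},
}
# Management services to report when allowed on an interface (performance item 2).
REVIEW_SERVICES = {"ssh", "snmp", "telnet", "http"}


def parse_config(text):
    """Flatten the config into {path_tuple: {key: [values]}}.

    `config a b` pushes ('a', 'b') onto the path, `edit "x"` pushes ('x',),
    and `next` / `end` pop one frame.  Quotes around values are removed.
    """
    settings = {}
    frames = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            frames.append(tuple(rest.split()))
        elif word == "edit":
            frames.append((rest.strip().strip('"'),))
        elif word in ("next", "end"):
            frames.pop()
        elif word in ("set", "unset"):
            path = tuple(part for frame in frames for part in frame)
            key, _, values = rest.partition(" ")
            block = settings.setdefault(path, {})
            if word == "set":
                block[key] = [v.strip('"') for v in values.split()]
            else:
                block.pop(key, None)
    return settings


def audit(settings):
    """Return a list of human-readable findings; an empty list means no deviations."""
    findings = []
    for path, limits in RECOMMENDED_MAX.items():
        block = settings.get(path, {})
        for key, limit in limits.items():
            values = block.get(key)
            if values and int(values[0]) > limit:
                findings.append(
                    f"{' '.join(path)} {key}={values[0]} exceeds recommended {limit}")
    if "fwdintf" in settings.get(("system", "dns"), {}):
        findings.append(
            "system dns fwdintf is set: DNS forwarding is enabled (unset fwdintf if unused)")
    for path, block in settings.items():
        if path[:2] == ("system", "interface") and len(path) == 3:
            exposed = REVIEW_SERVICES & set(block.get("allowaccess", []))
            if exposed:
                findings.append(
                    f"interface {path[2]} allows {' '.join(sorted(exposed))}: disable if unused")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a saved configuration backup after each upgrade; an interface finding is a prompt to confirm the service is actually used, not an automatic change, since removing SSH from the only management interface would lock you out.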

The commands shown above are documented in the FortiOS CLI Reference.
