A desktop FortiGate does not have the horsepower of a full-size model, and bursts of traffic can push the IPS engine to spike the CPU for several seconds. IPS is still a very valuable tool for protecting the network, though. This client has no internal systems exposed to the Internet, so the IPS is only inspecting outbound sessions.
Here was the default IPS global config on the client’s FortiGate 90D:
FortiGate90D # config ips global
FortiGate90D (global) # show
config ips global
set traffic-submit enable
end
Here are the complete IPS global options and how they were set:
FortiGate90D (global) # get
fail-open : disable
database : regular
traffic-submit : enable
anomaly-mode : continuous
session-limit-mode : heuristic
intelligent-mode : enable
socket-size : 32 (MB)
engine-count : 0
algorithm : engine-pick
sync-session-ttl : disable
cp-accel-mode : advanced
skype-client-public-ipaddr:
deep-app-insp-timeout: 86400
deep-app-insp-db-limit: 100000
exclude-signatures : industrial
IPS can usually identify an intrusion within the first 2-3 MB of a session, so a 32 MB buffer is more than necessary. We also want to make sure the IPS engine doesn't overwhelm the desktop FortiGate, so we'll set the algorithm to low. One caveat: fail-open is disabled here, which on FortiOS means traffic is blocked when the IPS buffer is full, so a much smaller buffer makes that condition more likely during bursts. After the change, watch for dropped sessions as well as for CPU relief.
Here are the changes made and the resulting config:
FortiGate90D (global) # set socket-size 2
FortiGate90D (global) # set algorithm low
FortiGate90D (global) # show
config ips global
set traffic-submit enable
set socket-size 2
set algorithm low
end
FortiGate90D (global) # end
ips socket buffer size is set to 2
Finally, the IPS engine needs to be restarted so that the changes take effect:
FortiGate90D # diag test application ipsmonitor 99
restarting ipsmonitor
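To make the same review repeatable across a fleet of small units, here is an added example (not part of the original article, and not Fortinet code) that parses the text of the `get` output shown above and flags the settings discussed: an oversized socket buffer on a desktop model, engine-pick on a box where we want to bound CPU, and a buffer so small that fail-open being disabled becomes a concern. The sample input is copied from the output above; the threshold constants and the `desktop_model` flag are assumptions chosen for illustration.

```python
"""Review `config ips global` / `get` output from a FortiGate.

Added example, not from the original article. The review thresholds are
assumptions; adjust them to the model and traffic profile you are protecting.
"""
import re
from typing import Dict, List

# Constructed sample: the `get` output from the article, before the change.
BEFORE = """\
fail-open : disable
database : regular
traffic-submit : enable
anomaly-mode : continuous
session-limit-mode : heuristic
intelligent-mode : enable
socket-size : 32 (MB)
engine-count : 0
algorithm : engine-pick
sync-session-ttl : disable
cp-accel-mode : advanced
skype-client-public-ipaddr:
deep-app-insp-timeout: 86400
deep-app-insp-db-limit: 100000
exclude-signatures : industrial
"""

# "key : value", with or without a space before the colon; empty values allowed.
LINE_RE = re.compile(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$")
# Values such as "32 (MB)" carry a unit suffix that we strip, keeping the number.
UNIT_RE = re.compile(r"^(\d+)\s*\((\w+)\)$")

# Assumed thresholds (not from the article). The article cites 2-3 MB as enough
# to detect most intrusions, so anything well above that on a desktop model is
# flagged, and a buffer below MIN_SAFE_SOCKET_MB is flagged when fail-open is
# disabled, because FortiOS then blocks traffic once the IPS buffer fills.
MAX_DESKTOP_SOCKET_MB = 8
MIN_SAFE_SOCKET_MB = 2


def parse_ips_global(text: str) -> Dict[str, str]:
    """Turn the `get` listing into a dict of setting -> value (units dropped)."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, blank lines, anything that is not key: value
        key, value = m.group(1), m.group(2)
        um = UNIT_RE.match(value)
        if um:
            value = um.group(1)
        settings[key] = value
    return settings


def review_ips_global(settings: Dict[str, str], desktop_model: bool = True) -> List[str]:
    """Return human-readable findings for settings worth a second look."""
    findings: List[str] = []
    size = int(settings.get("socket-size", "0") or "0")
    fail_open = settings.get("fail-open", "disable")
    if desktop_model and size > MAX_DESKTOP_SOCKET_MB:
        findings.append(f"socket-size {size} MB is large for a desktop model; 2-3 MB is usually enough")
    if fail_open == "disable" and size < MIN_SAFE_SOCKET_MB:
        findings.append(f"socket-size {size} MB with fail-open disabled: traffic is blocked when the buffer fills")
    if desktop_model and settings.get("algorithm") == "engine-pick":
        findings.append("algorithm engine-pick lets the engine choose; set low on a desktop model to bound CPU")
    return findings


def apply_changes(settings: Dict[str, str], changes: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the settings with the given changes applied."""
    updated = dict(settings)
    updated.update(changes)
    return updated


def render_cli(changes: Dict[str, str]) -> str:
    """Render the changes as the CLI block you would paste into the FortiGate."""
    lines = ["config ips global"] + [f"set {k} {v}" for k, v in changes.items()] + ["end"]
    return "\n".join(lines)


if __name__ == "__main__":
    before = parse_ips_global(BEFORE)
    for f in review_ips_global(before):
        print("before:", f)
    fix = {"socket-size": "2", "algorithm": "low"}
    print(render_cli(fix))
    for f in review_ips_global(apply_changes(before, fix)):
        print("after:", f)
```

Feed it the saved output of `get` under `config ips global` from each unit; an empty findings list after the change means the two settings discussed above are in place, and the rendered CLI block is what to paste if they are not.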
Our monitoring now shows that the IPS engine is no longer causing as many CPU spikes as before.
Fortinet Guru article by Norris Carden, NSE4
Security Forethought