Category Archives: FortiOS 5.2 Best Practices

Performance – FortiOS 5.2 Best Practices

Performance

  • Disable any management features you do not need. If you don’t need SSH or SNMP, disable them. SSH also provides another possibility for would-be hackers to infiltrate your FortiGate unit.
  • Put the most used firewall rules to the top of the interface list.
  • Log only necessary traffic. The writing of logs, especially if to an internal hard disk, slows down performance.
  • Enable only the required application inspections.
  • Keep alert systems to a minimum. If you send logs to a syslog server, you may not need SNMP or email alerts, making for redundant processing.
  • Establish scheduled FortiGuard updates at a reasonable rate. Daily updates occurring every 4-5 hours are sufficient for most situations. In more heavy-traffic situations, schedule updates for the evening when more bandwidth can be available.
  • Keep security profiles to a minimum. If you do not need a profile on a firewall rule, do not include it.
  • Keep VDOMs to a minimum. On low-end FortiGate units, avoid using them if possible.
  • Avoid traffic shaping if you need maximum performance. Traffic shaping, by definition, slows down traffic.

General Considerations – FortiOS 5.2 Best Practices

General Considerations

1. For security purposes, NAT mode is preferred because all of the internal or DMZ networks can have secure private addresses. NAT mode policies use network address translation to hide the addresses in a more secure zone from users in a less secure zone.

2. Use virtual domains (VDOMs) to group related interfaces or VLAN subinterfaces. Using VDOMs will partition networks and create added security by limiting the scope of threats.

3. Use Transparent mode when a network is complex and does not allow for changes in the IP addressing scheme.