Tuning IPS on a desktop FortiGate

A desktop FortiGate does not have the same horsepower as a full-size model, and at times traffic can cause the IPS to spike the CPU for several seconds. However, IPS is still a very valuable tool for protecting your network. This client has no internal systems exposed to the Internet, so the IPS is only looking at outbound traffic.

Here was the default IPS global config on the client’s FortiGate 90D:

FortiGate90D # config ips global
FortiGate90D (global) # show
config ips global
set traffic-submit enable

Here are the complete IPS global options and how they were set:

FortiGate90D (global) # get
fail-open : disable
database : regular
traffic-submit : enable
anomaly-mode : continuous
session-limit-mode : heuristic
intelligent-mode : enable
socket-size : 32 (MB)
engine-count : 0
algorithm : engine-pick
sync-session-ttl : disable
cp-accel-mode : advanced
deep-app-insp-timeout: 86400
deep-app-insp-db-limit: 100000
exclude-signatures : industrial

IPS can usually identify an intrusion within the first 2-3 MB of data, so the default 32 MB socket size is more than is necessary. We also want to ensure that IPS doesn't overwhelm the desktop FortiGate, so we'll set the algorithm to low.

Here are the changes made and the resulting config:

FortiGate90D (global) # set socket-size 2
FortiGate90D (global) # set algorithm low
FortiGate90D (global) # show
config ips global
set traffic-submit enable
set socket-size 2
set algorithm low

FortiGate90D (global) # end
ips socket buffer size is set to 2

Finally, the IPS needs to be restarted so that the changes take effect:

FortiGate90D # diag test application ipsmonitor 99
restarting ipsmonitor

Our monitoring now shows that the IPS engine is no longer causing as many CPU spikes as before.
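As an added example (not part of the original article or of any Fortinet tool), the script below parses the "get" output shown above, reports which of the two settings still deviate from the lighter desktop profile, and builds the "config ips global" block that would apply the recommended values. The 2 MB socket-size threshold and the "low" algorithm come from the article; the function names, the sample text embedded in the script, and the "(MB)" unit handling are my own assumptions about the output format.

```python
"""Audit a FortiGate 'config ips global' dump against the desktop tuning profile."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: the 'get' output from the article, captured before tuning.
SAMPLE_GET_OUTPUT = """\
FortiGate90D (global) # get
fail-open : disable
database : regular
traffic-submit : enable
anomaly-mode : continuous
session-limit-mode : heuristic
intelligent-mode : enable
socket-size : 32 (MB)
engine-count : 0
algorithm : engine-pick
sync-session-ttl : disable
cp-accel-mode : advanced
deep-app-insp-timeout: 86400
deep-app-insp-db-limit: 100000
exclude-signatures : industrial
"""

# One "key : value" pair per line; the colon may or may not be preceded by a space.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_-]+)\s*:\s*(.*?)\s*$")
# Trailing unit hint such as "(MB)" that FortiOS appends to some values (assumed format).
UNIT_RE = re.compile(r"\s*\([^)]*\)\s*$")

Finding = Tuple[str, str, str]  # (setting, current value, recommended value)


def parse_ips_global(text: str) -> Dict[str, str]:
    """Turn the 'get' listing into a dict; prompts and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        settings[key] = UNIT_RE.sub("", value)
    return settings


def audit_ips_global(settings: Dict[str, str],
                     max_socket_size_mb: int = 2,
                     expected_algorithm: str = "low") -> List[Finding]:
    """Report values that exceed the desktop profile from the article."""
    findings: List[Finding] = []
    raw_size = settings.get("socket-size")
    if raw_size is not None:
        try:
            size = int(raw_size)
        except ValueError:
            size = None  # unparseable value: flag it rather than silently accept it
        if size is None or size > max_socket_size_mb:
            findings.append(("socket-size", raw_size, str(max_socket_size_mb)))
    algorithm = settings.get("algorithm")
    if algorithm is not None and algorithm != expected_algorithm:
        findings.append(("algorithm", algorithm, expected_algorithm))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """Build the CLI block that would apply the recommended values (empty if compliant)."""
    if not findings:
        return []
    lines = ["config ips global"]
    lines.extend(f"    set {name} {recommended}" for name, _, recommended in findings)
    lines.append("end")
    return lines


if __name__ == "__main__":
    current = parse_ips_global(SAMPLE_GET_OUTPUT)
    for name, have, want in audit_ips_global(current):
        print(f"{name}: currently {have}, recommended {want}")
    print("\n".join(remediation_commands(audit_ips_global(current))))
```

Running the script against the sample prints the two deviations (socket-size 32 and algorithm engine-pick) and the four-line config block; feeding it the post-change listing, where socket-size is 2 and algorithm is low, yields no findings and no commands. Remember that the article's restart step (diag test application ipsmonitor 99) is still needed after applying the block.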

Fortinet Guru article by Norris Carden, NSE4
