FortiOS 5.2 Best Practices

Logging and reporting The default log device settings must be modified so that system performance is not compromised. The FortiGate unit, by default, has all logging of FortiGate features enabled, except for traffic logging. The default logging location will be either the FortiGate unit’s system memory or hard disk, depending on the model. Units with […]

Using static IPs in a CAPWAP configuration In a large FortiAP deployment with more than 20 FortiAPs connecting to a Fortigate Wireless Controller (AC), it is recommended to use static IPs on the access points instead of DHCP, setting the AC IP statically and the AC discovery type to static (Type 1), instead of learning it […]

Wireless The following section contains a list of best practices for wireless network configurations with regard to encryption and authentication, geographic location, network planning, power usage, client load balancing, local bridging, SSIDs, and the use of static IPs. Encryption and authentication It is best practice to always enable the strongest user authentication and encryption method […]

Explicit proxy For explicit proxies, when configuring limits on the number of concurrent users, you need to allow for the number of users based on their authentication method. Otherwise you may run out of user resources prematurely. Each session-based authenticated user is counted as a single user using their authentication membership (RADIUS, LDAP, FSAE, local […]

Virtual Domains (VDOMs) VDOMs can provide separate firewall policies and, in NAT/Route mode, completely separate configurations for routing and VPN services for each connected network or organization. This section provides a list of best practices for configuring VDOMs. Per-VDOM resource settings While Global resources apply to resources shared by the whole FortiGate unit, per-VDOM resources […]

WAN Optimization WAN Optimization features require significant memory resources and generate a high amount of I/O on disk. Before enabling WAN Optimization, ensure that the memory usage is not too high. If possible, avoid other diskintensive features such as heavy traffic logging on the same disk as the one configured for WAN Optimization needs. In […]

FGCP High Availability Fortinet suggests the following practices related to high availability: Use Active-Active HA to distribute TCP and UTM sessions among multiple cluster units. An active-active cluster may have higher throughput than a standalone FortiGate unit or than an active-passive cluster. Use a different host name on each FortiGate unit when configuring an HA […]

Networking When configuring your network, ensure that there is no ‘back door’ access to the protected network. For example, if there is a wireless access point, it must be appropriately protected with password and encryption. Be sure to also maintain an up-to-date network diagram which includes IP addressing, cabling, and network elements. Routing configuration Always […]