FortiGate Performance Optimization and Best Practices
FortiGate performance optimization consists of setting the right throughput expectation, leveraging hardware acceleration (NP/CP offload), balancing UTM scan settings, and simplifying the policy/session structure. The goal is to maximize throughput without compromising security.
Reading Throughput Numbers Correctly
Fortinet datasheets give throughput separately for raw firewall, IPS, threat protection, and SSL inspection. For model selection and capacity planning, the figure closest to real-world use is the Threat Protection throughput.
Raw firewall throughput is measured with no security profiles enabled and with large packets, so it says little about a production mix of small packets and inspected sessions. The Threat Protection figure, measured with IPS and antivirus enabled, is usually a fraction of it; enabling SSL deep inspection lowers it further, because every decrypted session costs CPU or CP cycles and, on proxy-based policies, keeps the session off the NP.
Many performance complaints trace back to this: a device sized against its raw firewall number is asked to inspect traffic at a rate it was never rated for. Plan against the figure that matches the features you will actually enable, and leave headroom for growth and traffic peaks.
For model capacities and selection criteria, see the model-selection section of our what is FortiGate guide.
Hardware Acceleration and NP Offload
Hardware acceleration offloads eligible traffic to the NP (Network Processor) and CP (Content Processor) ASICs so the general-purpose CPU touches as few packets as possible; this is the foundation of FortiGate performance, and the datasheet figures assume it is working.
Once a session is established and passes the offload checks, the NP forwards its packets (including NAT and IPsec) with almost no CPU involvement. A session loses offload when something forces it back to the CPU: proxy-based inspection, traffic entering or leaving a non-NP interface, traffic to the FortiGate itself, or a policy with auto-asic-offload disabled. In those cases throughput is bounded by the CPU, not the ASIC.
Offload status is visible per session: in `diagnose sys session list`, an offloaded session shows an `npu info: ... offload=` line, while a session stuck on the CPU shows `npu_state=00000000` and, on recent FortiOS versions, a `no_ofld_reason` line naming the cause. Turning off features that break offload for high-volume flows that do not need them can raise throughput significantly; turning them off for flows that do need inspection trades security for speed, so check what those sessions actually carry first.
| Mechanism | Effect |
|---|---|
| NP offload | Forwards established sessions, NAT and IPsec in hardware, bypassing the CPU |
| CP offload | Accelerates content work: IPS/AV pattern matching and SSL/IPsec cryptography |
| auto-asic-offload (per policy, enabled by default) | Lets eligible sessions matching the policy be offloaded; disable only for troubleshooting |
| Fallback to CPU | Proxy inspection, non-NP interfaces, local traffic and disabled offload keep sessions on the CPU, where throughput drops |
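The check described above can be automated rather than eyeballed. The following script is an added example, not Fortinet's code or part of this guide's original text: it parses the per-session blocks that `diagnose sys session list` prints, classifies each session as offloaded or not, and counts the reasons and the policies behind the non-offloaded ones. The sample dump is constructed, not captured from a device, and is trimmed to the fields the parser reads; the field names (`npu info: ... offload=a/b`, `no_ofld_reason:`) follow what the CLI prints, and the script assumes that format.

```python
"""Classify sessions from `diagnose sys session list` by NPU offload status."""
from __future__ import annotations

import re
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of `diagnose sys session list` output:
# one offloaded HTTPS session, one HTTPS session pulled to the CPU by
# antivirus (redirected to the AV proxy), and one local DNS session.
# Lines are trimmed to the fields the parser uses; this is not a capture.
SAMPLE = """\
session info: proto=6 proto_state=01 duration=5 expire=3599 timeout=3600 flags=00000000 use=3
state=log may_dirty npu
hook=post dir=org act=snat 192.168.1.10:54321->93.184.216.34:443(10.0.0.2:54321)
hook=pre dir=reply act=dnat 93.184.216.34:443->10.0.0.2:54321(192.168.1.10:54321)
misc=0 policy_id=3 auth_info=0 chk_client_info=0 vd=0
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=8/8, ips_offload=0/0, epid=65/66, ipid=66/65, vlan=0x0000/0x0000

session info: proto=6 proto_state=01 duration=12 expire=3588 timeout=3600 flags=00000000 use=3
state=log may_dirty ndr
hook=post dir=org act=snat 192.168.1.11:40000->203.0.113.5:443(10.0.0.2:40000)
hook=pre dir=reply act=dnat 203.0.113.5:443->10.0.0.2:40000(192.168.1.11:40000)
misc=0 policy_id=7 auth_info=0 chk_client_info=0 vd=0
npu_state=00000000
no_ofld_reason:  redir-to-av

session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000 use=3
state=may_dirty
hook=pre dir=org act=noop 192.168.1.12:5000->192.168.1.1:53(0.0.0.0:0)
hook=post dir=reply act=noop 192.168.1.1:53->192.168.1.12:5000(0.0.0.0:0)
misc=0 policy_id=0 auth_info=0 chk_client_info=0 vd=0
npu_state=00000000
no_ofld_reason:  local
total session 3
"""

SESSION_SPLIT = re.compile(r"(?m)^(?=session info:)")
PROTO_RE = re.compile(r"\bproto=(\d+)")
POLICY_RE = re.compile(r"\bpolicy_id=(\d+)")
ORG_HOOK_RE = re.compile(r"^hook=\w+ dir=org act=\w+ (\S+)->(\S+?)\(", re.M)
OFFLOAD_RE = re.compile(r"\boffload=(\d+)/(\d+)")
REASON_RE = re.compile(r"^no_ofld_reason:\s*(.+?)\s*$", re.M)


@dataclass
class Session:
    proto: int
    policy_id: int
    src: str
    dst: str
    offloaded: bool
    reason: Optional[str]  # None when offloaded


def parse_sessions(text: str) -> list[Session]:
    """Split the CLI dump into per-session blocks and extract the offload fields."""
    sessions: list[Session] = []
    for chunk in SESSION_SPLIT.split(text):
        if not chunk.startswith("session info:"):
            continue
        m_off = OFFLOAD_RE.search(chunk)
        # offload=a/b counts the two directions; both must be non-zero for the
        # session to be forwarded entirely by the NP.
        offloaded = bool(m_off) and int(m_off.group(1)) > 0 and int(m_off.group(2)) > 0
        m_reason = REASON_RE.search(chunk)
        m_hook = ORG_HOOK_RE.search(chunk)
        sessions.append(Session(
            proto=int(PROTO_RE.search(chunk).group(1)),
            policy_id=int(POLICY_RE.search(chunk).group(1)),
            src=m_hook.group(1) if m_hook else "?",
            dst=m_hook.group(2) if m_hook else "?",
            offloaded=offloaded,
            reason=None if offloaded else (m_reason.group(1) if m_reason else "unknown"),
        ))
    return sessions


def offload_report(sessions: list[Session]) -> dict:
    """Summarise why sessions stay on the CPU and which policies they matched.

    policy_id 0 is traffic to or from the FortiGate itself, which is never
    offloaded, so it is excluded from the per-policy count.
    """
    not_offloaded = [s for s in sessions if not s.offloaded]
    return {
        "total": len(sessions),
        "offloaded": len(sessions) - len(not_offloaded),
        "by_reason": dict(Counter(s.reason for s in not_offloaded)),
        "by_policy": dict(Counter(s.policy_id for s in not_offloaded if s.policy_id != 0)),
    }


if __name__ == "__main__":
    # Usage: save `diagnose sys session list` output to a file and pass its path.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(offload_report(parse_sessions(text)))
```

On the sample, the report attributes the only non-local CPU-bound session to policy 7 with reason `redir-to-av`, which is where to look next: that policy applies an antivirus profile in a way that sends the session to the proxy. The per-policy count is what makes the output actionable on a busy unit, since a handful of policies usually account for most of the sessions that fall back to the CPU.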
Balancing UTM Scan Performance
UTM cost is governed by three choices: the inspection mode (flow-based or proxy-based, set per policy), which traffic is inspected at all, and which TLS traffic is decrypted. Applying the deepest inspection to every policy creates load without a matching security gain.
Flow-based inspection examines packets as they pass and keeps sessions eligible for NP offload, so it suits high-volume, latency-sensitive traffic; proxy-based inspection buffers and reassembles the content, gives deeper control (full file scanning, content disarm and reconstruction) and is worth its cost on sensitive flows such as inbound mail or file uploads. SSL deep inspection is one of the most expensive operations a FortiGate performs, so apply it selectively: decrypt on the policies and destination categories where the threat lives, keep certificate inspection on the rest, and exempt only the categories where decryption is a privacy or compliance problem (banking, health). Every exemption is a blind spot, so record it as a deliberate decision rather than a performance shortcut.
To apply UTM profiles at the right scope, see our UTM security profiles guide, and to attach profiles to policies our firewall policy management guide.
Policy and Session Optimization
Policy optimization means removing rules that are no longer used, placing frequently matched rules early in the evaluation order, using narrow address and service objects instead of "all", and keeping the session table healthy.
Broad or forgotten rules raise both risk and evaluation cost: every new session walks the policy list from the top until it matches, so a busy rule near the bottom costs more per session than the same rule near the top. Reordering is only safe between rules that cannot match the same traffic; moving a permissive rule above a more specific deny changes what is allowed, not just how fast it is evaluated. Rules that have not matched for months are candidates for removal, but confirm they are not there for rare but legitimate flows (DR tests, quarterly jobs) before deleting them.
Logging costs resources too, but the fix is targeted, not global: keep security-event logging on every policy, and reconsider "log all sessions" only for high-volume trusted flows where the session records add nothing to detection. Watch session-table occupancy against the model's maximum and the session setup rate against its rated new-sessions-per-second; a flood of short-lived sessions, from a scan or a DoS, can exhaust either before the CPU looks busy.
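The three policy checks above (find unused rules, find rules that can never match, and reorder by hit count without changing what matches) are easier to trust when a script applies them to the whole rule base. The script below is an added example, not Fortinet's code or part of this guide: it works on a constructed policy set with hit counts, and assumes those counts and last-used timestamps have been pulled from the device (the REST monitor endpoint `api/v2/monitor/firewall/policy` is assumed to report `hit_count` and `last_used` per policy). Overlap and coverage are decided on object names only, with `all` as the wildcard; it does no CIDR arithmetic, so two differently named objects that contain the same addresses are treated as disjoint, which errs on the side of leaving rules where they are.

```python
"""Policy hygiene: unused rules, shadowed rules, and semantics-preserving reordering by hit count."""
from __future__ import annotations

from dataclasses import dataclass

NOW = 1_700_000_000  # fixed "current time" (epoch seconds) so the sample is deterministic
DAY = 86_400


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: frozenset
    dstintf: frozenset
    src: frozenset
    dst: frozenset
    service: frozenset
    action: str
    hits: int        # hit_count as reported by the device
    last_used: int   # epoch seconds, 0 = never matched


def _fs(*names: str) -> frozenset:
    return frozenset(names)


# Constructed policy set in evaluation order; hit counts and last_used are
# assumed to come from the device's policy hit counters, not measured here.
POLICIES = [
    Policy(1, _fs("port2"), _fs("port1"), _fs("all"), _fs("all"), _fs("DNS"), "accept", 500, NOW - 1 * DAY),
    Policy(2, _fs("port2"), _fs("port1"), _fs("mgmt_net"), _fs("all"), _fs("SSH", "HTTPS"), "accept", 3, NOW - 120 * DAY),
    Policy(3, _fs("port2"), _fs("port1"), _fs("users"), _fs("all"), _fs("HTTP", "HTTPS"), "accept", 90_000, NOW),
    Policy(4, _fs("port2"), _fs("port1"), _fs("all"), _fs("all"), _fs("all"), "deny", 20, NOW),
    Policy(5, _fs("port2"), _fs("port1"), _fs("legacy_app"), _fs("dc_net"), _fs("TCP_8080"), "accept", 0, 0),
]

DIMENSIONS = ("srcintf", "dstintf", "src", "dst", "service")


def _intersects(a: frozenset, b: frozenset) -> bool:
    return "all" in a or "all" in b or bool(a & b)


def _covers(a: frozenset, b: frozenset) -> bool:
    return "all" in a or b <= a


def overlaps(p: Policy, q: Policy) -> bool:
    """True if some packet could match both p and q (every dimension intersects)."""
    return all(_intersects(getattr(p, d), getattr(q, d)) for d in DIMENSIONS)


def shadowed(policies: list[Policy]) -> list[int]:
    """IDs of rules that can never match because an earlier rule covers all their traffic."""
    out = []
    for i, p in enumerate(policies):
        if any(all(_covers(getattr(q, d), getattr(p, d)) for d in DIMENSIONS) for q in policies[:i]):
            out.append(p.policyid)
    return out


def unused(policies: list[Policy], max_idle_days: int, now: int = NOW) -> list[int]:
    """IDs of rules with no hits, or no match within max_idle_days; review before deleting."""
    cutoff = now - max_idle_days * DAY
    return [p.policyid for p in policies if p.hits == 0 or p.last_used < cutoff]


def safe_reorder(policies: list[Policy]) -> list[Policy]:
    """Move busy rules up, but never past a rule they overlap with, so matching is unchanged.

    Insertion-style pass: each rule bubbles up past the rules directly above it
    only while those rules have fewer hits AND cannot match the same traffic.
    The relative order of every overlapping pair is therefore preserved.
    """
    ordered: list[Policy] = []
    for p in policies:
        pos = len(ordered)
        while pos > 0 and ordered[pos - 1].hits < p.hits and not overlaps(ordered[pos - 1], p):
            pos -= 1
        ordered.insert(pos, p)
    return ordered


if __name__ == "__main__":
    print("shadowed:", shadowed(POLICIES))
    print("unused (90 days):", unused(POLICIES, 90))
    print("new order:", [p.policyid for p in safe_reorder(POLICIES)])
```

On the sample, the busy web rule (policy 3) moves to the top because it shares no service with the DNS rule and no source with the management rule, while the catch-all deny (policy 4) stays put, since moving it past anything would change what is allowed. Policy 5 is reported twice: it has never matched, and it is shadowed by the deny above it. That second finding is the one to investigate rather than "fix" by moving the rule up, because the rule base currently blocks that application and someone may be relying on it.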
In environments needing high availability, to plan performance and resilience together, see our FortiGate HA configuration article.
Monitoring and a Performance Checklist
Performance monitoring tracks CPU, memory, session count and session setup rate continuously, together with the conserve-mode state, so that a bottleneck shows up as a trend rather than as an outage.
- Monitor CPU and memory continuously (`get system performance status` on the CLI, or via SNMP/FortiAnalyzer); persistently high values point to a capacity or configuration issue, not a transient spike.
- Track session count and session setup rate against the model's rated limits.
- Watch for conserve-mode events. FortiOS enters conserve mode when memory use crosses the red threshold (88% by default), a stricter kernel conserve mode at the extreme threshold (95%), and leaves only when usage drops below the green threshold (82%); the thresholds are `memory-use-threshold-green/red/extreme` under `config system global`, and `diagnose hardware sysinfo conserve` shows the current state.
- Verify offload status and review the features that break it.
- Keep firmware current on a mature branch: releases bring performance fixes, but test them before production.
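To turn the checklist into something a script can run on every poll, the following added example (not Fortinet's code or part of this guide) parses the output of `get system performance status`, evaluates it against the default conserve-mode thresholds and against rated session limits you supply, and models the hysteresis of conserve mode so that a unit at 85% memory is reported correctly depending on whether it was already in conserve mode. The sample output is constructed in the shape the CLI prints, not captured from a device, and the exact line formats are an assumption; the rated limits passed to `assess` are hypothetical.

```python
"""Parse `get system performance status` and evaluate it against conserve-mode thresholds."""
from __future__ import annotations

import re
from dataclasses import dataclass

# FortiOS defaults for memory-use-threshold-green/red/extreme (config system global), percent.
DEFAULT_THRESHOLDS = {"green": 82, "red": 88, "extreme": 95}

# Constructed sample in the shape of `get system performance status` output
# (not a capture): a unit that is already past the red threshold.
SAMPLE_STATUS = """\
CPU states: 74% user 12% system 0% nice 14% idle 0% iowait 0% irq 0% softirq
CPU0 states: 80% user 10% system 0% nice 10% idle 0% iowait 0% irq 0% softirq
CPU1 states: 68% user 14% system 0% nice 18% idle 0% iowait 0% irq 0% softirq
Memory: 8154364k total, 7340032k used (90.0%), 814332k free (10.0%), 0k freeable (0.0%)
Average network usage: 512345 / 498765 kbps in 1 minute, 500123 / 487654 kbps in 10 minutes, 489000 / 470000 kbps in 30 minutes
Average sessions: 185000 sessions in 1 minute, 180000 sessions in 10 minutes, 175000 sessions in 30 minutes
Average session setup rate: 4200 sessions per second in last 1 minute, 4000 sessions per second in last 10 minutes, 3800 sessions per second in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 3 total in 1 minute
Uptime: 45 days,  3 hours,  12 minutes
"""

CPU_RE = re.compile(r"^CPU states:.*?(\d+)% idle", re.M)
MEM_RE = re.compile(r"^Memory:.*?used \((\d+(?:\.\d+)?)%\)", re.M)
SESSIONS_RE = re.compile(r"^Average sessions:\s+(\d+) sessions in 1 minute", re.M)
SETUP_RE = re.compile(r"^Average session setup rate:\s+(\d+) sessions per second in last 1 minute", re.M)


@dataclass
class PerfSnapshot:
    cpu_idle_pct: int
    mem_used_pct: float
    sessions_1m: int
    setup_rate_1m: int


def parse_performance_status(text: str) -> PerfSnapshot:
    """Pull the aggregate CPU, memory and session figures out of the CLI text."""
    return PerfSnapshot(
        cpu_idle_pct=int(CPU_RE.search(text).group(1)),
        mem_used_pct=float(MEM_RE.search(text).group(1)),
        sessions_1m=int(SESSIONS_RE.search(text).group(1)),
        setup_rate_1m=int(SETUP_RE.search(text).group(1)),
    )


def next_conserve_state(in_conserve: bool, mem_used_pct: float, th=DEFAULT_THRESHOLDS) -> str:
    """Conserve-mode state machine with the hysteresis FortiOS applies.

    Entry is at red, the stricter kernel conserve mode at extreme, and exit
    only once usage drops below green; a unit sitting between green and red
    therefore stays in conserve mode if it was already there.
    """
    if mem_used_pct >= th["extreme"]:
        return "extreme"
    if mem_used_pct >= th["red"]:
        return "conserve"
    if in_conserve and mem_used_pct >= th["green"]:
        return "conserve"
    return "normal"


def assess(snap: PerfSnapshot, max_sessions: int | None = None, max_setup_rate: int | None = None,
           cpu_busy_warn: int = 80, fill_warn: float = 0.8, th=DEFAULT_THRESHOLDS) -> list[str]:
    """Return findings; max_sessions / max_setup_rate are the model's rated limits (hypothetical here)."""
    findings: list[str] = []
    busy = 100 - snap.cpu_idle_pct
    if busy >= cpu_busy_warn:
        findings.append(f"cpu {busy}% busy")
    state = next_conserve_state(False, snap.mem_used_pct, th)
    if state != "normal":
        label = "kernel (extreme) conserve mode" if state == "extreme" else "conserve mode"
        findings.append(f"memory {snap.mem_used_pct}%: {label}, exits only below {th['green']}%")
    elif snap.mem_used_pct >= th["green"]:
        findings.append(f"memory {snap.mem_used_pct}%: above green, little headroom before red ({th['red']}%)")
    if max_sessions and snap.sessions_1m / max_sessions >= fill_warn:
        findings.append(f"session table {snap.sessions_1m}/{max_sessions} ({100 * snap.sessions_1m / max_sessions:.0f}% full)")
    if max_setup_rate and snap.setup_rate_1m / max_setup_rate >= fill_warn:
        findings.append(f"session setup rate {snap.setup_rate_1m}/s near rated {max_setup_rate}/s")
    return findings


if __name__ == "__main__":
    for line in assess(parse_performance_status(SAMPLE_STATUS), max_sessions=200000, max_setup_rate=5000):
        print(line)
```

The point of `next_conserve_state` is the asymmetry: a monitor that alerts only on "memory above 88%" will go quiet as soon as usage dips to 87%, while the device is still in conserve mode and still failing AV scans open or refusing proxy sessions. Feed the previous state back in on each poll, or read it directly from `diagnose hardware sysinfo conserve`, and alert on the state rather than the raw percentage.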
To centrally monitor performance metrics, see our logging and monitoring with FortiAnalyzer article.
Frequently Asked Questions
Which throughput number should I size to?
The Threat Protection throughput, measured with IPS and antivirus enabled. If you will decrypt TLS, size against the SSL inspection figure instead. Sizing to raw firewall throughput overstates capacity by a wide margin on most models.
What is NP offload and why does it matter?
NP offload moves eligible sessions to the Network Processor, which forwards their packets without involving the CPU. That is where the high throughput figures come from; when a session loses offload, every one of its packets is handled by the CPU and throughput drops to what the CPU can sustain.
Why does performance drop when UTM is enabled?
Antivirus, IPS and especially SSL deep inspection add inspection work to every session, and proxy-based profiles keep sessions off the NP entirely. The result is the lower Threat Protection figure; you manage the impact by using flow-based inspection where it suffices and by scoping deep inspection to the traffic that needs it.
What is conserve mode?
Conserve mode is FortiOS protecting itself under memory pressure: new sessions that need proxy-based inspection are refused, and antivirus scanning follows the `av-failopen` setting, whose default of `pass` lets traffic through unscanned. Conserve mode is therefore a security event as well as a performance one. Frequent conserve mode signals a capacity or configuration problem, typically too many proxy-inspected sessions for the unit's memory.
Do many policies affect performance?
Yes, through evaluation cost: each new session is matched against the list top-down until a rule fits. Move frequently matched rules up only past rules they cannot overlap with, remove rules that no longer match anything, and replace "all" objects with the narrowest address and service objects that cover the real traffic.
Does a firmware update improve performance?
Often yes. New FortiOS releases include performance improvements and bug fixes. But prefer mature releases in production and test first.
Conclusion
FortiGate performance optimization is the combination of the right throughput expectation, full use of hardware acceleration, balanced UTM settings, and a clean policy structure. Continuous monitoring catches bottlenecks before they grow.
To assess and optimize the performance of your existing FortiGate environment, talk to the Sora Yazılım team.