CPU Usage Increase FortiGate 100D -> 90D

A few weeks ago I swapped a FortiGate 100D firewall for a 90D firewall. The 100D was defective and needed to be replaced. Since the customer only has a 20 Mbps ISP connection, I thought that a FortiGate 90D would fit for the moment, since it has a firewall throughput of 3.5 Gbps, compared to the lower value of 2.5 Gbps of the 100D.

Indeed, it worked. However, the increase in CPU usage was huge, almost directly related to the NGFW throughput. Here are some graphs:

I migrated exactly the same configuration from the 100D to the 90D. Both devices were running software version 5.2.7. There are about 100 devices browsing the web, around 10 VPN connections, and, as already noted, only 20 Mbps to the Internet. Here are the graphs for CPU, connections, and wan1 usage over the last few weeks. Obviously, neither the connections nor the wan1 usage increased, but the CPU is almost always peaking at 100 % during working hours. Even the average usage is about 50-70 %. (And even though only 10 Mbps are used!):

A look at the CLI (which is only a short snapshot in time) looks like this:

I even had some situations in which I got an “Error 500: Internal Server Error” when trying to change some address objects. Is this normal? Before the defective FortiGate 100D firewall (which ONLY showed such errors due to a hard disk error), I did not see these:

[Screenshot: Address Object Error]

-> After a second look at the Fortinet Product Matrix, I spotted the big difference: While the FortiGate 100D has an “NGFW Throughput” of 210 Mbps, the 90D only has 25 Mbps! That is, I am not surprised anymore. ;)

And I learned something (again) today: It does NOT depend on the “Firewall Throughput”, but on the IPS/SSL/Application/NGFW/Threat Throughput!

Featured image “Intel Pentium die shot” by Mark Sze is licensed under CC BY-NC-ND 2.0.
