5.2 vs 5.4 CPU usage

bobm
2017/08/28 11:51:14 (permalink)

Hi,
I know we're behind the curve, but I'm looking at finally upgrading our 90D to FW 5.4.x in the near future.  Right now we're running 5.2.7, but I think some of the 5.4 logging and reporting abilities would really be useful.
 
The issue is, though, that our 90D is really too small for our environment.  We have 40-50 users running data and voice, with Web Filtering and load balanced WAN.  I had to turn IPS off because the CPU kept spiking, and even now it spends way too much time in the 60-80% range for my taste. 
 
So my question is, how does CPU utilization compare between 5.2 and 5.4 for these small boxes? Is there a version of 5.4 that seems to be better than others for CPU efficiency? Or will 5.4 just completely overwhelm the box as I have it?
 
Thanks
post edited by bobm - 2017/11/13 08:00:06
#1

13 Replies

    MikePruett
    Re: 5.2 vs 5.4 CPU usage 2017/08/28 13:27:02 (permalink)
    My utilization got a little better. That being said, you definitely want to upgrade that 90D. I had one in a smaller environment and hated it.

    Mike Pruett
    Fortinet GURU
    #2
    bobm
    Re: 5.2 vs 5.4 CPU usage 2017/08/28 13:49:33 (permalink)
    OK, thanks
    post edited by bobm - 2017/11/13 08:00:57
    #3
    bobm
    Re: 5.2 vs 5.4 CPU usage 2017/09/14 06:05:47 (permalink)
    OK, got the box up to 5.2.11 this morning seemingly OK (I thought the suggested path was 5.2.7-5.2.9-5.2.11 but the box told me to go straight to 11). Now to upgrade to 5.4 in the next week or two so we're only one major rev behind.
     
    Any recommendations on which 5.4 build will be most stable, least disruptive and best use of limited resources?
     
    Thanks
    #4
    ede_pfau
    Re: 5.2 vs 5.4 CPU usage 2017/09/14 07:45:44 (permalink)
    That would be v5.4.5 naturally. Next patch is coming up in a few weeks.
     
    On a small FGT (80C) I had a disappointing experience with upgrading. It worked but memory usage went up to 67% from about 55%. And kept climbing. Had to downgrade again.
    I would only upgrade if the HW had at least 2 GB RAM. v5.2.11 is very stable and offers a lot of features. In your case, new FGT first, nicer features afterwards.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #5
    bobm
    Re: 5.2 vs 5.4 CPU usage 2017/09/14 08:14:01 (permalink)
    Thanks for the tip.  I am kind of nervous about this. 
     
    But the box does have 2GB, and even though the CPU is pushing pretty hard, the memory tends to hang somewhere in the 30s.  Probably because I disabled so much and am pushing all logging up to the cloud. 
     
    At least I know I'm using a stable rev now, so if I have to downgrade I can rest easy.  It's only been a few hours, but seems to be running better already.
    post edited by bobm - 2017/11/13 08:01:58
    #6
    bobm
    Re: 5.2 vs 5.4 CPU usage 2017/09/25 11:11:10 (permalink)
    So now that our renewal date is coming close, there actually may be a possibility of a new box coming my way if I can justify the spending.  I was looking at the 100D/E since they seem to be the next logical step up, but someone recommended I take a look at the 80E instead.  Similar price to the 90D but the numbers do look a lot better. 
     
    Can I configure it for redundant/load balanced WAN?
     
    Anyone have experience with it? Worth looking into for my environment, or should I stick with going bigger box?
    post edited by bobm - 2017/09/25 12:24:30
    #7
    MikePruett
    Re: 5.2 vs 5.4 CPU usage 2017/09/25 12:31:59 (permalink)
    Get the 80E and yes you can configure it for redundant / load balanced WAN.
     
    You will be much happier with the performance of it.
     
    The 90Ds were dogs and the 80E is way better IMO. Only jump up to the 100E model range if your users are flowing enough bandwidth beyond the device (internal to WAN) to justify the other performance numbers and in turn cost.

    Mike Pruett
    Fortinet GURU
    #8
    bobm
    Re: 5.2 vs 5.4 CPU usage 2017/11/13 08:09:30 (permalink)
    Got an IPS engine upgrade in the past week, and the box went into fail open mode when it installed, even though IPS is disabled, so we're looking at the new box now.  The Boss doesn't want to spend money for a bigger box just to get caught behind in a few years again, so asked me to make sure we're sizing up enough to run all the features we may want in the next few years.
     
    So to recap - roughly 50 users running data and voice.  Most traffic is WAN (email, SalesForce, Leadmaster, etc) running over a pair of redundant/balanced 20MB pipes.  Lots of web filtering, and we'd like to actually use IPS and Virus. Maybe vulnerability scan? No VPN today, but possibly limited use in the future. One vendor tried to push me into the 200 series, but that seems overkill to me.  Is the 100 a good fit for us in the real world?
     
    Thanks again to all
    #9
    bobm
    Re: 5.2 vs 5.4 CPU usage 2017/11/14 05:06:19 (permalink)
    Finally got in touch w/a Fortinet rep, and looks like we're going 100E.  Looks like all the desktop models max out around 50 users, but the 100 series is approved for up to 150. 
    #10
    FGTuser
    Re: 5.2 vs 5.4 CPU usage 2017/11/15 04:41:54 (permalink)
    60E/80E/100E is basically the same SoC3 box, 100E just has 4GB RAM (60E/80E have 2GB).
     
    With 100E you get:
    - more LAN ports
    - SSL offload/ Link aggregation (disabled in desktop models - even though they could handle it)
    - rackmount box
    - ext. RPS possibility
    - more RAM, but it's questionable if you will utilize it
     
    It depends on those features whether it's worth it for you to pay triple for the 100E.
    And there is absolutely no reason to pay almost double for the 80E compared to the 60E, unless you want 4 more GE ports :D
     
    I still don't understand why FTNT is producing so many almost equal (regarding performance, not price :)) models.
    post edited by FGTuser - 2017/11/15 09:48:21
    #11
    bobm
    Re: 5.2 vs 5.4 CPU usage 2017/11/20 08:35:31 (permalink)
    Doesn't make much sense to me either, just makes it tougher to make a decision.  I think the boss is going to go 100E just because when we went from 60C to 90D a few years ago we thought we were in great shape for the future. Then we added voice, and more customers added their own secure CRM sites to the mix for our reps to log into.  He wants to make sure we're planning ahead. And talking with our Fortinet rep, the 80E is still only recommended for up to 50 users, which is where we are now.  And as FW revs go up and more features come in, CPU load only goes up in general. If he's OK with paying for it, I'm much happier with the bigger box to work with.  Maybe I can start using the box to its potential for a change.
    #12
    FGTuser
    Re: 5.2 vs 5.4 CPU usage 2017/11/20 08:48:18 (permalink)
    Up to you and your boss. CPU is exactly the same 60E/80E/100E and it's quite weak. I don't know where the 50 user recommendation comes from. Yes, 100E will handle more sessions due to RAM, and that's all. But it's very unlikely that >50 users will kill 60E/80E due to sessions.
     
    FTNT is doing a lot of changes in low end models with every line (C/D/E). Sometimes it's a CPU-based model (e.g. 80D, 100D), sometimes a SoC model (e.g. 90D, 80E, 100E)...huge difference (good and bad - depends what kind of performance you need).
    So a decision based on history or model number is not good.
     
    If money is not a problem and you want something future proof, go for 200E.
     
    Also if you need disk, get xx1E not xx0E.
    But FAZ-VM is much more recommended instead of a disk model.
     
    post edited by FGTuser - 2017/11/20 08:53:24
    #13
    btp
    Re: 5.2 vs 5.4 CPU usage 2017/11/20 08:59:35 (permalink)
    I upgraded a FG60D HA running at 5.2.7 to 5.4.6, due to some bugs that have been around until this release (BGP/IPSEC and hardware offloading). We use BFD to shorten failover time in case of failure, and with the default settings the route kept flapping when traffic increased. The CPU was overwhelmed.
     
    For this particular setup there was no BFD before, so I can't really say that it was the new firmware that did this - but it runs fine in other places on 5.2.7.
    #14