Fortigate 300E - Losing internet connection of some users

Author
btdestek
2019/06/17 04:18:15 (permalink)


Hi everyone
 
We're using a Fortigate 300E firewall. We have two devices working "Active-Active".
Our users access the internet via FSSO integrated with Active Directory.
All policies are OK and working.
But many random users are losing the internet connection for 1 or 2 minutes. Then the connection comes back. This occurs very often.
We have 250 users.
 
Is this a capacity problem? Is the Fortigate 300E suitable for 250 users?
How can we fix this connection problem?
 
Thanks
 
#1
hubertzw
Re: Fortigate 300E - Losing internet connection of some users 2019/06/17 07:49:32 (permalink)
Are you able to switch HA from Active-Active to Active-Passive? It would allow you to eliminate one potential reason. Which inspection mode do you have set: proxy or flow? What is the memory consumption?
 
 
 
#2
btdestek
Re: Fortigate 300E - Losing internet connection of some users 2019/06/17 10:40:18 (permalink)
Switched HA from Active-Active to Active-Passive. I'm going to monitor the firewall for any interruption.

Inspection mode is proxy. I don't know which one is the correct setting.

Memory consumption is about 47%.
#3
hubertzw
Re: Fortigate 300E - Losing internet connection of some users 2019/06/17 13:42:26 (permalink)
Remember the A-A limitation:
 
"HTTPS, ICMP, multicast, and broadcast sessions are never load balanced and are always processed by the primary unit. IPS, Application Control, flow-based virus scanning, flow-based web filtering, flow-based DLP, flow-based email filtering, VoIP, IM, P2P, IPsec VPN, HTTPS, SSL VPN, HTTP multiplexing, SSL offloading, WAN optimization, explicit web proxy, and WCCP sessions are also always processed only by the primary unit."
 
"Proxy-based security profile processing that is load balanced includes proxy-based virus scanning, proxy-based web filtering, proxy-based email filtering, and proxy-based data leak prevention (DLP) of HTTP, FTP, IMAP, IMAPS, POP3, POP3S, SMTP, SMTPS, IM, and NNTP, sessions accepted by security policies"
 
In your case - 'proxy' - more sessions can be processed by secondary units, but I would still think twice before switching to A-A HA mode. Today there is more HTTPS than HTTP traffic, so most of the web traffic can be processed only by the primary unit. There is one problem with the traffic which can be sent to the secondaries. It must be sent twice: once as the initial traffic from the sender, and a second time when the primary unit forwards it to the secondary unit. Traffic consumes more bandwidth (2x), but only for the traffic which can be sent to the secondary unit - so only you know the volume and know the answer if it is a problem or not.
 
 
#4
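An added example (not from the thread or from Fortinet documentation) that applies the A-A rules quoted in post #4 to a session mix, estimating how much traffic stays on the primary unit and how much would cross the wire a second time. The `Session` record layout, the `secondary_share` parameter and all byte counts are constructed assumptions.

```python
from collections import namedtuple

# Protocols whose proxy-based profile processing can be load balanced,
# taken from the quoted text. IM is omitted because the quote lists it
# on both the "primary only" and the "load balanced" side.
BALANCED_PROTOCOLS = {"HTTP", "FTP", "IMAP", "IMAPS", "POP3", "POP3S",
                      "SMTP", "SMTPS", "NNTP"}

# inspection is "proxy", "flow" or None (no security profile applied)
Session = namedtuple("Session", "proto inspection nbytes")

def eligible_for_secondary(s):
    """True only for proxy-inspected sessions of a load-balanced protocol."""
    return s.inspection == "proxy" and s.proto.upper() in BALANCED_PROTOCOLS

def summarize(sessions, secondary_share=0.5):
    """secondary_share is an assumption: the fraction of eligible bytes
    that the HA schedule actually hands to secondary units."""
    total = sum(s.nbytes for s in sessions)
    eligible = sum(s.nbytes for s in sessions if eligible_for_secondary(s))
    forwarded = int(eligible * secondary_share)  # sent twice on the wire
    pct = lambda n: round(100 * n / total, 1) if total else 0.0
    return {
        "total_bytes": total,
        "primary_only_bytes": total - eligible,
        "eligible_bytes": eligible,
        "forwarded_bytes": forwarded,
        "primary_only_pct": pct(total - eligible),
        "wire_overhead_pct": pct(forwarded),
    }

# Constructed sample mix, dominated by HTTPS as the post describes.
SAMPLE = [
    Session("HTTPS", "proxy", 7_000_000),
    Session("HTTP", "proxy", 1_500_000),
    Session("SMTP", "proxy", 500_000),
    Session("HTTP", "flow", 400_000),   # flow-based: primary only
    Session("ICMP", None, 100_000),
    Session("IPSEC", None, 500_000),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:20} {value}")
```

Feed it per-service byte totals from your own traffic logs to see whether the share eligible for secondaries is large enough to justify A-A.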