Re: Best practice for thwarting port scanning?
No, I don't see and don't expect any noticeable performance hit on firewalling. The 'workload' is done by FortiGuard, that is, determining the IP ranges for each country. These lists are continually updated and sent to the FGT. FortiOS only has to compile the blocked address ranges and offload them to the NPU.
The FGTs I manage (in Europe) get molested mainly by hosts in Brazil, China, Viet Nam, Ukraine. I can rule out any legitimate access from these countries. So, incoming traffic is reduced by, say, 80%.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
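The country-based blocking described in the post above, sketched as a FortiOS CLI configuration. This is an added example and not part of the original post; the object names, the group name and the `wan1` interface are assumptions.

```fortios
# Geography-type address objects; FortiGuard supplies the IP ranges per country code
config firewall address
    edit "geo-BR"
        set type geography
        set country "BR"
    next
    edit "geo-CN"
        set type geography
        set country "CN"
    next
    edit "geo-VN"
        set type geography
        set country "VN"
    next
    edit "geo-UA"
        set type geography
        set country "UA"
    next
end

# Group the countries so a single policy covers all of them
config firewall addrgrp
    edit "geo-blocked"
        set member "geo-BR" "geo-CN" "geo-VN" "geo-UA"
    next
end

# Deny inbound traffic from the group; place this above the allow policies
# ("wan1" is an assumed name for the Internet-facing interface)
config firewall policy
    edit 0
        set name "deny-geo-inbound"
        set srcintf "wan1"
        set dstintf "any"
        set srcaddr "geo-blocked"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set action deny
        set logtraffic all
    next
end
```

A firewall policy only covers traffic passing through the unit; traffic addressed to the FortiGate's own interfaces is controlled separately by local-in policy.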