Administration Guide

Enabling the ISDB cache in the FortiOS kernel NEW

A software ISDB cache can be enabled in the FortiOS kernel. This ISDB cache can be used to enhance lookup performance by circumventing the ISDB lookup penalty when revisiting the same resources.

The ISDB cache can be enabled using the following command:

config system settings
    set internet-service-database-cache {enable | disable}
end

Example

In the following example, after enabling the software ISDB cache, traffic is generated twice to the same resource. Because the ISDB cache is enabled, the second visit does not trigger a new query in the ISDB. Instead, the ISDB lookup is performed in the cache table.

To enable the software ISDB cache:
  1. Enable the ISDB cache:

    config system settings
        set internet-service-database-cache enable
    end
  2. Create an ISDB firewall policy:

    config firewall policy
        edit 1
            set internet-service enable
            set internet-service-name "Google-DNS" "Google-Other" "Google-Web"
            set internet-service6 enable
            set internet-service6-name "Google-DNS" "Google-Other" "Google-Web"
        next
    end
  3. Generate traffic to access a resource that matches the ISDB IDs in the firewall policy.

  4. Check the Internet Service cache lists:

    # diagnose firewall internet-service-cache list
    List Internet Service (IPV4) Cache in Kernel:
    MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=2 isdb_cache_hit_count=0 isdb_query_count=2
    proto=6 port=443 IP=10.151.118.105 id=1245185 country_id=840 region_id=283 city_id=21065 reputation=5 insert_timestamp=4302579542 cache_hit_count=0
    proto=6 port=443 IP=10.8.8.8 id=65537 country_id=840 region_id=283 city_id=15905 reputation=5 insert_timestamp=4302579760 cache_hit_count=0
    
    # diagnose firewall internet-service6-cache list
    List Internet Service (IPV6) Cache in Kernel:
    MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=1 isdb_cache_hit_count=0 isdb_query_count=1
    proto=6 port=443 IP=2600:140a:1000:196::b33 id=7929993 country_id=124 region_id=65535 city_id=65535 reputation=4 insert_timestamp=4302580009 cache_hit_count=0
  5. Generate traffic to access the same resource again.

  6. Check the Internet Service cache lists:

    # diagnose firewall internet-service-cache list
    List Internet Service (IPV4) Cache in Kernel:
    MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=2 isdb_cache_hit_count=1 isdb_query_count=2
    proto=6 port=443 IP=10.151.118.105 id=1245185 country_id=840 region_id=283 city_id=21065 reputation=5 insert_timestamp=4302579542 cache_hit_count=0
    proto=6 port=443 IP=10.8.8.8 id=65537 country_id=840 region_id=283 city_id=15905 reputation=5 insert_timestamp=4302579760 cache_hit_count=1
    
    # diagnose firewall internet-service6-cache list
    List Internet Service (IPV6) Cache in Kernel:
    MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=1 isdb_cache_hit_count=1 isdb_query_count=1
    proto=6 port=443 IP=2600:140a:1000:196::b33 id=7929993 country_id=124 region_id=65535 city_id=65535 reputation=4 insert_timestamp=4302580009 cache_hit_count=1

    The ISDB lookup is performed in the cache table so there is no new query in the full ISDB.
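To check the two cache listings above programmatically (for example from a monitoring script that collects `diagnose firewall internet-service-cache list` over SSH), the added example below parses the key=value output shown in steps 4 and 6 and confirms that the revisit was served from the kernel cache. This is illustrative code added here, not part of the FortiOS product or this guide; the sample output is copied from the steps above.

```python
import re

# Output of the first and second cache checks (IPv4), copied from the procedure above.
FIRST_CHECK = """List Internet Service (IPV4) Cache in Kernel:
MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=2 isdb_cache_hit_count=0 isdb_query_count=2
proto=6 port=443 IP=10.151.118.105 id=1245185 country_id=840 region_id=283 city_id=21065 reputation=5 insert_timestamp=4302579542 cache_hit_count=0
proto=6 port=443 IP=10.8.8.8 id=65537 country_id=840 region_id=283 city_id=15905 reputation=5 insert_timestamp=4302579760 cache_hit_count=0
"""
SECOND_CHECK = """List Internet Service (IPV4) Cache in Kernel:
MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=2 isdb_cache_hit_count=1 isdb_query_count=2
proto=6 port=443 IP=10.151.118.105 id=1245185 country_id=840 region_id=283 city_id=21065 reputation=5 insert_timestamp=4302579542 cache_hit_count=0
proto=6 port=443 IP=10.8.8.8 id=65537 country_id=840 region_id=283 city_id=15905 reputation=5 insert_timestamp=4302579760 cache_hit_count=1
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_cache_list(text):
    """Return (summary, entries): the MAX_ISDB_CACHE_ENTRY_SIZE line as a dict of
    ints, and each cached resource line as a dict (IP kept as a string)."""
    summary, entries = {}, []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if not fields:
            continue  # banner line "List Internet Service ... Cache in Kernel:"
        if "MAX_ISDB_CACHE_ENTRY_SIZE" in fields:
            summary = {k: int(v) for k, v in fields.items()}
        else:
            entries.append({k: (v if k == "IP" else int(v)) for k, v in fields.items()})
    return summary, entries

def cache_served_revisit(before, after):
    """True when the second snapshot shows the revisit was answered from the kernel
    cache: the global hit count rose while the full-ISDB query count did not."""
    s0, _ = parse_cache_list(before)
    s1, _ = parse_cache_list(after)
    no_new_query = s1["isdb_query_count"] == s0["isdb_query_count"]
    hit = s1["isdb_cache_hit_count"] > s0["isdb_cache_hit_count"]
    return no_new_query and hit

def entries_hit(text):
    """IPs whose per-entry cache_hit_count is non-zero, i.e. the revisited resources."""
    _, entries = parse_cache_list(text)
    return [e["IP"] for e in entries if e["cache_hit_count"] > 0]

def cache_utilisation(text):
    """Fraction of the kernel cache table in use (entries / MAX_ISDB_CACHE_ENTRY_SIZE)."""
    s, _ = parse_cache_list(text)
    return s["num_isdb_cache_entry"] / s["MAX_ISDB_CACHE_ENTRY_SIZE"]
```

`cache_utilisation` is useful for alerting before the 1024-entry table fills, at which point new resources can no longer benefit from the cache.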
