Especially on Fortigates with little memory (e.g. FG60F, FG50G) it makes sense to configure the device in a memory-saving way. Ideally – of course – without reducing the memory by disabling certain features.
One possibility to do this is to optimize the ISDB settings. The internet service database is very useful if you want to grant (or deny) access to specific internet services without using application control (application control is more accurate than the ISDB, but it will cost more ressources). Please have a look at this article if you want to reduce memory on your firewall – regardless of whether you use the ISDB or not.
You can adjust the ISDB setting in the CLI with following options:
fgt # config system global
fgt (global) # set internet-service-database
mini Small sized Internet Service database with very limited IP addresses.
standard Medium sized Internet Service database with most IP addresses.
full Full sized Internet Service database with all IP addresses.
on-demand Internet Service database with customer selected IP addresses.
As you can see the ISDB can be downloaded in three different sizes (full, standard, mini) and starting with FortiOS 7.2.4 you can also choose “on-demand”.
No matter which settings is configured, in the WebUI you will see all ISDB entries. The difference is that the corresponding IP addresses are not downloaded for all entries – as you can see in the following examples with “internet-service-database=full” and “internet-service-database=mini”. And this of course reduces memory utilization!
The setting “on-demand” goes one step further: only the IPs for the ISDB entries that are actually used in the configuration are downloaded. Please notice in the following screenshot that we only see IP addresses (“Number of Entries”) where the “Ref.” column is not empty.
Let’s get to the big question: how much memory will this save us?
Unfortunately we didn’t find a way to measure the size of the ISDB database directly. But through indirect measurements we were able to determine the following difference (FG-VM64, 4GB memory & FOS 7.2 – please don’t nail us to the numbers, it’s just a rough estimate):
- there is no significant difference between “full” and “standard”, but
- there is a significant difference between “full” and “mini”. The reduction in memory has been about 200MB in our test. With 4GB memory this is about 5 percantage points.
- if you are using only few ISDB entries or no ISDB at all, then you can use the “on-demand” setting for best memory reduction. The difference between full and “on-demand” (with no ISDB usage) has been about 220 MB in our test, which is about 5-6 percantage points with 4GB memory.
Some additional remarks:
- if you use “mini” – please make sure that all ISDB entries that you are using have downloaded their appropriate IP addresses. If you are using ISDB entries that are not downloaded by “mini”, please change your configuration to “on-demand”, “full” or “standard”
- after changing the setting of “set internet-service-database …” you have to wait for a scheduled FortiGuard update (by default every hour) or you have to downlaod the appropriate ISDB manually (CLI: “exec update-now”). This also applies to setting “on-demand” when you are using additional ISDB entries that haven’t already been downloaded to the on-demand ISDB
- no matter which setting you are using, the ISDB is stored on the flash drive. So you will have no issues after a reboot.
Additional Links:
- New Features 7.2.4: Add ISDB on-demand mode to reduce the size stored on the flash drive
- Technical Tip: Internet-service-database: On-demand
- Technical Tip: Verifying which Internet Service database type and version installed on FortiOS-based units
