Fortinet 5.0 Patch 6 Antivirus performance, Regular expression performance tips

Fortinet 615 FortiWeb 5.0 Patch 6 Administration Guide

continue checking for the server's responsiveness. See “Configuring server up/down

checks” on page 254.

• Use the least intensive, earliest possible scan to deflect attacks. See “Sequence of scans”

on page 23.

• Use Period Block if possible as the Action setting for DoS protection rules. This allows

FortiWeb to conserve scanning resources that will by definition be under heavy demand

during a DoS or DDoS attack.

Antivirus performance

• Disable scanning of BZIP2 if it is not necessary.

• Reduce the scanning buffer to the minimum necessary.

• Reduce the number of redundant levels of compression that FortiWeb will scan. Normally,

people will not put a ZIP file within a ZIP file, because it is inconvenient to open and does not

offer significant compression ratio improvements. Nested compression is usually used by

viruses to bypass antivirus scanners.

Regular expression performance tips

•Use a simple string instead if possible. Generally, regular expressions should only be used

when defining all matching text requires a complex pattern. Regular expressions such as:

^.*/index\.html$

are usually more computationally intensive than a literal string comparison such as:

/index.html

•Reduce evaluation complexity.

For example, when using auto-learning to discover if street addresses are a valid input,

scanning for postal codes or state abbreviations instead may dramatically improve

performance. A pattern to fully match all possible street addresses is significantly more

Short regular expressions can sometimes be more complex to compute. Don’t look at the

number of characters in the regular expression. Instead, think of both the usual and worst

possible case in the match string: the maximum number of characters that must be

compared to the pattern before a match can be verified or not.

The usual case will tell you the average CPU and RAM load. The worst case will tell you if

your regular expression could sometimes cause potential hang-like conditions, temporarily

blocking traffic throughput until it finishes evaluating.

If the worst possible match string is short and not complex to match, the regular expression

may not be worth your time to optimize.