Fortinet 5.0 Patch 6 Logging performance

Fortinet 617 FortiWeb 5.0 Patch 6 Administration Guide

FortiWeb will be evaluating the string multiple times — not once — before it finds a

match. This significantly decreases performance.

When comparing single characters, use character classes such as:

[abc]

instead of alternative matches like

(a|b|c)

Match character by character, not word by word. If words begin with the same

characters, it is not efficient to evaluate the beginning of the match string multiple times

— once for each possible word.

For example, to match the words “the”, “then”, “this”, and “these”, this expression is

easy to read, but inefficient because it evaluates the first two characters (“th”) up to 4

times:

\b(this|the|then|these)\b

While harder to read, this expression improves performance, evaluating “th” once, and

will match the most common word in English (“the”) before considering less probable

words:

\bth(e(n|se)|is)\b

• Reduce nested quantifiers such as:

(abc){1,6}

(abc)+

Worst-case evaluations do not increase computation time linearly, but exponentially.

When such an expression is compiled, it also consumes much more RAM. Use the

smallest possible repetition, or an alternative expression.

• Avoid Unicode character properties such as /p{Nd} if you can use a character class

instead. Due to the huge numbers and complexity of potential matches in Unicode, these

can be dramatically slower.

• Avoid look-ahead match conditions such as:

?=abcdefge

?!abcdefge

To do this, FortiWeb must make additional computations — in the example above, 8 in the

best case scenario, an immediate match. FortiWeb also must keep the originally consumed

match string in memory while it does this, which increases RAM consumption.

Logging performance

• If you have a FortiAnalyzer, store FortiWeb’s logs on the FortiAnalyzer to avoid resource

usage associated with writing logs to FortiWeb’s own hard disks. See “Configuring log

destinations” on page 549.

• If you do not need a traffic log, disable it to reduce the use of system resources. See

“Enabling log types, packet payload retention, & resource shortage alerts” on page 546.

• Reduce repetitive log messages. Use the alert email settings, as shown in Figure 76, to

define the interval that emails are sent if the same condition persists following the initial

occurrence. See “Configuring email settings” on page 576.