Chapter 1 What’s New for FortiOS 5.0 : Security Features : Optimizing SSL encryption/decryption performance
  
Optimizing SSL encryption/decryption performance
By default, FortiGate units handle SSL decryption/encryption using the SSL functionality built into their FortiASIC processors. In situations where the FortiGate unit processes large amounts of SSL traffic and has more than 4 CPUs, you may be able to optimize SSL encryption/decryption performance by changing how SSL processing is distributed to the CPUs. You can also use the following command to specify the number of CPUs to use for SSL processing (in the command, CPU is called an SSL worker):
config system global
set optimize-ssl {enable | disable}
set ssl-worker-count <worker-count>
end
The <worker-count> is the number of CPUs. The range depends on the number of CPUs in the FortiGate model (this feature only works for FortiGate units with 4 or more CPUs).
You can use the following command to display information about each CPU running in your FortiGate unit:
get hardware cpu
The command output numbers the CPUs starting at 0. For example, a FortiGate-5001B contains 8 CPUs and the command output for this model contains information about all 8 CPUs numbered 0 to 7. Here are the first few output lines for CPU 7:
...
processor       : 7
vendor_id       : GenuineIntel
cpu family      : 6
model           : 14
model name      : Intel(R) Xeon(R) CPU C5528 @ 2.13GHz
stepping        : 4
cpu MHz         : 2128.072
...
If your FortiGate unit includes multiple CPUs and you want to improve SSL performance, use the following command to begin distributing SSL decryption/encryption to 4 CPUs:
config system global
set optimize-ssl enable
set ssl-worker-count 4
end
Monitor FortiGate performance. If SSL performance improves without affecting other performance, you can either maintain this configuration or add another CPU to the configuration (if one is available). Continue in this manner until you achieve optimum performance for your FortiGate unit.
Continue monitoring performance in case you have to change this setting due to changes in your network traffic patterns.
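The following Python sketch is an added example, not part of the Fortinet documentation. It parses saved get hardware cpu output, checks the 4-CPU minimum, and emits the config block for a requested worker count, plus the next count to try when adding one CPU at a time. The function names are hypothetical, the sample output is constructed, and treating the CPU count as the upper bound of ssl-worker-count is an assumption.

```python
import re

MIN_CPUS = 4  # from the page: the feature only works on units with 4 or more CPUs

# Constructed sample: abbreviated `get hardware cpu` output for an 8-CPU unit.
SAMPLE = "\n".join(
    f"processor       : {n}\nvendor_id       : GenuineIntel\ncpu MHz         : 2128.072\n"
    for n in range(8)
)

def count_cpus(cpu_output):
    """Count CPUs in `get hardware cpu` text; the output numbers CPUs from 0."""
    ids = {int(m) for m in re.findall(r"^processor\s*:\s*(\d+)\s*$", cpu_output, re.M)}
    if not ids:
        raise ValueError("no 'processor : N' lines found")
    if ids != set(range(len(ids))):
        # A gap means the capture was cut off; do not size workers from it.
        raise ValueError("processor numbers are not contiguous from 0")
    return len(ids)

def ssl_worker_config(cpu_output, workers):
    """Return the CLI block for `workers` SSL workers, or raise if out of range."""
    cpus = count_cpus(cpu_output)
    if cpus < MIN_CPUS:
        raise ValueError(f"unit has {cpus} CPUs; {MIN_CPUS} or more are required")
    # Assumption: valid worker counts run from 1 to the number of CPUs.
    if not 1 <= workers <= cpus:
        raise ValueError(f"worker count {workers} is outside 1..{cpus}")
    return "\n".join([
        "config system global",
        "set optimize-ssl enable",
        f"set ssl-worker-count {workers}",
        "end",
    ])

def next_worker_count(cpu_output, current):
    """Next count to try when adding one CPU at a time; None if none is available."""
    return current + 1 if current < count_cpus(cpu_output) else None

if __name__ == "__main__":
    print(ssl_worker_config(SAMPLE, 4))
    print("next count to try:", next_worker_count(SAMPLE, 4))
```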