When you configure your FortiWeb appliance and its features, there are many settings and practices that can yield better performance.
For example, the regular expression ^.*/index\.html$ has the worst-case match string /index.html. If the worst possible match string is short and not complex to match, the regular expression may not be worth your time to optimize.
For example, when using auto-learning to discover if street addresses are a valid input, scanning for postal codes or state abbreviations instead may dramatically improve performance. A pattern to fully match all possible street addresses is significantly more complex, involving many more computations, and the most difficult addresses to verify might be complex enough to impact traffic throughput.
Avoid nested parentheses with indefinite repeats such as:
^((a+)b+)*
which can take a very long time to evaluate, especially if a long string does not match, but this cannot be determined until the very last character is evaluated.
In the above example, both the + and * indicate matches that repeat potentially infinitely, forcing the regular expression engine to continue until it finds the longest possible match (or runs out of RAM; see Killing system-intensive processes). Using both in a nested set of parentheses compounds the problem.
Minimize capture groups and back-references such as:
(/a)(/b)/(c)
$0$1\?user=$2
To use back-references, FortiWeb must keep the text that matched the capture groups in memory, which increases RAM consumption.
Order matters if using alternate match patterns (i.e. multiple patterns are concatenated with a pipe ( | )). Put rare patterns last. If you put less likely patterns first, most times FortiWeb will be evaluating the string multiple times — not once — before it finds a match. This significantly decreases performance.
When comparing single characters, use character classes such as:
[abc]
instead of alternative matches like
(a|b|c)
Match character by character, not word by word. If words begin with the same characters, it is not efficient to evaluate the beginning of the match string multiple times — once for each possible word.
For example, to match the words “the”, “then”, “this”, and “these”, this expression is easy to read, but inefficient because it evaluates the first two characters (“th”) up to 4 times:
\b(this|the|then|these)\b
While harder to read, this expression improves performance, evaluating “th” once, and will match the most common word in English (“the”) before considering less probable words:
\bth(e(n|se)|is)\b
Reduce nested quantifiers such as:
(abc)+
(abc){1,6}
Worst-case evaluations do not increase computation time linearly, but exponentially. When such an expression is compiled, it also consumes much more RAM. Use the smallest possible repetition, or an alternative expression.
Avoid Unicode character properties such as:
\p{Nd}
if you can use a character class instead. Due to the huge number and complexity of potential matches in Unicode, these can be dramatically slower.
Avoid look-ahead match conditions such as:
(?!abcdefge)
(?=abcdefge)
To do this, FortiWeb must make additional computations — in the example above, 8 in the best case scenario, an immediate match. FortiWeb also must keep the originally consumed match string in memory while it does this, which increases RAM consumption.
Generating reports can be resource intensive. To avoid performance impacts, consider scheduling report generation during times with low traffic volume, such as at night and on weekends. See the illustration Log&Report > Report Config > Report Config and Scheduling reports.
Keep in mind that most reports are based upon log messages. All caveats regarding log performance also apply.
When you configure a signature set as part of a web protection profile, consider limiting the scope and application of the Information Disclosure options shown in the illustration Disabling unnecessary server information disclosure signatures in Web Protection > Known Attacks > Signatures. (Click the blue arrow next to Information Disclosure to see the list.)
Do you need to watch for all information types? If not, disable them to increase performance. Disable signatures that do not apply to your web servers. For example, if your web server does not run Adobe ColdFusion, you could disable CF Source Code Leakage to omit that scan and improve performance. See Specifying URLs allowed to initiate sessions.
The Information Disclosure feature can potentially require the FortiWeb appliance to rewrite the header of every request from a server, resulting in reduced performance. Fortinet recommends enabling this feature only to help you identify information disclosure through logging, and until you can reconfigure the server to omit such sensitive information. Clear the All / None check box to disable the feature.
Unless you need to back up large files, reduce the setting for the Skip Files Larger Than option from the default of 10 240 KB.
Use the Skip Files With These Extensions option to exclude specific types of large files, such as compressed files and video clips.
Vulnerability scan performance depends on the speed and reliability of your network. It also can be impacted by your configuration. See Delay Between Each Request.
Packet capture can be useful for troubleshooting but can be resource intensive. (See Packet capture.) To minimize the performance impact on your FortiWeb appliance, use packet capture only during periods of minimal traffic. Use a local console CLI connection rather than a Telnet or SSH CLI connection, and be sure to stop the command when you are finished.