A few weeks ago I swapped a FortiGate 100D firewall for a 90D. The 100D was defective and needed to be replaced. Since the customer only has a 20 Mbps ISP connection, I thought that a FortiGate 90D would fit for the moment, since it has a firewall throughput of 3.5 Gbps, compared to the lower value of 2.5 Gbps of the 100D.
Indeed, it worked. However, the increase in CPU usage was huge, probably related to the NGFW throughput. Here are some graphs:
I migrated exactly the same configuration from the 100D to the 90D. Both devices run software version 5.2.7. There are about 100 devices surfing the web, around 10 VPN connections and, as already noted, only 20 Mbps to the Internet. Here are the graphs for CPU, connections and wan1 usage over the last few weeks. Obviously, neither the connections nor the wan1 usage increased, but the CPU is almost always peaking at 100 % during working hours. Even the average usage is about 50-70 % (and even though only 10 Mbps are used!):
A look at the CLI (which is only a short snapshot in time) shows this:
FortiGate-90D # diagnose sys top-summary
   PID      RSS  ^CPU% MEM%   FDS     TIME+  NAME
* 79       27M   44.3  1.5    15  17:18.77  reportd
  90       29M   22.3  1.6    15  00:04.99  sshd [x4]
  65      105M   12.4  5.7    46  00:15.90  ipsmonitor [x3]
  78       63M   11.3  3.5    14  51:24.34  sqldb
 479       44M    7.1  2.4  2259  55:50.97  proxyd [x3]
  62       23M    2.3  1.3    16  00:26.64  httpsd [x4]
 481       30M    0.4  1.7    20  08:50.22  urlfilter
 482       10M    0.0  0.6    14  00:00.20  ovrd
 485       14M    0.0  0.8    14  00:06.65  dsd
 287       10M    0.0  0.6    12  00:01.57  radvd
  38       24M    0.0  1.3    13  07:36.66  cmdbsvr
 296       14M    0.0  0.8    29  12:00.68  iked
 480       40M    0.0  2.2    31  04:37.14  scanunitd [x3]
 171       10M    0.0  0.6     8  00:00.00  getty
2479       43M    0.0  2.4    12  00:31.70  pyfcgid [x4]
  48       11M    0.0  0.6    87  00:05.59  zebos_launcher [x12]
  59       10M    0.0  0.6    12  00:00.49  uploadd
  60       33M    0.0  1.8    55  28:54.36  miglogd [x2]
  61       10M    0.0  0.6     8  00:01.10  kmiglogd
  68       10M    0.0  0.6    11  00:11.12  merged_daemons

CPU [|||||||||||||||||||||||||||||||||||     ]  89.0%
Mem [||||||||||||||||||||||                  ]  56.0%  1045M/1834M
Processes: 20 (running=1 sleeping=86)
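To read a `diagnose sys top-summary` snapshot by function rather than by eyeballing the top line, here is a small parser I added for this post (it is not Fortinet code and not part of the original article). It parses the process table, keeps the per-process CPU figure and the `[xN]` instance count, and sums CPU per role. The role mapping (inspection, logging, management) is my own assumption about what each FortiOS daemon does, and the embedded sample is the snapshot shown above, copied verbatim. On that sample, report generation and the local log database (reportd, sqldb) are at the top, with the inspection daemons (ipsmonitor, proxyd, urlfilter) behind them; as the post says, one snapshot is only a moment in time.

```python
import re
from collections import defaultdict

# Snapshot copied from the post above (FortiGate 90D, FortiOS 5.2.7).
TOP_SUMMARY = """\
FortiGate-90D # diagnose sys top-summary
   PID      RSS  ^CPU% MEM%   FDS     TIME+  NAME
* 79       27M   44.3  1.5    15  17:18.77  reportd
  90       29M   22.3  1.6    15  00:04.99  sshd [x4]
  65      105M   12.4  5.7    46  00:15.90  ipsmonitor [x3]
  78       63M   11.3  3.5    14  51:24.34  sqldb
 479       44M    7.1  2.4  2259  55:50.97  proxyd [x3]
  62       23M    2.3  1.3    16  00:26.64  httpsd [x4]
 481       30M    0.4  1.7    20  08:50.22  urlfilter
 482       10M    0.0  0.6    14  00:00.20  ovrd
 485       14M    0.0  0.8    14  00:06.65  dsd
 287       10M    0.0  0.6    12  00:01.57  radvd
  38       24M    0.0  1.3    13  07:36.66  cmdbsvr
 296       14M    0.0  0.8    29  12:00.68  iked
 480       40M    0.0  2.2    31  04:37.14  scanunitd [x3]
 171       10M    0.0  0.6     8  00:00.00  getty
2479       43M    0.0  2.4    12  00:31.70  pyfcgid [x4]
  48       11M    0.0  0.6    87  00:05.59  zebos_launcher [x12]
  59       10M    0.0  0.6    12  00:00.49  uploadd
  60       33M    0.0  1.8    55  28:54.36  miglogd [x2]
  61       10M    0.0  0.6     8  00:01.10  kmiglogd
  68       10M    0.0  0.6    11  00:11.12  merged_daemons

CPU [|||||||||||||||||||||||||||||||||||     ]  89.0%
Mem [||||||||||||||||||||||                  ]  56.0%  1045M/1834M
Processes: 20 (running=1 sleeping=86)
"""

# Assumed grouping of FortiOS daemons by role. This is my own mapping for
# illustration, not a Fortinet classification; unknown names land in "other".
ROLES = {
    "ipsmonitor": "inspection",  # IPS / application control engine
    "proxyd": "inspection",      # proxy-based AV / web filter / SSL inspection
    "urlfilter": "inspection",
    "scanunitd": "inspection",   # antivirus scan units
    "reportd": "logging",        # local report generation
    "sqldb": "logging",          # local log database
    "miglogd": "logging",
    "kmiglogd": "logging",
    "sshd": "management",
    "httpsd": "management",
    "cmdbsvr": "management",
    "pyfcgid": "management",
}

# One process row: optional leading "*", PID, RSS, CPU%, MEM%, FDS, TIME+,
# NAME and an optional "[xN]" instance count. Header, bar and prompt lines
# start with letters and therefore do not match.
LINE_RE = re.compile(
    r"^(?P<star>\*)?\s*(?P<pid>\d+)\s+(?P<rss>\d+)M\s+(?P<cpu>[\d.]+)\s+"
    r"(?P<mem>[\d.]+)\s+(?P<fds>\d+)\s+(?P<time>[\d:.]+)\s+(?P<name>\S+)"
    r"(?:\s+\[x(?P<n>\d+)\])?"
)


def parse_top_summary(text):
    """Return one dict per process row of a top-summary snapshot."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt, column header, CPU/Mem bars, blank line
        rows.append({
            "pid": int(m["pid"]),
            "name": m["name"],
            "instances": int(m["n"] or 1),
            "rss_mb": int(m["rss"]),
            "cpu": float(m["cpu"]),
            "mem": float(m["mem"]),
            "fds": int(m["fds"]),
            "starred": m["star"] is not None,
        })
    return rows


def cpu_by_role(rows):
    """Sum the CPU% column per assumed role, rounded to one decimal."""
    totals = defaultdict(float)
    for r in rows:
        totals[ROLES.get(r["name"], "other")] += r["cpu"]
    return {role: round(pct, 1) for role, pct in totals.items()}


def top_consumers(rows, limit=3):
    """The `limit` busiest processes as (name, cpu) pairs, busiest first."""
    ordered = sorted(rows, key=lambda r: r["cpu"], reverse=True)
    return [(r["name"], r["cpu"]) for r in ordered[:limit]]


if __name__ == "__main__":
    rows = parse_top_summary(TOP_SUMMARY)
    print(f"{len(rows)} processes parsed")
    for role, pct in sorted(cpu_by_role(rows).items(), key=lambda kv: -kv[1]):
        print(f"{role:<12} {pct:5.1f} %")
    print("top consumers:", top_consumers(rows))
```

To use it on a live box, paste the output of `diagnose sys top-summary` (or several snapshots taken a minute apart during working hours) into `TOP_SUMMARY`; a single reading, as the post notes, says little on its own.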
I even had some situations in which I got an “Error 500: Internal Server Error” when trying to change some address objects. Is this normal? Before the defective FortiGate 100D firewall (which only showed such errors because of a hard disk error), I had not seen these:
–> After a second look at the Fortinet Product Matrix, I found the big difference: while the FortiGate 100D has an “NGFW Throughput” of 210 Mbps, the 90D has only 25 Mbps! So I am not surprised anymore.
And I learned something (again) today: it does NOT depend on the “Firewall Throughput”, but on the IPS/SSL/Application/NGFW/Threat Throughput! The firewall throughput figure only covers plain, hardware-accelerated packet forwarding; as soon as IPS, application control, web filtering or SSL inspection are enabled, the traffic has to pass the CPU-bound inspection daemons, and the datasheet figure that matters for sizing is the NGFW or Threat Protection throughput.