Solved

can fortinet affect internal applications?

Posted on 2010-11-21
3
464 Views
Last Modified: 2012-05-10
Hello experts!

Our IT group recently installed a fortinet appliance about 3 weeks ago. Almost immediately, we had DNS problems and no one could log into a critical-mission web-based application. That was resolved, but since then, we have been having major performance issues in that, sometimes, we are unable to log in or if we can log in, a simple search that used to take 1-2 seconds now takes 4-5 minutes, if it comes back at all. IT immediately ruled out the fortinet saying that becuase of it's location and function on the network, it does not affect internal applications. Hardware, network, virus, application, disk space, and MS SQL server have also been ruled out. IT is now recommending a complete re-install including OS, IIS and application, and if that doesn't work, next recommendation is to move the app out of the the HP Blade system it has been running on to a more traditional setup of individual servers.

I am not in system administration and such, instead I'm in data warehousing, so I really don't know much about this stuff. But, it seems to me that with all other things ruled out, it is just to big a coincidence that things broke as soon as fortinet was installed. is it really impossible for fortinet to affect internal applications, even in some indirect way? Any and all thoughts are welcomed!
0
Comment
Question by:Zugarus
3 Comments
 
LVL 32

Assisted Solution

by:shalomc
shalomc earned 150 total points
Comment Utility
try taking out the fortinet and testing before reinstalling everything :)

I assume that you speak of the Fortinet IPS. It is installed on level 2, similar to a router, and inspects all traffic based on signatures. Despite the vendor's promises to support certain amounts of bandwidth and to be transparent to the traffic, it ain't necessarily so. Especially if the appliance was not sized correctly, or if the IPS is configured for overkill.

I was not responsible for the Fortinet in my previous job, but it took time and 3(!!) resizing sessions to make it work right.

Demand from IT to take out the fortinet BEFORE reinstalling everything.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 350 total points
Comment Utility
It can.  Assuming you have a IPS and it is in-line you can image it as police check point on the road.  Every car must stop and be checked out.  It will back traffic up.  Now a properly sized and tuned IPS will add a very small amount of overhead and done correctly will not add any noticeable about of time to the end user's response time.

Do NOT allow IT re-install everything or move the server off of a blade yet.

Which Fortinet do you have?

Did it replace something else?

    If it replaced something else, was it in-line or out-of-band?

Where there other changes made?  

    New version of the application deployed?  
    New data loaded into the database?


If they are pushing moving away from blades to "traditional servers" then I would question everything they say.  Blades are just like "traditional servers."  The only difference is the physical connectors into the rest of the environment.  I'm a real networking guy and it took me 4 hours of architectural overview to get that through to the guys that manage our distributed servers.  If you don't understand how blade servers are setup, then you tend to think they can't perform as well as stand alone.  

The only time stand alone servers perform well is when need more resource than physical the capabilities a blade server can provide.  Example: You have an application that needs 32 "processors" or needs 512GB of RAM.  A blade server can't handle that (today), so you must go with a stand alone.
0
 

Author Comment

by:Zugarus
Comment Utility
thank you for your insight. turns out that around the same time as installing fortinet, anti-virus software was also installed on these same machines....and exclusions specific to the application were not properly set up. those were added today and performance improved tremendously.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

A Change in PHP Behavior with Session Write Short Circuit (http://php.net/manual/en/book.session.php#116217) (Winter 2014)** With the release of PHP 5.6 the session handler changed in a way that many think should be considered a bug.  See the note …
Introduction A frequently used term in Object-Oriented design is "SOLID" which is a mnemonic acronym that covers five principles of OO design.  These principles do not stand alone; there is interplay among them.  And they are not laws, merely princ…
Learn how to set-up custom confirmation messages to users who complete your Wufoo form. Include inputs from fields in your form, webpage redirects, and more with Wufoo’s confirmation options.
Learn how to set-up PayPal payment integration in your Wufoo form. Allow your users to remit payment through PayPal upon completion of your online form. This is helpful for collecting membership payments, customer payments, donations, and more.

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now