Solved

Can Fortinet affect internal applications?

Posted on 2010-11-21
Last Modified: 2012-05-10
Hello experts!

Our IT group recently installed a Fortinet appliance about 3 weeks ago. Almost immediately, we had DNS problems and no one could log into a critical-mission web-based application. That was resolved, but since then, we have been having major performance issues in that, sometimes, we are unable to log in or if we can log in, a simple search that used to take 1-2 seconds now takes 4-5 minutes, if it comes back at all. IT immediately ruled out the Fortinet, saying that because of its location and function on the network, it does not affect internal applications. Hardware, network, virus, application, disk space, and MS SQL server have also been ruled out. IT is now recommending a complete re-install including OS, IIS and application, and if that doesn't work, the next recommendation is to move the app out of the HP Blade system it has been running on to a more traditional setup of individual servers.

I am not in system administration and such, instead I'm in data warehousing, so I really don't know much about this stuff. But, it seems to me that with all other things ruled out, it is just too big a coincidence that things broke as soon as Fortinet was installed. Is it really impossible for Fortinet to affect internal applications, even in some indirect way? Any and all thoughts are welcomed!
Question by:Zugarus
3 Comments
 

Assisted Solution

by:shalomc
shalomc earned 150 total points
ID: 34185908
Try taking out the Fortinet and testing before reinstalling everything :)

I assume that you speak of the Fortinet IPS. It is installed on level 2, similar to a router, and inspects all traffic based on signatures. Despite the vendor's promises to support certain amounts of bandwidth and to be transparent to the traffic, it ain't necessarily so. Especially if the appliance was not sized correctly, or if the IPS is configured for overkill.

I was not responsible for the Fortinet in my previous job, but it took time and 3(!!) resizing sessions to make it work right.

Demand from IT to take out the Fortinet BEFORE reinstalling everything.

Accepted Solution

by:
giltjr earned 350 total points
ID: 34187406
It can. Assuming you have an IPS and it is in-line, you can imagine it as a police checkpoint on the road. Every car must stop and be checked out. It will back traffic up. Now a properly sized and tuned IPS will add a very small amount of overhead and, done correctly, will not add any noticeable amount of time to the end user's response time.

Do NOT allow IT to re-install everything or move the server off of a blade yet.

Which Fortinet do you have?

Did it replace something else?

    If it replaced something else, was it in-line or out-of-band?

Were there other changes made?

    New version of the application deployed?  
    New data loaded into the database?


If they are pushing moving away from blades to "traditional servers" then I would question everything they say. Blades are just like "traditional servers." The only difference is the physical connectors into the rest of the environment. I'm a real networking guy and it took me 4 hours of architectural overview to get that through to the guys that manage our distributed servers. If you don't understand how blade servers are set up, then you tend to think they can't perform as well as stand-alone.

The only time stand-alone servers perform well is when you need more resources than the physical capabilities a blade server can provide. Example: You have an application that needs 32 "processors" or needs 512GB of RAM. A blade server can't handle that (today), so you must go with a stand-alone.

Author Comment

by:Zugarus
ID: 34193677
Thank you for your insight. Turns out that around the same time as installing Fortinet, anti-virus software was also installed on these same machines... and exclusions specific to the application were not properly set up. Those were added today and performance improved tremendously.