Enabling the ISDB cache in the FortiOS kernel NEW
A software ISDB cache can be enabled in the FortiOS kernel. This ISDB cache can be used to enhance lookup performance by circumventing the ISDB lookup penalty when revisiting the same resources.
The ISDB cache can be enabled using the following command:
config system settings set internet-service-database-cache {enable | disable} end
Example
In the following example, after enabling the software ISDB cache, traffic will be generated twice to the same resource. Since the ISDB cache is enabled, no new query will occur in the ISDB. Instead, the ISDB lookup in performed in the cache table.
To enable the software ISDB cache:
-
Enable the ISDB cache:
config system settings set internet-service-database-cache enable end
-
Create an ISDB firewall policy:
config firewall policy edit 1 set internet-service enable set internet-service-name "Google-DNS" "Google-Other" "Google-Web" set internet-service6 enable set internet-service6-name "Google-DNS" "Google-Other" "Google-Web" next end
-
Generate traffic to access the resource which matches the ISDB ID in the firewall policy.
-
Check the Internet Service cache lists:
# diagnose firewall internet-service-cache list List Internet Service (IPV4) Cache in Kernel: MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=2 isdb_cache_hit_count=0 isdb_query_count=2 proto=6 port=443 IP=10.151.118.105 id=1245185 country_id=840 region_id=283 city_id=21065 reputation=5 insert_timestamp=4302579542 cache_hit_count=0 proto=6 port=443 IP=10.8.8.8 id=65537 country_id=840 region_id=283 city_id=15905 reputation=5 insert_timestamp=4302579760 cache_hit_count=0 # diagnose firewall internet-service6-cache list List Internet Service (IPV6) Cache in Kernel: MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=1 isdb_cache_hit_count=0 isdb_query_count=1 proto=6 port=443 IP=2600:140a:1000:196::b33 id=7929993 country_id=124 region_id=65535 city_id=65535 reputation=4 insert_timestamp=4302580009 cache_hit_count=0
-
Generate traffic to access the same resource again.
-
Check the Internet Service cache lists:
# diagnose firewall internet-service-cache list List Internet Service (IPV4) Cache in Kernel: MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=2 isdb_cache_hit_count=1 isdb_query_count=2 proto=6 port=443 IP=10.151.118.105 id=1245185 country_id=840 region_id=283 city_id=21065 reputation=5 insert_timestamp=4302579542 cache_hit_count=0 proto=6 port=443 IP=10.8.8.8 id=65537 country_id=840 region_id=283 city_id=15905 reputation=5 insert_timestamp=4302579760 cache_hit_count=1 # diagnose firewall internet-service6-cache list List Internet Service (IPV6) Cache in Kernel: MAX_ISDB_CACHE_ENTRY_SIZE=1024 num_isdb_cache_entry=1 isdb_cache_hit_count=1 isdb_query_count=1 proto=6 port=443 IP=2600:140a:1000:196::b33 id=7929993 country_id=124 region_id=65535 city_id=65535 reputation=4 insert_timestamp=4302580009 cache_hit_count=1
The ISDB lookup is performed in the cache table so there is no new query in the full ISDB.