Skip to main content
cgustave
Staff
cgustave
Staff
November 3, 2016

Technical Tip: Conserve mode changes in FortiGate 5.6 and above

  • November 3, 2016
  • 0 replies
  • 49576 views

Description

 

This article describes the changes to conserve mode self protection mechanisms starting in version 5.6.

 

Scope

 

FortiGate version 5.6 and above.

 

Solution

 

The main differences are as follows:

 
  • No more distinction between 'kernel' versus 'Proxy' or 'system' types of conserve mode.
  • Definitions for 3 thresholds: 'green', 'red', 'extreme', all adjustable through the CLI.
  • A new trigger based on 'memory used'.
  • New event logs.
  • New diagnose command 'diagnose hardware sysinfo conserve'.
  • New conserve mode stats in proxy stats via 'diag sys proxy stats all' (see the conserve_mode line).

3 memory thresholds: green, red, and extreme.

 

'red' and 'extreme': Both 'red' and 'extreme' are thresholds to enter in 'conserve mode' when the system memory used is over their thresholds.

When the used memory goes over the defined red threshold, the kernel raises the conserve mode state. FortiGate functions reacting to conserve mode state, like antivirus transparent proxies, would apply their own restriction based on their settings.
 
If the used memory continues to increase and reach the 'extreme' threshold, conserve mode actions taken with the red threshold are still active and additionally new sessions will be dropped.
  
'green': When used memory goes below the 'green' threshold, kernel releases the conserve mode state. FortiGate functions reacting to conserve mode state would stop their restriction measures.
 
Extreme: FortiGate starts to drop new sessions
Red: FortiGate enters conserve mode and No Quarantine or Sandboxing
Green: FortiGate exits conserve mode
 

Configurable thresholds.

 

Though it is recommended to keep the default memory threshold, a new CLI command has been added to allow administrators to adjust the thresholds.

 
Default values are : 
  • Red: 88% of total memory  is considered "used memory"
  • Extreme: 95% of total memory is considered "used memory"
  • Green: 82% of total memory is considered 'used memory'.

 

Configuration (CLI only):

 

config system global
set memory-use-threshold-extreme 95
set memory-use-threshold-red 88
set memory-use-threshold-green 82
end
 

Diag command:

 

 
1.png
Terms & ConditionsAccessibility statement