Matt_B
Staff & Editor
March 10, 2026

Technical Tip: Sustained TCP SYN flood traffic may trigger a Memory Leak and cause Conserve Mode after upgrading to FortiOS v7.4.10 or v7.4.11

Description:
This article describes an issue where the device may experience a memory leak when subjected to sustained TCP SYN flood traffic.

Scope:
FortiOS v7.4.10 and v7.4.11.

Solution:

This issue is under investigation with ID# 1260308. After upgrading to v7.4.10 or v7.4.11, a memory leak may be observed during a sustained TCP SYN flood DoS attack.


Symptoms:
All of the following requirements must be met to match the issue:

  • 'diagnose sys session stat' shows an unexpectedly large number of TCP sessions in the 'SYN_SENT' or 'SYN_RECV' state.

diagnose sys session stat
misc info: session_count=7894 setup_rate=0 exp_count=0 reflect_count=0 clash=1
memory_tension_drop=0 ephemeral=0/1146880 removeable=0 extreme_low_mem=0
npu_session_count=0
nturbo_session_count=0
delete=2, flush=162, dev_down=74/4003
session walkers: active=0, vf-194, dev-0, saddr-0, npu-0, wildcard-74
TCP sessions:
5 in ESTABLISHED state
5134 in SYN_SENT state
1874 in SYN_RECV state
827 in CLOSE state
...

  • The session_count value in the 'diagnose sys session stat' output is significantly greater than the total session count reported by 'diagnose sys session list | grep total\ session'.

diagnose sys session stat
misc info: session_count=7894 setup_rate=0 exp_count=0 reflect_count=0 clash=1
...
diagnose sys session list | grep total\ session
total session: 59

  • 'diagnose hardware sysinfo memory' shows an unexpectedly high value for 'SUnreclaim'.

diagnose hardware sysinfo memory
...
Slab: 1056956 kB
SReclaimable: 31168 kB
SUnreclaim: 1025788 kB

Note: Increased memory and CPU usage during a TCP SYN flood is expected. The issue under investigation is matched only if memory usage does not recover after the flood ends, or keeps increasing during a sustained incident without recovery.
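To make the three-part check above repeatable during an incident, the following Python helper parses the relevant lines of the CLI output and reports a match only when all three symptoms are present, then applies the note's "does not recover" rule to a series of SUnreclaim samples taken after the flood subsides. This is an added example, not code from the article or from Fortinet; the sample output is constructed from the excerpts above, and the numeric thresholds (half-open ratio, session_count multiple, SUnreclaim size) are assumptions chosen for illustration, not vendor guidance. Capture the outputs yourself (for example over SSH) and pass them in as strings.

```python
"""Triage helper for the three symptoms described in the article.
Added example, not Fortinet code; thresholds below are assumptions."""
import re

# Constructed sample output, modelled on the article's CLI excerpts.
SESSION_STAT = """\
misc info: session_count=7894 setup_rate=0 exp_count=0 reflect_count=0 clash=1
memory_tension_drop=0 ephemeral=0/1146880 removeable=0 extreme_low_mem=0
npu_session_count=0
nturbo_session_count=0
delete=2, flush=162, dev_down=74/4003
session walkers: active=0, vf-194, dev-0, saddr-0, npu-0, wildcard-74
TCP sessions:
5 in ESTABLISHED state
5134 in SYN_SENT state
1874 in SYN_RECV state
827 in CLOSE state
"""
SESSION_LIST_TOTAL = "total session: 59\n"   # from 'diagnose sys session list | grep total\ session'
SYSINFO_MEMORY = """\
Slab: 1056956 kB
SReclaimable: 31168 kB
SUnreclaim: 1025788 kB
"""


def parse_session_stat(text):
    """Return (session_count, {tcp_state: count}) from 'diagnose sys session stat'."""
    m = re.search(r"session_count=(\d+)", text)
    session_count = int(m.group(1)) if m else 0
    states = {state: int(n) for n, state in re.findall(r"^(\d+) in (\w+) state$", text, re.M)}
    return session_count, states


def parse_total_session(text):
    """Return the 'total session: N' value from the session list output."""
    m = re.search(r"total session:\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def parse_sunreclaim_kb(text):
    """Return the SUnreclaim value in kB from 'diagnose hardware sysinfo memory'."""
    m = re.search(r"^SUnreclaim:\s*(\d+)\s*kB", text, re.M)
    return int(m.group(1)) if m else 0


def matches_leak_signature(stat_text, list_text, mem_text,
                           half_open_ratio=0.5, count_ratio=10.0, sunreclaim_kb=512 * 1024):
    """True only when all three symptoms are present at once.
    Assumed thresholds: at least half of TCP sessions half-open, session_count at least
    10x the listed total, and SUnreclaim at least 512 MB. Tune them for your platform."""
    session_count, states = parse_session_stat(stat_text)
    half_open = states.get("SYN_SENT", 0) + states.get("SYN_RECV", 0)
    tcp_total = sum(states.values())
    symptom_half_open = tcp_total > 0 and half_open / tcp_total >= half_open_ratio
    symptom_count_gap = session_count >= count_ratio * max(parse_total_session(list_text), 1)
    symptom_slab = parse_sunreclaim_kb(mem_text) >= sunreclaim_kb
    return symptom_half_open and symptom_count_gap and symptom_slab


def sunreclaim_recovers(samples_kb, tolerance=0.1):
    """Apply the article's note: growth during a flood is expected, the issue is
    matched when SUnreclaim does not fall back afterwards. `samples_kb` are readings
    taken after traffic subsided, oldest first; recovery means the latest reading is
    at least `tolerance` (10% by default, an assumed value) below the observed peak."""
    if len(samples_kb) < 2:
        return True  # too little data to claim non-recovery
    peak = max(samples_kb)
    return samples_kb[-1] <= peak * (1 - tolerance)


if __name__ == "__main__":
    print("signature match:", matches_leak_signature(SESSION_STAT, SESSION_LIST_TOTAL, SYSINFO_MEMORY))
    print("recovered after flood:", sunreclaim_recovers([300000, 1025788, 1020000]))
```

Run this against outputs collected both during the flood and some minutes after it has stopped; a signature match on its own is not conclusive, and only a failure of `sunreclaim_recovers` on the post-flood samples distinguishes the leak from the expected, transient increase.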

This issue has been resolved in v7.4.12 (scheduled to be released in April 2026).
These timelines for firmware release are estimated and may be subject to change.

Workaround:
Reclaiming the memory requires a firewall reboot. As a temporary measure, an administrator can configure an automation stitch that reboots the firewall when conserve mode is entered.

config system automation-stitch
    edit "Reboot_FGT_When_Conserve_Mode"
        set trigger "Conserve Mode"
        config actions
            edit 1
                set action "Reboot FortiGate"
            next
        end
    next
end


Until firmware v7.4.12 is released, it is recommended to revert to the previous firmware version, v7.4.9 or earlier, to avoid the issue. If available, use the 'execute set-next-reboot' command to roll back to the previous firmware and configuration, as demonstrated in Technical Tip: Selecting an alternate firmware for the next reboot.

If a particular source IP address or group of addresses is associated with the TCP SYN flood, the increased memory usage can be prevented by blocking the affected addresses with an address object and an ACL on the incoming interface:

config firewall address
    edit "DoS_Attack_Source_IP"
        set subnet X.X.X.X/YY
    next
end

config firewall acl
    edit <index>
        set name "Deny_DoS_Attack_Source_IP"
        set interface <incoming interface>
        set srcaddr "DoS_Attack_Source_IP"
        set dstaddr "all"
        set service "ALL"
    next
end