Troubleshooting Tip: Excessive memory consumption by httpsd daemon triggers memory conserve mode on FortiGate

FortiGate devices running FortiOS v7.4.9, v7.4.10 and v7.4.11 may enter memory conserve mode due to high memory utilization caused by the httpsd process (approximately 50–70% memory usage).

In some cases, this condition may result in partial configuration loss, particularly affecting locally installed certificates.
At the time of the issue, CPU utilization of the httpsd daemon may also spike to 80–100%, as shown in the sample output below:

   diagnose sys top 2 50

httpsd 2617 R 82.1 11.2 2
httpsd 2617 S 81.0 14.1 0
httpsd 2617 R 82.0 16.8 10
httpsd 2617 R 86.1 19.7 2
httpsd 2617 R 81.0 22.4 0
httpsd 2617 R 85.0 25.3 2
httpsd 2617 S 84.1 28.1 6
httpsd 2617 R 79.0 30.7 2
httpsd 2617 R 86.0 33.6 2
httpsd 2617 R 82.1 36.3 2
httpsd 2617 R 81.0 39.0 2
httpsd 2617 R 85.0 41.9 7
httpsd 2617 R 82.1 44.6 7
httpsd 2617 R 78.0 47.3 6
httpsd 2617 R 84.0 50.0 6
httpsd 2617 R 98.0 51.1 6
httpsd 2617 R 99.9 51.8 6
httpsd 2617 R 99.9 52.6 6
httpsd 2617 R 99.9 52.6 6
httpsd 2617 R 99.0 52.6 6
httpsd 2617 S 76.0 52.6 2

In environments where the FortiGate HA cluster manages a large number of downstream devices (for example, 20+ FortiSwitches and FortiAPs), the issue may be triggered when navigating to:

Security Fabric -> Logical/Physical Topology.

Within 5-10 seconds of accessing this menu, the httpsd process may consume approximately 60% of system memory, triggering:

• Memory conserve mode.
• Temporary traffic interruption and session drops.

Notably, the httpsd daemon may consume high memory even when administrative HTTPS access and Device identification across the unit are disabled.

This issue is currently under investigation by the development team. The article will be updated with the latest information once a fix is available.

Workaround: Configure a Python script to terminate the httpsd daemon whenever the httpsd daemon appears in the output of 'diagnose sys top-mem'.

A local workaround consists of creating an automation script in the FortiGate:

config system auto-script
    edit "restart_https"
        set interval 28800         <----- Interval of time in seconds to execute the task, for example, every 8 hours.
        set repeat 0               <----- Time of repeats, 0 means always. The default is 1.
        set start auto             <---- If set to auto, the process would start by the system automatically; manual is the default, where it is necessary to start the process.
        set script "fnsysctl killall httpsd"
    next
end