Troubleshooting Tip: FortiOS Secure Module Access Violation (LOG_ID_SYS_SECURITY_WRITE_VIOLATION)

Description

This article describes how an Access Violation from the FortiOS Secure Module occurs when a process attempts to read or write to a protected resource, such as a file, library, or kernel memory, without the necessary permissions.

Scope

FortiGate.

Solution

The daemon miglogd (log forwarding) tries to read the shared‑memory file /data2/ffdb/ffdb_shm_file1 every few minutes.

Because the FortiOS Secure Module (the kernel‑level protection for FortiGuard databases such as the FFDB) detects an unauthorised read/write, it logs a Secure‑Module Access Violation (LOG_ID_SYS_SECURITY_WRITE_VIOLATION, log‑ID 20230).

The repeated violation consumes kernel memory, and after a prolonged period, the appliance exceeds its memory‑red threshold and automatically enters memory‑Conserve mode, disabling many security features.

Step 1: Confirm the exact log ID:

 diagnose log read event | grep -i  "SYS_SECURITY_WRITE_VIOLATION"

Verify that the log entry’s ID is 20230 (or 20232 for module‑load violations).

Step 2: Run Secure‑Module integrity check.

diagnose fortinet-secure-module image-integrity-check

Result → PASS → the module binary is intact; proceed to step 4.

Result → FAIL → the Secure Module image is corrupted → reinstall (step 3).

Step 3: Re‑install the Secure Module.

• Download the Secure Module package matching your FortiOS version from the Fortinet Support portal.

• Upload to the appliance (SCP/USB) and install:
  
  

execute restore secure-module <filename>
execute reboot

• After reboot, re‑run the integrity check to confirm PASS.

Step 4: Repair the FFDB database.

The shared‑memory file is a pointer to the FFDB. Deleting it forces FortiOS to rebuild a clean FFDB.

rm -f /data2/ffdb/ffdb_shm_file1
execute reboot

On boot, the system recreates the FFDB and the corresponding shared‑memory file.

Step 5: Reset the miglogd daemon.

diagnose sys process daemon-auto-restart disable miglogd
diagnose sys kill 9 $(pgrep miglogd)
diagnose sys process daemon-auto-restart enable miglogd

This clears any stale state that may still be trying to open the deleted file.

Step 6: Verify memory‑conserve thresholds

Adjust the thresholds to avoid premature conserve mode if the device runs close to its limits.

config system global
set memory-use-threshold-green 80
set memory-use-threshold-red   90
set memory-use-threshold-extreme 95
end

Step 7: Monitor for recurrence

• Let the appliance run for a few hours.

• Check that no new LOG_ID_SYS_SECURITY_WRITE_VIOLATION entries appear:
  
  

diagnose debug crashlog read
diagnose log read event | grep 20230

• Confirm the device stays out of conserve mode:
  
  

diagnose hardware sysinfo conserve

If the issue persists, refer to the Fortinet Support Portal for further assistance.

and provide:

• FortiOS version and Secure‑Module package version.

• Output of diagnose fortinet-secure-module image-integrity-check.

• A few minutes of raw logs that contain the violation (log‑ID 20230).

• Memory‑conserve status output.