Skip to main content
ctanapip
ctanapip
New Member
March 13, 2026
Question

Memory Conserve Mode RCA

  • March 13, 2026
  • 3 replies
  • 272 views

What is the best way to do RCA on memory conserve mode on FortiGate? The conserve mode happened on Feb 9, 2026 as shown in the output below.

 

215: 2026-02-09 19:00:05 service=kernel conserve=on total="1918 MB" used="1688 MB" red="1687 MB"
216: 2026-02-09 19:00:05 green="1572 MB" msg="Kernel enters memory conserve mode"
217: 2026-02-09 19:00:06 MemTotal: 1964180 kB
218: 2026-02-09 19:00:06 MemFree: 30232 kB

 

Thanks

3 replies

denyanyany
denyanyany
New Member
March 13, 2026

Identify high-memory processes
Run:

diagnose sys top

Look for processes like wad, ipsengine, scanunitd, miglogd consuming large memory.

Check session usage

diagnose sys session stat

High session count can exhaust memory.

4️eview enabled security features
Heavy features like SSL inspection, IPS, Antivirus, Web Filtering increase memory usage.

:keycap_5: Verify firmware / known issues
Check version with:

get system status

Then confirm if that FortiOS build has known memory leaks.
Typical RCA conclusion: Memory usage exceeded the red threshold due to high process or session consumption, causing the FortiGate to enter memory conserve mode.

ctanapip
ctanapipAuthor
New Member
March 13, 2026

Does anyone know if version below might have had memory leaks? Thanks

Version: FortiGate-40F v7.0.17,build0682,250113 (GA.M)

denyanyany
denyanyany
New Member
March 13, 2026

On FortiOS 7.0.17 (build0682) there is no widely reported general memory-leak issue, so the most likely cause is high memory consumption from sessions or inspection processes (e.g., WAD/IPS) rather than a confirmed firmware bug.

Next checks:

diagnose sys top → identify high-memory process

diagnose sys session stat → check session count

Review enabled UTM features (IPS, SSL inspection, AV)

ctanapip
ctanapipAuthor
New Member
March 13, 2026

Is there a way to check by running those commands mentioned in the previous message for the conserve mode occured several weeks ago? Thanks 

Markus_M
Staff & Editor
Markus_M
Staff & Editor
March 13, 2026

No, this needs to run when the issue happens.

A general remark:

- Make sure generally to not spam the policies with all features that FortiOS offers. Many times these won't be needed but they use memory and can overwhelm a 40F if used to a large degree.

- Don't open your WAN interface to administrative access. It may lead to automated attempts to guess passwords where the FortiGate would each time need to respond to the request. This would be present in the logs that FortiGate keeps, but it would nto be available for several weeks, I think(!) at max 7 days. A FortiAnalyzer might hold logs available for a longer period.

Terms & ConditionsAccessibility statement