Description
This article describes the changes to conserve mode self protection mechanisms starting in version 5.6.
Scope
FortiGate version 5.6 and above.
Solution
The main differences are as follows:
- No more distinction between 'kernel' versus 'Proxy' or 'system' types of conserve mode.
- Definitions for 3 thresholds: 'green', 'red', 'extreme', all adjustable through the CLI.
- A new trigger based on 'memory used'.
- New event logs.
- New diagnose command 'diagnose hardware sysinfo conserve'.
- New conserve mode stats in proxy stats via 'diag sys proxy stats all' (see the conserve_mode line).
3 memory thresholds: green, red, and extreme.
'red' and 'extreme': Both thresholds trigger conserve mode when used system memory goes over them.
When used memory goes over the defined red threshold, the kernel raises the conserve mode state. FortiGate functions that react to the conserve mode state, such as antivirus transparent proxies, apply their own restrictions based on their settings.
If used memory continues to increase and reaches the 'extreme' threshold, the conserve mode actions taken at the red threshold remain active and, additionally, new sessions are dropped.
'green': When used memory goes below the 'green' threshold, the kernel releases the conserve mode state. FortiGate functions that react to the conserve mode state stop their restriction measures.
• Extreme: FortiGate starts to drop new sessions
• Red: FortiGate enters conserve mode; no quarantine or sandboxing
• Green: FortiGate exits conserve mode
Configurable thresholds.
Though it is recommended to keep the default memory thresholds, a new CLI command has been added to allow administrators to adjust them.
Default values are:
- Red: 88% of total memory is considered 'used memory'.
- Extreme: 95% of total memory is considered 'used memory'.
- Green: 82% of total memory is considered 'used memory'.
Configuration (CLI only):
config system global
    set memory-use-threshold-extreme 95
    set memory-use-threshold-red 88
    set memory-use-threshold-green 82
end
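The gap between the green and red thresholds means the same memory reading can fall inside or outside conserve mode depending on what came before it. The following added example (not Fortinet code) models that with the default thresholds over constructed samples; the names Thresholds, next_state and trace are hypothetical, and the boundary comparisons and the step down from 'extreme' to 'red' are assumptions.

```python
# Added illustration of the threshold behaviour described in this article.
# Not FortiOS code. Assumptions: thresholds are matched with >= (red, extreme)
# and < (green), and falling below 'extreme' returns the unit to 'red'.
from dataclasses import dataclass


@dataclass
class Thresholds:
    green: int = 82    # memory-use-threshold-green (default)
    red: int = 88      # memory-use-threshold-red (default)
    extreme: int = 95  # memory-use-threshold-extreme (default)

    def __post_init__(self):
        # Sanity check for this model only, not a documented FortiOS rule.
        if not (0 < self.green < self.red < self.extreme <= 100):
            raise ValueError("model expects green < red < extreme")


def next_state(state, used_pct, t):
    """Return 'normal', 'red' or 'extreme' after one memory-used sample."""
    if used_pct >= t.extreme:
        return "extreme"            # red actions stay active, new sessions dropped
    if state == "normal":
        return "red" if used_pct >= t.red else "normal"
    # Already in conserve mode: it is released only below the green threshold.
    return "normal" if used_pct < t.green else "red"


def trace(samples, t=None, state="normal"):
    """Return (used_pct, state, in_conserve_mode, dropping_new_sessions) per sample."""
    t = t or Thresholds()
    out = []
    for used in samples:
        state = next_state(state, used, t)
        out.append((used, state, state != "normal", state == "extreme"))
    return out


# Constructed memory-used percentages, not taken from a real device.
SAMPLES = [70, 85, 90, 85, 96, 90, 83, 81, 85]

if __name__ == "__main__":
    for used, state, conserve, dropping in trace(SAMPLES):
        print(f"{used:3d}%  {state:8s} conserve={conserve} drop_new_sessions={dropping}")
```

In the sample run, 85% appears three times: outside conserve mode on the way up, inside it after the red threshold was crossed, and outside it again once memory has dipped below green.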
Diag command: