FortiGate
nkorea (Staff)
Article Id 363560
Description: This article describes a known issue where FortiGate devices with 4 GB of memory may enter conserve mode when certain IPS or application control features are enabled.
Scope: FortiGate.
Solution

FortiGate devices with 4 GB of memory, such as the FortiGate 100F/101F (Hardware Revision: Rev1), may enter conserve mode when certain IPS or application control features are enabled. The memory size and hardware revision can be confirmed with 'get hardware status':

FortiGate-100F # get hardware status
Model name: FortiGate-100F
ASIC version: SOC4
CPU: ARMv8
Number of CPUs: 8
RAM: 3614 MB
EMMC: 3662 MB(MLC) /dev/mmcblk0
Hard disk: not available
USB Flash: not available
Network Card chipset: FortiASIC NP6XLITE Adapter (rev.)
Hardware Revision: Rev1


The node and wad_ips processes are observed to consume increasing amounts of memory over time, eventually pushing the device into conserve mode. Several node worker PIDs and a wad_ips process appear at the top of 'diagnose sys top-mem', and memory usage is already at 85.8%:

FortiGate-100F # diagnose sys top-mem 50
node (30780): 78686kB
node (30782): 77173kB
node (30781): 68144kB
node (30769): 65424kB
wad_ips (31350): 151433kB

FortiGate-100F # get sys perf status
Memory: 3701376k total, 3174480k used (85.8%), 312896k free (8.5%), 214000k freeable (5.7%)

logid="0100022815" type="event" subtype="system" level="notice" vd="root" logdesc="Scanunit loaded AV Database" action="update" msg="scanunit=manager pid=1204 loading AV database successful"

In another capture, ipshelper and wad_ips are the top consumers of both CPU and memory:

FortiGate-100F # diag sys top-all 2 100
Run Time: 0 days, 0 hours and 20 minutes
25U, 0N, 0S, 75I, 0WA, 0HI, 0SI, 0ST; 3614T, 643F
      ipshelper 263 R 99.9 3.5 4
        wad_ips 1338 R 99.5 1.8 2
       bcm.user 133 S < 2.9 0.5 1
         newcli 1333 S 1.4 0.7 0

FortiGate-100F # diagnose sys top-mem 250
ipshelper (263): 369914kB
wad_ips (1338): 195507kB

ipshelper is part of the IPS engine, and wad_ips is the WAD process that builds the IPS/application control database.
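To spot this pattern in captured CLI output before the device reaches conserve mode, the following Python script (an added example, not part of this article or of FortiOS) parses 'diagnose sys top-mem' and 'get sys perf status' output, sums memory per process name across PIDs and checks the used percentage against a threshold supplied by the caller, which is assumed to match the device's configured conserve-mode threshold. The sample output is constructed from the captures above.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the captures in this article (not a live capture).
TOP_MEM_SAMPLE = """\
FortiGate-100F # diagnose sys top-mem 50
node (30780): 78686kB
node (30782): 77173kB
node (30781): 68144kB
node (30769): 65424kB
wad_ips (31350): 151433kB
"""
PERF_SAMPLE = ("Memory: 3701376k total, 3174480k used (85.8%), "
               "312896k free (8.5%), 214000k freeable (5.7%)")

# 'diagnose sys top-mem' prints one "name (pid): NNNkB" line per process.
TOP_MEM_RE = re.compile(r"^(\S+) \((\d+)\): (\d+)kB$")
# 'get sys perf status' prints raw kB figures next to the rounded percentages.
PERF_RE = re.compile(r"(\d+)k total, (\d+)k used")

def memory_by_process(top_mem_output):
    """Sum memory per process name across PIDs (several node workers run at once)."""
    totals = defaultdict(int)
    for line in top_mem_output.splitlines():
        m = TOP_MEM_RE.match(line.strip())
        if m:
            totals[m.group(1)] += int(m.group(3))
    return dict(totals)

def used_percent(perf_status_line):
    """Recompute the used percentage from the raw kB figures."""
    m = PERF_RE.search(perf_status_line)
    if not m:
        raise ValueError("no Memory line found in perf status output")
    total_kb, used_kb = int(m.group(1)), int(m.group(2))
    return round(100.0 * used_kb / total_kb, 1)

def conserve_mode_risk(top_mem_output, perf_status_line, red_threshold,
                       watch=("node", "wad_ips", "ipshelper")):
    """Return (used %, watched processes ranked by memory, threshold reached?).

    red_threshold is supplied by the caller and assumed to equal the device's
    configured conserve-mode entry threshold; it is not read from the device.
    """
    pct = used_percent(perf_status_line)
    totals = memory_by_process(top_mem_output)
    suspects = sorted(((name, kb) for name, kb in totals.items() if name in watch),
                      key=lambda item: item[1], reverse=True)
    return pct, suspects, pct >= red_threshold
```

Run it against output collected on a schedule and compare successive results: a per-process total that only grows between samples is the signature described above.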

This issue is resolved in FortiGate firmware v7.6.2, which is scheduled for release in March 2025.


Note that these timelines for firmware release are estimates and may be subject to change. This article will be updated periodically with the latest information.

Until the fix is available, the workaround is to disable proxy-inline-ips and CP acceleration (cp-accel-mode):

1. Disable proxy-inline-ips (this feature will be disabled by default on all lower-end FortiGates with <=4GB RAM):

config ips settings
    set proxy-inline-ips disable
end

Note: The inline IPS feature allows HTTP/HTTPS traffic to be processed directly in WAD for application control and IPS UTM features, reducing reliance on the IPS engine.

2. Set cp-accel-mode to 'none', which stops offloading security processing such as virus scanning, attack detection, encryption and decryption to the Content Processors:

config ips global
    set cp-accel-mode none
end

Logs required by FortiGate TAC for investigation:

1. System information and other statistics:

get system status
get hardware status
get sys perf status
diagnose sys session stat
diagnose sys session6 stat
diagnose hardware sysinfo memory
diagnose hardware sysinfo slab
diagnose hardware sysinfo shm
diagnose sys top-mem 50
diagnose sys vd list | grep fib
diagnose sys cmdb info
diagnose sys top-fd 30
diagnose sys mpstat 1 3
diagnose sys top-all 2 50
diagnose sys top-fd 20
diagnose sys top-mem 20
diagnose ips session status
diagnose ips memory status
diagnose ips packet status
diagnose test application ipsmonitor 24
diagnose ips session list by-flowav-mem 50
diagnose ips session list by-idle 50
diagnose ips session list by-created-queries 50
diagnose ips dissector dump
diagnose ips raw status
diagnose ips session performance
diagnose ips session list by-mem
fnsysctl df -k
fnsysctl df -m
fnsysctl ls -l /tmp
fnsysctl du -i /tmp
fnsysctl du -ax /tmp
fnsysctl du -a / -d 1
fnsysctl du -i /dev/shm
fnsysctl du -ax /dev/shm
fnsysctl ls -l /dev/shm
fnsysctl du -i /node-scripts
fnsysctl du -ax /node-scripts
fnsysctl ls -l /node-scripts

2. TAC report:

execute tac report

3. The configuration file of the FortiGate.