Desktop FortiGate hardware models (for example, FortiGate 30E, 40F, 60E, 60F, 70F, 80F, and 90G) whose memory usage is already at 64-72% or higher might enter memory conserve mode during FortiGuard updates. Refer to the Form Factor field in the product datasheet to identify the hardware type.
A FortiGuard update process may consume an additional 10-20% memory, potentially surpassing the conserve mode threshold. Conserve mode is especially likely during the download of the Internet Service Database and other database objects, which must be extracted and then processed during the update.
As the databases grow with new objects and IP addresses on each update, the recommendation is to perform ISDB updates during quieter periods when memory usage is anticipated to be lower on the unit.
This recommendation applies not only to desktop FortiGate hardware models but also to Rackmount FortiGates, especially if the unit is already experiencing high memory consumption.
With the update implemented in October 2023, the size of the ISDB has surged by 30%. Consequently, there is an elevated risk of the system entering conserve mode, particularly on lower-end FortiGate hardware units that are already experiencing high memory consumption.
For FortiGate-VM, increase the RAM to 4 GB or more.
To prevent FortiGate from triggering conserve mode during FortiGuard updates:
- Turn off automatic updates and activate scheduled updates to take place during non-production hours when memory usage is at its lowest:

    config system autoupdate schedule
        set frequency weekly
        set time 15:00
        set day Sunday
    end

- Turn on Automatic/Scheduled updates but disable FFDB updates:

    config system fortiguard
        set update-ffdb disable <----- Enable to update the Internet Service Database only during low memory usage.
    end

- Use on-demand FFDB, which is supported on FortiOS v7.2.4 and above:

    config system global
        set internet-service-database on-demand
    end

- Use mini or regular ISDB, which is a small-sized Internet Service database with very limited IP addresses:

    config system global
        set internet-service-database mini
    end

For more information, refer to: Technical Tip: Internet-service-database: On-demand Internet Service Database on-demand mode
- Consider disabling IPS Acceleration (IPSA) if the FortiGate model supports the feature (during a FortiGuard update, the ipshelper process can use up to 20% of available system memory for 5-10 seconds due to IPSA signatures needing to be compiled and loaded to the Content Processors).

    config ips global
        set cp-accel-mode none
    end

- Verify that no system daemon is consuming an unusual amount of memory, and implement appropriate memory optimization techniques to prevent the system from entering conserve mode during FortiGuard updates.
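
The headroom reasoning above (current memory usage plus the 10-20% update overhead, compared against the conserve mode threshold) can be checked offline before choosing a schedule. The following Python sketch is an added example, not Fortinet code: the readings are constructed, the function names are hypothetical, and the 88% conserve mode entry threshold is an assumption to be replaced with the value configured on the unit.

```python
import re

RED_PCT = 88.0               # assumption: conserve-mode entry threshold (% memory used)
OVERHEAD_PCT = (10.0, 20.0)  # from the article: extra memory a FortiGuard update may use
MEM_LINE = re.compile(r"^Memory:\s+(\d+)k total,\s+(\d+)k used", re.M)

def _sample(used_k, total_k=2000000):
    """Build a constructed 'get system performance status' memory line."""
    free_k = total_k - used_k
    return (f"Memory: {total_k}k total, {used_k}k used ({100 * used_k / total_k:.1f}%), "
            f"{free_k}k free ({100 * free_k / total_k:.1f}%)\n")

# Constructed readings keyed by (day, time); not taken from a real unit.
SAMPLES = {
    ("Monday", "10:00"): _sample(1600000),
    ("Wednesday", "15:00"): _sample(1440000),
    ("Saturday", "22:00"): _sample(1280000),
    ("Sunday", "03:00"): _sample(1100000),
}

def used_pct(perf_output):
    """Return used memory as a percentage, computed from the k-byte counters."""
    m = MEM_LINE.search(perf_output)
    if m is None:
        raise ValueError("no 'Memory:' line in output")
    total_k, used_k = int(m.group(1)), int(m.group(2))
    return round(100.0 * used_k / total_k, 1)

def update_risk(pct, red=RED_PCT):
    """Classify conserve-mode risk if an update starts at this usage level."""
    if pct + OVERHEAD_PCT[0] >= red:
        return "likely"      # even the 10% case crosses the threshold
    if pct + OVERHEAD_PCT[1] >= red:
        return "possible"    # only the 20% worst case crosses it
    return "unlikely"

def pick_window(samples):
    """Return (day, time, used %, risk) for the reading with the lowest usage."""
    (day, time), text = min(samples.items(), key=lambda kv: used_pct(kv[1]))
    pct = used_pct(text)
    return day, time, pct, update_risk(pct)

def schedule_cli(day, time):
    """Render the weekly schedule block shown in the article for the chosen slot."""
    return "\n".join(["config system autoupdate schedule", "    set frequency weekly",
                      f"    set time {time}", f"    set day {day}", "end"])

if __name__ == "__main__":
    day, time, pct, risk = pick_window(SAMPLES)
    print(f"quietest slot: {day} {time} at {pct}% used, conserve mode {risk}")
    print(schedule_cli(day, time))
```

If even the quietest slot is rated "possible" or "likely", scheduling alone is not enough and the other options in the list above apply.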
Related articles:
- Technical Tip: Steps on how to optimize Memory consumption
- Technical Tip: Free up memory to avoid conserve mode