vpalli
Staff
Article Id 287053
Description This article describes the factors that lead to FortiGate entering Conserve Mode during scheduled or manual FortiGuard updates.
Scope FortiGate.
Solution

Desktop FortiGate hardware models with memory usage already at 64-72% or higher might enter memory conserve mode during FortiGuard updates, for example FortiGate-30E, 40F, 60E, 60F, 70F, 80F, 90G, etc. Refer to the Form Factor field in the product datasheet to identify the hardware type.


 

A FortiGuard update process may consume an additional 10-20% of memory, potentially surpassing the conserve mode threshold. Conserve mode is especially likely during the download of the Internet Service Database and other database objects, which must be extracted and then processed during updates.

As the databases grow with new objects and IP addresses on each update, the recommendation is to perform ISDB updates during quieter periods when memory usage is anticipated to be lower on the unit.

This recommendation applies not only to desktop FortiGate hardware models but also to Rackmount FortiGate devices, especially if the unit is already experiencing high memory consumption.

With the update implemented in October 2023, the size of the ISDB has surged by 30%. Consequently, there is an elevated risk of the system entering conserve mode, particularly on lower-end FortiGate hardware units that are already experiencing high memory consumption.

 

  • For FortiGate-VM: Ensure the virtual machine is allocated at least 4 GB of RAM to prevent entering conserve mode during FortiGuard updates.
  • Firmware Enhancements: As of December 2024, advancements in FortiOS versions v7.2.11, v7.4.6, and v7.6.1 aim to reduce the likelihood of conserve mode activation during update processes.
    • In v7.4.7, an enhancement will be introduced to prevent system freezes when conserve mode is imminent. This feature is already implemented in v7.2.11 and v7.6.1.

 

To prevent FortiGate from triggering conserve mode during FortiGuard updates:

  1. Turn off automatic updates and activate scheduled updates to take place during non-production hours when memory usage is at its lowest. In the following example, change the frequency to daily if preferred:

config system autoupdate schedule
    set frequency weekly
    set time 03:60
    set day Sunday
end

 

  1. Turn on Automatic/Scheduled updates but disable FFDB updates:

config system fortiguard
    set update-ffdb disable <--- Enable to update the Internet Service Database only during low memory usage.
end

 

  1. Use on-demand FFDB which is supported on FortiOS v7.2.4 and above:

config system global
    set internet-service-database on-demand
end

 

If 'on-demand' is not available, use the regular ISDB or the mini ISDB, which is a small-sized Internet Service database with very limited IP addresses:

 

config system global
    set internet-service-database mini
end
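
One way to choose the quiet window for the scheduled-update option above, as an added example that is not part of the original article or Fortinet code: it adds the article's worst-case 20% update overhead to the peak memory use seen in each slot and renders the schedule block for the slot with the most headroom. The 88% conserve-mode threshold, the sample readings, and the function names are assumptions; confirm the threshold configured on the unit.

```python
from collections import defaultdict

RED_THRESHOLD = 88    # assumption: default conserve-mode (red) threshold; confirm on the unit
UPDATE_OVERHEAD = 20  # worst case of the 10-20% extra memory an update may consume

# Constructed samples: (weekday, hour, memory used %) polled over several weeks.
SAMPLES = [
    ("Sunday", 3, 58), ("Sunday", 3, 61), ("Sunday", 14, 66),
    ("Monday", 3, 63), ("Monday", 10, 72), ("Monday", 10, 70),
    ("Wednesday", 3, 65), ("Wednesday", 15, 71),
]

def peak_by_slot(samples):
    """Highest memory use seen in each (weekday, hour) slot."""
    peaks = defaultdict(int)
    for day, hour, used in samples:
        peaks[(day, hour)] = max(peaks[(day, hour)], used)
    return dict(peaks)

def pick_window(samples, threshold=RED_THRESHOLD, overhead=UPDATE_OVERHEAD):
    """Return (day, hour, headroom %) for the slot with the most headroom after
    adding the update overhead, or None if no slot stays under the threshold."""
    best = None
    for (day, hour), peak in sorted(peak_by_slot(samples).items()):
        headroom = threshold - (peak + overhead)
        if headroom > 0 and (best is None or headroom > best[2]):
            best = (day, hour, headroom)
    return best

def schedule_config(day, hour):
    """Render the article's scheduled-update block for the chosen slot."""
    return "\n".join([
        "config system autoupdate schedule",
        "    set frequency weekly",
        f"    set time {hour:02d}:00",
        f"    set day {day}",
        "end",
    ])

if __name__ == "__main__":
    choice = pick_window(SAMPLES)
    if choice is None:
        # No slot is safe: fall back to disabling FFDB updates or a smaller ISDB.
        print("No safe window; use update-ffdb disable or the on-demand/mini ISDB.")
    else:
        print(f"# peak + {UPDATE_OVERHEAD}% leaves {choice[2]}% headroom")
        print(schedule_config(choice[0], choice[1]))
```

When `pick_window` returns `None`, no observed slot can absorb the update overhead, which is the case the FFDB and ISDB size options above address.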

 

For more information, refer to:

 

  1. Consider disabling IPS Acceleration (IPSA) if the FortiGate model supports the feature (during a FortiGuard update, the ipshelper process can use up to 20% of available system memory for 5-10 seconds due to IPSA signatures needing to be compiled and loaded to the Content Processors).

     

    config ips global
        set cp-accel-mode none
    end

    Refer to: Troubleshooting Tip: Conserve mode due to ipshelper in lower end models

  2. Refer to the following articles for more memory optimization tips: