vpalli
Staff
Article Id 287053
Description: This article describes the factors that lead to FortiGate entering Conserve Mode during scheduled or manual FortiGuard updates.
Scope: FortiGate
Solution

Desktop FortiGate hardware models with memory usage already at 64-72% or higher might enter memory conserve mode during FortiGuard updates. Examples include FortiGate 30E, 40F, 60E, 60F, 70F, 80F, 90G, etc. Refer to the Form Factor field in the product datasheet to identify the hardware type.


 

A FortiGuard update process may consume an additional 10-20% memory, potentially surpassing the conserve mode threshold. Conserve mode is especially evident during the download of the Internet Service Database (ISDB) and other database objects, which must be extracted and then processed during updates.

As the databases grow with new objects and IP addresses on each update, the recommendation is to perform ISDB updates during quieter periods when memory usage is anticipated to be lower on the unit.

This recommendation applies not only to desktop FortiGate hardware models but also to Rackmount FortiGates, especially if the unit is already experiencing high memory consumption.

With the update implemented in October 2023, the size of the ISDB has surged by 30%. Consequently, there is an elevated risk of the system entering conserve mode, particularly on lower-end FortiGate hardware units that are already experiencing high memory consumption.

 

For FortiGate-VM, increase the RAM to 4 GB or more.

 

To prevent FortiGate from triggering conserve mode during FortiGuard updates:

  1. Turn off automatic updates and activate scheduled updates to take place during non-production hours when memory usage is at its lowest:


config system autoupdate schedule
    set frequency weekly
    set time 15:00
    set day Sunday
end

 

  2. Turn on automatic/scheduled updates but disable FFDB updates:


config system fortiguard
    set update-ffdb disable <----- Enable to update the Internet Service Database only during low memory usage.
end

 

  3. Use on-demand FFDB, which is supported on FortiOS v7.2.4 and above:


config system global
    set internet-service-database on-demand
end

 

  4. Use mini or regular ISDB, which is a small-sized Internet Service database with very limited IP addresses:


config system global
    set internet-service-database mini
end

 

For more information, refer to:
Technical Tip: Internet-service-database: On-demand 
Internet Service Database on-demand mode

 

  5. Consider disabling IPS Acceleration (IPSA) if the FortiGate model supports the feature. During a FortiGuard update, the ipshelper process can use up to 20% of available system memory for 5-10 seconds because IPSA signatures need to be compiled and loaded to the Content Processors:


config ips global
    set cp-accel-mode none
end

 

  6. Verify that no system daemon is consuming an unusual amount of memory, and implement appropriate memory optimization techniques to prevent the system from entering conserve mode during FortiGuard updates.
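
The following sketch is an added example, not Fortinet code. It picks the weekly update slot for option 1 by adding the article's worst-case 20% update overhead to the observed peak memory usage in each slot and keeping only slots that stay below the conserve mode threshold. Assumptions: the threshold is the default `memory-use-threshold-red` of 88%, samples are `Memory:` lines taken from `get system performance status`, and the sample lines below are constructed.

```python
import re
from collections import defaultdict

UPDATE_OVERHEAD_PCT = 20.0  # worst case of the 10-20% the article cites
CONSERVE_RED_PCT = 88.0     # assumption: default memory-use-threshold-red

# Assumed shape of the "Memory:" line in `get system performance status`.
MEM_RE = re.compile(r"Memory:.*?used \((\d+(?:\.\d+)?)%\)")

def parse_used_pct(line):
    """Extract the used-memory percentage from one CLI output line."""
    m = MEM_RE.search(line)
    if m is None:
        raise ValueError(f"no memory usage in line: {line!r}")
    return float(m.group(1))

def safe_windows(samples):
    """Return (peak_pct, day, hour) slots whose peak plus update overhead
    stays below the conserve-mode threshold, lowest peak first."""
    peak = defaultdict(float)
    for day, hour, line in samples:
        peak[(day, hour)] = max(peak[(day, hour)], parse_used_pct(line))
    return sorted((p, d, h) for (d, h), p in peak.items()
                  if p + UPDATE_OVERHEAD_PCT < CONSERVE_RED_PCT)

def schedule_config(samples):
    """Build the weekly schedule for the quietest safe slot, or None when
    no slot has enough headroom and scheduling alone will not help."""
    windows = safe_windows(samples)
    if not windows:
        return None
    _, day, hour = windows[0]
    return "\n".join(["config system autoupdate schedule",
                      "    set frequency weekly",
                      f"    set time {hour:02d}:00",
                      f"    set day {day}",
                      "end"])

def _line(pct):  # constructed sample line, not captured from a device
    used = int(2061108 * pct / 100)
    return f"Memory: 2061108k total, {used}k used ({pct}%), {2061108 - used}k free"

SAMPLES = [("Sunday", 3, _line(60.0)), ("Sunday", 3, _line(63.5)),
           ("Sunday", 15, _line(71.2)), ("Monday", 10, _line(74.8)),
           ("Wednesday", 2, _line(66.0))]

if __name__ == "__main__":
    print(schedule_config(SAMPLES) or "no safe window: reduce memory use first")
```

When no slot qualifies, the function returns None, which indicates that scheduling alone is not enough and one of the other options in the list (disabling FFDB updates, on-demand or mini ISDB, memory optimization) is needed.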

 

Related articles:
Technical Tip: Steps on how to optimize Memory consumption 
Technical Tip: Free up memory to avoid conserve mode