Description | This article describes how to free up memory to avoid FortiGate entering conserve mode (Technical Tip: How conserve mode is triggered) when its resources are highly utilized. |
Scope | FortiGate. |
Solution |
FortiGate goes into a conserve mode state as a self-protection mechanism when system memory is highly utilized and reaches a specific threshold.
When enough memory is recovered, it exits the conserve mode state and deactivates the previous state.
Three memory thresholds can be configured:
config system global
    set memory-use-threshold-extreme <integer>
    set memory-use-threshold-green <integer>
    set memory-use-threshold-red <integer>
end
The thresholds are expressed as a percentage of total memory and accept values from 70 (minimum) to 97 (maximum). The default values are listed below:
memory-use-threshold-extreme - Threshold at which memory usage is considered extreme. Default value: 95
memory-use-threshold-red - Threshold at which memory usage forces the FortiGate to enter conserve mode. Default value: 88
memory-use-threshold-green - Threshold at which memory usage forces the FortiGate to exit conserve mode. Default value: 82
In some cases, it may be necessary to increase the memory conserve mode thresholds to higher values to avoid going into conserve mode too early or to work around a known issue. If conserve modes are observed frequently, it is recommended to increase the default values to:
config system global
    set memory-use-threshold-extreme 97
    set memory-use-threshold-green 90
    set memory-use-threshold-red 94
end
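The sketch below is an added example, not Fortinet code. It models the red/green thresholds as a hysteresis loop and replays a constructed memory trace against the default and the raised values. The names (Thresholds, simulate, TRACE), the exact comparison operators and the ordering check are assumptions of the sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Thresholds:
    green: int = 82     # exit conserve mode (page default)
    red: int = 88       # enter conserve mode (page default)
    extreme: int = 95   # usage considered extreme (page default)

    def __post_init__(self):
        for name in ("green", "red", "extreme"):
            if not 70 <= getattr(self, name) <= 97:  # range stated on the page
                raise ValueError(f"{name} must be between 70 and 97")
        # Assumption of this sketch: hysteresis needs green < red < extreme.
        if not self.green < self.red < self.extreme:
            raise ValueError("expected green < red < extreme")

def simulate(samples, t):
    """Return 'normal', 'conserve' or 'extreme' for each memory sample (%)."""
    conserve, states = False, []
    for used in samples:
        if used >= t.red:          # assumed comparison: enter at or above red
            conserve = True
        elif used <= t.green:      # assumed comparison: exit at or below green
            conserve = False
        if conserve and used >= t.extreme:
            states.append("extreme")
        else:
            states.append("conserve" if conserve else "normal")
    return states

# Constructed memory-usage trace (percent of total memory), not device data.
TRACE = [80, 86, 89, 91, 85, 83, 81, 87, 93, 96, 89, 80]
DEFAULTS = Thresholds()
RAISED = Thresholds(green=90, red=94, extreme=97)   # values recommended above

def samples_in_conserve(samples, t):
    """Count samples during which the modelled unit is not in normal state."""
    return sum(state != "normal" for state in simulate(samples, t))

if __name__ == "__main__":
    for label, t in (("default", DEFAULTS), ("raised", RAISED)):
        print(label, samples_in_conserve(TRACE, t), simulate(TRACE, t))
```

Between green and red the state does not change, which is why a unit that entered conserve mode at 89% stays there at 85% and 83% with the defaults.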
Related documents: Troubleshooting-Tip-How-to-optimize-memory-usage
This article describes how conserve mode is triggered: Technical Tip: How conserve mode is triggered - Fortinet Community
Follow the steps below to manually free memory:
Log to an external device, like FortiAnalyzer or Syslog, whenever possible. This not only reduces the memory footprint on FortiGate but is also a more secure method.
Logs stored this way are difficult to tamper with or compromise in case of security events. The external device can also hold a much longer log history (depending on its log disk capacity and settings), and the logs can be reused in some FortiSIEM systems to detect, or even predict, security events.
Pay attention to:
Reference: CLI reference log 7.2.6
config system global
config antivirus settings
Signature database updates can allocate a lot of memory at once and could move the device into conserve mode. Schedule updates for off-peak hours (the example uses 3 AM; change it as appropriate for the expected environment).
config system autoupdate schedule
Or:
Switch the ISDB database to keep a small-sized Internet Service database with very limited IP addresses.
config sys global
execute update-now
In this way, FortiGate will wait a shorter time for sessions to close. As a result, fewer sessions will be stored in memory.
config system global
    set tcp-halfclose-timer 30    <--- Default is 120 sec.
    set tcp-halfopen-timer 5      <--- Default is 10 sec.
    set tcp-timewait-timer 0      <--- Default is 1 sec.
    set udp-idle-timer 60         <--- Default is 180 sec.
end
config system session-ttl
    set default 300    <--- The default value is 3600.
end
To specify different values for different protocols, configure them as below. In the following example for DNS requests, the FortiGate will wait for a different length of time than the default value specified above:
config system session-ttl config port
For steps 1 and 2, additionally, refer to this article: Technical Note: Session TTL values and Policy RST for Sessions
config system dns end
config system fortiguard
    set antispam-cache-ttl 600    <--- The default value is 1800.
end
config ips global
    set socket-size 64    <--- Or 128 [integer, 0-512].
    set database regular
end
Refer to the following articles for more information:
Technical Tip: Steps on how to optimize Memory consumption
Technical Note: Memory optimization techniques for FortiOS
When enabled, IPS may consume a lot of resources. The following article describes how to optimize IPS engine values:
The main values to look for are the following:
config ips global
    set socket-size 256      <--- 256 is the default value; a smaller socket size reduces memory use.
    set engine-count 0       <--- 0 is the default value, suggested value equal to the core number.
    set database extended    <--- Suggested to set to regular.
end
Another effective way to reduce the overall memory usage of a device is to lower the number of workers running. For more details, refer to the following article: Technical Tip: Reduce memory usage by reducing the number of spawned daemons
FortiGates with memory usage already high might activate memory conserve mode during FortiGuard updates. As the databases grow with new objects and IP addresses on each update, the recommendation is to perform ISDB updates during quieter periods when memory usage is anticipated to be lower on the unit.
With the update implemented in October 2023, the size of the ISDB has surged by 30%. Consequently, there is an elevated risk of the system entering conserve mode, particularly on lower-end FortiGate hardware units that are already experiencing high memory consumption. Refer to the following KB article: Technical Tip: FortiGate is entering into Conserve Mode during FortiGuard Updates
FortiGate offers another setting that will reduce log generation, which in turn will decrease memory usage for log storing and forwarding. As a consequence, CPU usage will also decrease.
Enabling session table entry of dropped traffic will reduce the number of log messages generated. This can be achieved by enabling session table entries under system settings.
config system settings
    set ses-denied-traffic enable
end
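To check which of the values suggested in the steps above are actually present on a unit, the following added example (not Fortinet code) parses `show`-style configuration text and reports every setting that differs from this page's suggestion. SUGGESTED, parse_config, audit and the sample text are constructed for illustration; a setting missing from the text is assumed to be at its default.

```python
# Values suggested on this page, keyed by (config path, setting).
SUGGESTED = {
    ("system global", "tcp-halfclose-timer"): "30",
    ("system global", "tcp-halfopen-timer"): "5",
    ("system global", "tcp-timewait-timer"): "0",
    ("system global", "udp-idle-timer"): "60",
    ("system session-ttl", "default"): "300",
    ("system fortiguard", "antispam-cache-ttl"): "600",
    ("system settings", "ses-denied-traffic"): "enable",
}

# Constructed sample of `show` output, not taken from a real device.
SAMPLE = """\
config system global
    set tcp-halfclose-timer 30
    set udp-idle-timer 180
end
config system interface
    edit "port1"
        set alias "wan"
    next
end
config system session-ttl
    set default 300
end
config system settings
    set ses-denied-traffic enable
end
"""

def parse_config(text):
    """Map (config path, setting) -> value for top-level `set` lines."""
    settings, stack = {}, []
    for line in text.splitlines():
        words = line.split() or [""]
        if words[0] in ("config", "edit"):
            stack.append(" ".join(words[1:]))
        elif words[0] in ("end", "next") and stack:
            stack.pop()
        elif words[0] == "set" and len(words) > 2 and len(stack) == 1:
            settings[(stack[0], words[1])] = " ".join(words[2:])
    return settings

def audit(text):
    """List (path, setting, current, suggested) where the config differs."""
    have = parse_config(text)
    return [(path, key, have.get((path, key), "default"), want)
            for (path, key), want in SUGGESTED.items()
            if have.get((path, key)) != want]
```

Settings inside `edit` entries or nested `config` blocks are skipped on purpose, so per-entry values such as an interface alias never shadow a global setting of the same name.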
Note:
Technical Tip: How to optimize the Memory consumption
Technical Tip: Script for reducing memory usage in small FortiGates experiencing conserve mode
Technical Note: Priority of session-ttl settings in FortiGate |