xshkurti
Staff
Article Id 241415
Description This article describes how to free up memory to avoid FortiGate entering conserve mode when its resources are highly utilized.
Scope FortiOS.
Solution

FortiGate goes into a conserve mode state as a self-protection mechanism when system memory is highly utilized and reaches a specific threshold.

When FortiGate enters conserve mode, it activates protection measures to recover some memory space.

When enough memory is recovered, FortiGate exits conserve mode and deactivates those protection measures.
Three memory thresholds can be configured:

config system global
    set memory-use-threshold-extreme <integer>
    set memory-use-threshold-green <integer>
    set memory-use-threshold-red <integer>
end


In some cases, it may be necessary to increase the memory conserve mode thresholds to higher values to avoid going into conserve mode too early or to work around a known issue.

 

The following article describes how conserve mode is triggered:
Technical Tip: How conserve mode is triggered - Fortinet Community.

Follow the steps below to manually free memory:

 

  1. Optimize session timers for TCP and UDP traffic:

    config system global
        set tcp-halfclose-timer 30    <---- the default value is 120 seconds.
        set tcp-timewait-timer 0    <---- the default value is 1 second.
        set udp-idle-timer 60    <---- the default value is 180 seconds.
    end

    In this way, FortiGate waits a shorter time for sessions to close.

 

  2. Optimize session TTL settings so that sessions stay active for less time on FortiGate:

    config system session-ttl
        set default 300     <---- the default value is 3600.
    end

    To specify different values for different protocols, configure them as below.

    In the following example, DNS requests (UDP port 53) are given a 10-second timeout instead of the default value set above:

    config system session-ttl
        config port
            edit 0
                set protocol 17
                set timeout 10
                set start-port 53
                set end-port 53
            next
        end
    end

     

    For steps 1 and 2, also refer to this article:

    Technical Note: Session TTL values and Policy RST for Sessions

     

     

  3. Reduce some service caches to free the space for other processes that require it:

    config system dns
        set dns-cache-limit 600   <---- the default value is 5000.
    end

    config system fortiguard
        set webfilter-cache-ttl 600   <---- the default value is 3600.
        set antispam-cache-ttl 600   <---- the default value is 1800.
    end

     

     

  4. Reduce the maximum file size to inspect. The default is 10 MB; it can be reduced to 2-3 MB:

    config firewall profile-protocol-options
        edit <profile name>
            config [http|ftp|pop3|smtp|imap]
                set oversize-limit <MB>
            end
        next
    end
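As an added example that is not part of this article or of FortiOS, the following Python script flattens a FortiOS `show` dump (the config/edit/set/next/end structure used in the snippets above) and reports which of the settings tuned in steps 1 to 3 are still at the default values the article quotes; the sample dump is constructed.

```python
# Added example, not from the article: audit a FortiOS "show" dump for the
# memory-related settings tuned in steps 1-3. Defaults are the ones quoted above.
CHECKS = {  # (context, setting): (default, value the article suggests)
    ("system global", "tcp-halfclose-timer"): ("120", "30"),
    ("system global", "tcp-timewait-timer"): ("1", "0"),
    ("system global", "udp-idle-timer"): ("180", "60"),
    ("system session-ttl", "default"): ("3600", "300"),
    ("system dns", "dns-cache-limit"): ("5000", "600"),
    ("system fortiguard", "webfilter-cache-ttl"): ("3600", "600"),
    ("system fortiguard", "antispam-cache-ttl"): ("1800", "600"),
}

def parse_fortios(text):
    """Flatten a dump into {(context path, key): value}. 'config' and 'edit'
    push one context level; 'next' and 'end' pop one."""
    stack, settings = [], {}
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            stack.append(rest)
        elif word == "edit":
            stack.append("edit " + rest.strip('"'))
        elif word in ("next", "end") and stack:
            stack.pop()
        elif word == "set":
            key, _, value = rest.partition(" ")
            settings[("/".join(stack), key)] = value.strip().strip('"')
    return settings

def audit(text):
    """Return {setting: (current value, 'default'|'tuned', suggested value)}.
    Assumes a plain 'show' dump, which omits settings still at their default."""
    found, report = parse_fortios(text), {}
    for (ctx, key), (default, suggested) in CHECKS.items():
        value = found.get((ctx, key), default)
        report[key] = (value, "default" if value == default else "tuned", suggested)
    return report

# Constructed sample dump: two of the article's settings already tuned.
SAMPLE = """config system global
    set tcp-halfclose-timer 30
end
config system dns
    set dns-cache-limit 600
end
"""

if __name__ == "__main__":
    for key, (value, status, suggested) in audit(SAMPLE).items():
        print(f"{key:22} {value:>5}  {status:8} (article suggests {suggested})")
```

Run it against the output of `show system global`, `show system session-ttl`, `show system dns` and `show system fortiguard` concatenated into one file to see which of the article's tunings are still at their defaults on a given unit.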

     

Refer to the following articles for more information:

Technical Tip: Steps on how to optimize Memory consumption.

Technical Note: Memory optimization techniques for FortiOS.

 

When enabled, IPS may consume a lot of resources. The following article describes how to optimize IPS engine values:
Technical Tip: IPS memory optimization steps - Fortinet Community.

 

Another effective way to reduce the overall memory usage of a device is to reduce the number of worker daemons running. For more details, refer to the following article:

Technical Tip: Reduce memory usage by reducing the number of spawned daemons