FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 241415
Description This article describes how to free up memory to avoid FortiGate entering conserve mode when its resources are highly utilized.
Scope FortiOS.

FortiGate goes into a conserve mode state as a self-protection mechanism when system memory is highly utilized and reaches a specific threshold.

When FortiGate enters conserve mode, it activates protection measures to recover some memory space.

When enough memory is recovered, it exits the conserve mode state and deactivates the previous state. 


Three memory thresholds can be configured:


config system global

set memory-use-threshold-extreme <integer>

set memory-use-threshold-green <integer>

set memory-use-threshold-red <integer>


In some cases, it may be necessary to increase the memory conserve mode thresholds to higher values to avoid going into conserve mode too early or to work around a known issue.


This article describes how conserve mode is triggered:
Technical Tip: How conserve mode is triggered - Fortinet Community.



Follow the steps below to manually free memory:


  1. Optimize session timers for TCP and UDP Traffic


config system global

set tcp-halfclose-timer 30    default is 120 sec

set tcp-timewait-timer 0    default is 1 sec

set udp-idle-timer 60    default is 180 sec



In this way, FortiGate will wait a shorter time for sessions to close.


  1. Optimize session ttl settings so sessions stay active for less time on FortiGate:


    config system session-ttl

    set default 300     <---- the default value is 3600.



    To specify different values for different protocols, configure them as below.

    In the following example for DNS requests, the FortiGate will wait for a different length of time than the default value specified above:


    config system session-ttl

        config port
            edit 0
                set protocol 17
                set timeout 10
                set end-port 53
                set start-port 53


    For steps 1 and 2, additionally, refer to this article:

    Technical Note: Session TTL values and Policy RST for Sessions 



  2. Reduce some service caches and free the space for other processes that require it:


    config system dns
        set dns-cache-limit 600   the default value is 5000.



    config system fortiguard
        set webfilter-cache-ttl 600   the default value is 3600.
        set antispam-cache-ttl 600   the default value is 1800.




  3. Reduce the maximum file size to inspect, the default is 10MB, it can be reduced to 2-3MB.


    config firewall profile-protocol-options

        edit <profile name>

            config [http|ftp|pop3|smtp|imap]

                set over size-limit <MB>



Refer to the following articles for more information:

Technical Tip: Steps on how to optimize Memory consumption.

Technical Note: Memory optimization techniques for FortiOS.


When enabled, IPS may consume a lot of resources. The following article describes how to optimize IPS engine values:
Technical Tip: IPS memory optimization steps - Fortinet Community.


Another effective way to reduce the overall memory usage of a device is to lower the amount of workers running. For more details, refer to the following article:

Technical Tip: Reduce memory usage by reducing the number of spawned daemons