FortiGate
xshkurti
Staff
Article Id 241415
Description This article describes how to free up memory to avoid FortiGate entering conserve mode when its resources are highly utilized.
Scope FortiOS.
Solution

FortiGate enters conserve mode as a self-protection mechanism when system memory usage reaches a specific threshold.

When it enters conserve mode, it activates protection measures to recover memory.

Once enough memory has been recovered, it exits conserve mode and lifts those measures.

 

Three memory thresholds can be configured:

 

config system global
    set memory-use-threshold-extreme <integer>
    set memory-use-threshold-green <integer>
    set memory-use-threshold-red <integer>
end

 

All three are expressed as a percentage of total memory. The allowed range is 70 to 97; the defaults are:

memory-use-threshold-extreme - Threshold at which memory usage is considered extreme and new sessions are dropped. Default value: 95

memory-use-threshold-red - Threshold at which memory usage forces the FortiGate to enter conserve mode. Default value: 88

memory-use-threshold-green - Threshold below which memory usage allows the FortiGate to exit conserve mode. Default value: 82

Keep green below red and red below extreme: the gap between green and red is the hysteresis band that stops the unit from flapping in and out of conserve mode.

 

Reference: config system global.
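As an added example, not code from the Fortinet article, the following Python models the hysteresis the three thresholds define (enter conserve mode at red, report extreme at extreme, leave only once usage has fallen below green), checks a candidate threshold set the way an operator would before committing it, and parses the Memory line of 'get system performance status'. The class and function names are assumptions, the sample output is constructed, and the Memory line format is assumed from typical FortiOS output.

```python
"""Conserve-mode threshold model (added example, not from the Fortinet article).

Models the state machine the three memory-use-threshold-* values define and
parses the Memory line of 'get system performance status'. The sample output
below is constructed; the line format is an assumption based on typical
FortiOS output.
"""
import re
from dataclasses import dataclass

# Documented bounds for memory-use-threshold-* (percent of total memory).
THRESHOLD_MIN, THRESHOLD_MAX = 70, 97

# Assumed format of the Memory line in 'get system performance status'.
MEMORY_LINE = re.compile(r"Memory:\s+(\d+)k total,\s+(\d+)k used")


@dataclass(frozen=True)
class Thresholds:
    green: int = 82    # exit conserve mode once usage is below this
    red: int = 88      # enter conserve mode at or above this
    extreme: int = 95  # extreme: new sessions are dropped


def threshold_config_errors(t: Thresholds) -> list:
    """Return the problems a 'config system global' threshold set would have.

    FortiOS accepts 70..97 for each value; the ordering check is the logical
    requirement for the hysteresis band, added here as a sanity check.
    """
    errors = []
    for name, value in (("green", t.green), ("red", t.red), ("extreme", t.extreme)):
        if not THRESHOLD_MIN <= value <= THRESHOLD_MAX:
            errors.append(f"memory-use-threshold-{name}={value} is outside "
                          f"{THRESHOLD_MIN}..{THRESHOLD_MAX}")
    if not t.green < t.red < t.extreme:
        errors.append("expected green < red < extreme; otherwise the unit "
                      "cannot leave conserve mode cleanly or flaps")
    return errors


class ConserveModeModel:
    """Tracks the state a FortiGate would report as memory samples arrive."""

    def __init__(self, thresholds: Thresholds = Thresholds()):
        errors = threshold_config_errors(thresholds)
        if errors:
            raise ValueError("; ".join(errors))
        self.t = thresholds
        self.state = "normal"

    def observe(self, used_pct: float) -> str:
        """Feed one memory-usage sample (percent) and return the new state."""
        if used_pct >= self.t.extreme:
            self.state = "extreme"
        elif used_pct >= self.t.red:
            self.state = "conserve"
        elif used_pct < self.t.green:
            self.state = "normal"       # the only exit from conserve mode
        elif self.state != "normal":
            self.state = "conserve"     # green <= used < red: still in conserve mode
        return self.state


def parse_memory_used_pct(perf_status_output: str) -> float:
    """Extract used-memory percent from 'get system performance status' output."""
    m = MEMORY_LINE.search(perf_status_output)
    if not m:
        raise ValueError("no Memory line found in output")
    total_k, used_k = int(m.group(1)), int(m.group(2))
    return round(100.0 * used_k / total_k, 1)


# Constructed sample; a real unit prints more lines around the Memory line.
SAMPLE_PERF_STATUS = """\
CPU states: 3% user 2% system 0% nice 95% idle 0% iowait 0% irq 0% softirq
Memory: 2012612k total, 1790000k used (88.9%), 150000k free (7.5%), 72612k freeable (3.6%)
"""


def run_samples(samples, thresholds: Thresholds = Thresholds()) -> list:
    """Replay a series of usage samples and return the state after each."""
    model = ConserveModeModel(thresholds)
    return [model.observe(s) for s in samples]


if __name__ == "__main__":
    used = parse_memory_used_pct(SAMPLE_PERF_STATUS)
    print(f"sample shows {used}% used -> {ConserveModeModel().observe(used)}")
    # Usage drifting up past red, then extreme, then back down: the unit stays
    # in conserve mode at 83-85% until usage falls below green (82%).
    print(run_samples([80, 85, 88, 85, 96, 90, 83, 81]))
    print(threshold_config_errors(Thresholds(green=90, red=88, extreme=95)))
```

The replay makes the practical point visible: once the unit has crossed red, a dip to 85% is not enough to leave conserve mode, which is why freeing a few percent rarely clears the condition and why the green/red gap matters when raising thresholds.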


In some cases it may be necessary to raise the conserve mode thresholds to avoid entering conserve mode too early or to work around a known issue. Raising them only delays conserve mode; it does not reduce memory consumption, so the steps below still apply.

 

This article describes how conserve mode is triggered:
Technical Tip: How conserve mode is triggered - Fortinet Community.

 

Follow the steps below to free memory manually:

 

  • Reduce memory logging.

    Logging to memory ('GUI -> Logging and Reporting') is one of the most memory-intensive features, especially when firewall policies log all sessions.
    Where possible, set each policy to log 'Security Events' (UTM events) instead of 'All Sessions'.

 


 

Log to an external device such as FortiAnalyzer or a syslog server whenever possible. This reduces the memory footprint on the FortiGate and is also the more secure option: logs held off-box are harder to tamper with or destroy if the unit is compromised, they can retain a much longer history (depending on the external device's disk capacity and settings), and they can be fed to a SIEM to detect, or even anticipate, security events.

 

Pay attention to the following settings:

config log memory setting
    set status <enable/disable>
end

config log memory filter   <--- and the individual filter options in this table

config log setting

In the global log settings, consider whether options such as the following are truly necessary, for example whether hits on the implicit deny policy need to be logged:

 

  • fwpolicy-implicit-log.
  • resolve-ip / resolve-port.
  • extended-log.
  • log-policy-comment.

Reference: CLI reference log 7.2.6.

 

  • Reduce Security Rating submissions:

config system global
    set security-rating-result-submission disable
    set security-rating-run-on-schedule disable
end

  • Set the antivirus database to normal:

Reduce the size of the local copies of the FortiGuard databases in use. The normal database is smaller because it omits older, dormant signatures that the extended and extreme databases include, so this trades some coverage of older malware for memory.

config antivirus settings
    set default-db normal
end

  • Shift database updates to off-peak hours.

Set updates to off-peak hours: (the example uses 3 AM, feel free to change as appropriate for the expected environment).

 

config system autoupdate schedule
    set frequency daily
    set time 03:00
end

  • Switch the ISDB to on-demand, so that only the Internet Service entries referenced by the configuration are downloaded:

    config system global
        set internet-service-database on-demand
    end
    execute update-ffdb-on-demand

Or:

Switch to the mini ISDB, a small database with a very limited set of IP addresses:

config system global
    set internet-service-database mini
end

execute update-now

Both options reduce ISDB coverage, so verify afterwards that policies matching on Internet Services still behave as expected.

 

  • Optimize the session timers for TCP and UDP traffic.

With shorter timers, FortiGate removes half-closed and idle sessions from the session table sooner:

config system global
    set tcp-halfclose-timer 30     <--- Default is 120 sec.
    set tcp-timewait-timer 0       <--- Default is 1 sec.
    set udp-idle-timer 60          <--- Default is 180 sec.
end

Test this against applications with long idle periods (for example VoIP or other UDP-based services): a lower udp-idle-timer can expire a session that is still in use.

  • Optimize the session TTL settings so that sessions stay in the session table for less time:

config system session-ttl
    set default 300     <---- The default value is 3600 seconds.
end

To use different values for different protocols or ports, add entries under 'config port'. In the following example, UDP sessions to port 53 (DNS) are expired after 10 seconds instead of the default set above:

config system session-ttl
    config port
        edit 0
            set protocol 17
            set start-port 53
            set end-port 53
            set timeout 10
        next
    end
end

 

For the two session-timer steps above, additionally refer to this article:

Technical Note: Session TTL values and Policy RST for Sessions

 

  • Reduce the system service caches to free memory for other processes:

config system dns
    set dns-cache-limit 600       <--- The default value is 5000.
end

config system fortiguard
    set webfilter-cache-ttl 600   <--- The default value is 3600.
    set antispam-cache-ttl 600    <--- The default value is 1800.
end

Smaller caches mean more DNS and FortiGuard lookups, so expect slightly higher latency and more rating traffic.

 

  • Reduce the number of worker processes:

    config system global
        set miglogd-children 1
        set sslvpn-max-worker-count 1
        set wad-worker-count 1
        set scanunit-count 2
    end

    config ips global
        set engine-count 2
        set cp-accel-mode none
    end

    diag test application ipsmonitor 99   <--- Restarts the IPS engines so the new engine-count takes effect.

Leave 'exclude-signatures' under 'config ips global' at its default: setting it to 'none' loads the industrial (OT) signature set as well, which increases IPS memory use rather than reducing it. Fewer workers and engines also mean less throughput headroom, so size these counts to the unit's actual load.

 

  • Reduce the maximum file size to inspect. The default is 10 MB, but it can be reduced to 2-3 MB:

    config firewall profile-protocol-options
        edit <profile name>
            config [http|ftp|pop3|smtp|imap]
                set oversize-limit <MB>
            end
        next
    end

Files larger than the limit bypass antivirus scanning unless oversized files are blocked in the same protocol section ('set options oversize'), so lowering the limit widens what passes uninspected. Decide per protocol which of the two is acceptable.

     

Refer to the following articles for more information:

Technical Tip: Steps on how to optimize Memory consumption

Technical Note: Memory optimization techniques for FortiOS

 

When enabled, IPS may consume a lot of resources. The following article describes how to optimize IPS engine values:
Technical Tip: IPS memory optimization steps - Fortinet Community

 

Another effective way to reduce the overall memory usage of a device is to lower the amount of workers running. For more details, refer to the following article:

Technical Tip: Reduce memory usage by reducing the number of spawned daemons

 

Note:
If the steps above do not produce satisfactory results, consider using a higher-capacity FortiGate device.
