Description
This article provides information for cases where the CPU / Soft_irq process is high on FortiGate and traffic drops are seen. It explains how to track the traffic that may be causing high CPU utilization on the FortiGate.
Scope
FortiGate-6000 and 7000 Series.
Solution
When the commands 'get system performance status' and 'diag sys mpstat' are used, high CPU utilization is seen. There can be many reasons for high CPU. One of the most common is that most of the traffic is being processed by the CPU instead of being offloaded to the hardware.
Some troubleshooting steps that can be followed to track the traffic. Traffic passes through the following stages in order, and the earlier in this chain it is stopped, the less CPU it consumes:

Sender --> Flow-Rule --> FW ACL Policy --> FW Policy

Sender: Traffic can be blocked at the sender itself.
Flow-Rule: Traffic can be blocked by creating a flow rule. This traffic will not go to the CPU.
FW ACL Policy: Traffic can be blocked by creating an ACL policy using the CLI. In this case, very little CPU is used. This is configured at the VDOM level: 'show firewall acl'.
FW Policy: Traffic can be blocked using a firewall policy, but this uses high CPU.
To see why traffic is taking the slow path, enable debug and run a flow trace:

diagnose debug enable
diag debug flow filter ...    <----- Set filters accordingly.
diag debug flow trace start 10    <----- Capture the flow trace.
Find the reasons for packets being processed by the slow path, and then modify the configuration accordingly. Example messages (msg=) to look for in the trace:

--> Reverse path check fails, drop.
--> Denied by policy 0 (did not match any firewall policy).
--> Send to IPS.
--> Send to the application layer (UTM).
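A flow trace on a busy unit produces far more lines than can be read by hand. The script below is an added example, not part of this article or of any Fortinet tool: it parses saved 'diag debug flow' output, ties each slow-path reason to the 5-tuple of the packet that triggered it (via the shared trace_id), and ranks the (reason, flow) pairs so the top entries can be handled at the sender, in a flow rule, or in an ACL policy rather than in a firewall policy. The sample trace lines are constructed for this example, and the reason labels and regular expressions are this script's own assumptions about the message text, not FortiOS strings.

```python
import re
from collections import Counter

# Constructed sample in the style of 'diagnose debug flow trace start' output.
# Every line below is made up for this example; it was not captured from a device.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.5:51234->192.168.1.10:443) from port1. flag [S], seq 1, ack 0, win 65535"
id=20085 trace_id=1 func=init_ip_session_common line=5502 msg="allocate a new session-00001b2c"
id=20085 trace_id=1 func=fw_forward_handler line=5386 msg="Denied by policy 0"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=17, 10.1.1.7:5000->10.2.2.9:5000) from port2. flag [.]"
id=20085 trace_id=2 func=ip_route_input_slow line=1703 msg="reverse path check fail, drop"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.5:51235->192.168.1.10:443) from port1. flag [S], seq 2, ack 0, win 65535"
id=20085 trace_id=3 func=fw_forward_handler line=5386 msg="Denied by policy 0"
id=20085 trace_id=4 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=6, 10.1.1.9:40000->172.16.0.4:80) from port1. flag [S], seq 3, ack 0, win 65535"
id=20085 trace_id=4 func=fw_forward_handler line=5390 msg="send to ips"
"""

# A debug-flow line carries a trace_id (ties one packet's lines together) and a msg.
LINE_RE = re.compile(r'trace_id=(\d+)\b.*?\bmsg="(.*)"\s*$')

# The 'received a packet(...)' message gives the 5-tuple for that trace_id.
PKT_RE = re.compile(
    r'received a packet\(proto=(\d+),\s*([\d.]+):(\d+)->([\d.]+):(\d+)\)'
)

# Slow-path reasons named in the article, matched case-insensitively.
# The labels are this example's own names, not FortiOS strings (assumption).
SLOW_PATH_REASONS = [
    ("reverse path check fail", re.compile(r"reverse path check", re.I)),
    ("denied by policy 0", re.compile(r"denied by policy 0", re.I)),
    ("send to IPS", re.compile(r"send to ips", re.I)),
    ("send to application layer (UTM)", re.compile(r"application layer|\butm\b", re.I)),
]


def classify(msg):
    """Return the slow-path label for a msg string, or None if it is not one."""
    for label, pattern in SLOW_PATH_REASONS:
        if pattern.search(msg):
            return label
    return None


def parse_trace(text):
    """Count slow-path reasons per flow.

    Returns a Counter keyed by (reason, src_ip, dst_ip, dst_port, proto).
    The source port is dropped so that many connections from one client to
    one service collapse into a single entry.
    """
    flows = {}          # trace_id -> (src_ip, dst_ip, dst_port, proto)
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        trace_id, msg = m.groups()
        pkt = PKT_RE.search(msg)
        if pkt:
            proto, src_ip, _src_port, dst_ip, dst_port = pkt.groups()
            flows[trace_id] = (src_ip, dst_ip, dst_port, proto)
            continue
        reason = classify(msg)
        if reason and trace_id in flows:
            counts[(reason,) + flows[trace_id]] += 1
    return counts


def summarize(counts, top=5):
    """Most frequent (reason, flow) pairs first: the candidates to stop at the
    sender, in a flow rule, or in an ACL policy instead of a firewall policy."""
    return counts.most_common(top)


if __name__ == "__main__":
    for (reason, src, dst, dport, proto), n in summarize(parse_trace(SAMPLE_TRACE)):
        print(f"{n:5d}  {reason:32s}  proto={proto} {src} -> {dst}:{dport}")
```

Run it on a real capture by replacing SAMPLE_TRACE with the contents of a saved trace; lines that do not match the patterns are ignored, so other debug output mixed into the file does no harm. Add further entries to SLOW_PATH_REASONS as new messages turn up in your own traces.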
To improve performance with fragmented traffic, change the load-balance settings below. These changes cause all existing sessions to drop and new sessions to be formed again, so perform them during a maintenance window:

config load-balance setting
    dp-fragment-session : disable    <----- Change it to enable.
    dp-load-distribution-method : src-dst-ip-sport-dport    <----- Do not change.
    sw-load-distribution-method : src-dst-ip-sport-dport    <----- Change to src-dst-ip.