On systems where a high CPU load is suspected to be caused by IPS-based scanning, the IPS engines can be set to 'bypass' mode.

The following command can be used for testing to confirm if the CPU load is caused by IPS.

Note that this will bypass all IPS scanning.

The commands are intended for testing or in urgent cases of high CPU load as a temporary workaround.

Use the command below to bypass the IPS engine.

diagnose test application ipsmonitor 5
bypass: enable

In this mode, the IPS is running, but it is not inspecting traffic.

• If the CPU usage decreases, the test indicates that the volume of traffic inspected is too high for that particular FortiGate model.
• If the CPU usage is still high, the test indicates that the problem is not with the IPS engine.

After proceeding to disable the bypass with the same command:

diagnose test application ipsmonitor 5
bypass: disable

As an alternative to bypassing traffic inspection, it is also possible to temporarily stop and restart all IPS engines.
This approach can be useful when IPS processes become unresponsive or continue to consume excessive CPU even after being bypassed.

Use the following commands:

Stopping the IPS engines will immediately halt all IPS inspection and related background processes.
After verifying system stability, it is recommended to restart the IPS engines to restore normal inspection functionality.

Related document:
Technical Tip: Debugs for troubleshooting high CPU Issues