Technical Tip: How to troubleshoot memory usage with new commands starting from FortiOS 7.4.0

vtsonev · ‎12-19-2024

Description

This article describes how to use new commands implemented in FortiOS 7.4.0 to troubleshoot high memory usage on FortiGate.

Scope

FortiGate 7.2.0 and later.

Solution

In case of a disk full issue on a FortiGate, starting from FortiOS 7.2.0, there is an easy CLI tool to help. The tool helps to list disk file and folder statistics for troubleshooting purposes. For example, disk full usage is suspected due to high amount of logs on the disk. The logs are stored in '/var/log' folder on the system level. Using the command 'diag sys filesystem tree /var/log' will show a helpful report like file/folder tree, which will be presented in a well structured way. On the output can be easily seen the memory usage that each file/folder has.

Example from the output:

diag sys filesystem tree /var/log
Scanning path: /var/log...
==========================================================================
Name* - folder, name^ - symlink, file(folder) real size KB / disk size KB.
==========================================================================
/var/log*
├── user_count* (0.00KB / 4.00KB)
│ ├── 0.00KB / 4.00KB - 2024-12-18
│ └── 0.00KB / 0.00KB - 2024-12-19
├── nst* (0.00KB / 0.00KB)
├── root* (0.00KB / 0.00KB)
├── external* (0.00KB / 0.00KB)
├── wad_memory* (0.00KB / 0.00KB)
├── wad_crash* (0.00KB / 0.00KB)
│ └── table* (0.00KB / 0.00KB)
│ └── 0.00KB / 0.00KB - crash_table
├── log* (0.00KB / 0.00KB)
│ └── root* (0.00KB / 0.00KB)
│ ├── pol_sniffer* (0.00KB / 0.00KB)
│ ├── dlp_archive* (0.00KB / 0.00KB)
│ │ ├── cdr_files* (0.00KB / 0.00KB)
│ │ ├── ips_files* (0.00KB / 0.00KB)
│ │ ├── mms_files* (0.00KB / 0.00KB)
│ │ ├── http_files* (0.00KB / 0.00KB)
│ │ ├── ssh_files* (0.00KB / 0.00KB)
│ │ ├── ftp_files* (0.00KB / 0.00KB)
│ │ ├── im_files* (0.00KB / 0.00KB)
│ │ └── email_files* (0.00KB / 0.00KB)
│ ├── fams_report* (0.00KB / 0.00KB)
│ ├── upload* (0.00KB / 0.00KB)
│ │ └── dlp_archive* (0.00KB / 0.00KB)
│ │ ├── 2* (0.00KB / 0.00KB)
│ │ ├── 1* (0.00KB / 0.00KB)
│ │ └── 0* (0.00KB / 0.00KB)
│ └── offset* (0.00KB / 0.00KB)
├── ems_ztna_certs* (0.00KB / 0.00KB)
├── buf* (0.00KB / 0.00KB)
└── 0.01KB / 0.00KB - crash^

/var/log: 27 folders, 4 files, total occupied disk size 4.0000KB. (malloc/free counter: 64/64)
/var/log disk partition total inodes: 0, free inodes: 0.

Beside disk full usage issues, there could be a hardware level problem like file write error. If software level (disk full) can not identify the file write error problem, there is a hardware level tool 'diagnose sys filesystem last-modified-files'. This tool can list last modified files in different folders.

Example of the output:

diagnose sys filesystem last-modified-files /data2
Thu Dec 19 07:20:56 2024 - /data2/new_alert_msg
Thu Dec 19 04:53:49 2024 - /data2/report-runner/results/CoverageReport_1734612826171.jsongz
Thu Dec 19 04:53:49 2024 - /data2/report-runner/results/PostureReport_1734612826171.jsongz
Thu Dec 19 04:53:49 2024 - /data2/report-runner/results/OptimizationReport_1734612826171.jsongz
Thu Dec 19 00:43:50 2024 - /data2/report-runner/results/PostureReport_1734597826164.jsongz
Thu Dec 19 00:43:50 2024 - /data2/report-runner/results/CoverageReport_1734597826164.jsongz
Thu Dec 19 00:43:50 2024 - /data2/report-runner/results/OptimizationReport_1734597826164.jsongz
Wed Dec 18 21:06:02 2024 - /data2/crash
Wed Dec 18 20:33:49 2024 - /data2/report-runner/results/PostureReport_1734582826172.jsongz
Wed Dec 18 20:33:49 2024 - /data2/report-runner/results/OptimizationReport_1734582826172.jsongz