Description
This article describes how to tune the system when the IPS process causes high memory usage.
Scope
FortiGate.
Solution
Adjust the following settings.
config ips global
set socket-size [integer, 0-512] <----- IPS socket buffer size. The maximum and default values depend on available memory. A lower value reduces memory usage, but if set too low it may cause the IPS engine to enter a fail-open state.
set engine-count [integer, 0-255] <----- Number of IPS engines running. With the default value of 0, FortiOS sets the number to optimize performance based on the number of CPU cores. Reduce it in small increments and monitor the CPU usage per core: the fewer IPS engines spawned, the more load is concentrated on fewer cores. Find the balance between memory and CPU usage.
set database [regular|extended] <----- Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.
end
After changing the engine count, database, and socket size, restart the IPS engine with the following commands:
diag test app ipsmonitor 99
diag test app ipsengine 99
Example: in the configuration below, the engine count is set to 2:
config ips global
set socket-size 256
set engine-count 2
set database extended
end
To verify whether the changes have been applied, run the following commands:
diag sys top
CTRL + C <----- To stop the output
diag sys top-mem <----- Verify whether more than 2 IPS engine processes are running.
Verify the overall memory usage on the FortiGate:
get system performance status
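The check above can be automated for capture files saved from the CLI. The following is an added example, not part of the original article or FortiOS itself; it assumes a top-style layout of process name, PID, state, CPU % and MEM % per line, and the sample output is constructed, not taken from a real device.

```python
import re

# Constructed sample of `diag sys top`-style output (assumption: columns are
# process name, PID, state, CPU %, MEM %; not captured from a real FortiGate).
SAMPLE_TOP = """\
Run Time:  3 days, 4 hours and 12 minutes
5U, 0N, 2S, 93I, 0WA, 0HI, 0SI, 0ST; 3955T, 1220F
        ipsengine     1581      S <     0.0     7.1
        ipsengine     1582      S <     0.0     7.0
        ipsengine     1583      S <     0.0     6.9
       ipsmonitor     1579      S       0.0     0.4
          miglogd     1402      S       0.0     1.2
"""

# name, pid, state, optional "<" priority marker, cpu %, mem %
PROC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)(?:\s+<)?\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_processes(output):
    """Return (name, pid, cpu_pct, mem_pct) for every process line; header lines are skipped."""
    procs = []
    for line in output.splitlines():
        m = PROC_RE.match(line)
        if m:
            name, pid, _state, cpu, mem = m.groups()
            procs.append((name, int(pid), float(cpu), float(mem)))
    return procs


def check_engine_count(output, expected):
    """Compare running ipsengine processes with the configured engine-count.

    Returns (running, total_mem_pct, ok). ok is False when more engines are
    running than configured, i.e. the change has not taken effect yet and the
    IPS engine restart from the article is still needed.
    """
    engines = [p for p in parse_processes(output) if p[0] == "ipsengine"]
    running = len(engines)
    total_mem = round(sum(p[3] for p in engines), 1)
    return running, total_mem, running <= expected


if __name__ == "__main__":
    print(check_engine_count(SAMPLE_TOP, expected=2))
```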
Related article:
Technical Tip: Changing the IPS database