Description
The article describes how FortiGate's intrusion prevention system (IPS) handles traffic when the IPS socket buffer is full, specifically the mechanisms for bypassing (fail-open) or dropping new sessions, as well as how to view and configure the IPS buffer/socket size.
Scope
IPS in FortiGate.
Solution
Fail-open.
A fail-open condition is triggered when the IPS raw socket buffer becomes full. In this state, the IPS engine lacks sufficient memory to create additional sessions and must decide whether to drop the sessions or bypass them without inspection.
Note: If nTurbo hardware acceleration is enabled, IPS fail-open cannot be triggered, because nTurbo does not use raw sockets (the mechanism used when the data path is handled by the kernel or in software). In this scenario, if the IPS engine runs out of buffer during a traffic overload, traffic is dropped even if fail-open is enabled, unless hardware acceleration is disabled (not recommended, as this increases the load on the main CPU).
IPS fail-open is configurable with the following command:
config ips global
set fail-open {enable | disable}
end
Default: disable (IPS blocks new sessions when the buffer is full)
Enable: New sessions bypass IPS inspection when fail-open mode is active
IPS fail-open events are recorded in the crash log, which can be viewed with:
diagnose debug crashlog read
To check whether nTurbo is enabled or disabled, and therefore whether IPS fail-open can be triggered, inspect the np-accel-mode setting:
config ips global
set np-accel-mode <none|basic|advanced>
end
Default: advanced (offloads more types of pattern matching, resulting in higher throughput than basic mode).
basic: offloads basic pattern matching to CPx processors.
Note: nTurbo would also be disabled if NPU hardware acceleration is disabled in firewall policy or globally on the FortiGate. To check whether NPU acceleration is disabled, see Technical Tip: FortiGate Disable Hardware Acceleration.
IPS buffer size.
To check the current socket size (which may be the default), use the following command:
diagnose test application ipsmonitor 1
Example:
diagnose test application ipsmonitor 1
pid = 147, engine count = 5
0 - pid:158:158 cfg:1 master:0 run:1
1 - pid:253:253 cfg:0 master:1 run:1
2 - pid:254:254 cfg:0 master:0 run:1
3 - pid:255:255 cfg:0 master:0 run:1
4 - pid:256:256 cfg:0 master:0 run:1
pid: 253 index:1 master version: 07002000FLEN07700-00007.00002.00212-2203222338
up time: 5 days 23 hours 1 minutes
init time: 0 seconds
socket size: 32(MB) <---IPS socket size to receive data from kernel
database: regular
bypass: disable
pid: 254 index:2
Adjust the size of the IPS buffer with the command below:
config ips global
set socket-size <int>
end
The acceptable range and the default size vary by FortiGate model and its memory size. Enter the '?' symbol after the 'set socket-size' command to display the values supported on the current unit.
'Socket-size' determines how much data the kernel passes to the IPS engine each time the engine samples packets.
Setting the value too high might lead to high memory usage by the IPS engine process and potentially the conserve mode.
Setting it too low may trigger fail-open mode too early.
If the regular traffic is triggering fail-open mode and the memory usage of the firewall is relatively low, consider increasing the size.
If the memory usage of the IPS engine process is too high and the fail-open mode still does not trigger, consider decreasing the size.
In most common situations, the default value is sufficient for normal operation.
A good starting point is usually to double the previous socket size. For example, increasing from 64 MB to 128 MB.
When reducing the socket size, consider halving the previous size. For example, reducing from 256 MB to 128 MB.
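As an added example (not part of the original article or Fortinet's own tooling), the following Python parses the 'diagnose test application ipsmonitor 1' output shown above to pull the socket size and bypass state per engine, and applies the sizing heuristic described in this section (double when regular traffic trips fail-open on a unit with spare memory, halve when the IPS engine is memory-heavy yet fail-open never triggers). The sample output is constructed from the article's example, and the names parse_ipsmonitor and recommend_socket_size are this example's own.

```python
import re

# Constructed sample, modelled on the article's 'diagnose test application
# ipsmonitor 1' output; it was not captured from a real device.
SAMPLE_IPSMONITOR = """\
pid = 147, engine count = 5
0 - pid:158:158 cfg:1 master:0 run:1
1 - pid:253:253 cfg:0 master:1 run:1
pid: 253 index:1 master version: 07002000FLEN07700-00007.00002.00212-2203222338
up time: 5 days 23 hours 1 minutes
init time: 0 seconds
socket size: 32(MB) <---IPS socket size to receive data from kernel
database: regular
bypass: disable
pid: 254 index:2
"""


def parse_ipsmonitor(text):
    """Return {pid: {'index': int, 'socket_size_mb': int, 'bypass': str}}.

    A 'pid: N index:M' line opens an engine block; the lines that follow it
    belong to that engine until the next such header. The summary lines at
    the top ('pid = 147', '0 - pid:158...') do not match and are skipped.
    """
    engines, current = {}, None
    for line in text.splitlines():
        header = re.match(r"pid:\s*(\d+)\s+index:(\d+)", line)
        if header:
            current = engines.setdefault(int(header.group(1)), {"index": int(header.group(2))})
            continue
        if current is None:
            continue
        size = re.match(r"socket size:\s*(\d+)\s*\(MB\)", line)
        if size:
            current["socket_size_mb"] = int(size.group(1))
        bypass = re.match(r"bypass:\s*(\w+)", line)
        if bypass:
            current["bypass"] = bypass.group(1)
    return engines


def recommend_socket_size(current_mb, fail_open_seen, ips_mem_high, fw_mem_low):
    """Apply the article's guidance and return the suggested socket size in MB.

    Double when regular traffic triggers fail-open while firewall memory use is
    low; halve when the IPS engine uses too much memory but fail-open still does
    not trigger; otherwise keep the current size (the default is usually enough).
    """
    if fail_open_seen and fw_mem_low:
        return current_mb * 2
    if ips_mem_high and not fail_open_seen:
        return max(1, current_mb // 2)
    return current_mb
```

The returned value is only a starting point; the range the unit actually accepts is shown by 'set socket-size ?' and must be checked before applying it.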