FortiGate
ppatel
Staff

Description


This article describes how some FortiOS processes, such as the IPS engine, WAD and SSL VPN, spawn one child process per CPU core.

Each spawned child process has some memory allocated to it regardless of the traffic load.

On units with multi-core CPUs and a small amount of memory, mainly the 'E' series such as the 30E, 60E and 90E, this can cause memory usage issues.

Solution


To solve such issues, it is recommended to decrease the number of instances spawned by those processes.

Confirm the number of instances spawned:


# diagnose sys top-summary
    CPU [|                                       ]   4.8%
  Mem [|||||||||||||||||                       ]  44.0%   836M/1866M
  Processes: 20 (running=1 sleeping=130)
   
  PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
* 144     163M    0.0  8.7   390  00:18.49  ipsmonitor [x6]
  217      66M    0.0  3.6   197  00:20.76  wad [x9]


In the example above, there are 6 instances (x6) of the IPS engine and 9 (x9) of WAD, which together consume 8.7 + 3.6 = 12.3% of the memory while this unit is processing almost no traffic at all.

By using the commands below, it is possible to decrease the number of those instances spawned by the parent processes:


# config system global
    set wad-worker-count 2
end


# config ips global
    set engine-count 2
end


Now, using the same command, confirm the change:


# diagnose sys top-summary
  CPU [|                                       ]   4.8%
  Mem [|||||||||||||||                         ]  38.0%   722M/1866M
  Processes: 20 (running=1 sleeping=127)
   
  PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
* 284     102M    0.0  5.5   236  00:13.71  ipsmonitor [x4]
  323      38M    0.0  2.0   132  00:11.17  wad [x7]


Verify that both processes have decreased their spawned child processes: there are now 2 WAD workers and 2 IPS engine instances.


'diagnose sys top-summary' is not supported in FortiOS 6.4 or later; however, 'diagnose sys top <delay> <number of processes>' returns the list of processes/workers:


Run Time: 33 days, 4 hours and 16 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1863T, 463F
cw_wtpd    196       R       0.4    0.5
newcli        6591     R       0.4    0.3
ipsengine  6826    S <    0.0    4.5
ipsengine  6828    S <    0.0    4.3
ipsengine  6829    S <    0.0    4.3
ipsengine  6827    S <    0.0    4.3


Some instances cannot be disabled, such as the IPS monitor, the IPS helper and the WAD manager.
That is why x4 IPS monitor and x7 WAD instances are still visible.

However, notice that the memory used by both processes decreased to 5.5 + 2.0 = 7.5%.
Almost 5% of additional memory was released.
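As an added example (not part of the article, and not Fortinet's own tooling), the following Python script parses captured 'diagnose sys top' output, counts the instances of each daemon, sums their MEM% and points at the CLI setting that limits each. The sample output is constructed from the article's format; the sslvpnd, miglogd and scanunitd daemon names are assumed to correspond to the remaining settings the article lists.

```python
import re
from collections import defaultdict

# Constructed sample of 'diagnose sys top' output (FortiOS 6.4+ layout), modelled on the article.
SAMPLE_TOP = """\
Run Time: 33 days, 4 hours and 16 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1863T, 463F
newcli        6591     R       0.4    0.3
ipsengine  6826    S <    0.0    4.5
ipsengine  6828    S <    0.0    4.3
ipsengine  6829    S <    0.0    4.3
ipsengine  6827    S <    0.0    4.3
wad        7001    S      0.0    1.1
wad        7002    S      0.0    1.0
"""

# Process row: name, PID, state letter, optional '<' priority marker, CPU%, MEM%.
PROC_RE = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z])\s*(<)?\s+([\d.]+)\s+([\d.]+)\s*$")

# Daemon name -> CLI setting that limits its worker count. ipsengine and wad come from the
# article; the sslvpnd/miglogd/scanunitd names are assumed to match the remaining settings.
TUNABLES = {
    "ipsengine": "config ips global / set engine-count",
    "wad": "config system global / set wad-worker-count",
    "sslvpnd": "config system global / set sslvpn-max-worker-count",
    "miglogd": "config system global / set miglogd-children",
    "scanunitd": "config system global / set scanunit-count",
}

def parse_top(text):
    """Return (name, pid, cpu%, mem%) for each process row; the two header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), float(m.group(5)), float(m.group(6))))
    return rows

def summarize(rows):
    """Per daemon name: (instance count, combined MEM%) rounded to one decimal like the CLI."""
    acc = defaultdict(lambda: [0, 0.0])
    for name, _pid, _cpu, mem in rows:
        acc[name][0] += 1
        acc[name][1] += mem
    return {n: (c, round(m, 1)) for n, (c, m) in acc.items()}

def tuning_candidates(summary, min_instances=3, mem_threshold=10.0):
    """Daemons with several instances whose combined MEM% is high, mapped to the setting that reduces them."""
    return {n: TUNABLES.get(n, "no per-worker setting known")
            for n, (c, m) in summary.items() if c >= min_instances and m >= mem_threshold}
```

Feed it the output saved from an SSH session before and after changing the counts to see which daemons actually released memory.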


The number of other spawned daemons can also be reduced.

The numbers used in the example below are recommended for low-end devices such as the 60E, but it is possible to experiment and adjust them as needed:


# config system global
    set miglogd-children 1
    set sslvpn-max-worker-count 2
    set wad-worker-count 2
    set scanunit-count 2
end

# config ips global
    set engine-count 2
end


When reducing spawned processes in an HA cluster, perform this on both the Master and Slave units, because it is a hardware-specific configuration and will not sync automatically.

For example, to reduce the WAD worker count on an HA cluster, configure the commands below on both HA cluster units:


FGT # config system global
FGT (global) # set wad-worker-count 2
FGT (global) # end