FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.


This article describes that in FortiOS there are some processes such as the IPS engine, WAD and SSL VPN which are spawning a child process for each CPU core.

Each of the spawned child processes will have some memory allocated to it regardless of the traffic load.

For some units with multi-core CPUs and less amount of memory, mainly 'E' series such as 30E, 60E and 90E this can create an issue with memory usage.


To solve such issues, it is recommended to decrease the number of instances spawned by those processes.

Confirm the number of instances spawned:


# diagnose sys top-summary
    CPU [|                                       ]   4.8%
  Mem [|||||||||||||||||                       ]  44.0%   836M/1866M
  Processes: 20 (running=1 sleeping=130)
  PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
* 144     163M    0.0  8.7   390  00:18.49  ipsmonitor [x6]
  217      66M    0.0  3.6   197  00:20.76  wad [x9]


In the example above, there are x6 instances of the IPS engine and x9 of WAD, which all consume 8.7+3.6 = 12.3% of the memory while this unit processes almost no traffic at all.

By using the commands below, it is possible to decrease the number of those instances spawned by the parent processes:


# config system global
    set wad-worker-count 2

# config ips global
    set engine-count 2


Now using the same command, to confirm:


# diagnose sys top-summary
  CPU [|                                       ]   4.8%
  Mem [|||||||||||||||                         ]  38.0%   722M/1866M
  Processes: 20 (running=1 sleeping=127)
  PID      RSS   CPU% ^MEM%   FDS     TIME+  NAME
* 284     102M    0.0  5.5   236  00:13.71  ipsmonitor [x4]
  323      38M    0.0  2.0   132  00:11.17  wad [x7]


Verify that both have decreased their spawned child processes.
There will be 2 WAD workers and 2 IPS engine instances.


'diagnose sys top-summary' is not supported in FortiOS 6.4 or later, however, 'diagnose sys top <delay> <number of processes>' will return the list of processes/workers:


Run Time: 33 days, 4 hours and 16 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1863T, 463F
cw_wtpd    196       R       0.4    0.5
newcli        6591     R       0.4    0.3
ipsengine  6826    S <    0.0    4.5
ipsengine  6828    S <    0.0    4.3
ipsengine  6829    S <    0.0    4.3
ipsengine  6827    S <    0.0    4.3

There are some instances that cannot be disabled, like IPS monitor and IPS helper or WAD manager.
That is why x4 IPS monitor and x7 WAD are still visible.

However, notice the memory decreased to 7.5% for both processes.
Almost 5% additional memory was released.

The number of other spawned daemons can also be reduced.

The numbers used in the example below are recommended on low-end devices like 60E.

But it is possible to experiment and adjust as needed:


# config system global
    set miglogd-children 1
    set sslvpn-max-worker-count 2
    set wad-worker-count 2
    set scanunit-count 2

# config ips global
    set engine-count 2


In case of reducing Spawn Processes in an HA-cluster, perform this on both Master and Slave Units because it is hardware-specific configuration and will not sync automatically.

For example, to reduce WAD worker count on HA-cluster, configure the below commands on both HA-cluster units.

FGT # config system global

FGT (global)# set wad-worker-count 2

FGT(global)# end