Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
JNDias
Staff
Staff

Created on ‎02-08-2023 02:13 AM Edited on ‎10-15-2024 04:39 AM By Moderator

Article Id 245124

Technical Tip: Restart WAD or IPS when conserve mode hits (Automation Stitch)

Description

This article describes how to create automation to restart a process when the FortiGate reaches conserve mode.

 

This can be adapted to execute other commands or restart other processes depending on the issue.

 

This should only be applied as a temporary workaround while waiting for a bug fix.
Scope FortiGate v7.0, v7.2, v7.4
Solution

Create an Automation Stitch to try restarting the WAD or IPS processes.

 

Result:

 

JNDias_4-1675849122524.png

 

It is possible to apply these settings directly in the CLI (as shown at the bottom of this article) or in the GUI (as shown below).

 

Steps in the GUI:

 

Create Action (Automation stitches).

 

JNDias_0-1675849073012.png

 

Script for wad process:

 

diagnose test application wad 99

 

Script option for IPS process:

 

diagnose test application ipsmonitor 99

 

Create a trigger.

 

JNDias_1-1675849079062.png

 

JNDias_2-1675849086977.png

 

Create a Stitch.

 

JNDias_3-1675849094937.png

 

CLI Option.

 

config system automation-action

    edit "RestartWAD"

        set action-type cli-script

        set minimum-interval 5

        set script "diag test app wad 99"

        set accprofile "super_admin"

    next

end

 

config system automation-trigger

    edit "Enters Conserve Mode"

        set event-type low-memory

    next

end

 

config system automation-stitch

    edit "Restart processes"

        set trigger "Enters Conserve Mode"

            config actions

                edit 1

                    set action "RestartWAD"

                    set required enable

                next

            end

    next

end

Alternative time-based triggers instead of memory.

 

It is recommended to restart WAD or IPS daily during a time of low use in order to avoid impacting the network. Otherwise, the FortiGate device may miss automation when in conserve mode because of non-viable memory.

 

2024-10-15_12-18.png

 2024-10-15_12-25.png

 

config system automation-trigger
   edit "Daily_at_3AM"
      set trigger-type scheduled
      set trigger-hour 3
   next
end

config system automation-stitch
  edit "Restart processes"
    set trigger "Daily_at_3AM"
      config actions
       edit 1
         set action "RestartWAD"
         set required enable
       next
       edit 2
         set action "Restart_ipsmonitor"
         set required enable
       next
      end
  next
end

 

Note for WAD:

There is a new alternative technique to restart WAD from FortiOS v7.2:

New FortiOS mechanism to automatically restart WAD workers.

This can be applied as a safeguarding mechanic along with the steps outlined in this article.

 

Related documents:
11685
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.