FortiGate
wcruvinel
Staff
Article Id 285711
Description

This article describes optimization steps to free up resources, primarily memory, on FortiGate Desktop and FortiWiFi models such as the 40F, 60E, 60F, 80E, 90E and Rugged 60F (2 GB RAM versions only).

These devices are often configured to run many features at once, leaving them oversubscribed through misuse or incorrect sizing.

A system that constantly runs above 65% RAM usage is at high risk of performance degradation or service disruption, because it has no headroom left to absorb the unexpected or unpredictable load that is common in security infrastructure.

As part of the optimization process, it is strongly recommended to run the FortiOS release that is recommended for the FortiGate model in use.

See the Technical Tip: Recommended Release for FortiOS to find the best version of FortiOS to use fo....

 

Another important point is the maximum capacity of FortiGate Desktop (entry-level) devices: know their limits and deploy them in roles they are sized for.

Accurate sizing avoids performance issues caused by misplacement or misuse.

Refer to Technical Tip: FortiGate Role Alignment and Capacity Planning for further details on the importance of correct sizing.

 

Note also that entry-level FortiGate devices (2 GB of RAM or less) lose some features starting from FortiOS 7.4.4; check the release notes for the build in use before relying on a feature on these models.

Scope

FortiGate, FortiOS 7.x.
Solution

Suggested actions:

  • Perform these steps during a maintenance window.
  • After implementation, a reboot is mandatory.
  • After implementation, monitor the FortiGate. If the problems persist, consider upgrading to a FortiGate with larger capacity, or open a ticket with TAC for further analysis.

 

Configuration steps:

 

Global System Configuration:

The conserve-mode thresholds below are raised from their defaults (green 82%, red 88%, extreme 95%); the values must stay ordered green < red < extreme, and raising them only buys headroom if the other steps actually reduce memory use. The session timers expire idle and half-closed TCP sessions sooner, and the worker/engine counts cap how many processes compete for RAM.

config system global
    set memory-use-threshold-extreme 97
    set memory-use-threshold-green 90
    set memory-use-threshold-red 95
    set tcp-halfclose-timer 30
    set tcp-timewait-timer 0
    set udp-idle-timer 60
    set miglogd-children 1
    set sslvpn-max-worker-count 2
    set wad-worker-count 2
    set scanunit-count 2
end

 

IPS Configuration:

config ips global
    set np-accel-mode none
    set engine-count 2
    set socket-size 32
    set exclude-signatures none
end

 

Session TTL Configuration (default session TTL of 300 seconds; DNS over UDP/53 expires after 10 seconds):

config system session-ttl
    set default 300
    config port
        edit 0
            set protocol 17
            set timeout 10
            set end-port 53
            set start-port 53
        next
    end
end

 

DNS Configuration:

config system dns
    set dns-cache-limit 600
end

 

FortiGuard Configuration:

The cache TTLs for web filter and antispam ratings are set under config system fortiguard. The frequency and time of the FortiGuard update check are not part of that table; they are configured under config system autoupdate schedule.

config system fortiguard
    set webfilter-cache-ttl 600
    set antispam-cache-ttl 600
end

config system autoupdate schedule
    set frequency daily
    set time 03:00
end

 

Automation Action Configuration (CLI script that restarts the WAD proxy daemon, limited to once every 5 seconds):

config system automation-action
    edit "RestartWAD"
        set action-type cli-script
        set minimum-interval 5
        set script "diag test app wad 99"
        set accprofile "super_admin"
    next
end

 

Automation Trigger Configuration (fires when the FortiGate enters conserve mode):

config system automation-trigger
    edit "Enters Conserve Mode"
        set event-type low-memory
    next
end

 

Automation Stitch Configuration (ties the trigger to the action):

config system automation-stitch
    edit "Restart WAD during Conserve Mode"
        set trigger "Enters Conserve Mode"
        config actions
            edit 1
                set action "RestartWAD"
                set required enable
            next
        end
    next
end

 

Auto-Script Configuration (restarts the IPS engine every 43200 seconds, that is every 12 hours, starting automatically at boot):

config system auto-script
    edit restart_IPSengine
        set interval 43200
        set repeat 356
        set start auto
        set script 'diagnose test application ipsmonitor 99'
    next
end

 

Log optimization:

Disabling memory logging and forward-traffic logging to disk frees RAM and disk I/O, but it also removes local visibility into allowed and denied traffic. Keep a remote destination (FortiAnalyzer, FortiGate Cloud or syslog) configured for forward traffic if those logs are needed for investigation or compliance.

config log memory setting
    set status disable
end

config log disk filter
    set forward-traffic disable
end

 

Disable security rating result submission and the scheduled security rating run:

config system global
    set security-rating-result-submission disable
    set security-rating-run-on-schedule disable
end

 

Reduce the internet-service-database footprint by loading it on demand instead of keeping the full database resident:

config system global
    set internet-service-database on-demand
end

exe update-ffdb-on-demand <----- Manually triggers an on-demand update of the FortiGuard Web Filtering Database (FFDB).
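The bullet list under "Suggested actions" asks for monitoring after the change but does not say what to look at. The following FortiOS CLI session is an added example (not part of the original article) of the checks to run before the change and again after the mandatory reboot; lines starting with # are annotations, not commands. The percentages quoted in the comments are constructed illustrations, and the stitch and script names are the ones configured in the steps above.

```fortios
# Record the baseline: FortiOS build, memory usage and conserve-mode state
get system status                   # confirm the running build is the recommended release for the model
get system performance status       # e.g. "Memory: ... used (66.3%)": steady state must stay below 65%
diagnose hardware sysinfo conserve  # prints green/red/extreme thresholds and "memory conserve mode: on/off"
diagnose sys session stat           # session table size; should fall once the shorter TTLs take effect
diagnose sys top 1 10               # top memory/CPU consumers; watch wad, ipsengine, scanunitd and miglogd (q to quit)

# Exercise the conserve-mode stitch without waiting for a real low-memory event
diagnose automation test "Restart WAD during Conserve Mode"

# Run the IPS engine restart script once by hand and read its output
execute auto-script start restart_IPSengine
execute auto-script result restart_IPSengine

# Repeat the first block after the reboot and again after a day of normal traffic
get system performance status
diagnose hardware sysinfo conserve
```

If memory usage still sits above the thresholds after a full business day, or conserve mode recurs, the device is undersized for its role and the stitch is only masking the problem; that is the point at which to upgrade the hardware or open a TAC ticket rather than raising the thresholds further.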

 

In conclusion, these steps help smaller FortiGate devices manage memory better. Adjust the values to the specific needs of the network rather than applying them blindly.

 

Related articles: