FortiGate
wcruvinel
Staff
Article Id 285711
Description

This article provides and explains a full script for reducing memory usage in small FortiGate units that are experiencing conserve mode.

 

This is intended for entry-level FortiGate and FortiWiFi units in the 40F, 60E, 60F, 80E, and 90E series (and their variants), and for the FortiGate-Rugged 60F (2 GB versions only), that are suffering from insufficient memory and resources.
These devices often run multiple features simultaneously, which can be memory-intensive.

 

Fluctuations in network traffic or spikes in sessions may push these firewalls into 'conserve mode', where they might lock up and block new sessions as a protective measure.


The remediation provided here includes optimization steps to free up resources, with a primary focus on memory.

Using the recommended FortiOS for the FortiGate model in use is also highly recommended. Visit this link to find the best version of FortiOS to use for a given model.

 

It is important to keep in mind the maximum capacity of entry-level FortiGate devices and be aware of their limitations.

Below are some key points to explain the restrictions affecting entry-level FortiGate devices (with less than 2GB of RAM) starting from FortiOS version 7.4.4.

Scope

FortiGate, FortiOS 7.x.
Solution

Suggested actions:

  • It is recommended to perform these steps during a maintenance window.
  • After implementation, a reboot is mandatory.
  • After implementation, monitor the FortiGate. If the problems persist, consider upgrading to a FortiGate with a larger capacity or, for more details, open a ticket with TAC.

 

Configuration steps:

 

Global System Configuration:

config system global
    set memory-use-threshold-extreme 97
    set memory-use-threshold-green 90
    set memory-use-threshold-red 95
    set tcp-halfclose-timer 30
    set tcp-timewait-timer 0
    set udp-idle-timer 60
    set miglogd-children 1
    set sslvpn-max-worker-count 2
    set wad-worker-count 2
    set scanunit-count 2
end
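To see how the three memory thresholds above interact on a running unit, the following Python example (added here; it is not part of the original article or of Fortinet's tooling) parses the Memory line of 'get system performance status' output and applies the enter-at-red, exit-only-below-green, new-sessions-dropped-at-extreme behaviour. The field layout of that output line and the sample lines are assumptions constructed for the example.

```python
import re
# Thresholds from the 'config system global' block above (percent of RAM used).
THRESHOLD_GREEN = 90    # exit conserve mode once usage drops below this
THRESHOLD_RED = 95      # enter conserve mode at or above this
THRESHOLD_EXTREME = 97  # new sessions are dropped at or above this

# Memory line of 'get system performance status' (field layout assumed; samples below are constructed).
MEMORY_RE = re.compile(r"Memory:\s+(\d+)k total,\s+(\d+)k used")

def parse_memory_used_pct(output):
    """Return memory usage in percent from performance-status output, or None."""
    m = MEMORY_RE.search(output)
    if not m:
        return None
    return 100.0 * int(m.group(2)) / int(m.group(1))

def next_state(used_pct, in_conserve, green=THRESHOLD_GREEN,
               red=THRESHOLD_RED, extreme=THRESHOLD_EXTREME):
    """Hysteresis: enter conserve at red, leave only below green, 'extreme' at/above extreme."""
    if not (green < red < extreme):
        raise ValueError("thresholds must satisfy green < red < extreme")
    if used_pct >= extreme:
        return "extreme", True
    if used_pct >= red or (in_conserve and used_pct >= green):
        return "conserve", True
    return "normal", False

def walk_samples(samples, in_conserve=False):
    """Classify a time-ordered list of performance-status outputs."""
    states = []
    for text in samples:
        pct = parse_memory_used_pct(text)
        if pct is None:
            states.append("unparsed")
            continue
        state, in_conserve = next_state(pct, in_conserve)
        states.append(state)
    return states

SAMPLES = [  # constructed samples for a 2 GB unit: usage passes red, eases, spikes past extreme, recovers
    "Memory: 2044432k total, 1738000k used (85.0%), 306432k free (15.0%)",
    "Memory: 2044432k total, 1952400k used (95.5%), 92032k free (4.5%)",
    "Memory: 2044432k total, 1900000k used (92.9%), 144432k free (7.1%)",
    "Memory: 2044432k total, 2003000k used (98.0%), 41432k free (2.0%)",
    "Memory: 2044432k total, 1800000k used (88.0%), 244432k free (12.0%)",
]

for sample, state in zip(SAMPLES, walk_samples(SAMPLES)):
    print(f"{parse_memory_used_pct(sample):5.1f}% -> {state}")
```

The third sample (92.9%) stays in conserve mode even though it is below red, because the unit only leaves conserve mode once usage drops below green.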

 

IPS Configuration:

config ips global
    set np-accel-mode none
    set engine-count 2
    set socket-size 32
    set exclude-signatures none
end

 

Session TTL Configuration:

config system session-ttl
    set default 300
    config port
        edit 0
            set protocol 17
            set timeout 10
            set end-port 53
            set start-port 53
        next
    end
end

 

DNS Configuration:

config system dns
    set dns-cache-limit 600
end

 

FortiGuard Configuration:

config system fortiguard
    set webfilter-cache-ttl 600
    set antispam-cache-ttl 600
end

 

Automation Action Configuration:

config system automation-action
    edit "RestartWAD"
        set action-type cli-script
        set minimum-interval 5
        set script "diag test app wad 99"
        set accprofile "super_admin"
    next
end

 

Automation Trigger Configuration:

config system automation-trigger
    edit "Enters Conserve Mode"
        set event-type low-memory
    next
end

 

Automation Stitch Configuration:

config system automation-stitch
    edit "Restart WAD during Conserve Mode"
        set trigger "Enters Conserve Mode"
        config actions
            edit 1
                set action "RestartWAD"
                set required enable
            next
        end
    next
end

 

Auto-Script Configuration:

config system auto-script
    edit restart_IPSengine
        set interval 43200
        set repeat 356
        set start auto
        set script 'diagnose test application ipsmonitor 99'
    next
end

 

Log optimization:

config log memory setting
    set status disable
end

config log disk filter
    set forward-traffic disable
end

 

Disable security rating submission:


config system global
    set security-rating-result-submission disable
    set security-rating-run-on-schedule disable
end

 

Reduce the internet-service-database footprint:


config sys global
    set internet-service-database on-demand
end

 

exe update-ffdb-on-demand

Use this command to manually trigger an update of the FortiGuard Web Filtering Database (FFDB) on demand.

 

In conclusion, these steps can help smaller FortiGate devices manage memory more effectively. It is important to adjust these settings to fit a given network's specific needs.

 
