FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192323



This article describes how to optimize memory consumption on low and middle-end models of FortiGate (smaller than 100D/E/F).
Every enabled feature on the FortiGate will consume some RAM memory. This may be critical, as the firewall may not have enough processing power for typical firewall tasks




FortiGate appliances smaller than 100D/E/F.



  1. Disable features that are not required (e.g. DHCP, Reporting, Logging, etc).
  2. Use only truly necessary UTM features (like AV, WF, IPS, APPCTL, DNSF, and SSL-DI).
  3. Don’t use UTM scanning for trusted traffic (like Server <-> Storage).
  4. Fine-tune IPS signatures applied (for example, disable Linux/Mac signatures if only Windows is used).
  5. Tweak the IPS engine and profiles when necessary:

config ips settings
config ips sensor


  1. Tweak the AV engine and profiles when necessary:

conf antivirus profile
conf antivirus settings


Adjust ips process count:


config ips global

set engine-count 1
set cp-accel-mode none
set exclude-signatures none



  1. Schedule an update outside of business operating hours:

config system autoupdate schedule
     set frequency daily
     set time 03:00

  1. Disable dashboard widgets with dynamic content for ALL local users. The reason for doing this is that when the user logs in on the GUI, they will see the historical data in the widget (activity in the last 24 hours, etc). This means the widgets are always working in the background for all local users and consuming CPU/MEM resources.
  2. Disable on-device logging/reporting. Instead, log externally to FortiManager, FortiAnalyzer, FortiCloud, Syslog.

config log memory setting

set status disable


Advanced steps to optimize MEM utilization:

In addition to the steps above, it is possible to further optimize MEM consumption:

Attention: Caution should be taken when using the following steps as they affect the overall behavior of the system. They will, therefore, require preliminary analysis, preferably by the TAC engineers.


  1. Change the max file size for inspection:

conf firewall profile-protocol-options
    set oversize limit

  1. Reduce the FortiGuard TTL cache:

config system fortiguard
    set webfilter cache-ttl

    set antispam cache-ttl


  1. Reduce DNS cache size:

set dns cache-ttl


  1. Reduce TCP session timeouts:

config system global
    tcp halfopen-timer   
<- (And others.)


  1. Reduce global session TTL:

config system global
    system session-ttl


  1. Reduce Firewall policy TTL & Service/port TTL (config firewall policy, config firewall address).

  2. Reduce logging to the only important events (config log setting).

  3. Reduce worker count:

config system global
    set miglogd-children 1
    set sslvpn-max-worker-count 1
    set wad-worker-count 1
    set scanunit-count 1


9. Reduce session-TTL to improve session recycling efficiency:

config system session-ttl

set default 600

config port

edit 1

set protocol 17
set timeout 120





Note: If the steps above do not produce satisfactory results, consider using a higher capacity FortiGate device.