Description
This article describes how to optimize memory consumption on low and middle-end models of FortiGate (smaller than 100D/E/F).
Every enabled feature on the FortiGate will consume some RAM memory. This may be critical, as the firewall may not have enough processing power for typical firewall tasks.
Scope
FortiGate smaller than 100D/E/F.
Solution
- Disable features that are not required (for example, DHCP, Reporting, Logging, etc).
- Use only truly necessary UTM features (like AV, WF, IPS, APPCTL, DNSF, and SSL-DI).
- Do not use UTM scanning for trusted traffic (like Server <-> Storage).
- Fine-tune IPS signatures applied (for example, disable Linux/Mac signatures if only Windows is used).
- Tweak the IPS engine and profiles when necessary:
config ips settings
config ips sensor
- Tweak the antivirus engine and profiles when necessary:
config antivirus profile
config antivirus settings
Adjust IPS process count:
config ips global
set engine-count 1
set cp-accel-mode none
unset exclude-signatures <- If the OT database is not needed.
end
- Schedule an update outside of business operating hours:
config system autoupdate schedule
set frequency daily
set time 03:00
end
- Disable dashboard widgets with dynamic content for ALL local users. The reason for doing this is that when the user logs in on the GUI, they will see the historical data in the widget (activity in the last 24 hours, etc). This means the widgets are always working in the background for all local users and consuming CPU/MEM resources.
- Disable on-device logging/reporting. Instead, log externally to FortiManager, FortiAnalyzer, FortiCloud, and Syslog.
FortiGates can store logs in different locations (memory, disk, external logging servers like FortiAnalyzer, or Syslog). When logging to memory is enabled, logs are temporarily stored in the device's RAM (volatile memory), which is useful for short-term logging. This could help in scenarios where conserving memory is important.
config log memory setting
set status disable
end
- Disable forward traffic logging: By disabling this setting, the FortiGate will no longer store logs related to forward traffic on its disk. This could be done to conserve disk space, reduce logging overhead, or if another logging method (for example, logging to FortiAnalyzer or Syslog) is being used for this traffic.
config log disk filter
set forward-traffic disable
end
- Reduce the maximum number of records in the DNS cache: Configuring the DNS cache limit to 300 restricts the maximum number of DNS records that can be stored in the cache to 300 entries.
Reducing the cache size is beneficial in environments where memory or performance optimization is a priority, as it ensures the DNS cache remains efficiently managed, preventing excessive resource consumption.
config system dns
set dns-cache-limit 300 <--- The default value is 5000.
end
- Disable the submission of Security Rating results to FortiGuard and scheduled runs of Security Rating:
config system global
set security-rating-result-submission disable
set security-rating-run-on-schedule disable
end
- Reduce internet-service-database: By configuring the setting to 'on-demand', the FortiGate will load the Internet Service Database (ISDB) only when required, instead of keeping it continuously loaded in memory. This approach optimizes system resource usage, particularly in environments where the ISDB is not frequently utilized.
config sys global
set internet-service-database on-demand
end
See the following article for more information on the above setting: Technical Tip: Internet-service-database: On-demand.
Advanced steps to optimize MEM utilization:
In addition to the steps above, it is possible to further optimize MEM consumption:
Note:
Caution should be taken when using the following steps as they affect the overall behavior of the system. They will, therefore, require preliminary analysis, preferably by the TAC engineers.
- Change the max file size for inspection:
config firewall profile-protocol-options
set oversize limit
- Reduce the FortiGuard TTL cache:
config system fortiguard
set webfilter cache-ttl 600 <--- The default value is 3600.
set antispam cache-ttl 600 <--- The default value is 1800.
end
- Reduce DNS cache size:
config system dns
set dns cache-ttl 600 <--- The default value is 1800.
end
- Reduce TCP session timeouts:
config system global
tcp halfopen-timer <- (And others.)
end
- Reduce global session TTL:
config system global
system session-ttl
- Reduce Firewall policy TTL & Service/port TTL (config firewall policy, config firewall address).
- Reduce logging to only important events (config log setting).
- Reduce worker count:
config system global
set miglogd-children 1
set sslvpn-max-worker-count 1
set wad-worker-count 1
set scanunit-count 2 <- scanunit-count value must be in the range of 2-4 or = 0.
end
Refer to the following article for more information: Technical Tip: Reduce memory usage by reducing the number of spawned daemons.
- Reduce session-TTL to improve session recycling efficiency:
config system session-ttl
set default 600
config port
edit 1
set protocol 17
set timeout 120
next
end
end
10. Adjust the IPS setting that affects memory consumption.
config ips global
set socket-size [integer, 0-512] <-----IPS socket buffer size. The maximum and default values depend on available memory. A lower value reduces memory usage.
set database [regular|extended] <----- Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.
end
diagnose test application ipsmonitor 99 <----- After changing the engine, database, and socket size, restart the IPSEngine.
Note 1:
If the steps above do not produce satisfactory results, consider using a higher-capacity FortiGate.
Note 2:
If memory optimization changes are made via CLI, they will need to be made individually on both primary and secondary units in a High-Availability cluster configuration.
Related articles:
Technical Tip: Free up memory to avoid conserve mode
Technical Note: Priority of session-ttl settings in FortiGate
