Description

This article describes how to optimize memory consumption on low and middle-end models of FortiGate (smaller than 100D/E/F).
Every enabled feature on the FortiGate will consume some RAM memory. This may be critical, as the firewall may not have enough processing power for typical firewall tasks.

Scope

FortiGate appliances smaller than 100D/E/F.

Solution

1. Disable features that are not required (e.g. DHCP, Reporting, Logging, etc).
2. Use only truly necessary UTM features (like AV, WF, IPS, APPCTL, DNSF, and SSL-DI).
3. Do not use UTM scanning for trusted traffic (like Server <-> Storage).
4. Fine-tune IPS signatures applied (for example, disable Linux/Mac signatures if only Windows is used).
5. Tweak the IPS engine and profiles when necessary:
   
   

config ips settings
config ips sensor

6. Tweak the antivirus engine and profiles when necessary:
   
   

conf antivirus profile
conf antivirus settings

Adjust IPS process count:

config ips global
    set engine-count 1

    set cp-accel-mode none
    set exclude-signatures none

end

7. Schedule an update outside of business operating hours:
   
   

config system autoupdate schedule
    set frequency daily
    set time 03:00
end

8. Disable dashboard widgets with dynamic content for ALL local users. The reason for doing this is that when the user logs in on the GUI, they will see the historical data in the widget (activity in the last 24 hours, etc). This means the widgets are always working in the background for all local users and consuming CPU/MEM resources.
9. Disable on-device logging/reporting. Instead, log externally to FortiManager, FortiAnalyzer, FortiCloud, and Syslog.
   FortiGates can store logs in different locations (memory, disk, external logging servers like FortiAnalyzer, or syslog). When logging to memory is enabled, logs are temporarily stored in the device's RAM (volatile memory), which is useful for short-term logging. This could help in scenarios where conserving memory is important.

config log memory setting

    set status disable

end

10. Disable forward traffic logging: By disabling this setting, the FortiGate will no longer store logs related to forward traffic on its disk. This could be done to conserve disk space, reduce logging overhead, or if another logging method (e.g., logging to FortiAnalyzer or syslog) is being used for this traffic.

config log disk filter
    set forward-traffic disable

end

11. Reduce the maximum number of records in the DNS cache: Configuring the DNS cache limit to 300 restricts the maximum number of DNS records that can be stored in the cache to 300 entries.

    Reducing the cache size is beneficial in environments where memory or performance optimization is a priority, as it ensures the DNS cache remains efficiently managed, preventing excessive resource consumption.

    
    config system DNS
        set dns-cache-limit 300 <---The default value is 5000.
    end
    
    
12. Disable the submission of Security Rating results to FortiGuard and scheduled runs of Security Rating:
              
    config system global
        set security-rating-result-submission disable
        set security-rating-run-on-schedule disable
    end
    
    
13. Reduce internet-service-database: By configuring the setting to 'on-demand', the FortiGate will load the Internet Service Database (ISDB) only when required, instead of keeping it continuously loaded in memory. This approach optimizes system resource usage, particularly in environments where the ISDB is not frequently utilized.
    
    config sys global
        set internet-service-database on-demand
    end

See the following article for more information on the above setting: 

Technical Tip: Internet-service-database: On-demand

Advanced steps to optimize MEM utilization:

In addition to the steps above, it is possible to further optimize MEM consumption:

Attention:

Caution should be taken when using the following steps as they affect the overall behavior of the system. They will, therefore, require preliminary analysis, preferably by the TAC engineers.

1. Change the max file size for inspection:
   
   

conf firewall profile-protocol-options
    set oversize limit

2. Reduce the FortiGuard TTL cache:
   
   

config system fortiguard
    set webfilter cache-ttl 600     <--- The default value is 3600.
    set antispam cache-ttl 600      <--- The default value is 1800.

end

3. Reduce DNS cache size:
   
   

config system dns

    set dns cache-ttl 600           <--- The default value is 1800.

end

4. Reduce TCP session timeouts:
   
   

config system global
    tcp halfopen-timer    <- (And others.)

end

5. Reduce global session TTL:
   
   

config system global
    system session-ttl

6. Reduce Firewall policy TTL & Service/port TTL (config firewall policy, config firewall address).
   
7. Reduce logging to the only important events (config log setting).
   
8. Reduce worker count:
   
   config system global
       set miglogd-children 1
       set sslvpn-max-worker-count 1
       set wad-worker-count 1
       set scanunit-count 2   <- scanunit-count value must be in the range of 2-4 or = 0.
   end
   

9. Reduce session-TTL to improve session recycling efficiency:

config system session-ttl

    set default 600
        config port

            edit 1

                set protocol 17
                set timeout 120

            next

        end

end

  10. Adjust the IPS setting that affects memory consumption.

config ips global     

    set socket-size [integer, 0-512]  <-----IPS socket buffer size. The max and default values depend on available memory. A lower value reduces memory usage.

    set database     [regular|extended] <----- Regular protects against the latest common and in-the-wild attacks. Extended includes protection from legacy attacks.

end

Note:

If the steps above do not produce satisfactory results, consider using a higher-capacity FortiGate.

Related articles:

Technical Tip: Free up memory to avoid conserve mode
Technical Note: Priority of session-ttl settings in FortiGate