FortiGate
Anonymous
Article Id 194380
Description
This article explains what the following log message means: 'The system has entered conserve mode.'
Scope
  • All FortiGate units.
  • FortiOS.
Solution

The FortiGate antivirus system operates in one of two modes, depending on the unit's available memory. If the free memory is greater than 30% of the total memory, then the system is in non-conserve mode. If the free memory drops to less than 20% of the total memory, then the system enters conserve mode. When the free memory once again reaches 30% or greater of the total memory, the system returns to non-conserve mode.

Antivirus functionality and performance are impacted when the unit enters conserve mode. For more information, see the Fortinet Knowledge Base article “Antivirus fail open and optimization”.

A FortiGate unit that continuously and frequently enters conserve mode may be underscaled for the type of network flows that are being scanned by it. The following actions can be taken to alleviate the problem:

  • Disable logging to memory (Log & Report -> Log Config -> Log Setting).
  • Disable certain protocols (HTTP, FTP, SMTP, POP, IMAP) from being antivirus scanned (Firewall -> Protection Profile).
  • Reduce the 'Oversize Threshold Configuration' memory settings for each respective protocol (Anti-Virus -> Config -> Config).
  • Disable the DHCP server if it is not necessary (System -> DHCP -> Service and System -> DHCP -> Server).
  • Disable DNS Forwarding if it is not necessary (System -> Network -> DNS).
  • Disable all IPS signatures and anomaly detections if IPS is not being used. This can be done in a single operation by issuing the CLI command 'diagnose debug application ipsmonitor 98'. If IPS is being used, disable all signatures/anomalies that are not relevant or required in the network environment (under IPS -> Signature and IPS -> Anomaly).
  • Replace the FortiGate unit with a model that has more memory. See the Knowledge Base article 'Maximum oversize threshold' for memory sizes per FortiGate model.
  • Change the default session TTL:

      config system session-ttl
          set default 300
      end

  • Change the FortiGuard cache TTLs:

      config system fortiguard
          set webfilter-cache-ttl 500
          set antispam-cache-ttl 500
      end

  • Change the DNS cache limit:

      config system dns
          set dns-cache-limit 300
      end

  • Disable DNS forwarding:

      config system dns
          unset fwdintf
      end

  • If more than one DHCP server is configured, memory usage will increase.

Note: The FortiGate unit must be rebooted after disabling the various features and services in order to free up memory.

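As an added example (not part of this Knowledge Base article or of FortiOS), the following Python replays the 20%/30% free-memory thresholds described above and scans constructed FortiGate-style key=value event-log lines for the conserve mode message, flagging a unit that enters conserve mode repeatedly within a short window. The log field names, the sample lines and the "3 entries per hour" cut-off are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Thresholds stated in the article: conserve mode is entered when free memory
# drops below 20% and left again only once free memory is back at 30% or more.
ENTER_BELOW_PCT = 20.0
EXIT_AT_OR_ABOVE_PCT = 30.0
CONSERVE_MSG = "The system has entered conserve mode"

def conserve_mode_transitions(free_pct_samples):
    """Replay free-memory percentages through the article's hysteresis and
    return (sample_index, 'enter' | 'exit') transitions. Values between 20%
    and 30% keep whatever state the unit is already in."""
    in_conserve, events = False, []
    for i, free in enumerate(free_pct_samples):
        if not in_conserve and free < ENTER_BELOW_PCT:
            in_conserve = True
            events.append((i, "enter"))
        elif in_conserve and free >= EXIT_AT_OR_ABOVE_PCT:
            in_conserve = False
            events.append((i, "exit"))
    return events

# key=value pairs; values may be bare tokens or double-quoted strings (assumed format).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv_log(line):
    """Split a key=value event-log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def conserve_entries(lines):
    """Timestamps of every 'entered conserve mode' message in the lines."""
    hits = []
    for line in lines:
        f = parse_kv_log(line)
        if CONSERVE_MSG.lower() in f.get("msg", "").lower():
            hits.append(datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S"))
    return hits

def enters_frequently(timestamps, window=timedelta(hours=1), threshold=3):
    """True when `threshold` or more entries fall inside one sliding window of
    length `window`; the 1-hour / 3-entries cut-off is an assumed local policy."""
    ts = sorted(timestamps)
    return any(sum(1 for t in ts[i:] if t - ts[i] <= window) >= threshold
               for i in range(len(ts)))

# Constructed sample lines in FortiGate key=value event-log style (not from a real unit).
SAMPLE_LOG = [
    'date=2024-01-15 time=09:02:11 type=event subtype=system level=warning msg="The system has entered conserve mode"',
    'date=2024-01-15 time=09:05:40 type=event subtype=system level=notice msg="Administrator admin logged in successfully"',
    'date=2024-01-15 time=09:20:45 type=event subtype=system level=warning msg="The system has entered conserve mode"',
    'date=2024-01-15 time=09:41:03 type=event subtype=system level=warning msg="The system has entered conserve mode"',
]

if __name__ == "__main__":
    print(conserve_mode_transitions([35, 25, 19, 22, 28, 30, 18, 31]))
    print("unit needs attention:", enters_frequently(conserve_entries(SAMPLE_LOG)))
```

A unit that trips `enters_frequently` is the "continuously and frequently enters conserve mode" case above, where the memory-reduction steps or a larger model are the remedy.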
Related articles: