FortiGate
tino_p (Staff)
Article Id 333375
Description

This article describes how to detect the potential network loop, which causes high CPU usage in the FortiGate firewall.

Scope

FortiGate before v7.6.0.
Solution

High CPU usage attributed to softirq may be a sign of a network loop, especially on a FortiGate that operates in Transparent mode or has a software switch interface.

For example, this is the output of the command 'get system mpstat':

[Screenshot: 'get system mpstat' output]

1. In this case, check the output of the following command to identify the bridging information:

diagnose netlink brctl list

[Screenshot: 'diagnose netlink brctl list' output]

2. Perform further checks on each bridge by running the following command several times at a fixed interval (for example, 5 times, once every 5 seconds):

diagnose netlink brctl name host [name]

Comparing the outputs makes it possible to check whether any MAC address appears on different interfaces. If it does, review the network design: a MAC address should normally be learned on, and stay on, a single interface.

For example, the MAC address 24:5e:be:12:da:88 appearing on both interfaces b and dmz indicates a network loop.

[Screenshots: 'diagnose netlink brctl name host' output showing 24:5e:be:12:da:88 on interface b and then on interface dmz]
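The comparison described in step 2 can be automated. The following script is an added example, not part of the original article or of FortiOS: it parses several snapshots of 'diagnose netlink brctl name host' output captured a few seconds apart and reports every MAC address that was learned on more than one interface. The snapshots are constructed, and their column layout (port no, device, devname, mac addr, ttl, attributes) is an assumption about the real output.

```python
import re
from collections import defaultdict

# Constructed snapshots of 'diagnose netlink brctl name host root' output,
# captured a few seconds apart. The column layout is ASSUMED; adjust ENTRY_RE
# if the firmware in use prints the table differently.
SNAPSHOTS = [
    """show bridge control interface root host.
fdb: size=2048, used=4, num=4, depth=1
Bridge root host table
port no device  devname mac addr                ttl     attributes
1       3       dmz     00:09:0f:00:00:01       0       Local Static
3       7       b       24:5e:be:12:da:88       0       Hit(0)
4       8       dmz     00:0c:29:aa:bb:01       2       Hit(2)
3       7       b       00:0c:29:aa:bb:02       1       Hit(1)
""",
    """show bridge control interface root host.
fdb: size=2048, used=4, num=4, depth=1
Bridge root host table
port no device  devname mac addr                ttl     attributes
1       3       dmz     00:09:0f:00:00:01       0       Local Static
4       8       dmz     24:5e:be:12:da:88       0       Hit(0)
4       8       dmz     00:0c:29:aa:bb:01       5       Hit(5)
3       7       b       00:0c:29:aa:bb:02       4       Hit(4)
""",
]

# One forwarding-table row: port no, device id, devname, MAC address.
ENTRY_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)


def parse_fdb(text):
    """Return [(mac, devname), ...] for one snapshot.

    Header lines do not match ENTRY_RE. 'Local Static' rows are the bridge's
    own addresses and are skipped, since they never move between ports.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and "Local" not in line:
            entries.append((m.group(2).lower(), m.group(1)))
    return entries


def find_flapping_macs(snapshots):
    """Return {mac: sorted interfaces} for MACs seen on more than one interface."""
    seen = defaultdict(set)
    for snap in snapshots:
        for mac, dev in parse_fdb(snap):
            seen[mac].add(dev)
    return {mac: sorted(devs) for mac, devs in seen.items() if len(devs) > 1}
```

A non-empty result means the listed MAC addresses are flapping between interfaces, which is the loop symptom the article describes; an empty result means every learned address stayed on one port across the captures.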

3. From v7.6.0, FortiOS logs MAC address flapping events, which makes this behavior much quicker to identify (Feature ID 974975).


Related documents:

FortiOS 7.6.0 release notes - new features.

Logging MAC address flapping events 

Troubleshooting Tip: Check SoftIrq increments (recommended when experiencing high CPU usage)

Technical Tip: Software switch causing high CPU softirq usage and network downtime

Checking the bridging information in transparent mode