wcruvinel
Staff
Article Id 408804
Description

This article describes high CPU usage in user space that recurs every two hours and causes outages. The issue appears after upgrading to v7.6.2 or v7.6.3 and is caused by a software defect in the IPS engine.

Scope

FortiGate v7.6.2 and v7.6.3.
Solution

Symptoms:

  1. High CPU utilization on one or more cores by a user-space process.
  2. The ipsengine process consumes nearly 100% CPU.
  3. In the output of 'get system performance status', the user field shows abnormally high values.
  4. Repeated IPS engine crashes with 'segmentation fault (signal 11)'. To verify, execute 'diag debug crashlog read' and upload the output to the TAC case for confirmation.


Example output showing the condition:


FortiGate # get system performance status
CPU states: 12% user 0% system 0% nice 88% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU2 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU3 states: 100% user 0% system 0% nice 0% idle 0% iowait 0% irq 0% softirq <<< 100% high CPU
CPU4 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU5 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU6 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU7 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq


This indicates that CPU3 is fully consumed by a user-space process, in this case ipsengine, while the remaining cores sit idle.
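A small monitoring helper, added here as an example and not part of the original article, that parses the CPU lines of 'get system performance status' (the sample text below is the output shown above, including the '<<<' annotation, which the parser ignores) and reports cores whose user time sits at or above a threshold. The second function looks across several successive snapshots, as a poller would collect them, so that a single transient spike is not mistaken for the sustained saturation this article describes. The threshold of 90% and the snapshot count of 3 are assumptions, not values from the article.

```python
import re
from typing import Dict, List

# Per-core lines look like:
#   CPU3 states: 100% user 0% system 0% nice 0% idle 0% iowait 0% irq 0% softirq
# The aggregate line has no core number ("CPU states: ...") and is stored under "all".
_CPU_LINE = re.compile(r"^CPU(?P<core>\d*)\s+states:\s*(?P<fields>.*)$")
# Only the known state names are accepted, so a trailing note such as
# "<<< 100% high CPU" does not produce a bogus "high" field.
_FIELD = re.compile(r"(\d+)%\s+(user|system|nice|idle|iowait|irq|softirq)\b")

# Constructed sample: the output quoted in this article.
SAMPLE_OUTPUT = """FortiGate # get system performance status
CPU states: 12% user 0% system 0% nice 88% idle 0% iowait 0% irq 0% softirq
CPU0 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU1 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU2 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU3 states: 100% user 0% system 0% nice 0% idle 0% iowait 0% irq 0% softirq <<< 100% high CPU
CPU4 states: 1% user 0% system 0% nice 99% idle 0% iowait 0% irq 0% softirq
CPU5 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU6 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
CPU7 states: 0% user 0% system 0% nice 100% idle 0% iowait 0% irq 0% softirq
"""

Snapshot = Dict[str, Dict[str, int]]


def parse_performance_status(text: str) -> Snapshot:
    """Parse the CPU lines of 'get system performance status'.

    Returns {core: {state: percent}}, e.g. {"3": {"user": 100, ...}}, with the
    aggregate "CPU states" line stored under the key "all". Non-CPU lines are skipped.
    """
    result: Snapshot = {}
    for raw in text.splitlines():
        m = _CPU_LINE.match(raw.strip())
        if not m:
            continue
        key = m.group("core") or "all"
        fields = {name: int(pct) for pct, name in _FIELD.findall(m.group("fields"))}
        if fields:
            result[key] = fields
    return result


def saturated_user_cores(stats: Snapshot, threshold: int = 90) -> List[str]:
    """Cores (excluding the aggregate) whose user time is at or above threshold."""
    return sorted(
        core for core, st in stats.items()
        if core != "all" and st.get("user", 0) >= threshold
    )


def sustained_saturation(samples: List[Snapshot], threshold: int = 90,
                         min_consecutive: int = 3) -> List[str]:
    """Cores saturated in each of the last min_consecutive snapshots.

    A single high reading can be a normal burst; the condition in this article is a
    core that stays pinned, so only cores hot in every recent snapshot are reported.
    """
    if len(samples) < min_consecutive:
        return []
    recent = samples[-min_consecutive:]
    cores = set(recent[0]) - {"all"}
    return sorted(
        c for c in cores
        if all(s.get(c, {}).get("user", 0) >= threshold for s in recent)
    )


if __name__ == "__main__":
    snap = parse_performance_status(SAMPLE_OUTPUT)
    print("aggregate user%:", snap["all"]["user"])
    print("saturated cores in this snapshot:", saturated_user_cores(snap))
    # Three identical snapshots stand in for three successive polls.
    print("sustained over 3 polls:", sustained_saturation([snap, snap, snap]))
```

In practice the snapshots would come from polling the CLI (or the REST monitor API) on a schedule; feeding each parsed result into sustained_saturation and alerting when it returns a non-empty list gives an early signal of the condition before the outage, and the same alert can be correlated with the timestamps of the crashlog entries mentioned above.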


Resolution:

The fix will be included in v7.6.5 and is already present in IPS engine builds v7.4.9:0586 and v7.6.3:1151/1154. The issue is tracked as Bug ID 1140846.


Workaround:

Configure an automation stitch to restart the IPS engine every two hours. Apply this only as a temporary workaround until the fixed build is available. For reference, check the Technical Tip: Restart WAD or IPS when conserve mode hits (Automation Stitch).


For additional information or workaround assistance, contact Fortinet TAC support.