The following are some configuration adjustments to reduce and optimize memory usage when low-end models with UTM have high memory usage.

Increase memory-use-threshold:

config system global
    set memory-use-threshold-extreme 97
    set memory-use-threshold-green 90
    set memory-use-threshold-red 94
end

Or schedule an update at off-peak time. For example:

config system autoupdate schedule
    set frequency daily
    set time 03:00
end

Or reduce worker count. The following configuration should be implemented during a maintenance window and carefully monitored during production hours for any performance impact.

Each daemon is bound to a single CPU core. Since the number of daemons/processes is reduced, depending on the volume of traffic or number of requests handled by a single daemon, this can lead to high CPU usage on that core, potentially resulting in dropped connections. It is recommended to monitor network usage, CPU load, and memory consumption, and adjust the configuration accordingly.

For example, if the device is handling around 100-200 Mbps of traffic (as shown in the output of 'get system performance status' under average network usage), allocating more than one WAD worker or IPS engine may be necessary. This should be done while ensuring efficient memory utilization so that the device does not enter conserve mode.

config system global

    set miglogd-children 1

    set sslvpn-max-worker-count 1

    set wad-worker-count 1

    set scanunit-count 2

end

The IPS process count can be configured:

config ips global
    set engine-count 1
    set cp-accel-mode none
    set exclude-signatures none
end

config log memory setting
    set status disable
end

config log disk filter <----- This command only applies to models with onboard logging disks.
    set forward-traffic disable
end

Reduce session-TTL to improve session recycling efficiency:

config system session-ttl
    set default 600
        config port
            edit 1
                set protocol 17
                set timeout 120
            next
        end
end

Reduce dns-cache:

config system dns
    set dns-cache-limit 300
end

Disabled the security rating submission:

config system global
    set security-rating-result-submission disable
    set security-rating-run-on-schedule disable
end

Reduce internet-service-database:

config sys global

    set internet-service-database on-demand

end

exe update-ffdb-on-demand

Note 1:

Consider that these low-end models have only 2GB of RAM. It is therefore very likely that this device will enter conserve mode quickly if there are many sessions in progress for FortiGate.

Note 2:

On v7.6.3, further optimizations were done, which remove or rework certain features on devices with 2GB or less of memory.

For further details, consult Optimizations for physical FortiGate devices with 2 GB RAM 7.6.3.

Related articles:

Technical Tip: Low-end FortiGate models with RAM ≤ 2GB entering conserve mode due to increased ISDB ...

Technical Tip: Free up memory to avoid conserve mode