bkarl, Staff
Article Id 304981
Description

This article describes how to optimize memory usage by reducing memory consumption on FGR-60F FortiGates of the second, third and fourth generation. This configuration only applies to specific FortiGate models.

Scope

Low-end FortiGate models with less than 2 GB of RAM.
Solution

The following are some configuration adjustments to reduce and optimize memory usage when low-end models with UTM have high memory usage.

Increase memory-use-threshold:

config system global
    set memory-use-threshold-extreme 97
    set memory-use-threshold-green 90
    set memory-use-threshold-red 94
end

Or schedule updates for off-peak times. For example:

config system autoupdate schedule
    set frequency daily
    set time 03:00
end

Or reduce worker count. The following configuration should be implemented during a maintenance window and carefully monitored during production hours for any performance impact.


Each daemon is bound to a single CPU core. Since the number of daemons/processes is reduced, depending on the volume of traffic or number of requests handled by a single daemon, this can lead to high CPU usage on that core, potentially resulting in dropped connections. It is recommended to monitor network usage, CPU load, and memory consumption, and adjust the configuration accordingly.

For example, if the device is handling around 100-200 Mbps of traffic (as shown in the output of 'get system performance status' under average network usage), allocating more than one WAD worker or IPS engine may be necessary. This should be done while ensuring efficient memory utilization so that the device does not enter conserve mode.

config system global
    set miglogd-children 1
    set sslvpn-max-worker-count 1
    set wad-worker-count 1
    set scanunit-count 2
end
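The article asks the administrator to watch memory usage against the green/red/extreme thresholds and to read average network usage from 'get system performance status' before deciding on worker counts. The following Python script is an added illustration of those checks and is not code from the Fortinet article: it parses a constructed sample of 'get system performance status' output (the line layout is an assumption modelled on FortiOS output; verify the regexes against your own unit), validates that the thresholds are ordered green < red < extreme, classifies a memory reading, models the enter-at-red / leave-below-green hysteresis of conserve mode, and flags when the 1-minute average throughput falls in the 100-200 Mbps band where the article says one WAD worker or IPS engine may not be enough. The function names, the sample values and the choice of the busier traffic direction as the throughput figure are all assumptions.

```python
"""Check FortiGate memory and throughput readings against conserve-mode thresholds.

Added example, not code from the Fortinet article. It parses a CONSTRUCTED
sample of 'get system performance status' output; the line layout is an
assumption modelled on FortiOS output, so verify the regexes against your
own unit before relying on them.
"""
import re

# Thresholds from the article's 'config system global' block (percent of RAM).
THRESHOLDS = {"green": 90, "red": 94, "extreme": 97}

# Article's rule of thumb: around 100-200 Mbps may need more than one
# WAD worker / IPS engine.
BUSY_BAND_MBPS = (100, 200)

# Constructed sample, not captured from a real device.
SAMPLE_STATUS = """\
CPU states: 12% user 8% system 0% nice 80% idle 0% iowait 0% irq 0% softirq
Memory: 2007112k total, 1892700k used (94.3%), 114412k free (5.7%), 0k freeable (0.0%)
Average network usage: 163840 / 120512 kbps in 1 minute, 150000 / 110000 kbps in 10 minutes, 90000 / 80000 kbps in 30 minutes
Average sessions: 18210 sessions in 1 minute, 17550 sessions in 10 minutes, 15000 sessions in 30 minutes
Uptime: 12 days, 3 hours, 41 minutes
"""


def validate_thresholds(t):
    """FortiOS requires green < red < extreme; all are percentages of total RAM."""
    return 0 < t["green"] < t["red"] < t["extreme"] <= 100


def parse_memory_percent(text):
    """Return the 'used' percentage from the Memory line."""
    m = re.search(r"^Memory:\s+\d+k total,\s+\d+k used \((\d+(?:\.\d+)?)%\)", text, re.M)
    if not m:
        raise ValueError("Memory line not found")
    return float(m.group(1))


def parse_network_mbps(text):
    """Return (inbound, outbound) 1-minute averages in Mbps (the CLI reports kbps)."""
    m = re.search(r"^Average network usage:\s+(\d+)\s*/\s*(\d+)\s*kbps in 1 minute", text, re.M)
    if not m:
        raise ValueError("Average network usage line not found")
    return int(m.group(1)) / 1000, int(m.group(2)) / 1000


def memory_band(used_pct, t=THRESHOLDS):
    """Classify a reading: 'extreme' (new sessions dropped), 'red' (conserve mode
    entered), 'amber' (between green and red, name chosen here), or 'normal'."""
    if used_pct >= t["extreme"]:
        return "extreme"
    if used_pct >= t["red"]:
        return "red"
    if used_pct >= t["green"]:
        return "amber"
    return "normal"


def next_conserve_state(in_conserve, used_pct, t=THRESHOLDS):
    """Hysteresis: conserve mode is entered at/above red and left only once usage
    falls below green, which is why raising green to 90 matters as much as red."""
    if used_pct >= t["red"]:
        return True
    if used_pct < t["green"]:
        return False
    return in_conserve


def needs_more_workers(in_mbps, out_mbps, band=BUSY_BAND_MBPS):
    """True when the busier direction sits in the band where the article says a
    single WAD worker or IPS engine may be insufficient. Using the busier
    direction is an assumption; the article does not define 'traffic'."""
    peak = max(in_mbps, out_mbps)
    return band[0] <= peak <= band[1]


def assess(text, t=THRESHOLDS, in_conserve=False):
    """Summarise one status snapshot as a dict."""
    if not validate_thresholds(t):
        raise ValueError("thresholds must satisfy green < red < extreme")
    used = parse_memory_percent(text)
    rx, tx = parse_network_mbps(text)
    return {
        "memory_used_pct": used,
        "memory_band": memory_band(used, t),
        "conserve_mode": next_conserve_state(in_conserve, used, t),
        "network_mbps": (rx, tx),
        "consider_extra_worker": needs_more_workers(rx, tx),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```

Run it against a saved copy of the CLI output and compare the 'conserve_mode' result with the device's actual state; with the sample values the unit sits above the red threshold while carrying roughly 164 Mbps inbound, so both conditions the article warns about are flagged at once.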

The IPS process count can be configured, and logging to memory and to disk can be reduced:

config ips global
    set engine-count 1
    set cp-accel-mode none
    set exclude-signatures none
end

config log memory setting
    set status disable
end

config log disk filter    <----- This command only applies to models with onboard logging disks.
    set forward-traffic disable
end

Reduce session-TTL to improve session recycling efficiency:

config system session-ttl
    set default 600
    config port
        edit 1
            set protocol 17
            set timeout 120
        next
    end
end

Reduce dns-cache:

config system dns
    set dns-cache-limit 300
end

Disable the security rating submission:

config system global
    set security-rating-result-submission disable
    set security-rating-run-on-schedule disable
end

Reduce the internet-service-database footprint by switching it to on-demand mode:

config sys global
    set internet-service-database on-demand
end

Then trigger the on-demand update:

exe update-ffdb-on-demand

Note 1:

Consider that these low-end models have only 2 GB of RAM. It is therefore very likely that such a device will enter conserve mode quickly if many sessions are in progress.

Note 2:

In v7.6.3, further optimizations were made that remove or rework certain features on devices with 2 GB or less of memory.

For further details, consult 'Optimizations for physical FortiGate devices with 2 GB RAM' (7.6.3).


Related articles:

Technical Tip: Low-end FortiGate models with RAM ≤ 2GB entering conserve mode due to increased ISDB ...

Technical Tip: Free up memory to avoid conserve mode