vsharma
Staff
Article Id 405035
Description

This article explains the reason behind high CPU utilization on FortiGate Virtual Machines (VMs) when DPDK (Data Plane Development Kit) is enabled.

Scope

FortiOS with DPDK support.

Solution

On a FortiGate VM with DPDK, all ipsengine processes show ~99% CPU usage and overall CPU usage appears extremely high even during low traffic conditions.

 

When DPDK is enabled, FortiGate switches from an interrupt-driven model to a poll mode driver (PMD) model for packet processing. In this mode, CPU cores are assigned to continuously poll network interfaces for packets. This behavior is expected by design and is optimized for low-latency and high-throughput environments.

Because of this:

 

  1. ipsengine appears to consume nearly 100% CPU.
  2. Commands like 'get system performance status' and 'diagnose sys top' do not accurately reflect the load, since they are not DPDK-aware.

 

erbium-kvm70 # get system performance status
CPU states: 89% user 10% system 0% nice 1% idle 0% iowait 0% irq 0% softirq
CPU0 states: 87% user 12% system 0% nice 1% idle 0% iowait 0% irq 0% softirq
CPU1 states: 90% user 9% system 0% nice 1% idle 0% iowait 0% irq 0% softirq
CPU2 states: 90% user 9% system 0% nice 1% idle 0% iowait 0% irq 0% softirq
CPU3 states: 89% user 11% system 0% nice 0% idle 0% iowait 0% irq 0% softirq

 

90U, 0N, 9S, 1I, 0WA, 0HI, 0SI, 0ST; 9012T, 4380F
ipsengine 264 R < 99.8 2.3
ipsengine 263 R < 99.8 2.3
ipsengine 262 R < 99.8 2.3
ipsengine 261 R < 99.6 2.3

 

In DPDK-enabled mode, FortiGate uses busy polling, which keeps cores active.

 

Application (ipsengine)
      ↓
 (Polls for Packets)
      ↓
     NIC

 

DPDK does not reduce IPS workload, but it removes kernel overhead. As a result, the IPS engine might get hit with more granular traffic and can get busier than expected. This is why its CPU usage can go high after DPDK is enabled. This is not unexpected behavior, as stated in the 'Enhancing FortiGate-VM performance with DPDK and vNP offloading' KVM documentation guide.

 

Use 'diagnose dpdk performance show' in DPDK-enabled VMs. This provides actual DPDK engine-level CPU usage statistics, which are much more accurate for FortiGate VMs using DPDK.

 

erbium-kvm70 # diagnose dpdk performance show
----------------------------------------
CPU usages
----------------------------------------
                            Average Engine 0 Engine 1 Engine 2 Engine 3
2025:08:06 00:43:37  rx:       0.0      0.1     0.0       0.0     0.0
2025:08:06 00:43:37  vnp:      0.0      0.0     0.0       0.0     0.1
2025:08:06 00:43:37  ips:      0.0      0.0     0.0       0.0     0.0
2025:08:06 00:43:37  tx:       0.0      0.0     0.0       0.0     0.0
2025:08:06 00:43:37  idle:     99.9     99.9    100.0     100.0   99.9


-----------------------------------------
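
Added example (not part of the original article and not Fortinet code): a small Python parser for the 'diagnose dpdk performance show' output above, for monitoring scripts that would otherwise alert on the ~99% ipsengine figure. Treating 100 minus the idle row as engine load, the function names and the 80% threshold are assumptions of this example.

```python
import re

# Constructed sample: same layout as the 'diagnose dpdk performance show' output above.
SAMPLE = """\
                            Average Engine 0 Engine 1 Engine 2 Engine 3
2025:08:06 00:43:37  rx:       0.0      0.1     0.0       0.0     0.0
2025:08:06 00:43:37  vnp:      0.0      0.0     0.0       0.0     0.1
2025:08:06 00:43:37  ips:      0.0      0.0     0.0       0.0     0.0
2025:08:06 00:43:37  tx:       0.0      0.0     0.0       0.0     0.0
2025:08:06 00:43:37  idle:     99.9     99.9    100.0     100.0   99.9
"""

# date, time, "<stage>:", then the Average column followed by one column per engine
ROW = re.compile(r"^\S+\s+\S+\s+(\w+):\s+(.+)$")


def parse_dpdk_perf(text):
    """Return {stage: [average, engine0, engine1, ...]} from the command output."""
    stages = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # separators, "CPU usages" title, column header
        try:
            stages[m.group(1)] = [float(v) for v in m.group(2).split()]
        except ValueError:
            continue  # matched the shape but is not a numeric stats row
    return stages


def engine_busy(stages):
    """Per-engine load, taken as 100 - idle (assumption of this example)."""
    if "idle" not in stages:
        raise ValueError("no idle row found; is DPDK enabled on this VM?")
    return [round(100.0 - idle, 1) for idle in stages["idle"][1:]]


def engines_over(text, threshold=80.0):
    """Indexes of engines whose load exceeds the (hypothetical) alert threshold."""
    busy = engine_busy(parse_dpdk_perf(text))
    return [i for i, pct in enumerate(busy) if pct > threshold]


if __name__ == "__main__":
    print(engine_busy(parse_dpdk_perf(SAMPLE)))
    print(engines_over(SAMPLE))
```
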