The wad process has a memory leak on FortiOS 7.0.8 and 7.0.9 in the object ssl.fts.str.fstr_buffer_bytes.

The issue occurs when processing SSL/TLS traffic.

High memory usage in this buffer is not necessarily linked to a memory leak. In these scenarios, refer to the article Technical Tip: High WAD memory due to ssl.fts.str.fstr_buffer_bytes buffer usage

To confirm the device is matching this issue run show the memory usage of the user space processes:

diagnose sys top-mem 99
wad (17503): 1238519kB <----- 1209,49 MB.
wad (17502): 623328kB
wad (17504): 605840kB
...

Here the WAD process with the process ID (PID) 17503 allocated about 1200 MB.

Verify these wad processes are of type worker with commands:

diagnose debug reset
diagnose debug enable
diagnose test app wad 1000
...
Process [6]: type=worker(2) index=4 pid=17502 state=running
Process [7]: type=worker(2) index=5 pid=17503 state=running
Process [8]: type=worker(2) index=6 pid=17504 state=running
...
diagnose debug disable

Confirm the wad workers leaks memory in object ssl.fts.str.fstr_buffer_bytes:

diagnose wad stats worker | grep fstr_buffer
ssl.fts.str.fstr_buffer now 297596 max 382415 total 451041111
ssl.fts.str.fstr_buffer_bytes 3290818496 <----- 3138,37 MB.

Repeat the steps from above periodically to observe if memory increases i.e. after 30 minutes.

Workaround:

As a quick workaround, the wad processes can be restarted with the command:

diag test app wad 99

This can be automated via the 'config system auto-script' feature.

Solution:

The solution is to upgrade to FortiOS versions 7.0.10, 7.2.4, or above.