mhdganji
Contributor II

Conserve mode in Proxy based policies

Hi,

My FortiGate unit is acting as a proxy server for clients with some SSL, AV and other policies. It has gone into conserve mode with just a few sessions (under 100). CPU usage is 100%, nTurbo and SPU usage are 0% and memory is about 80%.

Two questions:

Is this happening because of using proxy policies? (I guess SPU and nTurbo cannot help when all policies are via proxy.) Any way to alleviate this pain to some extent :) ?

What happens exactly in conserve mode? Is it possible to find out which rules, packets or policies are bypassed or ignored in conserve mode?

 

Regards,

M. Ganji, Network & Security Expert.
wdeloraine_FTNT

Hi,

You're correct: once you're using a policy in proxy mode, offload is not allowed.

I think you'll find useful info in this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580

Depending on the features you're running, it could have consequences.

You can try to spot the problematic daemon with the commands detailed in this article:

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-do-initial-troubleshooting-of...

Please also have a look at the most recent release notes for your version, where known issues about memory could be detailed.

WD
mhdganji

Hi

It seems Bug ID 823247 (WAD user_info process leaks memory) is related to my problem, and there is no workaround unless going to 7.2.x, probably.

My question about conserve mode is still there. I assume that in conserve mode some security measures and settings are bypassed in order to make resources available. Am I right? If yes, how can I find, for instance, which settings are bypassed or changed when conserve mode is triggered on a firewall with FortiOS 7.0.6 working in proxy mode (or flow-based, or ...)? The documents I'm checking are not clear about this.

 

Regards,

M. Ganji, Network & Security Expert.
johnjaffer
New Contributor

Proxy-based policies can be put into conserve mode to reduce the load on the proxy server. In this mode, the proxy will not forward any traffic that is not explicitly allowed by the policy. This can be used to reduce the load on the proxy server when it is under heavy load.

mhdganji

Thanks John, but firstly, I couldn't find how we can put some policies into conserve mode. Secondly, I assume that anyway, and in any mode, the firewall will not forward traffic which is not allowed by the policies. I have some proxy policies and rules; traffic comes in, is checked against those policies and, if not allowed, it will not be passed and will be dropped and denied. So would you please give me some more explanation of your statement?

Regards,

M. Ganji, Network & Security Expert.
mhdganji
Contributor II

And BTW, please note that I'm not talking about policies in proxy mode. All the firewall rules and client access to the Internet via the firewall are based on explicit proxy (web proxy on port 8080 or so).

And another issue: even when memory usage goes down (under 60 or 70%), the firewall still shows that it is in conserve mode and does not turn it off.

M. Ganji, Network & Security Expert.
wdeloraine_FTNT

Hi,

Conserve mode is a protection state entered before the FortiGate becomes unresponsive.

There are 3 thresholds in conserve mode:

- extreme -> at which the FortiGate starts dropping new sessions
- red -> at which the FortiGate enters conserve mode
- green -> at which the FortiGate exits conserve mode

Most likely it will impact the AV engine behavior while using proxy mode.

It's well described here

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/681934/conserve-mode

WD
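As an added illustration of the reply above (this is not from the thread, and not Fortinet's own documentation), the following FortiOS CLI session shows where the three thresholds live, how to see which state the unit is in, how to spot the memory-hungry daemon, and the one setting that decides what proxy-based AV does while conserve mode is active. The command and setting names are real FortiOS CLI; the threshold values are the FortiOS defaults, and the `av-failopen` choice shown is an assumption that each site has to decide for itself.

```text
# Added example (not from the thread). FortiOS CLI, run from an admin console.
# Assumption: the unit uses explicit web proxy with proxy-based AV, as in the OP's case.

# 1. Is the unit in conserve mode right now, and against which thresholds?
#    The output reports the mode (on/off), memory used, and the extreme/red/green thresholds.
diagnose hardware sysinfo conserve

# 2. Which process is holding the memory? Sort by memory; with explicit proxy and
#    proxy-based AV/SSL inspection, expect 'wad' near the top.
diagnose sys top-mem
#    Live view: 1-second refresh, 20 lines (press 'm' to sort by memory, 'q' to quit).
diagnose sys top 1 20

# 3. The thresholds are percentages of total RAM. FortiOS defaults: extreme 95, red 88, green 82.
#    Crossing red enters conserve mode, falling below green exits it, crossing extreme
#    drops new sessions. The values must satisfy green < red < extreme.
config system global
    set memory-use-threshold-extreme 95
    set memory-use-threshold-red 88
    set memory-use-threshold-green 82
end

# 4. What proxy-based AV does while in conserve mode (the part of the OP's question that
#    is configurable) is governed by av-failopen:
#      pass  - new sessions that would need proxy AV scanning are let through unscanned
#              (availability over inspection)
#      off   - those sessions are blocked until the unit leaves conserve mode
#              (inspection over availability)
#    'one-shot' and 'idledrop' also exist; check the handbook for your version before using them.
#    Assumption below: this site prefers to fail closed.
config system global
    set av-failopen off
    set av-failopen-session disable
end
```

Checking step 1 before and after a restart is the quickest way to confirm the symptom raised later in this thread (memory well below the green threshold but conserve mode still reported as on), since the output shows both the live usage and the green threshold it is compared against.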
mhdganji

Hi,

The problem is that even after memory comes down to under 50%, the auto-trigger action and exit from conserve mode do not happen, and a restart is needed.

M. Ganji, Network & Security Expert.
airekoth
New Contributor

Hey 

I totally agree with you; my problem is solved. I am happy.

Have a nice day to all.
