Hey All,
Just got a 60F and putting it through the paces. I am noticing high mem around 60% and if np does anything basically goes to conserve mode and need to reboot. Scoured cookbook and other googles and can't seem to find a good NPU best practice.
Wondering if anyone else has played with this at all. Using at home, about 10 policies, 2 of which do actual filtering.
Just wondering thoughts.
For FOS v6.4, just request IPS package v6.0.30 or later from TAC.
This is a new feature tracked by mantis 0613814: Reduce IPS memory consumption.
It is still being backported to FOS v6.2/6.0 later on as one of major features (not available yet currently, more testing likely pending).
Hopefully it would make it to the next IPS official public release for FOS v6.2/v6.0 (can't ascertain this).
@simonarch what's your mem % at with that? I have noticed the app filtering is really killing me.
Which, I have to say, one of the main reasons I got this is for the filtering capabilities, and the upgraded hardware/throughput on these. Such a shame seemingly that one policy can push this thing over the edge.
With proxy mode enabled on the main general internet policy with a maximum of 20Mbps throughput, as that's the limit of the connection, I'm at a steady 73%; in flow mode it's about 71%.
It appears to be an issue with the 40F, 60F and 100F given they share the same ASIC, try 6.0.8.
I've had one ticket open for over a month now with bug confirmed but there is no guarantee of when it will be fixed, understand this is an architecture issue?
Hello,
Question is what is your expectation - what the percentage of memory usage should be?
FortiOS buffers and caches some data that are cleared when RAM is needed for something more important. 60-70% right after device's start does not mean any issue at all.
Best Regards,
Alivo
Hello Robert P. I was referring to OP's original query. Alivo
I have the same problem. However with 6.2.3 memory usage dropped to 58% compared to 6.2.2 with 76% usage.
Support gave me some settings for IPS, to reduce the use of memory. In my case it is the IPS that is sucking the memory.
    config ips global
        set cp-accel-mode basic
        set database regular
    end
And disable the log for memory:
    config log memory setting
        set status disable
    end
I am also VERY disappointed in the performance of the FGT-60F. Replaced a FGT-80D v5.6.11(build3955) running IPS/App.Control and WCF/AV/DLP (proxy-mode) with a FGT-60F v6.0.10 and we are seeing basically the exact same throughput (80Mbps/20Mbps) as the FGT-80D with much higher memory utilization (65 - 72% compared to 54 - 60% with the 80D). A large majority of the memory utilization are the IPS engine daemon(s). This device does not have any ingress policies, just a small office with all outbound traffic.
Tried stopping/restarting the engines via ipsmonitor to no avail.
Bypassed all UTM inspection (except for botnet and IPS on the internal/external interface-policies) and still saw very little improvement in throughput, if any at all.
Next step is to switch the entire device to flow-mode just to see what types of throughput it is capable of albeit losing some WCF/AV/DLP functionality.
This is very frustrating as this customer would have upgraded to a larger device like a 100 or 200E had Fortinet not published such unrealistic throughput specs on the 60F datasheet, it looked like a clear winner compared to the datasheet for the 80D:
80D - 210Mbps NGFW // 190 Mbps Threat Protection
60F - 1Gbps NGFW // 700 Mbps Threat Protection
What is the bandwidth of the connection? I'm getting my full bandwidth 600/150 on my 60F with everything turned on (mostly default settings). Running 6.2.3 in flow mode, it's not doing a whole lot... managing 2 switches and 2 APs and it's sitting at 60% memory. In my experience the F models don't run as well on the 6.0.x firmware - which is unfortunate as 6.0.x is more stable in general.
Copyright 2024 Fortinet, Inc. All Rights Reserved.