Support Forum
ismailurek2
New Contributor III

CPU issue after adding threat feed

Hello,

After we added 8 different new “Domain Name Threat Feed” entries as External Connectors to our FW device and activated them, the device CPU reached 99-100% in a short time, the system became inoperable and could not be managed from the interface. Is this an expected situation? Do you have any suggestions to prevent this from happening again, and what can be done about the CPU-related interface access problem?

Below is the list of the 8 feeds added:

Threat Intelligence Feeds DNS Blocklist - mini version https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.mini.txt

Threat Intelligence Feeds DNS Blocklist - mini version only domains https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/tif.mini-onlydomains.txt

Fake DNS Blocklist https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/fake.txt

Fake DNS Blocklist only domains https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/fake-onlydomains.txt

Encrypted DNS/VPN/TOR/Proxy Bypass DNS Blocklist https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/doh-vpn-proxy-bypass.txt

Encrypted DNS/VPN/TOR/Proxy Bypass DNS Blocklist only domains https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/doh-vpn-proxy-bypass-onlydomai...

Light DNS Blocklist https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/light.txt

Light DNS Blocklist only domains https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/light-onlydomains.txt


Best Regards, İsmail Ürek

3 REPLIES
Christian_89
Contributor III

High CPU usage is unfortunately quite common if you load a large volume of external domain feeds onto a FortiGate—especially if it’s a smaller or mid-range model with limited resources. When you enable multiple (and often quite large) domain feeds, the firewall must continuously parse, store, and match against those domains in real time. This can drive the CPU (and sometimes memory) very high, leading to lockups or a non-responsive GUI.

Below are a few considerations and possible workarounds to help avoid hitting 100% CPU and losing access:

1. Feed Size and Frequency

1. Consolidate or Reduce Feeds 
- Each of the URLs you’re using can include tens or even hundreds of thousands of domains. When you add them all together, the total might be quite large.
- If possible, consolidate or use only one or two key threat feeds, or use “mini-onlydomains” if you only need domains rather than full wildcard entries.

2. Check Update Frequency
- Large feeds that update frequently can spike CPU usage every time the FortiGate refreshes them.
- Consider increasing the refresh interval (if that’s an option in your version) so the feed isn’t updated too often.

3. Use an External Aggregator
- Instead of loading multiple large feeds directly into the firewall, you could aggregate and de-duplicate them on an external system (e.g., a simple Linux server or threat intelligence platform). Then serve that single “merged” feed to the FortiGate.
- This way, the device only needs to download and parse one feed rather than many.


2. FortiGate Hardware Capacity

1. Check the Model’s Limitations
- Smaller or older FortiGate models can struggle with large domain-based external connectors.
- If the device frequently hits high CPU from normal traffic, then adding multiple large threat feeds may be beyond its capacity.

2. Firmware / Software Version 
- Some FortiOS versions handle external feeds more efficiently than others. If you’re not on a recent FortiOS build, check the release notes or contact Fortinet support to confirm if there are optimizations available.


3. Adjusting the Policy Usage of Feeds

1. Use Feeds Selectively 
- If you’re applying these domain lists to every outbound policy, the firewall has to compare every DNS or HTTP request against a huge list, which is CPU-intensive.
- Consider applying threat feeds only to specific critical segments or policies, rather than an entire network.

2. Domain Filter vs. Web Filter
If you’re using these external feeds purely for domain blocking, sometimes the built-in Web Filtering with FortiGuard categories can offload that overhead.
Alternatively, consider a local DNS server that references large blocklists, so the FortiGate only handles IP-based enforcement.


4. Recovering From High CPU and GUI Inaccessibility

1. CLI Access 
- If the GUI locks up at 99-100% CPU, you can often still SSH into the FortiGate or connect via console/serial. From there, you can disable or remove the offending external connector(s).

2. Removing Feeds via CLI
- For example:

```
config system external-resource
edit <feed_name>
set status disable
next
end
```

You can also delete them entirely if needed.

3. Emergency Measures 
- In some extreme cases, a reboot is required if the firewall is so overloaded that even CLI is non-responsive.


5. Best Practices Summary

- Start Small: Test one feed at a time to see how it impacts CPU usage.
- Use Minimal or Aggregated Lists: Large lists with duplicates can balloon the resource load.
- Monitor Logging and Usage: Use `diag sys top`, `diag debug en`, `diag debug flow`, etc. in the CLI to see which processes spike CPU usage.
- Scale Hardware if Needed: If your environment genuinely needs multiple large threat feeds, you may need a higher-spec firewall.


Conclusion

Yes, it’s “expected” in the sense that large domain feeds can drastically raise CPU usage—especially on smaller FortiGates—because every domain lookup must be cross-referenced. The best strategy is to reduce feed size, consolidate lists, or limit usage to the most critical rules. You might also consider an external aggregator to handle these blocklists before they reach the firewall.

If the device becomes unresponsive, use SSH or console to disable/remove the feeds. Then reintroduce them gradually (or in a reduced/merged form) while monitoring CPU load.

Hope this clarifies how to avoid future overloads and keep your FortiGate manageable! If you have further details (like the FortiGate model or logs), feel free to share for more specific recommendations.
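An added example (not from this thread, and not Fortinet or hagezi code) of the aggregate-and-de-duplicate step suggested above: several hagezi-style lists are parsed, unioned, and reduced to one feed that a FortiGate would then fetch as a single external resource. The list contents are constructed samples, and the optional subdomain collapse assumes the enforcement point treats a listed domain as also covering its subdomains; disable it if yours matches exact names only.

```python
import re

# Constructed sample content standing in for downloaded hagezi-style lists
# (not real feed data): comment lines, "*.domain" wildcard entries, plain
# domains, duplicates across lists, and subdomains whose parent is listed.
FEEDS = {
    "tif.mini.txt": """# TIF mini (constructed sample)
*.bad-example.com
*.evil-example.net
*.tracker-example.org
""",
    "fake.txt": """# Fake shop list (constructed sample)
*.bad-example.com
*.scam-example.shop
shop.scam-example.shop
""",
    "light-onlydomains.txt": """# onlydomains variant (constructed sample)
evil-example.net
cdn.evil-example.net
ads.tracker-example.org
""",
}

# Accept an optional "*." prefix so wildcard and onlydomains variants of the
# same list collapse to the same bare domain key.
DOMAIN_RE = re.compile(r"^(?:\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)$")

def parse_feed(text):
    """Return the set of bare domains in one list; comments and junk are skipped."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        m = DOMAIN_RE.match(line)
        if m:
            domains.add(m.group(1))
    return domains

def covered_by_parent(domain, domains):
    """True if a shorter parent of `domain` (not the bare TLD) is itself listed."""
    parts = domain.split(".")
    return any(".".join(parts[i:]) in domains for i in range(1, len(parts) - 1))

def merge_feeds(feeds, collapse_subdomains=True):
    """Union all lists; optionally drop entries already covered by a listed parent
    (assumption: a listed domain also matches its subdomains on the enforcer)."""
    union = set()
    for text in feeds.values():
        union |= parse_feed(text)
    if not collapse_subdomains:
        return sorted(union)
    return sorted(d for d in union if not covered_by_parent(d, union))

if __name__ == "__main__":
    raw_total = sum(len(parse_feed(t)) for t in FEEDS.values())
    merged = merge_feeds(FEEDS)
    print(f"{raw_total} raw entries -> {len(merged)} merged entries")
    print("\n".join(merged))  # serve this file over HTTP as the single feed
```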

AEK
SuperUser

Hi Ismail

The first two DBs and the last two DBs are more than 70K each. Try removing them and see if it fixes the issue.

On the other hand, if you want a good DB of bad IP addresses then you may use FortiGuard's. It is available under menu Policy & Objects > Internet Service Database > IP Reputation Database.

AEK
Dhruvin_patel

Dear Customer,


When you face the high CPU issue, will you collect the following debugs?


```
get system performance status
diagnose sys top 5 40
diagnose sys mpstat 1 1
```


Regards!

Dhruvin Patel