We have a Fortigate-1500D running on 5.6.8 which is averaging CPU usage around 50%, some days ago there was a huge peak in the CPU usage which went up to 90%.

I took some screenshots from the device's web interface shortly after issue was reported and it seems like there was a drop in the number of sessions the same time the CPU was going up to the sky.

Processing the logs in Splunk showed that at the CPU peak time there was a huge number of logged traffic events with "action=accept"

All the accepted traffic was from different sources but all to the same destination ( A remote proxy server )

Naturally i would think that this is caused by newly created sessions but as i said, on the device it showed a drop in the number of active sessions...

My question ultimately is : Was the CPU usage caused by an issue with the remote proxy server causing all those sessions (around 26k sessions) to terminate abruptly and therefore the device was busy logging all sessions that dropped (log on session close)?

OR

Was it caused really by new sessions? it contradicts with only one thing which is the device showing a drop in session count not the other way around.

I am strongly inclined to believe this was caused by excessive logging due to abrupt sessions termination... Is that likely? How do i confirm that?

The screenshot shows Splunk and the utilzation as reported by the device.

Thanks in advance :)