Hi,
Anyone out there using FortiOS v7.4.4,build2662 on the FortiGate-60F? How is your RAM usage?
I've installed v7.4.4,build2662 a couple of weeks ago, and the device was entering conserve mode every few days or so. Usual RAM utilization was around 75%, right after boot, so no wonder it was pushing it into conserve mode.
I've since downgraded to 7.2 (now usual RAM usage i 60-65%) but with this version we're having other issues which I would love to resolve (long connection times, need to refresh a web page a few times to open it etc...).
Here is the info I got during the last conserve mode:
firewall01 get system status
Version: FortiGate-60F v7.4.4,build2662,240514 (GA.F)
First GA patch build date: 230509
Security Level: 2
Firmware Signature: certified
Virus-DB: 92.05717(2024-07-10 07:26)
Extended DB: 92.05717(2024-07-10 07:25)
AV AI/ML Model: 2.17065(2024-07-10 07:45)
IPS-DB: 28.00824(2024-07-10 00:15)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 28.00823(2024-07-08 23:57)
FMWP-DB: 24.00070(2024-07-05 17:45)
IPS Malicious URL Database: 5.00107(2024-07-10 08:52)
IoT-Detect: 28.00824(2024-07-09 17:07)
OT-Detect-DB: 28.00824(2024-07-09 17:07)
OT-Patch-DB: 28.00824(2024-07-09 17:11)
OT-Threat-DB: 28.00823(2024-07-08 23:57)
IPS-Engine: 7.00539(2024-05-09 00:27)
Serial-Number: FGT60F*********
BIOS version: 05000030
System Part-Number: P24286-07
Log hard disk: Not available
Hostname: firewall01
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 2662
Release Version Information: GA
System time: Wed Jul 10 18:32:42 2024
Last reboot reason: warm reboot
firewall01 diag sys top
[H[JRun Time: 0 days, 22 hours and 34 minutes
12U, 0N, 0S, 85I, 3WA, 0HI, 0SI, 0ST; 1917T, 301F
ipshelper 186 R < 99.9 9.0 6
quard 208 S 2.9 0.8 4
snmpd 197 S 0.4 0.6 0
node 169 S 0.0 4.1 6
ipsengine 346 S < 0.0 3.3 5
ipsengine 347 D < 0.0 3.3 7
ipsengine 348 S < 0.0 3.1 6
wad 298 S 0.0 2.6 2
forticron 174 S 0.0 2.3 2
wad 300 S 0.0 2.1 6
cmdbsvr 132 S 0.0 2.1 0
miglogd 183 S 0.0 2.0 0
cw_acd 221 S 0.0 1.8 1
forticron 3677 S 0.0 1.6 2
wad 190 S 0.0 1.5 5
forticron 3678 R 0.0 1.5 3
forticron 3676 S 0.0 1.5 4
sslvpnd 187 S 0.0 1.4 3
csfd 228 S 0.0 1.3 5
scanunitd 3645 S < 0.0 1.2 2
[H[JRun Time: 0 days, 22 hours and 34 minutes
2U, 0N, 1S, 73I, 24WA, 0HI, 0SI, 0ST; 1917T, 304F
ipshelper 186 D < 11.7 7.0 1
iked 192 S 2.9 0.9 4
ipsengine 348 S < 1.9 3.7 6
ipsengine 346 S < 1.3 3.8 5
ipsengine 347 S < 1.3 3.8 7
miglogd 306 S 0.3 1.3 0
urlfilter 290 S < 0.3 0.8 1
radvd 213 S 0.3 0.6 2
forticron 3678 R 0.1 1.5 3
sslvpnd 235 S 0.1 1.1 3
sslvpnd 236 S 0.1 1.1 1
authd 176 S 0.1 0.7 1
syslogd 194 S 0.1 0.7 1
dnsproxy 215 S 0.1 0.5 1
acd 200 S 0.1 0.4 7
merged_daemons 172 S 0.1 0.4 2
node 169 S 0.0 4.1 6
wad 298 S 0.0 2.6 2
forticron 174 S 0.0 2.3 2
wad 300 S 0.0 2.1 2
[H[JRun Time: 0 days, 22 hours and 34 minutes
10U, 0N, 0S, 87I, 3WA, 0HI, 0SI, 0ST; 1917T, 316F
ipshelper 186 R < 83.1 7.4 1
forticron 174 S 0.7 2.3 3
ipsengine 346 S < 0.5 3.9 5
ipsengine 347 S < 0.5 3.8 7
ipsengine 348 S < 0.1 3.8 6
cw_acd 221 S 0.1 1.8 0
sslvpnd 238 S 0.1 1.1 7
node 169 S 0.0 4.1 6
wad 298 S 0.0 2.6 2
wad 300 S 0.0 2.1 0
cmdbsvr 132 S 0.0 2.1 0
miglogd 183 S 0.0 2.1 5
forticron 3677 S 0.0 1.6 2
wad 190 S 0.0 1.5 6
forticron 3678 R 0.0 1.5 3
forticron 3676 S 0.0 1.5 4
sslvpnd 187 S 0.0 1.4 5
miglogd 306 S 0.0 1.3 2
csfd 228 S 0.0 1.3 5
scanunitd 3645 S < 0.0 1.2 2
[H[JRun Time: 0 days, 22 hours and 34 minutes
11U, 0N, 0S, 86I, 3WA, 0HI, 0SI, 0ST; 1917T, 330F
ipshelper 186 R < 94.8 7.4 2
ipsengine 348 D < 1.1 3.9 6
cw_acd 221 S 0.1 1.8 3
forticron 3678 R 0.1 1.5 3
sslvpnd 235 S 0.1 1.1 4
snmpd 197 S 0.1 0.6 3
node 169 S 0.0 4.1 7
ipsengine 346 S < 0.0 3.9 5
ipsengine 347 S < 0.0 3.8 7
wad 298 S 0.0 2.6 5
forticron 174 S 0.0 2.3 3
wad 300 S 0.0 2.1 5
miglogd 183 S 0.0 2.1 0
cmdbsvr 132 S 0.0 2.1 0
forticron 3677 S 0.0 1.6 2
wad 190 S 0.0 1.5 6
forticron 3676 S 0.0 1.5 4
sslvpnd 187 S 0.0 1.4 5
miglogd 306 S 0.0 1.3 3
csfd 228 S 0.0 1.3 6
NSE 7
All oppinions/statements written here are my own.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
On request of Fortinet support, I added a stitch to run debugging when in Conserve Mode. First result was "auto-script cannot run because of high memory usage (96%)" :p
Second one did deliver a complete debug report. Uploaded to the case.
Did not configure the memory tweaking Support suggested, because of the "low end Fortigate". I find this hs. This same FortiGate with same config run perfect on 7.0 and 7.2 without any memory problem. I still think it will be solved after a bug is fixed, probably in the IPS engine. Like I told, would not be the first time.
I also still wondering, why memory is still a problem in modern day equipment. What is the production cost of 2 Gb of memory? Maybe a dollar or 2. So why not put in 4 or 8 Gb, will make the FortiGate max $10,- more expensive.
All great points @EME. Regarding the RAM - totally agree with you! 4GB should be bare minimum! If it is any consolation, I did implement the memory tweaks - they did not help. :)
However, it looks like I've found an acceptable 'workaround' for our environment: since we can all agree that FortiGuard updates trigger the Conserve Mode, I've scheduled daily update for 6AM. I've also created an automation stitch to restart the FortiGate each morning at 5:40AM, just to lower RAM usage 5-10% prior to the update.
NSE 7
All oppinions/statements written here are my own.
to be honest we are speaking about "enterprise solutions" even the entry level fortigates have an enterprise price tag. So in this segment I'm not discussing about rebooting it every day to prevent a conserve mode. This can be done in consumer hw with a consumer price tag but not in a business environment. Forti should check their firmwares and fix those flaws. I had a 61F for x years on the older trains of firmwares working with all features enabled without any conserve mode during the whole life of it. So it's possible and we are speaking still about the same feature set of AV/IDS/WEB and so on nothing really new and fancy. And it was even possible to do ssl-vpn on top without any issues :-).
I agree 100%! There is definitely something wrong with these new releases. Either it is a bug which they are not willing to acknowledge and deal with, or it is "planned obsolescence". Considering the "low end devices" narrative, and removal of the features, I'm inclined to think it is the latter.
NSE 7
All oppinions/statements written here are my own.
Me too. They lowered prices of old 40F/60F, then made this model not working with new OSs.
Instead of simply declare that 40F/60F are "cheap and old" devices.
Hi @NotMine
I did the same thing to update FortiGuard updates at 2 a.m. as a workaround. For my home network, this is temporarily fine. For a corporate network, it's a choice between continuity and security. You could miss an important update. And yes, the window of opertunity is small, but not 0.
And so, it begins :(
Feedback from support:
Please note that based on the output provided, i can see that the firewall entered the conserve mode due to low memory issue caused by the IPS engine (AV failed to open).
Please refer to the following document that explains the cause behind this behavior and the remedy that you can implement to prevent this issue:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-socket-size-and-fail-open-mode/ta-p/19...
Also, i would recommend to follow the document below since you're using a small series if the firewall that has a 2GB of RAM.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Steps-to-optimize-the-Memory-consumption/t...
They keep throwing it at “only 2Gb” of memory.
Again, they push me to tweak the memory and now they also want me to configure my FortiGate in “fail-open”.
These “solutions” are driving me crazy.
Like @swissroot said, this is no way to handle customers that use Enterprise equipment. I should not be forced to degrade my security, to be able to maintain continuity,
Even this small unit at my home does maybe seem to them as a small customer, but they make the mistake that I work at a company that owns and manages more than 60 FortiGate’s in all sizes, with also FortiSwitches, FortiAP’s, FortiWeb, FortiManager and FortiAnalyser.
When is this sent from support to engineering, so they can say, O wait, we have a bug, here is the update and it works fine again?
I got nowhere on a support call this morning. They want logs to try to correlate the issue with other identical reports that they've received (at least support finally admitted there were other reports.) The problem is the logs they want quit being logged when the unit hits the extreme memory threshold. I've run a script to collect the logs when the issue happens and they simply don't get recorded. It's a Catch 22...they want the logs to correlate the issue before sending it to engineering, but the logs don't exist because of the issue.
The sad thing is others with 100/200F units also seem to be experiencing high memory utilization, but those units have enough to basically handle the leaks and keep running. The 2GB units just don't have that luxury. The bug(s) isn't just limited to the 2GB models, they're just the only ones crashing due to it.
We're already planning to downgrade to 7.2.10 this weekend. We can't even schedule Fortiguard updates outside business hours now without the update crashing the Fortigate. We're just going to wing it this week without current Fortiguard definitions, which is NOT a position any business should need to be in.
This is being handled terribly. We're probably going to end up skipping 7.4 entirely. Boss just scheduled a meeting to discuss options to jump ship when our current licenses expire in a little over a year...
I will open another ticket (previous one being closed with RMA), not because I expect any real resolution, but to "pump up the numbers" and hopefully increase awareness and pressure inside the organization.
NSE 7
All oppinions/statements written here are my own.
I just told Support that I do not find the “solution” acceptable and that he should escalate it internally. I also pointed out that as a company we have 50 40F and 61F in the field and that it is unacceptable that these will soon have to be replaced, because at some point we will be forced to 7.4.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1093 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.