Hi,
Anyone out there using FortiOS v7.4.4,build2662 on the FortiGate-60F? How is your RAM usage?
I've installed v7.4.4,build2662 a couple of weeks ago, and the device was entering conserve mode every few days or so. Usual RAM utilization was around 75%, right after boot, so no wonder it was pushing it into conserve mode.
I've since downgraded to 7.2 (now usual RAM usage is 60-65%) but with this version we're having other issues which I would love to resolve (long connection times, need to refresh a web page a few times to open it etc...).
Here is the info I got during the last conserve mode:
firewall01 get system status
Version: FortiGate-60F v7.4.4,build2662,240514 (GA.F)
First GA patch build date: 230509
Security Level: 2
Firmware Signature: certified
Virus-DB: 92.05717(2024-07-10 07:26)
Extended DB: 92.05717(2024-07-10 07:25)
AV AI/ML Model: 2.17065(2024-07-10 07:45)
IPS-DB: 28.00824(2024-07-10 00:15)
IPS-ETDB: 0.00000(2001-01-01 00:00)
APP-DB: 28.00823(2024-07-08 23:57)
FMWP-DB: 24.00070(2024-07-05 17:45)
IPS Malicious URL Database: 5.00107(2024-07-10 08:52)
IoT-Detect: 28.00824(2024-07-09 17:07)
OT-Detect-DB: 28.00824(2024-07-09 17:07)
OT-Patch-DB: 28.00824(2024-07-09 17:11)
OT-Threat-DB: 28.00823(2024-07-08 23:57)
IPS-Engine: 7.00539(2024-05-09 00:27)
Serial-Number: FGT60F*********
BIOS version: 05000030
System Part-Number: P24286-07
Log hard disk: Not available
Hostname: firewall01
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Branch point: 2662
Release Version Information: GA
System time: Wed Jul 10 18:32:42 2024
Last reboot reason: warm reboot
firewall01 diag sys top
Run Time: 0 days, 22 hours and 34 minutes
12U, 0N, 0S, 85I, 3WA, 0HI, 0SI, 0ST; 1917T, 301F
ipshelper 186 R < 99.9 9.0 6
quard 208 S 2.9 0.8 4
snmpd 197 S 0.4 0.6 0
node 169 S 0.0 4.1 6
ipsengine 346 S < 0.0 3.3 5
ipsengine 347 D < 0.0 3.3 7
ipsengine 348 S < 0.0 3.1 6
wad 298 S 0.0 2.6 2
forticron 174 S 0.0 2.3 2
wad 300 S 0.0 2.1 6
cmdbsvr 132 S 0.0 2.1 0
miglogd 183 S 0.0 2.0 0
cw_acd 221 S 0.0 1.8 1
forticron 3677 S 0.0 1.6 2
wad 190 S 0.0 1.5 5
forticron 3678 R 0.0 1.5 3
forticron 3676 S 0.0 1.5 4
sslvpnd 187 S 0.0 1.4 3
csfd 228 S 0.0 1.3 5
scanunitd 3645 S < 0.0 1.2 2
Run Time: 0 days, 22 hours and 34 minutes
2U, 0N, 1S, 73I, 24WA, 0HI, 0SI, 0ST; 1917T, 304F
ipshelper 186 D < 11.7 7.0 1
iked 192 S 2.9 0.9 4
ipsengine 348 S < 1.9 3.7 6
ipsengine 346 S < 1.3 3.8 5
ipsengine 347 S < 1.3 3.8 7
miglogd 306 S 0.3 1.3 0
urlfilter 290 S < 0.3 0.8 1
radvd 213 S 0.3 0.6 2
forticron 3678 R 0.1 1.5 3
sslvpnd 235 S 0.1 1.1 3
sslvpnd 236 S 0.1 1.1 1
authd 176 S 0.1 0.7 1
syslogd 194 S 0.1 0.7 1
dnsproxy 215 S 0.1 0.5 1
acd 200 S 0.1 0.4 7
merged_daemons 172 S 0.1 0.4 2
node 169 S 0.0 4.1 6
wad 298 S 0.0 2.6 2
forticron 174 S 0.0 2.3 2
wad 300 S 0.0 2.1 2
Run Time: 0 days, 22 hours and 34 minutes
10U, 0N, 0S, 87I, 3WA, 0HI, 0SI, 0ST; 1917T, 316F
ipshelper 186 R < 83.1 7.4 1
forticron 174 S 0.7 2.3 3
ipsengine 346 S < 0.5 3.9 5
ipsengine 347 S < 0.5 3.8 7
ipsengine 348 S < 0.1 3.8 6
cw_acd 221 S 0.1 1.8 0
sslvpnd 238 S 0.1 1.1 7
node 169 S 0.0 4.1 6
wad 298 S 0.0 2.6 2
wad 300 S 0.0 2.1 0
cmdbsvr 132 S 0.0 2.1 0
miglogd 183 S 0.0 2.1 5
forticron 3677 S 0.0 1.6 2
wad 190 S 0.0 1.5 6
forticron 3678 R 0.0 1.5 3
forticron 3676 S 0.0 1.5 4
sslvpnd 187 S 0.0 1.4 5
miglogd 306 S 0.0 1.3 2
csfd 228 S 0.0 1.3 5
scanunitd 3645 S < 0.0 1.2 2
Run Time: 0 days, 22 hours and 34 minutes
11U, 0N, 0S, 86I, 3WA, 0HI, 0SI, 0ST; 1917T, 330F
ipshelper 186 R < 94.8 7.4 2
ipsengine 348 D < 1.1 3.9 6
cw_acd 221 S 0.1 1.8 3
forticron 3678 R 0.1 1.5 3
sslvpnd 235 S 0.1 1.1 4
snmpd 197 S 0.1 0.6 3
node 169 S 0.0 4.1 7
ipsengine 346 S < 0.0 3.9 5
ipsengine 347 S < 0.0 3.8 7
wad 298 S 0.0 2.6 5
forticron 174 S 0.0 2.3 3
wad 300 S 0.0 2.1 5
miglogd 183 S 0.0 2.1 0
cmdbsvr 132 S 0.0 2.1 0
forticron 3677 S 0.0 1.6 2
wad 190 S 0.0 1.5 6
forticron 3676 S 0.0 1.5 4
sslvpnd 187 S 0.0 1.4 5
miglogd 306 S 0.0 1.3 3
csfd 228 S 0.0 1.3 6
NSE 7
All opinions/statements written here are my own.
Good day @NotMine ,
- There could be several processes that cause the device to enter the conserve mode, but since the FortiGate is rebooted there should be nothing much in the logs as well. But you can create this automation stitch: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-do-initial-troubleshooting-of... that triggers when the device enters the conserve mode. Or you can open up the TAC case to further investigate based on the logs collected from the above stitch.
Hello, thank you for answering. Well, there is the crashlog with several 'conserve mode' messages in it, and we are also saving the logs on the FortiAnalyzer.
My guess/fear is that FOS 7.4 is simply 'too much' for these entry level devices, that is why I asked if anyone else is using it.
NSE 7
All opinions/statements written here are my own.
Any updates?
@TheMan This thread is about 1 year old and it's about 7.4.4. One year after, now 7.4.9 is released. There must be many bug fixes through the last 5 maintenance releases. If you still have the same conserve mode/memory leak issues with the latest 7.4.9, you should start a new post like "FGxx conserve mode with 7.4.9".
Toshi
The update: it has not been solved, nor will it ever be on FortiGates with low memory!
I have tried to get an official statement, but Fortinet is not providing one. If you submit a ticket instead, support will give you all kinds of tips on how to get the most out of your FTG without going to conserve mode.
It is now clear to me that Fortinet has left the statement that there is one OS for all the equipment. Yes, there is, but not everything is working anymore. We also found that after upgrading to 7.4.8, on the 71G SSL_VPN is already deprecated. Surprised us because this was announced on 7.6 low mem FortiGate. Also, in 7.4.8 they decided to kill the SSL_VPN Portal on low mem FortiGates. And the alternative for SSL_VPN being IPsec_VPN, is not supported on the FortiClient for Linux ☹
Really disappointed in Fortinet right now. We get all “new” features we do not use, and lose features we do use. All because they decide (years ago and now still) to save 10 dollars on memory. Now we must buy much more expensive and overqualified FortiGates for locations with 2-4 users and a small bandwidth internet connection, just to avoid these troubles.
The tweaks:
config system autoupdate schedule
set frequency daily
set time 02:00 <------ Try to use the Memory, CPU and Bandwidth graphs to determine the optimum time at the lowest load for running updates.
end
config system dns
set dns-cache-limit 300 (dns-cache-limit Enter an integer value from <0> to <4294967295> (default = <5000>).)
end
config system fortiguard
set webfilter-cache-ttl 600 (webfilter-cache-ttl Enter an integer value from <300> to <86400> (default = <3600>).)
set antispam-cache-ttl 600 (antispam-cache-ttl Enter an integer value from <300> to <86400> (default = <1800>).)
end
config ips global
-> set engine-count 2 (engine-count Enter an integer value from <0> to <255> (default = <0>).)
-> set socket-size 32 (socket-size Enter an integer value from <0> to <128> (default = <64>).)
-> set exclude-signatures none (set cp-accel-mode <none> or <ot> (default <ot>).)
(Below config change (cp-accel-mode none) done on 2025-07-25)
One workaround you can try is to disable cp-accel-mode. During a FortiGuard update, the ipshelper process can consume as much as 20% of available system memory so we can disable this feature using:
-> set cp-accel-mode none (default advanced)
none CPx acceleration/offloading disabled.
basic Offload basic pattern matching to CPx processors.
advanced Offload more types of pattern matching resulting in higher throughput than basic mode. Requires two CP8s or one CP9.
-> set database regular
end
-> diag test application ipsmonitor 99
config system global
set memory-use-threshold-extreme 97 (Default: set memory-use-threshold-extreme 95)
set memory-use-threshold-green 90 (Default: set memory-use-threshold-green 82)
set memory-use-threshold-red 94 (Default: set memory-use-threshold-red 88)
-> set security-rating-run-on-schedule disable (Default enable)
-> (Option not available) set security-rating-result-submission disable
-> set miglogd-children 2
-> set wad-worker-count 2
-> set scanunit-count 2
end
-> fnsysctl killall miglogd
-> diagnose test application wad 99
-> fnsysctl killall scanunitd
Set the ISDB to 'on-demand'. In this way, the firewall will download only the ISDB entries that will be used in policies and other configurations
config sys global
set internet-service-database on-demand (The default value is standard.)
end
After making this change, the following warning will appear:
Warning: Changing Internet Service database update mode will lead to the removal of all downloaded Internet Service files.
Do you want to continue? (y/n) y
Once this is confirmed, an additional message will appear:
Please run command "execute update-ffdb-on-demand" to manually initiate a download or wait for the automatic schedule update for on-demand Internet Service database. Additionally, please ensure to perform this action when enabling, changing, or creating new internet services in a firewall policy.
NOTE: If you submit 3 Support tickets, you get 3 slightly different answers on the tweaks.
NOTE: I did not apply all settings, but only those that I thought would have the least impact on security and usability.
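Added example, not part of the posts above: a small Python parser for the `diag sys top` header lines quoted in the first post, which replays the resulting memory percentages through the red/green thresholds listed in the tweaks (defaults 82/88, tweaked 90/94). It assumes used memory can be approximated as (T - F) / T from the header and that conserve mode is entered at the red threshold and left below the green one; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Header of each `diag sys top` refresh: CPU states, then total (T) and free (F) memory in MB.
HEADER = re.compile(r"^\d+U, .*; (\d+)T, (\d+)F$")
# Process row: name, PID, state, optional '<' priority flag, CPU %, memory %.
PROC = re.compile(r"^(\S+) (\d+) [RSDZ] (?:< )?([\d.]+) ([\d.]+)")

# Lines copied from the first post; process rows kept only for the first refresh.
SAMPLE = """\
12U, 0N, 0S, 85I, 3WA, 0HI, 0SI, 0ST; 1917T, 301F
ipshelper 186 R < 99.9 9.0 6
ipsengine 346 S < 0.0 3.3 5
ipsengine 347 D < 0.0 3.3 7
ipsengine 348 S < 0.0 3.1 6
2U, 0N, 1S, 73I, 24WA, 0HI, 0SI, 0ST; 1917T, 304F
10U, 0N, 0S, 87I, 3WA, 0HI, 0SI, 0ST; 1917T, 316F
11U, 0N, 0S, 86I, 3WA, 0HI, 0SI, 0ST; 1917T, 330F
"""

def parse_top(text):
    """Return one dict per refresh: used-memory % and memory % summed per process name."""
    snaps = []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            total, free = int(m[1]), int(m[2])
            # Assumption: used % approximated as (T - F) / T; FortiOS may count differently.
            snaps.append({"used_pct": round(100 * (total - free) / total, 1),
                          "mem": defaultdict(float)})
        elif snaps and (m := PROC.match(line)):
            snaps[-1]["mem"][m[1]] += float(m[4])
    return snaps

def conserve_states(used_pcts, green, red, in_conserve=False):
    """Hysteresis: enter conserve mode at >= red, leave only once usage drops below green."""
    states = []
    for pct in used_pcts:
        if pct >= red:
            in_conserve = True
        elif pct < green:
            in_conserve = False
        states.append(in_conserve)
    return states

if __name__ == "__main__":
    used = [s["used_pct"] for s in parse_top(SAMPLE)]
    for green, red in ((82, 88), (90, 94)):  # the page's defaults, then the tweaked values
        print(green, red, used, conserve_states(used, green, red, in_conserve=True))
```

With the default thresholds the four captured refreshes all sit between green and red, so a device already in conserve mode stays there; the raised thresholds change when the mode triggers and clears, not how much memory the processes use.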
Good afternoon, I have three FortiGate-60f and the same thing is happening to me with version 7.4.4 and 7.6.
OK, so, considering that Fortinet is removing a lot of "proxy" features from entry-level FortiGate devices in versions 7.4.4 and 7.6 - "as part of improvements to enhance performance and optimize memory usage on FortiGate models with 2 GB RAM or less", I assume they are very much aware of this problem. They just refuse to acknowledge it here, or anywhere else apparently.
Since we were experiencing "slow Internet" with version 7.2 on FGT-60F, I had to upgrade to 7.4.4. Now our "Internet" is very good, until the device enters the conserve mode and bugs out. Last night I had to drive to the office and manually restart it in order to get it back online. So I'll open a ticket and stay on it until they provide a viable solution for this problem.
NSE 7
All opinions/statements written here are my own.
Hello @NotMine ,
Can you check this one: https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-optimize-memory-usage-specifi... this addresses the low-end device issue and you can set those settings on your device and monitor it if it enters the conserve mode again or not.
Hi @NotMine
Try this: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-memory-optimization-steps/ta-p/197486
Copyright 2025 Fortinet, Inc. All Rights Reserved.