Hi,
My FortiGate unit is acting as a proxy server for clients with some SSL, AV and other policies. It has gone into conserve mode with just a few sessions (under 100). CPU usage is 100%, nTurbo and SPU usage are 0% and memory is about 80%.
Two questions:
Is this happening because of using proxy policies? (I guess SPU and nTurbo cannot help when all policies are via proxy.) Is there any way to alleviate this pain to some extent :) ?
What happens exactly in conserve mode? Is it possible to find out which rules, packets or policies are bypassed or ignored in conserve mode?
Regards,
Hi,
You're correct: once you're using policies in proxy mode, offload is not allowed.
I think you'll find useful info in this article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580
Depending on the features you're running it could have consequences.
You can try to spot the problematic daemon with the commands detailed in the article.
Please also have a look at the most recent release notes for your version, where known issues about memory may be detailed.
Hi
It seems Bug ID 823247 is related to my problem (WAD user_info process leaks memory) and there is no workaround unless going to 7.2.x... probably.
My question about conserve mode is still there. I assume that in conserve mode some security measures and settings are bypassed in order to make resources available. Am I right? If yes, how can I find out, for instance, which settings are bypassed or changed when conserve mode is triggered on a firewall with FortiOS 7.0.6 working in proxy mode (or flow-based or ...)? The documents are not clear about this as far as I can see.
Regards,
Proxy-based policies can be put into conserve mode to reduce the load on the proxy server. In this mode, the proxy will not forward any traffic that is not explicitly allowed by the policy. This can be used to reduce the load on the proxy server when it is under heavy load.
Thanks John, but firstly, I couldn't find how we can put some policies into conserve mode. Secondly, I assume that anyway, and in any mode, the firewall will not forward traffic which is not allowed by the policies. I have some proxy policies and rules; traffic comes in, is checked against those policies, and if not allowed it will not be passed and will be dropped and denied. So would you please give me some more explanation of your statement?
Regards,
And BTW, please note that I'm not talking about policies in proxy mode. The whole firewall rule set and clients' access to the Internet via the firewall is based on explicit proxy (web proxy on port 8080 or so).
And another issue: even if memory goes down (under 60 or 70), the firewall still shows as being in conserve mode and does not turn it off.
Hi,
Conserve mode is a protection state before the FortiGate becomes unresponsive.
There are 3 thresholds in conserve mode:
- extreme -> at which the FortiGate starts dropping new sessions
- red -> at which the FortiGate enters conserve mode
- green -> exits conserve mode
Most likely it will impact the AV engine behavior while using proxy mode.
It's well described here
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/681934/conserve-mode
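To make the three-threshold behaviour above concrete, here is a small added model of the hysteresis (not FortiOS code, and not from the post above): the unit enters conserve mode when memory reaches the red threshold, stops accepting new sessions at the extreme threshold, and only leaves conserve mode once memory falls back to the green threshold, so a reading between green and red is "still in conserve mode" if it was already there. The threshold values are the FortiOS defaults for memory-use-threshold-extreme/red/green (95/88/82 percent) as I recall them; treat them as assumptions and confirm the values actually configured on your unit under `config system global` before comparing against your own readings.

```python
# Added toy model of FortiGate conserve-mode hysteresis. Not FortiOS code.
# Threshold values are the assumed FortiOS defaults for
# memory-use-threshold-extreme / -red / -green (95 / 88 / 82 percent);
# check the values configured on your own unit.
from dataclasses import dataclass, field
from typing import List, Tuple

EXTREME = 95  # assumed default: new sessions are dropped at or above this
RED = 88      # assumed default: conserve mode is entered at or above this
GREEN = 82    # assumed default: conserve mode is left only at or below this


@dataclass
class ConserveModel:
    extreme: int = EXTREME
    red: int = RED
    green: int = GREEN
    in_conserve: bool = False
    # (memory_pct, state, accept_new_sessions) for every sample fed in
    history: List[Tuple[int, str, bool]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not (self.green < self.red < self.extreme):
            raise ValueError("thresholds must satisfy green < red < extreme")

    def step(self, mem_pct: int) -> Tuple[str, bool]:
        """Feed one memory-usage sample and return (state, accept_new_sessions).

        state is one of "normal", "conserve" or "extreme". The entry/exit
        comparisons (>= red to enter, <= green to exit) are an assumption of
        this model; the thread's description only names the thresholds.
        """
        if not self.in_conserve and mem_pct >= self.red:
            self.in_conserve = True          # red threshold crossed upwards
        elif self.in_conserve and mem_pct <= self.green:
            self.in_conserve = False         # back at green: leave conserve mode

        if self.in_conserve and mem_pct >= self.extreme:
            state, accept = "extreme", False  # conserve mode, new sessions dropped
        elif self.in_conserve:
            state, accept = "conserve", True  # conserve mode, sessions still accepted
        else:
            state, accept = "normal", True

        self.history.append((mem_pct, state, accept))
        return state, accept


def simulate(samples: List[int], **thresholds: int) -> List[Tuple[str, bool]]:
    """Run a sequence of memory readings through a fresh model."""
    model = ConserveModel(**thresholds)
    return [model.step(s) for s in samples]


if __name__ == "__main__":
    # Constructed sample readings: climb into conserve mode, dip between green
    # and red (still in conserve mode), spike past extreme, then recover.
    readings = [70, 85, 90, 85, 96, 90, 80]
    for mem, (state, accept) in zip(readings, simulate(readings)):
        print(f"mem={mem:3d}%  state={state:8s}  accept_new_sessions={accept}")
```

The reading of 85% appears twice in the sample sequence and maps to "normal" the first time but "conserve" the second, which is the hysteresis that makes "memory is 85% but the box is in conserve mode" a normal reading rather than a fault. Under this model a unit whose memory has fallen well below green should be back in "normal"; a unit that reports conserve mode at 50% memory is behaving outside the threshold logic, which fits the memory-leak bug already mentioned in this thread better than a threshold misconfiguration.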
Hi,
The problem is that after memory comes down, even under 50, the auto trigger action and exit from conserve mode do not happen and a restart is needed.