Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mhdganji
Contributor II

Created on ‎08-04-2022 05:08 AM

Conserve mode in Proxy based policies

Hi,

My Fortigate unit is acting as proxy server for clients with some SSL, AV and other policies. It has gone to conserve mode with just a few sessions (under 100). CPU usage is 100%, nTurbo and SPU usages are 0% and memory is about 80%

 

Two questions:

 

Is this happening because of using proxy policies? (I guess SPU and nTurbo cannot help when all policies are via proxy). Any way to alleviate this pain to some extent :) ?

 

What happens exactly in conserve mode? Is it possible to find out which rules, packets are policies are bypassed or ignored in conserve mode?

 

Regards,

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
Labels:
4622
0 Kudos
8 REPLIES 8
wdeloraine_FTNT
Staff
Staff

Created on ‎08-05-2022 05:16 AM Edited on ‎08-05-2022 05:16 AM

Hi,

You're correct once you're using policy in proxy mode offload is not allowed.

I think you'll find useful info in this article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580

 

Depending on the features you're running it could have consequences.

 

You can try to spot the problematic daemon with the commands detailed in the article.

 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-How-to-do-initial-troubleshooting-of...

 

Please also, have a look at the most recent release notes for your version where some known issue about memory could be detailed.

WD
4604
mhdganji
Contributor II
In response to wdeloraine_FTNT

Created on ‎08-05-2022 02:25 PM

Hi

It seems Bug ID 823247 is related to my problem (WAD user_info process leaks memory.) and there is no workaround unless going to 7.2.x .. probably

 

My question about conserve mode is still there. I assume in conserve mode, some security measurements and settings are bypassed in order to make the resources available. Am I right? If yes, how can I find that for instance, which settings are bypassed or changed when a conserve mode is triggered Firewall with FortiOS 7.0.6 working in proxy mode (or flow based or ...) ? Documents are not clear about this as I'm checking

 

Regards,

 

 

 

 

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
4594
0 Kudos
johnjaffer
New Contributor

Created on ‎08-05-2022 05:44 AM

Proxy-based policies can be put into conserve mode to reduce the load on the proxy server. In this mode, the proxy will not forward any traffic that is not explicitly allowed by the policy. This can be used to reduce the load on the proxy server when it is under heavy load.mamc 

4603
0 Kudos
mhdganji
Contributor II
In response to johnjaffer

Created on ‎08-05-2022 02:31 PM

Thanks John, but firstly, I couldn't find how we can put some policies into conserve mode. Secondly, I assume that anyway and in any mode, firewall will not forward the traffic which is not allowed by the policies. I have some proxy policies and rules, traffic comes in, is checked with those policies and if not allowed it will not be passed and would be dropped and denied, so would you please give me some more explanation about your statement?

 

Regards,

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
4594
0 Kudos
mhdganji
Contributor II

Created on ‎08-07-2022 01:17 AM Edited on ‎08-07-2022 01:23 AM

and BTW, please note that I'm not talking about policies in proxy mode. The whole firewall rules and clients access to Internet via firewall is based on explicit proxy (web proxy on port 8080 or so)

And another issue: even if the memory goes down (under 60 or 70) the firewall still shows to be in conserve mode and not turning it off.

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
4574
0 Kudos
wdeloraine_FTNT
Staff
Staff
In response to mhdganji

Created on ‎08-11-2022 04:36 AM

Hi,

Conserve mode is a protection state before fortigate becomes unresponsive.

There's 3 thresholds in conserve mode:

- extreme -> at which fortigate starts dropping new sessions

- red -> at which fortigate enters conserve mode

- green -> exits conserve mode

Most likely it will impact the AV engine behavior while using proxy mode.

It's well described here

https://docs.fortinet.com/document/fortigate/6.0.0/handbook/681934/conserve-mode

WD
4517
0 Kudos
mhdganji
Contributor II
In response to wdeloraine_FTNT

Created on ‎08-11-2022 11:48 PM

Hi,

 

The problem is that after  the memory comes down under even 50, auto trigger action and exiting from conserve mode does not happen and a restart is needed.

M. Ganji, Network & Security Expert.
M. Ganji, Network & Security Expert.
4507
0 Kudos
airekoth
New Contributor

Created on ‎08-07-2022 01:25 PM

Hey 

I totally agreed with you my Problem is solved. I am happy.

 

Have a nice day to all.

4552
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.