Conserve mode in Proxy based policies
Hi,
My FortiGate unit is acting as a proxy server for clients with some SSL, AV and other policies. It has gone into conserve mode with just a few sessions (under 100). CPU usage is 100%, nTurbo and SPU usage are 0% and memory is about 80%.
Two questions:
Is this happening because of using proxy policies? (I guess SPU and nTurbo cannot help when all policies are via proxy). Any way to alleviate this pain to some extent :) ?
What exactly happens in conserve mode? Is it possible to find out which rules, packets or policies are bypassed or ignored in conserve mode?
Regards,
Hi,
You're correct: once you're using a policy in proxy mode, offload is not allowed.
I think you'll find useful info in this article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-conserve-mode-is-triggered/ta-p/198580
Depending on the features you're running it could have consequences.
You can try to spot the problematic daemon with the commands detailed in the article.
Please also have a look at the most recent release notes for your version, where some known issue about memory could be detailed.
Hi
It seems Bug ID 823247 is related to my problem (WAD user_info process leaks memory) and there is no workaround unless going to 7.2.x, probably.
My question about conserve mode is still there. I assume that in conserve mode some security measures and settings are bypassed in order to make resources available. Am I right? If yes, how can I find out, for instance, which settings are bypassed or changed when conserve mode is triggered on a firewall with FortiOS 7.0.6 working in proxy mode (or flow-based or ...)? The documents are not clear about this, as far as I have checked.
Regards,
Proxy-based policies can be put into conserve mode to reduce the load on the proxy server. In this mode, the proxy will not forward any traffic that is not explicitly allowed by the policy. This can be used to reduce the load on the proxy server when it is under heavy load.
Thanks John, but firstly, I couldn't find how we can put some policies into conserve mode. Secondly, I assume that anyway, and in any mode, the firewall will not forward traffic which is not allowed by the policies. I have some proxy policies and rules; traffic comes in, is checked against those policies and, if not allowed, it will not be passed and will be dropped and denied. So would you please give me some more explanation about your statement?
Regards,
And BTW, please note that I'm not talking about policies in proxy mode. The whole set of firewall rules, and clients' access to the Internet via the firewall, is based on explicit proxy (web proxy on port 8080 or so).
And another issue: even if memory goes down (under 60 or 70), the firewall still shows as being in conserve mode and does not turn it off.
Hi,
Conserve mode is a protection state before the FortiGate becomes unresponsive.
There are 3 thresholds in conserve mode:
- extreme -> at which the FortiGate starts dropping new sessions
- red -> at which the FortiGate enters conserve mode
- green -> at which it exits conserve mode
Most likely it will impact the AV engine behavior while using proxy mode.
It's well described here:
https://docs.fortinet.com/document/fortigate/6.0.0/handbook/681934/conserve-mode
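The three-threshold behaviour described above, replayed over a series of memory-usage samples, as an added illustration that is not part of this thread or of FortiOS itself. The threshold percentages and the sample values are assumed for the example; the point it shows is the hysteresis: once the red threshold is crossed, the unit stays in conserve mode until usage falls below green, not merely below red.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ConserveThresholds:
    # Percent memory use. Example values, not taken from the thread.
    extreme: int = 95  # at or above this, new sessions are dropped
    red: int = 88      # at or above this, conserve mode is entered
    green: int = 82    # conserve mode is left only once usage falls below this


def validate(t: ConserveThresholds) -> None:
    # The three thresholds only make sense in this order.
    if not (0 < t.green < t.red < t.extreme <= 100):
        raise ValueError("thresholds must satisfy 0 < green < red < extreme <= 100")


def walk_memory_samples(samples: List[int],
                        t: ConserveThresholds) -> List[Tuple[int, str, bool]]:
    """Replay memory-usage samples through the conserve-mode state machine.

    Returns one (sample, state, drops_new_sessions) tuple per sample, where
    state is 'normal' or 'conserve'. Between green and red the previous state
    is kept, which is why a unit can still report conserve mode after usage
    has dropped below the red threshold.
    """
    validate(t)
    in_conserve = False
    out: List[Tuple[int, str, bool]] = []
    for mem in samples:
        if mem >= t.red:
            in_conserve = True
        elif mem < t.green:
            in_conserve = False
        drops = in_conserve and mem >= t.extreme
        out.append((mem, "conserve" if in_conserve else "normal", drops))
    return out


def states(samples: List[int], t: ConserveThresholds = ConserveThresholds()) -> List[str]:
    """Convenience view: just the state per sample."""
    return [state for _, state, _ in walk_memory_samples(samples, t)]


# Constructed sample: usage climbs past red and extreme, then eases back.
SAMPLE_MEMORY = [70, 85, 90, 96, 92, 85, 84, 81, 70]

if __name__ == "__main__":
    for mem, state, drops in walk_memory_samples(SAMPLE_MEMORY, ConserveThresholds()):
        print(f"mem={mem:3d}%  state={state:8s}  dropping_new_sessions={drops}")
```

With these assumed thresholds, the samples at 85% and 84% still read as conserve mode because they sit between green and red; only the drop to 81% clears it.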
Hi,
The problem is that after memory comes down, even under 50, the auto-trigger action and exit from conserve mode do not happen and a restart is needed.