Hi,
we have a few 80C running now on FortiOS 5.2.x. On many of them we are running into out-of-memory situations (conserve mode, AV connection limit) with rather small configuration and typical about 10 users / PCs.
Although upgrading the hardware maybe considered later, for now we cannot upgrade all the units better hardware.
So just after a reboot the memory usage is like this:
CPU [||||||||||| ] 28.0% Mem [||||||||||||||||||||||||||||| ] 73.0% 365M/499M Processes: 20 (running=1 sleeping=82) PID RSS CPU% ^MEM% FDS TIME+ NAME * 249 54M 0.8 10.9 27 00:36.95 ipsmonitor [x3] 53 42M 0.0 8.5 13 00:15.20 pyfcgid [x4] 84 34M 21.5 6.9 15 03:54.83 sshd [x4] 52 28M 0.0 5.8 19 00:47.26 httpsd [x5] 32 20M 0.0 4.1 13 00:15.95 cmdbsvr 50 16M 0.0 3.3 28 00:01.57 miglogd 61 16M 0.0 3.2 19 00:08.20 ipshelper 67 14M 0.0 2.9 838 00:34.20 proxyd [x6] 64 14M 0.0 2.8 40 00:15.61 authd 94 12M 0.0 2.4 16 00:00.50 fgfmd 95 11M 0.0 2.4 25 00:00.48 cw_acd 70 11M 0.0 2.3 28 00:08.98 scanunitd [x3] 37 10M 0.8 2.1 89 00:13.21 zebos_launcher [x12] 82 9M 0.0 1.9 20 00:01.86 urlfilter 91 9M 0.0 1.8 29 00:01.27 dnsproxy 71 9M 0.0 1.8 11 00:00.45 updated 63 8M 0.0 1.8 14 00:00.38 forticldd 62 8M 0.0 1.8 19 00:00.20 forticron 69 8M 0.0 1.7 41 00:00.61 wad [x2] 59 8M 0.0 1.7 13 00:00.10 fnbamd
In none of the policies IPS is used, AV is currently set to inspect "nothing". Is there any way to reduce the memory used by the "ipsmonitor" process? I already tried setting the algorithm to "low", but it has no effect on the mem usage:
(global) # show ips global config ips global set algorithm low set default-app-cat-mask 18446744073474670591 end
Regards
Markus
We're running v5.2.3 on a 80C rev. 2 with 1 GB RAM, with IPS and AV, at 67% mem usage. So, I'd conclude you either upgrade the hardware or downgrade to v5.0.
Last February we conducted our own assessment on the 80CMs (rev1) under 5.0, 5.2 and (even following Fortinet's optimizing guide) were not happy with the memory footprint. The 80CM with a factory config under the three firmwares, the memory usage looks like this:
4.3 MR3 patch 18 23% 5.0 patch 10 39% 5.2.2 42%
With our base (template) config on 5.0. the memory usage went up to 62-66%. There was not that much a difference in tweaking the settings, except for changing the cache size for virus scanning compressed files/archives; standard default cache size is 10 MB -- changing this value to say 2 MB would give the 80CM about 8-10 MB more memory.
Based on the above, we have decided to keep our 80CMs on 4.3. MR3 firmware and look towards replacing them with 92D hardware.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
HI
I just upgraded to 5.2.3 on FGT 80C and facing this problem.
No matter how much I optimize the settings, the memory usage won't go below 70%. It even goes up to 80% at times.
The client was facing issues with slow internet speeds, files not downloading, attachments not downloading etc.
I just upgraded thinking upgraded firmware optimizes the memory etc on devices and for the better GUI experience. Is that line of thinking just wrong?
So should I flash the device to go back to FortiOS 4.0 MR P18?
I've never downgraded a firmware before.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.