Hi,
we use this HA FG81 cluster in one office with 30-40 people (no VPN, normal usage, % 2000 sessions, etc.). We experienced now that with every new 7.4.X update we increase memory usage so that now we have like 75% memory usage.
We did already some changes with some CLI commands but only disabling IPS would affect the memory and now we are at 68% with no IPS in all policies.
We kind of can live with that, but can we expect now with every update more memory usage?
Thanks,
Do you know which process is running with high memory usage?
diagnose sys top-mem -> will give the process with high memory usage. Please run it multiple times to see if the same process is utilizing more memory
diagnose debug crashlog read -> Check if any process is crashing.
Hi Suraj,
before we had like x ipsengine:
# diagnose sys top-mem
node (152): 66118kB
ipsengine (388): 23203kB
ipsengine (391): 21656kB
ipsengine (389): 21631kB
ipsengine (390): 21313kB
Top-5 memory used: 153921kB
I don't know if it takes some time but we don't have ips activated in any rule anymore.
Question is more what we can expect from the next updates, if we have to do something now every time we update the FGs.
Thanks!
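Added example, not part of the thread: a small Python script that parses saved `diagnose sys top-mem` output and compares two runs to show which process grew, as the reply above suggests doing by hand. The first sample is the output posted above; the second sample and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Process lines look like "ipsengine (388): 23203kB".
LINE_RE = re.compile(r"^\s*(?P<name>\S+)\s+\((?P<pid>\d+)\):\s+(?P<kb>\d+)kB\s*$")

# Output as posted in the thread.
SAMPLE_1 = """# diagnose sys top-mem
node (152): 66118kB
ipsengine (388): 23203kB
ipsengine (391): 21656kB
ipsengine (389): 21631kB
ipsengine (390): 21313kB
Top-5 memory used: 153921kB
"""

# Constructed second run (values are made up for the example).
SAMPLE_2 = """# diagnose sys top-mem
node (152): 66300kB
ipsengine (388): 25010kB
ipsengine (391): 23890kB
ipsengine (389): 23500kB
ipsengine (390): 23100kB
Top-5 memory used: 161800kB
"""

def parse_top_mem(text):
    """Return {process_name: total_kB}, summing all PIDs of the same process."""
    totals = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # the prompt line and the "Top-5 memory used" summary do not match
            totals[m["name"]] += int(m["kb"])
    return dict(totals)

def growth(samples):
    """Return [(name, delta_kB)] between first and last sample, largest growth first."""
    first, last = parse_top_mem(samples[0]), parse_top_mem(samples[-1])
    deltas = [(name, last[name] - first[name]) for name in first if name in last]
    return sorted(deltas, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for name, delta in growth([SAMPLE_1, SAMPLE_2]):
        print(f"{name}: {delta:+d} kB")
```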
Can you restart ipsengine using "diagnose test application ipsmonitor 99" and check if memory usage comes down?
If you are not enabling ips and still the memory usage is going up, I would recommend opening a ticket to get this investigated. In the meantime we may configure an automated restart of the process as suggested in the following article https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-restart-WAD-or-IPS-engine-using-aut...
Try to optimize your IPS engine by following this KB link: https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-memory-optimization-steps/ta-p/197486
You may also upgrade your IPS engine to the latest version.
Reference: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-manually-upgrade-the-IPS-Engine/ta-...
Regards,
Jef
Hi Jef,
Yesterday we talked in a tech meeting about this issue and we have like many more similar cases, always with 7.4.4 and always more problems when there is a HA cluster.
So it might be a bug and I don't know if this is considered in 7.4.5 and does anybody know when 7.4.5 is coming out? Should be this or next week, or?
Thanks