DaVeiga19
New Contributor II

Process IPSEngine High Memory

I have a FortiGate 1101E on version 7.2.4. After updating the IPSEngine signature database to 7.322, it started behaving strangely: momentarily an ipsengine process triggers RAM memory consumption, causing the FortiGate to quickly go into conserve mode.

The event happens so quickly that it is not even possible to collect evidence.
On entering conserve mode, I have a network drop and the FortiGate is inaccessible both via mgmt and via the console.
We only managed to stabilize it again after a manual reboot.

At the moment we have created an auto-script as a temporary service continuity measure, to automatically restart the IPSEngine process every 2 minutes.

config system auto-script
    edit "restart_ips"
        set interval 120
        set repeat 0
        set start auto
        set script "fnsysctl killall ipsmonitor"
    next
end

js2
Staff

Hi @DaVeiga19,


You can check by adjusting the engine count and socket size.

config ips global
    set engine-count 2          (integer, 0-255)
    set socket-size 16 or 32    (integer, 0-512)
end


Refer to this link:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-memory-optimization-steps/ta-p/197486

 

If the issue persists, I would suggest opening a TAC case and sharing these logs for further investigation.

 

# Issue Timestamp
# System event logs around this time.
# Run the below commands


get system performance status   (run this command 5 times at intervals of 1 minute)
diag sys top 1 40               (run for 30 seconds, then Ctrl+C to stop)
diag debug crashlog read        (check for any crash triggered)


Also collect the TAC report:

# execute tac report


Regards,
Joshi

mpeddalla
Staff

Hello Daveiga19,

 

Thank you for reaching out on the Fortinet forum.

 

As suggested earlier by Joshi, please collect all logs; I would also suggest opening a ticket with TAC for further log analysis, to see if it matches any known issues reported.

 

- As of now I couldn't see any known issues in the release notes for IPS memory:

https://docs.fortinet.com/document/fortigate/7.2.4/fortios-release-notes/236526/known-issues

- Crash logs and memory logs would help further identify the issue.

 

get system performance status           (run this command 5 times at intervals of 1 minute)
diag sys top 1 10                       (run for 30 seconds, then Ctrl+C to stop)
diag debug crashlog read | grep 2023    (check for any crash triggered)

 

- Can you please, for the time being, disable logging on the firewall policy and use the steps in the articles below to optimize memory:

 

Technical Tip: IPS memory optimization steps - Fortinet Community

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reduce-memory-usage-by-reducing-the-number...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Free-up-memory-to-avoid-conserve-mode/ta-p...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Steps-on-how-to-optimize-Memory-consumptio...

 

Best regards,

Manasa.

DaVeiga19
New Contributor II

Hi Joshi,

Hi Manasa,

Unfortunately I am not able to extract logs, since when the FortiGate enters conserve mode nothing works, neither access via the mgmt interface nor via the console, and after the manual reboot we lose all logs and the FortiGate returns to its normal state.
In the normal state of the FortiGate, the ipsengine processes consume few resources; however, within just a few minutes, a process triggers RAM consumption and the FortiGate crashes.
In this situation, how can I act to collect the logs?

 

Best Regards,

Da Veiga

mpeddalla

Hello Daveiga19, 

 

Thank you for the reply.

You can configure script logs, which would collect logs and send email alerts.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Execute-a-CLI-script-based-on-HIGH-memory/...

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/702937/execute-a-cli-script-based-on-cp...

 

Regards,

Manasa.

pjawalekar

Hi DaVeiga19,

You can configure the script to collect the logs as advised by mpeddalla.
As you have mentioned, when the issue occurs the device is not responsive; in such a situation you can use the COMLog feature to collect the log. Below is the KB link for COMLog. I hope it will be helpful.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-the-COMLog-feature/ta-p/195390

 

Regards,

Pratik

DaVeiga19
New Contributor II

Hello Manasa,

 

By configuring these automation stitches, if the FortiGate enters conserve mode, will these event logs be available? Or will the event logs be sent by email as well?

Because my main problem is when it is in conserve mode, I lose all records after the manual reboot.
However, I will follow the suggested recommendations.

 

Best Regards

Da Veiga

mpeddalla

Hello @DaVeiga19 ,

 

Yes, you are correct, it should send you the log as an email, but as the screen doesn't stay, you can also log in parallel with COMLog, as suggested by @pjawalekar:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-the-COMLog-feature/ta-p/195390

 

Regards,

Manasa

aguerriero
Contributor II

Did you ever get this solved? I have had the same issue running since upgrading to 7.2.5.

I have an email stitch set up to send sys top information, and sometimes, if the system can send the email out before it crashes, I see that it is the ipsengine eating up all available memory.

This happens really fast, as quick as a couple of minutes from using its normal amount of memory to consuming enough to go into conserve mode and then eventually rebooting.

We ended up moving all of the SSL VPNs off of this system and set up another stitch to reboot the system so the standby can take over before it gets to conserve mode.

Right now we are at a crossroads, because we have had nothing but bugs since 7.2.1, where every upgrade up to 7.2.5 has made our system noticeably worse. At this point we are too apprehensive to update to 7.2.6, as it might cause even more problems.

Opening a TAC case doesn't do much, because they ask for logs that are not logged when the system is crashing, and you cannot force the error to happen as it is random.
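An added example, not code from any poster in this thread: a small offline parser for the `diag sys top` samples that an email stitch like the one above delivers, which flags any process whose memory share jumps by more than a threshold between the first and last sample, so the "couple of minutes" ipsengine growth can be spotted from the mailed captures even when the box itself is gone. The column layout (process name, PID, state, CPU%, MEM%, with a summary line ending in `<total>T, <free>F` megabytes) is an assumption, and the two samples are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed `diag sys top` captures, two minutes apart (not real device output).
# Assumed layout: "Run Time" line, a CPU/memory summary line ending in "<total>T, <free>F",
# then one line per process:  <name> <pid> <state> <cpu%> <mem%>
SAMPLES = [
    """Run Time:  3 days, 4 hours and 10 minutes
0U, 0N, 1S, 99I, 0WA, 0HI, 0SI, 0ST; 7976T, 5208F
        ipsengine      218      S       0.1     2.4
        ipsengine      219      S       0.0     2.3
        wad            301      S       0.2     4.1
""",
    """Run Time:  3 days, 4 hours and 12 minutes
2U, 0N, 3S, 95I, 0WA, 0HI, 0SI, 0ST; 7976T, 1040F
        ipsengine      218      R      12.5    55.8
        ipsengine      219      S       0.0     2.3
        wad            301      S       0.2     4.2
""",
]

PROC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z<>]+)\s+([\d.]+)\s+([\d.]+)\s*$")
MEM_RE = re.compile(r"(\d+)T,\s*(\d+)F")  # total / free memory in MB


def parse_top(sample: str) -> Tuple[int, Dict[Tuple[str, int], float]]:
    """Return (free_mb, {(process, pid): mem_percent}) for one top capture."""
    free_mb = -1
    procs: Dict[Tuple[str, int], float] = {}
    for line in sample.splitlines():
        m = MEM_RE.search(line)
        if m:
            free_mb = int(m.group(2))
            continue
        p = PROC_RE.match(line)
        if p:
            procs[(p.group(1), int(p.group(2)))] = float(p.group(5))
    return free_mb, procs


def flag_runaway(samples: List[str], growth_pct: float = 20.0) -> List[Tuple[str, int, float, float]]:
    """Compare first and last capture; list PIDs whose MEM% grew by more than growth_pct points."""
    _, first = parse_top(samples[0])
    _, last = parse_top(samples[-1])
    flagged = []
    for key, mem_last in last.items():
        mem_first = first.get(key, 0.0)  # a PID absent earlier counts as starting from 0
        if mem_last - mem_first > growth_pct:
            flagged.append((key[0], key[1], mem_first, mem_last))
    return flagged
```

Feed it the captures from successive stitch emails in order; the free-memory figure from `parse_top` also shows how close the unit was to the conserve-mode threshold at each sample.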
