Description
Scope
Generally encountered on FortiGate units handling significant traffic with UTM scanning enabled. The issue affects the FortiGate A-series more than subsequent models.
The root cause of this issue is high traffic throughput combined with excessive UTM scanning.
Solution
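Before applying any of the changes below, confirm that CPU usage is in fact high and identify what is consuming it. A minimal check, using commands also referenced later in this article (exact output and process names vary by model and firmware):

get sys perf stat          <----- overall CPU, memory and session usage
diag sys top 2 20          <----- top processes, refreshed every 2 seconds, 20 lines shown

If the load is concentrated in UTM-related daemons (for example ipsengine or scanunitd), the UTM-related solutions listed below will have the most effect; if the load is mostly interrupt/system time on specific cores, see the section on manual IRQ balancing further down.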
Potential Solutions

Solution: Disable the IPS engines
Benefit: Stops a variety of UTM scanning from taking place, including application control, IPS, and any flow-based UTM features (the default for all of these is proxy-based). This frees up CPU cycles. Significant benefit.
Commands:
To stop the IPS engines: diag test app ipsmonitor 98
To re-enable them: diag test app ipsmonitor 99
This should be performed during a maintenance window, ideally under the supervision of Fortinet Technical Support. Note that this setting is not retained after a reboot. Also, in an HA cluster, the command must be run on both units to ensure the engines are disabled on both.

Solution: Reduce or remove UTM scanning
Benefit: Frees up more CPU cycles for core packet processing. Significant benefit, depending on how much UTM was in place before and how much has been removed or tuned back.
Commands: Performed manually by adjusting or removing UTM profiles on firewall policies.

Solution: Check and increase the proxy worker count
Benefit: Minimal benefit. Balances UTM demand across CPU cores. Increase the value to match the number of CPU cores.
Commands (a worked example follows this list):
conf sys global
    set proxy-worker-count <value>     <----- should be the number of CPU cores
end

Solution: Reduce throughput
Benefit: Minimal to significant benefit.

Solution: Configure high availability in active-active mode
Benefit: Minimal to significant benefit, depending on how much UTM is configured: the more UTM, the larger the positive impact. If traffic can be segmented, it is more efficient to segment it across separate units.

Solution: Upgrade hardware
Benefit: Significant benefit; will resolve the issue if the unit is sized appropriately for current and future traffic.
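As an illustration of the proxy worker adjustment above, assume a hypothetical unit with four CPU cores (the core count can be checked with 'diag hard sysinfo cpu' on most models, or by counting the CPU columns in the 'diag hard sysinfo interrupts' output shown later in this article):

conf sys global
    set proxy-worker-count 4     <----- hypothetical value; match the actual number of CPU cores on the unit
end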
Manual Balancing of IRQs:
In some extreme cases, the IRQs may need to be balanced manually if many of the interrupt requests are landing on a particular CPU. In the 'diag hard sysinfo interrupts' output below, port1 and port3 are both taxing CPU3 extensively. High CPU use on CPU3 can be further confirmed with 'get sys perf stat'. These interrupts can be balanced manually by placing port1's load on CPU0 and port3's load on CPU2.
NOTE: A maintenance window is recommended, as this is a significant change to how traffic is handled on the FortiGate. Also note that these changes are lost on reboot and must be re-entered afterwards. These commands are intended to relieve IRQ load as an interim measure until properly sized equipment is procured.
Fortigate3810A_a # diag hard sysinfo interrupts
CPU0 CPU1 CPU2 CPU3
...
24: 257 1586202 120512 82936562 IO-APIC-level port1
26: 226 1866211 124607 73492419 IO-APIC-level port3
The far left column is the IRQ ID. To balance 24 (port1) to CPU0:
diag sys cpuset interrupt 24 1     <----- '1' is used because CPU numbering in this command starts at 1: CPU0 is 1, CPU1 is 2, and CPU3 is 4.
And finally to balance port3 to CPU2:
diag sys cpuset interrupt 26 3
If significant traffic is flowing through the unit, a gradual shift in the interrupt counters should become visible after a few minutes when running 'diag hard sysinfo interrupts' again. CPU use on the previously overtaxed cores should also drop; confirm this with 'get sys perf stat'.
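Putting the steps above together, a typical rebalancing session on this example unit would look like the following (the IRQ IDs and CPU numbers are specific to this example output and must be read from the unit being worked on):

diag hard sysinfo interrupts     <----- identify the overloaded core and the IRQ IDs of the busy ports
diag sys cpuset interrupt 24 1   <----- move port1 (IRQ 24) to CPU0 (numbering starts at 1 in this command)
diag sys cpuset interrupt 26 3   <----- move port3 (IRQ 26) to CPU2
get sys perf stat                <----- verify that load on the previously overtaxed core has dropped
diag hard sysinfo interrupts     <----- after a few minutes, confirm the counters are now increasing on the new cores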
In some cases, the only remaining option is a hardware upgrade, which should fully resolve the issue provided the new unit is sized appropriately for current and future traffic.
Note:
On newer platforms, Rx_Over_Errors counts the number of packets whose size exceeds 1518 bytes. It is not related to packet drops.
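The per-interface counters, including Rx_Over_Errors where the NIC driver exposes it, can be reviewed with the following command (counter names and availability vary by platform and driver):

diag hardware deviceinfo nic port1     <----- replace port1 with the interface being investigated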
If further guidance is needed, contact the Fortinet Sales Representative or Fortinet Technical Support.