FortiGate
Andy_G
Staff
Article Id 194380
Description
An explanation of the log message "The system has entered conserve mode."
Components
  • All FortiGate units
  • FortiOS
Steps or Commands

The FortiGate antivirus system operates in one of two modes, selected by the amount of free memory on the unit. While free memory is above 30% of total memory the system runs in non-conserve mode. When free memory falls below 20% of total memory the system enters conserve mode, and it stays there until free memory climbs back to 30% or more of total memory, at which point it returns to non-conserve mode. Because the exit threshold is higher than the entry threshold, a unit whose free memory hovers between 20% and 30% remains in conserve mode rather than toggling in and out.

Antivirus functionality and performance are impacted while the unit is in conserve mode. For more information, see the Fortinet Knowledge Base article "Antivirus failopen and optimization".
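The two-threshold behaviour described above is easy to get wrong when writing monitoring around the "entered conserve mode" message. The following is an added example, not code from the article or from Fortinet: it models the 20% entry / 30% exit hysteresis on a series of free-memory samples, records each transition, and counts entries so that a unit that keeps re-entering conserve mode can be flagged. The memory samples and the `MAX_ENTRIES` flap limit are constructed for the example.

```python
"""Model of FortiGate conserve-mode hysteresis (added example, not Fortinet code).

Thresholds are the ones stated in the article: enter conserve mode when free
memory drops below 20% of total, leave it only once free memory is 30% or more.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ENTER_THRESHOLD = 0.20  # free / total below this -> conserve mode
EXIT_THRESHOLD = 0.30   # free / total at or above this -> back to non-conserve
MAX_ENTRIES = 2         # constructed flap limit: more entries than this is "frequent"


@dataclass
class ConserveModeTracker:
    conserve: bool = False
    # (sample index, "enter" | "exit") for every state change observed
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def feed(self, index: int, free_kb: int, total_kb: int) -> bool:
        """Apply one memory sample; return True if the unit is now in conserve mode."""
        if total_kb <= 0:
            raise ValueError("total memory must be positive")
        ratio = free_kb / total_kb
        if not self.conserve and ratio < ENTER_THRESHOLD:
            self.conserve = True
            self.transitions.append((index, "enter"))
        elif self.conserve and ratio >= EXIT_THRESHOLD:
            self.conserve = False
            self.transitions.append((index, "exit"))
        # Samples between 20% and 30% change nothing: the state is sticky,
        # so a unit hovering in that band stays in conserve mode.
        return self.conserve

    def entries(self) -> int:
        """Number of times the unit entered conserve mode."""
        return sum(1 for _, kind in self.transitions if kind == "enter")

    def is_flapping(self, max_entries: int = MAX_ENTRIES) -> bool:
        """True when conserve mode was entered more often than the limit allows."""
        return self.entries() > max_entries


def run_samples(free_samples_kb: List[int], total_kb: int) -> ConserveModeTracker:
    """Feed a sequence of free-memory samples (KB) and return the tracker."""
    tracker = ConserveModeTracker()
    for i, free_kb in enumerate(free_samples_kb):
        tracker.feed(i, free_kb, total_kb)
    return tracker


if __name__ == "__main__":
    total = 1000  # constructed: 1000 KB total memory keeps the ratios readable
    # Constructed sample: drops below 20%, hovers in the 20-30% band, recovers,
    # then drops again.
    t = run_samples([500, 350, 190, 250, 290, 300, 180, 320], total)
    print("transitions:", t.transitions)
    print("entries:", t.entries(), "flapping:", t.is_flapping())
```

Note that the sample at 25% and 29% (indices 3 and 4) leaves the unit in conserve mode; only the sample at exactly 30% clears it. A sampler that assumed a single threshold would report an exit two samples early.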

A FortiGate unit that continuously and frequently enters conserve mode may be undersized for the type and volume of network flows it is scanning. You can do the following to alleviate the problem:

  • disable logging to memory (Log&Report > Log Config > Log Setting).
  • disable antivirus scanning for protocols that do not need it (HTTP, FTP, SMTP, POP3, IMAP) (Firewall > Protection Profile).
  • reduce the 'Oversize Threshold Configuration' memory settings for each respective protocol (Anti-Virus > Config > Config).
  • disable the DHCP server if it is not necessary (System > DHCP > Service and System > DHCP > Server).
  • disable DNS forwarding if it is not necessary (System > Network > DNS).
  • disable all IPS signatures and anomaly detections if IPS is not being used. On FortiOS 3.0 MR5 and earlier this can be done in a single operation with the CLI command: diag ips global all status disable . If IPS is being used, disable all signatures/anomalies that are not relevant or required in your network environment (IPS > Signature and IPS > Anomaly).
  • replace the FortiGate unit with a model that has more memory. See the Fortinet Knowledge Base article "Maximum oversize threshold" for memory sizes per FortiGate model.
  • shorten the default session TTL so that idle sessions are expired sooner (the FortiOS default is 3600 seconds):

        config system session-ttl
            set default 300
        end

  • shorten the FortiGuard web filter and antispam cache TTLs:

        config system fortiguard
            set webfilter-cache-ttl 500
            set antispam-cache-ttl 500
        end

  • reduce the DNS cache limit:

        config system dns
            set dns-cache-limit 300
        end

  • disable DNS forwarding from the CLI:

        config system dns
            unset fwdintf
        end

  • remove any DHCP server you do not need: each configured DHCP server instance adds to memory usage.

Note: After disabling the various features and services you must reboot the FortiGate unit; the memory they held is only freed by the restart.
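The CLI-level steps above, collected into one session in the order a practitioner would apply them, with a memory check before and after. This is an added example, not a script from the article or from Fortinet: the configuration commands and values are the ones the article gives, `get system performance status` is the standard command for reading memory usage, and `execute reboot` performs the restart the note requires. The GUI-only steps (memory logging, per-protocol scanning, oversize thresholds, DHCP) are not included because the article gives only their GUI paths. Lines beginning with `#` are annotations, not commands to type.

```fortios
# 1. Record memory usage before changing anything (compare with step 7)
get system performance status

# 2. Shorten the default session TTL (article value: 300 seconds)
config system session-ttl
    set default 300
end

# 3. Shorten the FortiGuard web filter and antispam cache TTLs
config system fortiguard
    set webfilter-cache-ttl 500
    set antispam-cache-ttl 500
end

# 4. Reduce the DNS cache and stop DNS forwarding
config system dns
    set dns-cache-limit 300
    unset fwdintf
end

# 5. Only if IPS is not used at all, and only on FortiOS 3.0 MR5 or earlier
diag ips global all status disable

# 6. The memory is freed only after a restart
execute reboot

# 7. After the unit is back up, confirm free memory has risen above 30%
get system performance status
```

If the post-reboot figure still sits near the 20% entry threshold, the remaining options are the GUI items above and, ultimately, a model with more memory.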


Related Articles

Technical Note : Changing the TCP session TTL (time to live) on a FortiGate

FortiGuard updates fail on download (FortiGate)

Technical Note : Antivirus failopen and optimization ( conserve mode and proxy connection pools scen...

Technical Note: Maximum oversize threshold

FortiGate log message "FortiGate has reached connection limit for <n> seconds"
