Help
FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
alebay
Staff
Staff

Created on ‎05-24-2018 02:15 AM

Article Id 193433

Troubleshooting Tip: Detecting and troubleshooting FortiManager high CPU usage condition triggered by oversized FortiGuard databases

Description
This article describes how to troubleshoot a high CPU usage condition caused by FortiGuard Web Filtering, Antispam, Antivirus, and/or IPS databases not being automatically deleted on the FortiManager file system.
Solution
The issue occurs when FortiManager is installed in a VM environment and the FortiManager dedicated disk size is assigned manually or by a configuration script at the time the VM is instantiated.

Sometimes the dedicated disk size assigned to the FortiManager VM is below the limit defined in the FortiManager specification, 80 Go minimum of Local Built-in storage.

If the dedicated disk size is configured too low, this prevents the FortiManager deleting old AV/IPS and/or URL/SPAM filter database files when those files start taking too much space on disk.

Normally the FortiManager Update Manager process regularly checks the disk quota against the total usage of directory for AV/IPS and/or URL/SPAM filter database in order to avoid running in high disk space situation.

When disk-quota default value is 50 Go, FortiManager will start deleting files when the amount of disk space taken up by those files reaches the threshold.

FortiManager with 80 Go of dedicated disk space, will start deleting files when they start taking up more than 62.5% of the overall disk space, i.e. 50 Go, thus always leaving 30 Go of disk space available for other tasks.

Setting a dedicated disk size under, equal, or just above 50 Go triggers the 50 Go threshold limit, this will never be reached and consequently the FortiGuard related files are never deleted, causing the disk usage to increase slowly up to 100%.

Identifying such type of issue can be done by using the ‘diagnose system print df’ command which gives an overview of the file system disk space usage. A very high percentage of usage in ‘/var’ and ‘/drive0’, partitions is good indicator:

FMG-VM64-KVM # diag sys print df
Filesystem 1K-blocks Used Available Use% Mounted on
none 1340996 0 1340996 0% /dev/shm
none 65536 188 65348 0% /tmp
/dev/vda1 516040 97188 418852 19% /data
/dev/mdvg/mdlv 41280832 39333696 1947136 95% /var
/dev/mdvg/mdlv 41280832 39333696 1947136 95% /drive0
/dev/mdvg/mdlv 41280832 39333696 1947136 95% /Storage
/dev/loop0 9911 1121 8278 12% /var/dm/tcl-root

The solution is to expand the allocated disk storage to a value compliant with the FortiManager VM specification (see related articles below)


Labels:
2079
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.