wcruvinel (Staff)
Article Id 285711
Description

This article provides and explains a full script for reducing memory usage in small FortiGate units that are experiencing conserve mode.

This is intended for smaller FortiGate units (ranging from FGT30X to FGT100X) that are suffering from insufficient memory and resources.
These devices often run multiple features simultaneously, which can be memory-intensive.

Fluctuations in network traffic or spikes in sessions may push these firewalls into 'conserve mode', where they might lock up and block new sessions as a protective measure.
The remediation provided here includes optimization steps to free up resources, with a primary focus on memory.

Running the FortiOS release recommended for the FortiGate model in use is also highly recommended; consult Fortinet's recommended-release guidance for the model before upgrading.

Scope

FortiGate. FortiOS 7.x.
Solution

Suggested actions:

  • It is recommended to perform these steps during a maintenance window.
  • After implementation, a reboot is mandatory.
  • After implementation, monitor the FortiGate. If the problems persist, consider upgrading to a FortiGate model with more capacity, or open a ticket with TAC for further investigation.

Configuration steps:

Global System Configuration:

These settings raise the conserve-mode thresholds (percent of total RAM), shorten the TCP half-close, TCP TIME_WAIT and UDP idle timers so stale sessions are released sooner, and cap the number of logging (miglogd), SSL VPN, WAD proxy and antivirus scan-unit worker processes. Note that raising the red and extreme thresholds delays conserve mode rather than preventing it, and leaves less free memory as headroom when it does trigger.

config system global
    set memory-use-threshold-extreme 97
    set memory-use-threshold-green 90
    set memory-use-threshold-red 95
    set tcp-halfclose-timer 30
    set tcp-timewait-timer 0
    set udp-idle-timer 60
    set miglogd-children 1
    set sslvpn-max-worker-count 2
    set wad-worker-count 2
    set scanunit-count 2
end
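The conserve-mode behaviour that the three memory thresholds control can be checked offline before a maintenance window. The following Python is an added example, not Fortinet code and not part of this article: it parses the Memory line of a constructed sample in the style of 'get system performance status', validates a threshold set, and walks a series of memory readings through the enter/exit hysteresis, comparing the article's 90/95/97 with what the example assumes to be the FortiOS 7.x defaults of 82/88/95. The exact behaviour at the threshold boundaries (greater-than versus greater-or-equal) is also the example's assumption.

```python
"""Model the conserve-mode thresholds set in 'config system global' above.

Added example (not Fortinet code). The sample status output is constructed;
the 82/88/95 defaults and the boundary comparisons are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    """memory-use-threshold-{green,red,extreme}, percent of total RAM."""
    green: int
    red: int
    extreme: int

    def validate(self) -> "Thresholds":
        # FortiOS accepts 70..97 for each threshold. The strict ordering is this
        # example's own sanity check: without green < red there is no hysteresis
        # band and the unit would flap in and out of conserve mode.
        for name, value in (("green", self.green), ("red", self.red), ("extreme", self.extreme)):
            if not 70 <= value <= 97:
                raise ValueError(f"memory-use-threshold-{name} must be 70..97, got {value}")
        if not (self.green < self.red <= self.extreme):
            raise ValueError("thresholds must satisfy green < red <= extreme")
        return self


def is_valid(t: Thresholds) -> bool:
    """True if validate() accepts the threshold set."""
    try:
        t.validate()
        return True
    except ValueError:
        return False


DEFAULTS = Thresholds(82, 88, 95).validate()   # assumed FortiOS 7.x defaults
ARTICLE = Thresholds(90, 95, 97).validate()    # values set by the article

# Constructed sample in the style of 'get system performance status';
# only the Memory line is parsed.
SAMPLE_STATUS = """\
CPU states: 12% user 3% system 0% nice 85% idle 0% iowait 0% irq 0% softirq
Memory: 2062960k total, 1877294k used (91.0%), 185666k free (9.0%)
Average network usage: 1200 / 1100 kbps in 1 minute, 980 / 900 kbps in 10 minutes
"""

_MEMORY_RE = re.compile(r"^Memory:\s+(\d+)k total,\s+(\d+)k used", re.MULTILINE)


def parse_memory_pct(status_output: str) -> float:
    """Return memory usage in percent, recomputed from the raw kB counters."""
    match = _MEMORY_RE.search(status_output)
    if match is None:
        raise ValueError("no Memory line found in status output")
    total_kb, used_kb = (int(g) for g in match.groups())
    return round(used_kb * 100 / total_kb, 1)


def next_state(in_conserve: bool, used_pct: float, t: Thresholds) -> str:
    """One step of the conserve-mode state machine.

    'extreme':  above the extreme threshold; new sessions are dropped.
    'conserve': entered when usage rises above red, left only once it falls
                below green (the band between green and red is the hysteresis).
    'normal':   otherwise.
    """
    if used_pct > t.extreme:
        return "extreme"
    if in_conserve:
        return "conserve" if used_pct >= t.green else "normal"
    return "conserve" if used_pct > t.red else "normal"


def walk(readings, t: Thresholds) -> list:
    """Run successive readings through next_state, starting outside conserve mode."""
    states, in_conserve = [], False
    for pct in readings:
        state = next_state(in_conserve, pct, t)
        states.append(state)
        in_conserve = state != "normal"
    return states


if __name__ == "__main__":
    pct = parse_memory_pct(SAMPLE_STATUS)
    for label, t in (("defaults", DEFAULTS), ("article", ARTICLE)):
        print(f"{pct}% used with {label} thresholds {t}: {next_state(False, pct, t)}")
    print(walk([80, 93, 96, 94, 91, 89, 98], ARTICLE))
```

With the sample at 91.0% used, the assumed defaults already put the unit in conserve mode while the article's values do not, which is exactly the margin the raised thresholds buy; the walk shows that once conserve mode is entered, usage must fall below green (90) before it is left, and anything above extreme (97) starts dropping new sessions.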

IPS Configuration:

This limits the number of IPS engine processes and the size of the IPS socket buffer (in MB).

config ips global
    set engine-count 2
    set socket-size 32
end

Session TTL Configuration:

This lowers the default session TTL to 300 seconds and adds a 10-second TTL for UDP (protocol 17) port 53, so DNS sessions are expired quickly instead of occupying session-table memory ('edit 0' lets FortiOS assign the next free entry ID).

config system session-ttl
    set default 300
    config port
        edit 0
            set protocol 17
            set timeout 10
            set end-port 53
            set start-port 53
        next
    end
end

DNS Configuration:

This caps the FortiGate's DNS cache at 600 entries.

config system dns
    set dns-cache-limit 600
end

FortiGuard Configuration:

This shortens the web filter and antispam rating cache TTLs to 600 seconds, which keeps those caches smaller at the cost of more frequent FortiGuard lookups.

config system fortiguard
    set webfilter-cache-ttl 600
    set antispam-cache-ttl 600
end

Automation Action Configuration:

This defines a CLI-script action that runs 'diag test app wad 99', which restarts the WAD (proxy) worker processes, at most once every 5 seconds, under the super_admin access profile.

config system automation-action
    edit "RestartWAD"
        set action-type cli-script
        set minimum-interval 5
        set script "diag test app wad 99"
        set accprofile "super_admin"
    next
end

Automation Trigger Configuration:

This trigger fires on the low-memory event, i.e. when the FortiGate enters conserve mode.

config system automation-trigger
    edit "Enters Conserve Mode"
        set event-type low-memory
    next
end

Automation Stitch Configuration:

This stitch links the trigger to the action, so WAD is restarted whenever conserve mode is entered.

config system automation-stitch
    edit "Restart WAD during Conserve Mode"
        set trigger "Enters Conserve Mode"
        config actions
            edit 1
                set action "RestartWAD"
                set required enable
            next
        end
    next
end

Auto-Script Configuration:

This auto-script runs 'diagnose test application ipsmonitor 99', which restarts the IPS engine processes, every 43200 seconds (12 hours), up to 356 times, and starts automatically when the system boots.

config system auto-script
    edit restart_IPSengine
        set interval 43200
        set repeat 356
        set start auto
        set script 'diagnose test application ipsmonitor 99'
    next
end

In conclusion, these steps can help smaller FortiGate devices manage memory better.
Adjust these settings to fit the specific needs of a given network.
For more details, see the related Fortinet article 'Reducing memory usage in FortiGate'.