Fortigate Conserve Mode – Investigations

A Fortigate enters Conserve Mode when the remaining free physical memory (RAM) is nearly exhausted. The memory threshold that triggers Conserve Mode varies by model, but it is around 20-30% of free memory. For example, I have a 61E with a threshold at 70%. To check whether your device is in Conserve Mode, you can use this command:

Most content inspection that the Fortigate performs requires that the files, e-mails, URLs and so on be temporarily buffered and examined as a whole. This buffer uses RAM, and the operating system itself needs memory to work correctly. The main objective of Conserve Mode is to prevent the component features of the Fortigate from trying to use more memory than it has. The Fortigate will exit this mode only when the available physical memory is under the threshold.

The main question is: how can the amount of used memory be reduced? The answer is: it depends, because many configuration settings can be modified to reduce memory usage. First, if your Fortigate often enters Conserve Mode, you must check which service uses a lot of memory.

In this example we can see that ipsmonitor has 6 worker threads and consumes 22% of RAM. Regarding the global configuration, it is possible to perform some tuning. Below are some examples:

Of course, all these settings must be configured carefully and tested. Some other commands can be useful in this situation:

To find the possible values for <test-level>, simply enter the command without the <test-level> value. Below is an example with the application <ipsmonitor>:

After that, if your firewall still enters Conserve Mode too often, replace it with a higher model 🙂
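
For the step of checking which service uses a lot of memory, the following added example (not part of the original post) sums per-process memory from a saved process listing, so that several workers of the same daemon are counted together. It assumes the column layout of `diagnose sys top` (process name, PID, state, CPU %, memory %); the sample text, process names and figures are constructed.

```python
import re
from collections import defaultdict

# Constructed sample laid out like `diagnose sys top` output.
# Assumed columns: process name, PID, state, CPU %, memory %.
SAMPLE_TOP = """\
Run Time:  12 days, 3 hours and 41 minutes
2U, 0N, 1S, 97I, 0WA, 0HI, 0SI, 0ST; 1866T, 410F
       ipsengine      201      S <     1.9     3.8
       ipsengine      202      S <     0.9     3.7
       ipsengine      203      S <     0.5     3.7
       ipsengine      204      S <     0.0     3.6
       ipsengine      205      S <     0.0     3.6
       ipsengine      206      S <     0.0     3.6
          httpsd      180      S       0.0     2.1
          httpsd      233      S       0.0     1.9
         cmdbsvr      120      S       0.0     4.2
         miglogd      155      S       0.0     1.8
             wad      190      S       0.3     6.4
"""

# A process row: name, PID, one-letter state, optional priority marker, CPU, MEM.
PROC_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])\s+(?:[<N]\s+)?"
    r"(?P<cpu>\d+(?:\.\d+)?)\s+(?P<mem>\d+(?:\.\d+)?)\s*$"
)

def memory_by_process(top_output):
    """Return {name: (instance_count, summed_mem_percent)}; header lines are skipped."""
    totals = defaultdict(lambda: [0, 0.0])
    for line in top_output.splitlines():
        m = PROC_LINE.match(line)
        if not m:
            continue  # run-time line, CPU/memory summary line, or blank
        entry = totals[m["name"]]
        entry[0] += 1
        entry[1] += float(m["mem"])
    return {name: (count, round(total, 1)) for name, (count, total) in totals.items()}

def heavy_consumers(top_output, min_percent=5.0):
    """Process names whose summed memory share is >= min_percent, largest first."""
    usage = memory_by_process(top_output)
    heavy = [(n, c, t) for n, (c, t) in usage.items() if t >= min_percent]
    return sorted(heavy, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for name, count, total in heavy_consumers(SAMPLE_TOP):
        print(f"{name:<12} x{count}  {total:5.1f}% of RAM")
```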
