Fortigate Conserve Mode – How to stop it and what it means

The Fortigate firewall has many diagnostic tools, but the problems you will most often be faced with are the following:

1. Conserve Mode

This problem happens when shared memory usage goes over 80%.
To exit conserve mode you have to wait (or kill some of the processes) until memory usage drops under 70%.

2. Antivirus FailOpen

This is a safeguard feature that determines the behavior of the Fortigate antivirus system when it becomes overloaded with high traffic.

To mitigate this you have several options:

#set av-failopen { off | one-shot | pass | idledrop }

Below we will describe what all of them do:

a. Off – if the FG enters conserve mode, the Fortigate stops accepting new AV sessions but continues to process currently active sessions

b. One-shot – if the FG enters conserve mode, all new connections bypass the AV system, but current sessions continue to be processed. This is the same as the “pass” option, but it will NOT turn off once the condition causing the av-failopen has stopped

c. Idle-drop – drops connections from the clients that have the most open connections

d. pass – this is the default option

Please keep in mind that with the one-shot and pass options, NO content filtering of the traffic is done. The data stream could contain malicious content.
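The av-failopen setting lives under config system global. As an added illustration (not a fragment from the original article), the following FortiOS CLI shows the default, which lets new sessions through unscanned while the AV engine is overloaded, next to the fail-closed choice that refuses new AV sessions instead; the comment lines are explanatory and are not typed into the CLI.

```text
# Default: when AV is overloaded, new sessions pass without scanning
config system global
    set av-failopen pass
end

# Fail closed: stop accepting new AV sessions rather than bypass scanning
config system global
    set av-failopen off
end

# Confirm the running value
show system global | grep av-failopen
```

Choosing off trades availability for inspection coverage: new sessions that need AV scanning are refused until memory recovers, but nothing reaches the client unscanned, which is the behaviour a defender usually prefers on an internet-facing unit.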

Below are some commands to troubleshoot when the system enters conserve mode:

Check if the system is in Conserve Mode:

# diag hardware sysinfo shm
SHM counter: 67
SHM allocated: 1556480
SHM total: 101220352
conservemode: 0 <– This should be 1 if the system is in conserve mode
shm last entered: n/a
system last entered: n/a
SHM FS total: 106827776
SHM FS free: 105205760
SHM FS avail: 105205760
SHM FS alloc: 1622016
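To watch the thresholds described above (enter above 80%, leave only once usage is under 70%) from a monitoring host, the text of diag hardware sysinfo shm can be parsed and evaluated. The following Python is an added example, not a FortiOS tool or the article's own code: the threshold constants and the hysteresis function are assumptions based on the article's description, and the sample output is the article's own listing pasted in as a string.

```python
"""Evaluate Fortigate shared-memory usage against the conserve-mode
thresholds described in the article (enter above 80%, exit below 70%).
Added example; it parses the text of 'diag hardware sysinfo shm'."""

# Thresholds as stated in the article (constants here, not read from the unit)
ENTER_PERCENT = 80.0
EXIT_PERCENT = 70.0

# Sample output copied from the article's own listing
SAMPLE_SHM = """\
SHM counter: 67
SHM allocated: 1556480
SHM total: 101220352
conservemode: 0
shm last entered: n/a
system last entered: n/a
SHM FS total: 106827776
SHM FS free: 105205760
SHM FS avail: 105205760
SHM FS alloc: 1622016
"""


def parse_shm(output: str) -> dict:
    """Turn 'key: value' lines into a dict; values are kept as strings."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def shm_usage_percent(fields: dict) -> float:
    """Percentage of shared memory currently allocated."""
    total = int(fields["SHM total"])
    allocated = int(fields["SHM allocated"])
    if total <= 0:
        raise ValueError("SHM total must be positive")
    return 100.0 * allocated / total


def next_conserve_state(in_conserve: bool, usage_percent: float) -> bool:
    """Apply the hysteresis: a unit already in conserve mode stays there
    until usage falls below EXIT_PERCENT; otherwise it enters once usage
    exceeds ENTER_PERCENT. Values between 70% and 80% keep the current state."""
    if in_conserve:
        return usage_percent >= EXIT_PERCENT
    return usage_percent > ENTER_PERCENT


def assess(output: str) -> dict:
    """Summarise one capture: usage, the flag the unit reports, and whether
    that flag agrees with what the thresholds predict."""
    fields = parse_shm(output)
    usage = shm_usage_percent(fields)
    reported = fields.get("conservemode") == "1"
    expected = next_conserve_state(reported, usage)
    return {
        "usage_percent": round(usage, 2),
        "reported_conserve": reported,
        "consistent": reported == expected,
        "headroom_to_enter": round(ENTER_PERCENT - usage, 2),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SHM))
```

The headroom value is the useful alerting signal: raising a warning at, say, 10 points of headroom gives time to find the process that is growing before the unit flips into conserve mode and the av-failopen behaviour kicks in.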

Check if there are errors on the interfaces:

#diag hardware deviceinfo nic <interface>

Show if you have any errors on the Internal interface:

#diag hardware deviceinfo nic internal
Description ip175c-vdev
Part_Number N/A
Driver_Name ip175c
Driver_Version 1.01
System_Device_Name internal
Current_HWaddr 00:09:0f:54:b7:2e
Permanent_HWaddr 00:09:0f:54:b7:2e
Link up
Speed 100
Duplex full
State up (0x00001303)
MTU_Size 1500
Rx_Packets 63254215
Tx_Packets 58173946
Rx_Bytes 3057592732
Tx_Bytes 481440010
Rx_Errors 0
Tx_Errors 0
Rx_Dropped 0
Tx_Dropped 0
Multicast 0
Collisions 0
Rx_Length_Errors 0
Rx_Over_Errors 0
Rx_CRC_Errors 0
Rx_Frame_Errors 0
Rx_FIFO_Errors 0
Rx_Missed_Errors 0
Tx_Aborted_Errors 0
Tx_Carrier_Errors 0
Tx_FIFO_Errors 0
Tx_Heartbeat_Errors 0
Tx_Window_Errors 0
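Reading the whole counter block by eye on every interface is slow, so a small parser that reports only the non-zero error, drop and collision counters helps when working through a conserve-mode incident. The following Python is an added example, not FortiOS code or the article's own: it takes the text of diag hardware deviceinfo nic as a string, and the sample with non-zero counters is constructed from the article's listing to show a flagged interface.

```python
"""Scan 'diag hardware deviceinfo nic <interface>' output for non-zero
error, drop and collision counters. Added example, not part of FortiOS."""

# Counter names in the article's output that indicate trouble on the link
PROBLEM_SUFFIXES = ("_Errors", "_Dropped")
PROBLEM_KEYS = ("Collisions",)

# Constructed sample: the article's 'internal' output shortened, with two
# counters altered to non-zero values (not a real capture)
SAMPLE_NIC_BAD = """\
System_Device_Name internal
Link up
Speed 100
Duplex full
State up (0x00001303)
MTU_Size 1500
Rx_Packets 63254215
Tx_Packets 58173946
Rx_Errors 12
Tx_Errors 0
Rx_Dropped 0
Tx_Dropped 3
Multicast 0
Collisions 0
Rx_CRC_Errors 12
Tx_Carrier_Errors 0
"""


def parse_nic(output: str) -> dict:
    """Each line is 'Name value'; the first token is the key and the rest
    of the line is the value string (so 'up (0x00001303)' stays intact)."""
    fields = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1].strip()
    return fields


def problem_counters(fields: dict) -> dict:
    """Return only the error/drop/collision counters with a non-zero value."""
    found = {}
    for key, value in fields.items():
        if not (key.endswith(PROBLEM_SUFFIXES) or key in PROBLEM_KEYS):
            continue
        try:
            count = int(value)
        except ValueError:
            continue  # non-numeric field such as 'N/A'
        if count:
            found[key] = count
    return found


def link_summary(output: str) -> dict:
    """Condense one interface's output into the fields worth looking at."""
    fields = parse_nic(output)
    return {
        "interface": fields.get("System_Device_Name", "?"),
        "link": fields.get("Link"),
        "speed_duplex": f"{fields.get('Speed')}/{fields.get('Duplex')}",
        "problems": problem_counters(fields),
    }


if __name__ == "__main__":
    print(link_summary(SAMPLE_NIC_BAD))
```

Run it against each interface's output in turn; an interface whose problems dict is empty, as in the article's internal example, can be ruled out as the cause, while rising CRC or drop counters point at cabling, duplex mismatch or a flood that is worth correlating with the memory growth.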

Restart any application:

#diag test application <application> <options>

To restart the IPS engine use the following command:

#diag test application ipsengine 99

The 99 at the end tells the Fortigate to restart the process.

Waiting for comments if you have any other suggestions.