FortiGate Conserve Mode – How to stop it and what it means

Daniel Sarica
Published: November 2, 2022

While the FortiGate firewall offers numerous diagnostic tools, one challenge you’re likely to encounter is Conserve Mode.

Conserve Mode activates when shared memory utilization exceeds 80%. In our extensive experience, this issue typically stems from the IPSmonitor/IPSengine daemon consuming excessive resources on FortiGate appliances. Fortunately, there’s a straightforward solution.

To exit Conserve Mode, you must wait until memory utilization drops below 70%, or selectively terminate resource-intensive processes to expedite the recovery.

Use the following commands to effectively troubleshoot when your system enters Conserve Mode.

1. Check if the system is in Conserve Mode:

# diag hardware sysinfo shm
SHM counter: 67
SHM allocated: 1556480
SHM total: 101220352
conservemode: 1 <-- This is “1” if the system is in conserve mode
shm last entered: n/a
system last entered: n/a
SHM FS total: 106827776
SHM FS free: 105205760
SHM FS avail: 105205760
SHM FS alloc: 1622016

2. Check which processes are using the memory

#diag sys top 1 10

Then press “m” to sort by memory.

Run Time: 21 days, 20 hours and 52 minutes
1U, 0N, 0S, 99I, 0WA, 0HI, 0SI, 0ST; 1917T, 625F
node 199 S 1.6 3.8 3
cmdbsvr 145 S 0.0 2.3 0
forticron 187 S 0.0 2.0 2
ipshelper 194 S < 0.0 2.0 1
cw_acd 229 S 0.0 1.5 6
sslvpnd 201 S 0.0 1.4 0
miglogd 197 S 0.0 1.3 2
httpsd 18718 S 0.0 1.3 7
forticldd 188 S 0.0 1.2 2
miglogd 264 S 0.0 1.2 0

3. Restart the process consuming most of the memory

#diag test application <application> <options>

To restart the IPS engine use the following commands:

#diag test application ipsengine 99

The 99 at the end tells the FortiGate to restart the process.

 

4. If restarting does not work, kill the process

#diag sys kill 11 <pid>

Replace <pid> with the process ID shown in the second column of the diag sys top output.

5. If none of these steps works, restart the firewall
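
Steps 1 and 2 can be checked automatically against captured CLI output. The Python script below is an added example, not part of the original article or any Fortinet tool: it reads the conservemode flag and ranks processes by memory share, using sample text constructed from the listings above. The function names and the assumed column order of the top listing are illustrative.

```python
import re

# Constructed samples, abbreviated from the listings in steps 1 and 2.
SHM_SAMPLE = """\
SHM counter: 67
SHM total: 101220352
conservemode: 1
shm last entered: n/a
"""
TOP_SAMPLE = """\
Run Time: 21 days, 20 hours and 52 minutes
node 199 S 1.6 3.8 3
cmdbsvr 145 S 0.0 2.3 0
ipshelper 194 S < 0.0 2.0 1
httpsd 18718 S 0.0 1.3 7
"""

# Assumed column order, read off the step 2 listing: name, PID, state,
# optional priority flag ("<" or "N"), CPU %, memory %.
TOP_ROW = re.compile(r"^(\S+)\s+(\d+)\s+([A-Z])\s+(?:[<N]\s+)?([\d.]+)\s+([\d.]+)")

def parse_shm(text):
    """Map each 'key: <integer>' line to an int; lines such as 'n/a' are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"([\w ]+):\s*(\d+)\b", line.strip())
        if m:
            fields[m.group(1).strip()] = int(m.group(2))
    return fields

def top_by_memory(text, limit=3):
    """Return (name, pid, mem_pct) tuples, highest memory share first."""
    rows = []
    for line in text.splitlines():
        m = TOP_ROW.match(line.strip())
        if m:
            rows.append((m.group(1), int(m.group(2)), float(m.group(5))))
    return sorted(rows, key=lambda r: r[2], reverse=True)[:limit]

def triage(shm_text, top_text):
    """Return restart candidates for step 3; empty list when not in conserve mode."""
    # A missing 'conservemode' key raises KeyError instead of reporting "healthy".
    if parse_shm(shm_text)["conservemode"] == 0:
        return []
    return top_by_memory(top_text)

if __name__ == "__main__":
    for name, pid, mem in triage(SHM_SAMPLE, TOP_SAMPLE):
        print(f"{name:<12} pid={pid:<6} mem={mem}%")
```

Feed it the text captured from a logged SSH or console session; the PID it reports is the value the kill command in step 4 expects.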

 

Conclusion

Frequent occurrences of “conserve mode” indicate your firewall requires a comprehensive evaluation. This pattern typically suggests either resource exhaustion on your FortiGate device or the need for firewall rule optimization. If you encounter persistent performance issues or require expert assistance with your configuration, you can always contact us.