Fortigate Conserve Mode – How to stop it and what it means

Daniel Sarica
Published: November 2, 2022

The Fortigate firewall has many diagnostic tools, but the problem you will most often be faced with is the following:

Conserve Mode

This problem happens when shared memory usage goes over 80%.
In our experience, this is mostly caused by the IPSmonitor/IPSengine daemon on the Fortigate appliances.
Don’t worry, there is an easy fix.

To get out of conserve mode you have to wait (or kill some of the processes) until memory usage goes under 70%.

Below are some commands to troubleshoot when the system enters conserve mode:

1. Check if the system is in Conserve Mode:

# diag hardware sysinfo shm
SHM counter: 67
SHM allocated: 1556480
SHM total: 101220352
conservemode: 1 <– This is “1” if the system is in conserve mode
shm last entered: n/a
system last entered: n/a
SHM FS total: 106827776
SHM FS free: 105205760
SHM FS avail: 105205760
SHM FS alloc: 1622016

2. Check which processes are using the memory:

# diag sys top 1 10

Then press “m” to sort by memory.

Run Time: 21 days, 20 hours and 52 minutes
1U, 0N, 0S, 99I, 0WA, 0HI, 0SI, 0ST; 1917T, 625F
node 199 S 1.6 3.8 3
cmdbsvr 145 S 0.0 2.3 0
forticron 187 S 0.0 2.0 2
ipshelper 194 S < 0.0 2.0 1
cw_acd 229 S 0.0 1.5 6
sslvpnd 201 S 0.0 1.4 0
miglogd 197 S 0.0 1.3 2
httpsd 18718 S 0.0 1.3 7
forticldd 188 S 0.0 1.2 2
miglogd 264 S 0.0 1.2 0

3. Restart the process consuming most of the memory:

# diag test application <application> <options>

To restart the IPS engine, use the following command:

# diag test application ipsengine 99

The 99 at the end tells the Fortigate to restart the process.

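4. If restarting does not work, kill the process:

# diag sys kill 11 <pid>

Here 11 is the signal sent to the process and <pid> is the process ID, shown in the second column of the diag sys top output.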

5. If none of them work, restart the firewall
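
Steps 1 and 2 can be automated against captured CLI output. The script below is an added example, not part of the original article: it reads the conservemode flag and ranks processes by memory share, including rows where a “<” flag follows the state column. The sample text is constructed from the outputs shown above, and the column layout it expects is an assumption based on them.

```python
import re

# Constructed sample input, copied from the CLI outputs shown in this article.
SHM_OUTPUT = """\
SHM counter: 67
SHM total: 101220352
conservemode: 1
shm last entered: n/a
"""

TOP_OUTPUT = """\
Run Time: 21 days, 20 hours and 52 minutes
1U, 0N, 0S, 99I, 0WA, 0HI, 0SI, 0ST; 1917T, 625F
node 199 S 1.6 3.8 3
cmdbsvr 145 S 0.0 2.3 0
ipshelper 194 S < 0.0 2.0 1
httpsd 18718 S 0.0 1.3 7
"""

# Assumed row layout: name, PID, state, optional "<" flag, CPU %, memory %,
# then an optional trailing column that is ignored.
TOP_ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])\s+(?:<\s+)?"
    r"(?P<cpu>\d+\.\d+)\s+(?P<mem>\d+\.\d+)(?:\s+\d+)?\s*$"
)

def in_conserve_mode(shm_text):
    """Return True when 'diag hardware sysinfo shm' reports conserve mode."""
    m = re.search(r"^conservemode:\s*(\d+)", shm_text, re.MULTILINE)
    if m is None:
        raise ValueError("no conservemode field in output")
    # The article documents the value 1; treating any non-zero value as
    # conserve mode is an assumption of this example.
    return m.group(1) != "0"

def top_memory_consumers(top_text, limit=3):
    """Return (name, pid, mem_percent) tuples, largest memory share first."""
    rows = []
    for line in top_text.splitlines():
        m = TOP_ROW.match(line)  # header lines do not match and are skipped
        if m:
            rows.append((m["name"], int(m["pid"]), float(m["mem"])))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:limit]

if __name__ == "__main__":
    if in_conserve_mode(SHM_OUTPUT):
        for name, pid, mem in top_memory_consumers(TOP_OUTPUT):
            print(f"{name} (pid {pid}) uses {mem}% of memory")
```
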


Conclusion

If you are getting “conserve mode” often, you need a full review of your firewall. It might be that you are using all the resources of the firewall or that your firewall rules need to be optimized. If you need any help you can always contact us.