Cookbook

Conserve mode

Each FortiGate model has a specific amount of memory that is shared by all operations. If most or all of that memory is in use, system operations can be affected in unexpected ways. To control how FortiOS functions when the available memory is very low, FortiOS enters conserve mode. This causes functions such as antivirus scanning to change how they operate, reducing functionality to conserve memory. How much inspection is traded for availability while conserve mode is active is set by the fail-open options described below.

Three memory thresholds can be configured:

config system global
    set memory-use-threshold-extreme <integer>
    set memory-use-threshold-green <integer>
    set memory-use-threshold-red <integer>
end

memory-use-threshold-extreme <integer>

The threshold at which memory usage is considered extreme and new sessions are dropped, in percent of total RAM (70 - 97, default = 95).

memory-use-threshold-green <integer>

The threshold at which memory usage forces the FortiGate to leave conserve mode, in percent of total RAM (70 - 97, default = 82).

memory-use-threshold-red <integer>

The threshold at which memory usage forces the FortiGate to enter conserve mode, in percent of total RAM (70 - 97, default = 88).
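The following is an added example, not Fortinet code, that models the three thresholds as this page describes them: it derives the MB figures that `diagnose hardware sysinfo conserve` prints from the percentages and total RAM, checks a proposed green/red/extreme triple against the 70 to 97 range, and replays a series of memory readings through the enter-at-red, leave-at-green hysteresis. The parser, the function names, the sample readings and the ordering rule green < red < extreme are this example's own; the exact comparison operators and which memory figure the kernel compares against red and green are assumptions of the model.

```python
"""Model of the FortiOS conserve-mode thresholds (added example, not Fortinet code).

Assumptions: conserve mode is entered when the compared figure reaches red and
left once it falls to green (readings in between keep the previous state);
"extreme" compares used + freeable, as the diag label for that threshold says.
"""
import re

# Constructed sample in the shape of `diagnose hardware sysinfo conserve`.
SAMPLE_DIAG = """\
memory conserve mode:                        on
total RAM:                                          997 MB
memory used:                                        735 MB   73% of total RAM
memory freeable:                                    173 MB   17% of total RAM
memory used + freeable threshold extreme:           947 MB   95% of total RAM
memory used threshold red:                          877 MB   88% of total RAM
memory used threshold green:                        817 MB   82% of total RAM
"""

_FIELD = re.compile(r"^(?P<key>[^:]+):\s+(?P<val>\S+)")


def parse_diag(text):
    """Map each diag line to its first value: the mode flag, or an int in MB."""
    out = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val")
            out[key] = val if key == "memory conserve mode" else int(val)
    return out


def thresholds_mb(total_mb, green_pct, red_pct, extreme_pct):
    """Percent-of-RAM thresholds as whole MB, truncated like the diag output."""
    return tuple(total_mb * p // 100 for p in (green_pct, red_pct, extreme_pct))


def validate_thresholds(green_pct, red_pct, extreme_pct):
    """Enforce the CLI range (70-97) and the ordering the hysteresis needs.

    The ordering green < red < extreme is a logical requirement of this model
    (exit must lie below entry), not a rule quoted from the page.
    """
    for name, v in (("green", green_pct), ("red", red_pct), ("extreme", extreme_pct)):
        if not 70 <= v <= 97:
            raise ValueError(f"memory-use-threshold-{name} {v} is outside 70-97")
    if not green_pct < red_pct < extreme_pct:
        raise ValueError("expected green < red < extreme")
    return True


def replay(readings, green_mb, red_mb, extreme_mb, start_in_conserve=False):
    """Replay (used, freeable) MB readings; return (used, in_conserve, extreme) per step."""
    in_conserve = start_in_conserve
    trace = []
    for used, freeable in readings:
        if not in_conserve and used >= red_mb:
            in_conserve = True          # crossed red: enter conserve mode
        elif in_conserve and used <= green_mb:
            in_conserve = False         # fell to green: leave conserve mode
        extreme = used + freeable >= extreme_mb   # new sessions dropped
        trace.append((used, in_conserve, extreme))
    return trace


if __name__ == "__main__":
    d = parse_diag(SAMPLE_DIAG)
    green, red, extreme = thresholds_mb(d["total RAM"], 82, 88, 95)
    print(f"green={green} red={red} extreme={extreme} MB, mode={d['memory conserve mode']}")
    # Constructed readings: note the 850 MB step stays in conserve mode even
    # though it is below red, because it has not yet fallen to green.
    for step in replay([(800, 100), (880, 50), (850, 40), (900, 60), (810, 80)], green, red, extreme):
        print(step)
```

With the defaults and 997 MB of RAM the derived thresholds are 817, 877 and 947 MB, the same figures the diag output on this page shows, and the replay makes the hysteresis visible: once red has been crossed, a reading that merely drops below red does not clear the mode.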

Proxy inspection in conserve mode

The FortiGate's proxy-based inspection behavior while in conserve mode is configured with the antivirus failopen command.

config system global
    set av-failopen {pass | off | one-shot}
end

pass

This is the default setting.

Bypass the antivirus proxy and allow traffic to continue to its destination. Because traffic bypasses the proxy, security profiles that require the antivirus proxy are also bypassed. Security profiles that do not use the antivirus proxy continue to function normally.

Use this setting when access is more important than security while the issue is resolved.

off

Force the FortiGate to stop all traffic that uses the antivirus proxy. New sessions are blocked; active sessions continue to be processed normally unless they request more memory, in which case they are terminated.

If a security policy is configured to use antivirus scanning, then the traffic that it permits is blocked while in conserve mode. So, a policy with only IPS scanning enabled will continue normally, but a policy with both IPS and antivirus scanning is blocked because antivirus scanning requires the antivirus proxy.

Use this setting when security is more important than access while the issue is resolved.

one-shot

Bypass the antivirus proxy as with pass, and continue to bypass it after the FortiGate is out of conserve mode, until the failopen setting is changed or the FortiGate is restarted.

Flow inspection in conserve mode

The FortiGate's flow-based inspection behavior while in conserve mode is configured with the IPS failopen command.

config ips global
    set fail-open {enable | disable}
end

  • When disabled (default), the IPS engine drops all new sessions that require flow-based inspection.

  • When enabled, the IPS engine does not perform any scans and allows new sessions through.

Diagnostics

When in conserve mode, FortiOS generates conserve mode log messages and SNMP traps, and a conserve mode banner is shown in the GUI.

To view current information about memory conservation status:

# diagnose hardware sysinfo conserve
memory conserve mode:                               on
total RAM:                                          997 MB
memory used:                                        735 MB   73% of total RAM
memory freeable:                                    173 MB   17% of total RAM
memory used + freeable threshold extreme:           947 MB   95% of total RAM
memory used threshold red:                          877 MB   88% of total RAM
memory used threshold green:                        817 MB   82% of total RAM

To view logs:
  1. Go to Log & Report > System Events in the GUI.

  2. If historical FortiView is enabled, select the Logs tab.

  3. If the GUI is unresponsive due to high memory usage, making the logs inaccessible, they can be viewed in the CLI:

    # execute log filter category 1
    # execute log display
    1: date=2022-11-02 time=16:58:37 eventtime=1667433517502192693 tz="-0700" logid="0100022011" type="event" subtype="system" level="critical" vd="root" logdesc="Memory conserve mode entered" service="kernel" conserve="on" total=997 MB used=707 MB red="877 MB" green="698 MB" msg="Kernel enters memory conserve mode"

To view the crash log in the CLI:

# diagnose debug crashlog read
1: 2022-10-27 14:22:36 service=kernel conserve=on total="997 MB" used="720 MB" red="877 MB"
2: 2022-10-27 14:22:36 green="817 MB" msg="Kernel enters memory conserve mode"
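The following is an added example, not part of this page or of FortiOS, showing detection logic a SOC could run over these conserve-mode events. It parses event-log lines of the shape `execute log display` prints, copes with the unquoted `total=997 MB` style values the sample record contains, and rates each enter/exit transition against the av-failopen and IPS fail-open posture read from a `show system global` / `show ips global` excerpt. All log lines and the config excerpt are constructed; the severities, the helper names and the assumption that a setting absent from `show` output is at its documented default are this example's own.

```python
"""Conserve-mode event detection (added example, not Fortinet code)."""
import re
import shlex

# Constructed log lines.  The first copies the shape of the page's own
# "Memory conserve mode entered" record; the other two are invented for this
# example and deliberately carry no logid.
SAMPLE_LOGS = """\
date=2022-11-02 time=16:58:37 eventtime=1667433517502192693 tz="-0700" logid="0100022011" type="event" subtype="system" level="critical" vd="root" logdesc="Memory conserve mode entered" service="kernel" conserve="on" total=997 MB used=707 MB red="877 MB" green="698 MB" msg="Kernel enters memory conserve mode"
date=2022-11-02 time=17:03:11 tz="-0700" type="event" subtype="system" level="notice" vd="root" logdesc="Admin login successful" user="admin" msg="Administrator admin logged in successfully from ssh(10.0.0.5)"
date=2022-11-02 time=17:10:42 tz="-0700" type="event" subtype="system" level="notice" vd="root" logdesc="Memory conserve mode exited" service="kernel" conserve="off" total="997 MB" used="690 MB" msg="Kernel leaves memory conserve mode"
"""

# Constructed excerpt of `show system global` and `show ips global`.
SAMPLE_CONFIG = """\
config system global
    set av-failopen one-shot
    set memory-use-threshold-red 85
end
config ips global
end
"""


def parse_kv(line):
    """Split a FortiOS key=value log line into a dict.

    shlex handles the double-quoted values; a bare token without '=' (the
    'MB' in `total=997 MB`) is glued back onto the preceding field so the
    unquoted-with-space style in the page's sample does not shift fields.
    """
    fields, last = {}, None
    for tok in shlex.split(line):
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
            last = key
        elif last is not None:
            fields[last] += " " + tok
    return fields


def parse_posture(config_text):
    """Return (av_failopen, ips_fail_open).

    Assumption: the text comes from `show`, which lists only non-default
    values, so a missing setting means the documented default (pass, disable).
    """
    av = re.search(r"^\s*set av-failopen (\S+)", config_text, re.M)
    block = re.search(r"config ips global(.*?)^end", config_text, re.S | re.M)
    ips = re.search(r"set fail-open (\S+)", block.group(1)) if block else None
    return (av.group(1) if av else "pass", ips.group(1) if ips else "disable")


def detect(log_text, config_text):
    """Turn kernel conserve-mode transitions into alerts rated by posture."""
    av, ips = parse_posture(config_text)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_kv(line)
        if f.get("service") != "kernel" or "conserve" not in f:
            continue
        alert = {"time": f"{f.get('date')} {f.get('time')}", "vd": f.get("vd"),
                 "used": f.get("used"), "red": f.get("red")}
        if f["conserve"] == "on":
            if av == "off":
                av_note = "sessions needing the AV proxy are blocked (av-failopen off)"
            else:
                av_note = f"AV proxy bypassed, proxy-based profiles not applied (av-failopen {av})"
            ips_note = ("new flow-inspected sessions pass unscanned" if ips == "enable"
                        else "new flow-inspected sessions dropped") + f" (ips fail-open {ips})"
            alert.update(event="enter", severity="high", detail=f"{av_note}; {ips_note}")
        else:
            # one-shot keeps the AV bypass after leaving conserve mode, so the
            # exit event is the moment to remind the operator, not to relax.
            if av == "one-shot":
                alert.update(event="exit", severity="high",
                             detail="AV proxy still bypassed until av-failopen is changed or the unit reboots")
            else:
                alert.update(event="exit", severity="info", detail="inspection behaviour restored")
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS, SAMPLE_CONFIG):
        print(a)
```

Keying on `service="kernel"` plus the `conserve` field rather than on a single logid lets the same rule catch both the enter and exit records, and treating the exit as high severity under one-shot mirrors the caveat in the proxy-inspection section: leaving conserve mode does not by itself restore antivirus scanning.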