Troubleshooting high CPU usage
Connection-related problems may occur when FortiGate's CPU resources are over extended. This occurs when you deploy too many FortiOS features at the same time.
Examples of CPU intensive features:
- VPN high-level encryption
- Intensive scanning of all traffic
- Logging all traffic and packets
- Dashboard widgets that frequently perform data updates
See Execute a CLI script based on CPU and memory thresholds for information on customizing the CPU use threshold.
Determining the current level of CPU usage
You can view CPU usage levels in the GUI or CLI. For precise usage values for both overall usage and specific processes, use the CLI.
To view CPU usage in the GUI:
Go to Dashboard > Status. Real-time CPU usage information is located in the CPU widget.
To view CPU usage in the CLI:
diagnose sys top
Sample output:
Run Time: 86 days, 0 hours and 10 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 3040T, 2437F
bcm.user 93 S < 3.1 0.4
httpsd 18922 S 1.5 0.5
httpsd 19150 S 0.3 0.5
newcli 20195 R 0.1 0.1
cmdbsvr 115 S 0.0 0.8
pyfcgid 20107 S 0.0 0.6
forticron 146 S 0.0 0.5
httpsd 139 S 0.0 0.5
cw_acd 166 S 0.0 0.5
miglogd 136 S 0.0 0.5
pyfcgid 20110 S 0.0 0.4
pyfcgid 20111 S 0.0 0.4
pyfcgid 20109 S 0.0 0.4
httpsd 20192 S 0.0 0.4
miglogd 174 S 0.0 0.4
miglogd 175 S 0.0 0.4
fgfmd 165 S 0.0 0.3
newcli 20191 S 0.0 0.3
initXXXXXXXXXXX 1 S 0.0 0.3
httpsd 184 s 0.0 0.3
The following table explains the codes in the second line of the output:
Code |
Description |
---|---|
|
Percentage of user space applications that are currently using the CPU |
|
Percentage of time that the CPU spent on low priority processes since the last shutdown |
|
Percentage of system processes (or kernel processes) that are using the CPU |
|
Percentage of idle CPU resources |
|
Percentage of time that the CPU spent waiting on IO peripherals since the last shutdown |
|
Percentage of time that the CPU spent handling hardware interrupt routines since the last shutdown |
|
Percentage of time that the CPU spent handling software interrupt routines since the last shutdown |
|
steal time Percentage of time a virtual CPU waits for the physical CPU when the hypervisor is servicing another virtual processor |
|
Total FortiOS system memory in MB |
|
Free memory in MB |
Each additional line of the command output displays information specific to processes running on the FortiGate unit. For example, the sixth line of the output is: newcli 20195 R 0.1 0.1
The following table describes the data in the sixth line of the output:
Item |
Description |
---|---|
|
The process name. Other process names can include |
|
The process ID, which can be any number. |
|
Current state of the process. The process state can be:
|
|
The percentage of CPU capacity that the process is using. CPU usage can range from 0.0 for a process that is sleeping to higher values for a process that's taking a lot of CPU time. |
|
The amount of memory that the process is using. Memory usage can range from 0.1 to 5.5 and higher. |
You can use the following single-key commands when running diagnose sys top
:
-
q
to quit and return to the normal CLI prompt. -
p
to sort the processes by the amount of CPU that the processes are using. -
m
to sort the processes by the amount of memory that the processes are using.
The output only displays the top processes that are running. For example, if 20 processes are listed, they are the top 20 processes currently running, sorted by either CPU or memory usage. You can configure the number of processes displayed, using the following CLI command:
diagnose sys top <integer_seconds> <integer_maximum_lines>
Where:
-
<integer_seconds>
is the delay in seconds (default is 5) -
<integer_maximum_lines>
is the maximum number of lines (or processes) to list (default is 20)
Determining which features are using the most CPU resources
You can use the CLI to view the top few processes that are currently running and using the most CPU resources.
To view processes using the most CPU resources:
get system performance top
The entries at the top are using the most CPU resources. The second column from the right shows CPU usage by percentage. Note which processes are using the most resources and try to reduce their CPU load.
Processes you will see include:
-
ipsengine
: the IPS engine that scans traffic for intrusions -
scanunitd
: antivirus scanner -
httpsd
: secure HTTP -
iked
: internet key exchange (IKE) in use with IPsec VPN tunnels -
newcli
: active whenever you're accessing the CLI -
sshd
: there are active secure socket connections -
cmdbsrv
: the command database server application
Go to the features that are at the top of the list and look for evidence of CPU overuse. Generally, the monitor for a feature is a good place to start.
Checking for unnecessary CPU “wasters”
These are some best practices that will reduce your CPU usage, even if the FortiGate is not experiencing high CPU usage. Note that if the following information instructs you to turn off a feature that you require, disregard that part of the instructions.
- Use hardware acceleration wherever possible to offload tasks from the CPU. Offloading tasks, such as encryption, frees up the CPU for other tasks.
- Avoid the use of GUI widgets that require computing cycles, such as the Top Sessions widget. These widgets constantly pol the system for information, which uses CPU and other resources.
- Schedule antivirus, IPS, and firmware updates during off-peak hours. These updates do not usually consume CPU resources but they can disrupt normal operation.
- Check the log levels and which events are being logged. This is the severity of the messages that are recorded. Consider going up one level to reduce the amount of logging. Also, if there are events you do not need to monitor, remove them from the list.
- Log to FortiCloud instead of logging to memory or disk. Logging to memory quickly uses up resources and logging to local disk impacts overall performance and reduces the lifetime of the unit.
Fortinet recommends logging to FortiCloud to avoid using too much CPU.
- If the disk is almost full, transfer the logs or data off the disk to free up space. When a disk is almost full it consumes a lot of resources to find free space and organize the files.
- If packet logging is enabled on the FortiGate, consider disabling it. When packet logging is enabled, it records every packet that comes through that policy.
- Halt all sniffers and traces.
- Ensure the FortiGate isn't scanning traffic twice. Traffic does not need to be rescanned if it enters the FortiGate on one interface, goes out another, and then comes back in again. Doing so is a waste of resources. However, ensure that traffic truly is being scanned once.
-
Reduce the session timers to close unused sessions faster. Enter the following CLI commands, which reduce the default values. Note that, by default, the system adds 10 seconds to
tcp-timewait
.config system global
set tcp-halfclose-timer 30
set tcp-halfopen-timer 30
set tcp-timewait-timer 0
set udp-idle-timer 60
end
- Go to System > Feature Visibility, and enable only features that you need.
SNMP monitoring
When CPU usage is under control, use SNMP to monitor CPU usage. Alternatively, use logging to record CPU and memory usage every 5 minutes.
Once the system is back to normal, you should set up a warning system that sends alerts when CPU resources are used excessively. A common method to do this is using SNMP. SNMP monitors many values in FortiOS and allows you to set high water marks that generate events. You run an application on your computer to watch for and record these events.
To enable SNMP:
- Go to System > SNMP.
- Configure an SNMP community.
See SNMP.
You can use the System Resources widget to record CPU usage if SNMP is too complicated. However, the widget only records problems as they happen and will not send you alerts for problems. |