Linux core offers support for a large number of file systems. User interface provided is the same no matter the type of file system back. Generally different file names and directories are simple to be used efficiently in command line such as  bin/, var/, usr/, lib. Mac Os uses more clear names
such as /library/, /Applications/, /Users/. Most of Linux distributions offers compatible interface with Filesystem Hierarchy Standard 3. FHS defines the main directories names and the content of it in a Linux distribution such as :

___________________________________________________________________________

Directory                                                     Description

___________________________________________________________________________

/ bin /                           binary commands associated with significant executable

————————————————————————————————————————

/ dev /                          dev / null , dev / hda , dev / random  devices

————————————————————————————————————————-

/ etc /                           configurations files

————————————————————————————————————————-

/home/                         home users directories

————————————————————————————————————————-

/ lib /                            libraries

————————————————————————————————————————–

/ mnt /                          temporary system files

————————————————————————————————————————–

/ proc /                         file system procfs

—————————————————————————————————————

/ root /                          users home ( root )

—————————————————————————————————————

/ sbin /                         executable commands that requires privileged user rights

—————————————————————————————————————-

/ usr /                           secondary hierarchy : contains binaries and libraries

—————————————————————————————————————-

/ var /                           variable files (logs, queues, temporary)

—————————————————————————————————————–

/ var / log /                    log files for various applications

—————————————————————————————————————–

Basic commands for interaction with file system are : pwd , is , cd , touch , rm, mkdir , rmdir, cp , mv, link , unlink.

User management

Refers to deleting  or adding new users , displays some general information respectively changing informations about the user. In Unix system user information are retained in the /etc/passwd file.

Each line in this file contains user name , his ID , home , the shell and other information. For safety reasons the hash associated with password file is not found in /etc/passwd/ but in /etc/shadow that may not be accessed by most users. To find information about a user of the system can use the commands ID or finger . Privileged user in a Unix system is the user root with the uid 0 and the home in /root.

Root user (uid 0 user) has rights in the system and may run any command. Changing a user is performed with the command su followed by the password for that user. If user is root then the initial password is not required. Ubuntu system disables root user and recommends using sudo command. This command along with /etc/sudoers/  allows running privileged commands by an unprivileged user.

Changing a user password is performed with the command passwd . Privileged user can change any user password while an unprivileged user can change only his password.

In Debian – based system , adding or deleting a user is done through scripts adduser and deluser.

Advantage and disadvantage of using adduser command is the interactivity. Automation of tasks involves non-interactive commands. You can use the commands useradd , userdel and usermod.

Rights on file systems

Unix systems use a simplified model of association rights on an entry in the filesystem. Every file is owned by a user and a group. There are three categories of users :

- user who owns the file ( user )

- group that owns the file ( group )

- other users  ( others )

Abbreviated three categories are called ugo . Each of the three categories has three possible rights:

- read

- write

- execute

Abbreviated three categories are called rwx . The three rights of each of the above functions have different meanings when they are used over files or directories. Changing rights on a file is accomplished with the command chmod . Command takes effect only if it is run by the user that owns the file. Changing owner and group that owns file is accomplished with the command chown .

This command ( chown ) can be run only by privileged user.

It seems that ine.com is offering the CCNA:Voice track videos free of charge!

Thas is great new for everybody, and i always wanted to take a look at their videos, as they are pretty good.

Here is the link to the free CCNA videos: link

Have fun!

Linux administration activities are similar to any Unix system.
The important components are hardware device administration, files system, users administration, programs packs administration, services administration, system security ensuring and automation tasks.

Most of system administrator interactions with Linux operating system will be done through the command line interface (shell) and text configuration files.

The components of a GNU / Linux / Distributions

An GNU/Linux operating system consists of core (kernel), Linux and applications running over it.
One of the most significant application is the command interpreter (the shell). On most of Linux distributions the shell is Bash.
The shell acts as an intermediary between user and core. The shell transforms users command in to process which is using the core to complete a task.

Other basic applications are the editor(vim, emacs), compilers, libraries. Generally graphic applications are missing from a server system realizing interaction almost exclusively via command line.

Unlike other operating systems kernel and application development is performed differently.
The aggregation of these components is made by a GNU/Linux distribution. There are hundreds of Linux distributions, among the most popular we mention Ubuntu Fedora/RedHat, SuSE, Debian, Gento, Slackware etc.

Some of the distributions are similar such as Debian-based :
Debian, Ubuntu, MEPIS, Damn Small Linux, Xandros, Linspire. These distributions use software packages provided by Debian and APT system.

Temporary  Network configuration

Linux provides two utilities to configure network interfaces. This configuration is lost after reboot.

The first of these is called ifconfig. Present on all Unix platforms, this tool enables the IP address, a network mask and broadcast address.
The ifconfig command can be used both to inspect the current network configuration, the operating parameters: MTU, number of packs sent, number of packs received.

For each physical network interface can be defined more logical interfaces known as subinterface.
Logically, each subinterface of a router is a distinct interface. For this reason, two subinterfaces can not have the same IP subnetwork.

All network parameters restarts when the interface stops, interface that can be made for a specific interface or network service restart. This results leads to resetting all network interfaces.
Temporary network configurations will be lost if the interface deactivated. In a subinterface case, deactivation is equivalent to removing.Starting from kernel version 2.2, came a package of utilities for handling network configuration known as iproute.

Examples:

# ifconfig eth0

eth0 Link encap:Ethernet HWaddr 00:2D:32:5E:3B:3C
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:977839669 errors:0 dropped:1990 overruns:0 frame:0
TX packets:1116825094 errors:8 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1594112309 (1.5 GiB) TX bytes:1535889321 (1.8 GiB)
Interrupt:185 Base address:0xdc00

Display Details of All interfaces Including Disabled Interfaces

# ifconfig -a

Shutdown an Interface

# ifconfig eth0 down

Enable an Interface

# ifconfig eth0 up

Assign 192.168.1.1 as the IP address for the interface eth0.

# ifconfig eth0 192.168.1.1

Change Subnet mask of the interface eth0.

# ifconfig eth0 netmask 255.255.255.0

Change Broadcast address of the interface eth0.

# ifconfig eth0 broadcast 192.168.1.255

Assign ip-address, netmask and broadcast at the same time to interface eht0.

# ifconfig eth0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255

Now the second version (iproute2) is a strong alternative allowing very sophisticated settings. To configure the network parameters is used ip addr utility which is part of the package iproute .

To configure an interface is necessary to specify the IP address, the network area code and the broadcast address.

To define configurations for subinterfaces label option is used. For compatibility reasons, it is recommended that names to start with the interface name labels. So, for eth0 label shall be valid: eth00, eth0.0, eth 0: 0, eth 0.

Since ifconfig sees the labels as a virtual interface, it can run only with the interface: number type. To enable or disable an interface or deleting logical configurations associated with a subinterface is used other utility of the iproute2 : ip link package .

Ip link tool can be useful to change the data link level parameters (MAC, MTU, etc) and to display these parameters.
Besides handling functions defining routing table and tunnels, iproute2 provides support for traffic policy.

Permanent configuration

To set up a permanent network parameters is used /etc/ network/interfaces
This file is specific to Debian (its location in other distributions may be different) and contains information necessary to configure network interfaces.

Programs using this file shall be ifup and ifdown and shall be run from /etc/init.d/networking, script responsible for the network configuration in the boot of the operating system. To define static parameters of network administrator can specify IP address, subnet mask, default gateway address, name server addresses, or some of these parameters. Can also be specified other actions to be performed when the interface is started, that stopped.

Thanks.

It can use the following Methods:

I. Fortigate FSAE/FSSO

This feature provides a transparent authentication for the users.

In the older version you can fin it named as FortinetFSAE, but in the new versions it appears are Fortinet FSSO.

The Fortigate FSAE/FSSO is composed of the following 2 softwares:

1. Domain Controller Agent

This software monitors the user login. This software is deployed on the Domain Controllers of the users domain. You can find it in C:\Windows\System32\dcagent.dll

2. Collector Agent

This is the ‘master’of the application. This software sends the info gather from the Domain Controller Agent to the Fortigate Firewall.
It performs the following tasks:
a. Looksup the group in the domain/user information
Uses DNS lookup then if that is not present it check the users local cache then the WINS server, user Hosts file etc.
To monitor when a users logg off, the FSAE/FSSO needs read only access on TCP port 139 or 445 on the clients registry.

b. Resolves the Workstation name to an IP address
This detects when a users logs off of one PC. It controls if the users is logged on every 5 minutes.
It uses the Dead Entry Removal for workstations that cannot be looked up. It is controlled by the “dead entry timeout”", with a default of 8 hours. So if a PC cannot be be checked if an user logged of it uses this default, to log it off automatically.

c. Sends the IP address/group to the Fortigate
 
 
 

II. Fortigate NTLM-based Authentication

This method basically removes the need to install FSAE collector agent on every DC. It prompts the user for credentials and then it checks with the Domain Controller if everything is working fine.

FSAE/FSSO General Hints

1. Must be configured on each Domain Controller that has a collector agent installed:
a. Windows Active Directory user groups
b. Collector agent settings, including the Domain Controller to be monitored
c. Collector agent ignore user list
d. Collector Agent Fortigate Group filter for each Fortigate unit

2. Configuring FSAE/FSSO on the Fortinet Firewall:
a. Specify a domain admin user(with the credentials that do not expire) to the Windows Active Directory Server
b. Specify the Active Directory Servers that contain the FSAE/FSSO collector agent
c. Add the Active Directory user groups to new or existing Fortigate user groups
d. Create Firewall policy for Active Directory server groups

3. IP Address Lookup
The Collector agent will perform IP address lookup to detect any IP address hanges of a workstation while the user is still logged into the domain.
The IP address change verify interval value has a default value of 60 seconds.

4.Configure Alternate User IP address Tracking

In environment where user IP address change frequently, FSAE can be modified to respond more quicklye by modifing the registry.

5. Workstation Lookup
This allows the Fortigate to detect a user logoff from a workstation.
Default – 5 minutes
Disabled – 8 Hours

If you have any comments or questions please do not hesitate to ask.

Have a great day,
Daniel

IPS is a way to stop malicious users to attack your Server/PCs by using exploits or any other kind of attacks.

The IPS from the Fortigate uses the following 2 to help you prevent attacks:

1. Protocol Decoders – are used to define abnormal traffic

2. Signatures – it uses already defined signatures to catch malicious traffic.

IPS Sensor

This is used to group signatures into sensor for ease of use and it is also made of 2 parts: filters and overrides.

DOS Sensor

This DOS Sensor examines the internet traffic from top to bottom. It uses 4 anomalies for the protocols TCP, UDP and ICMP:
1. Flooding
2. Scanning
3. Source Session Limit
4. Destination Session Limit

The Fortigate is also capable of SYN Proxy. This is used to block SYN attacks.

If IPS fails (gets corrupted) it will go to the fail-open by default. This can be change in the CLI only.  For more info about the fail-open mode you can check the article about Fortigate conserve mode.

General Hints about Fortinet Firewall IPS

1. The IPS predefined signatures and the IPS engine are upgraded through the FortiGuard Distribuition Network

2. The pre-defined signatures are periodically updated by the Fortiguard Service, with signatures added to counter new thread. This also works if the filters are already defined, for example if a filter includes all the signatures for the Windows operating system, the filter will automatically incorporate new Windows signatures as they are added.

3. Overrides are checked before the filters and also the overrides can add a custom signatures.

4. IPS can be configured to ignore sessions after a set of traffic has passed through the firewall; by default is 204800bytes (this can be modified through the CLI).

Hope this has been informative for you, and if you have any questions please let me know.

WCCP architecture

1. Routers (responsible for redirecting to the WCCP Server)

2. Web Cache – cluster of server

3. Service Groups – this is used to identify sensitive traffic and encapsulates methods between endpoints in the config.

WCCP  can be configured from CLI only. The following steps needs to be performed:

1. Configure the service group

2. Enable WCCP on the Fortigate interface

3. Enable WCCP on the firewall policy

You can configure a FortiGate unit to operate as a WCCP router or client.
• A FortiGate unit operating as a WCCP router can intercept HTTP and HTTPS sessions and forward them to a web
caching engine that caches web pages and returns cached content to the web browser.

• A FortiGate unit operating as a WCCP client can accept and forward WCCP sessions and use firewall policies to
apply NAT, UTM, and other FortiGate security features to them. A FortiGate unit operates as a WCCP client only in
NAT/Route mode (and not in Transparent mode)

Configuring WCCP on Fortinet:

Enter the following command to configure a FortiGate unit to operate as a WCCP client:
config system settings
set wccp-cache-engine enable
end

To configure WCCP in client mode use the following commands:

config system wccp
edit <service-id>
set cache-id <cache_engine_ip4>
set group-address <multicast_ipv4>
set router-list <server_ipv4mask>
set authentication {disable | enable}
set service-type {auto | dynamic | standard}
set assignment-weight <weight_int>
set assignment-bucket-format {cisco-implementation | wccp-v2}
set password <password_str>
next
end

Configure WCCP in server mode:

config system wccp
edit <service-id>
set router-id <interface_ipv4>
set group-address <multicast_ipv4>
set server-list <router1_ipv4> [<router2_ipv4> ... <router4_ipv4>]
set authentication {disable | enable}
set forward-method {GRE | L2 | any}
set return-method {GRE | L2 | any}
set assignment-method {HASH | MASK | any}
set password <password_str>
next
end

Below is a description of all of the Variables

<service-id>

Valid ID range is from 0 to 255. 0 for HTTP.

Default is 1

 <pre> router-id <interface_ipv4> </pre> 

An IP address known to all cache engines. This IP address identifies a
FortiGate interface IP address to the cache engines. If all cache
engines connect to the same FortiGate interface, then
<interface_ipv4> can be 0.0.0.0, and the FortiGate unit uses the
IP address of that interface as the router-id.
If the cache engines can connect to different FortiGate interfaces, you
must set router-id to a single IP address, and this IP address must
be added to the configuration of the cache engines that connect to that
interface.

Default is 0.0.0.0

cache-id <cache_engine_ip4>

The IP address of the cache engine if its IP address is not the same as
the IP address of a FortiGate interface. If the IP address of the cache
engine is the same as the IP address of the FortiGate interface on
which you have enabled WCCP, the cache-id should be 0.0.0.0.
Default: 0.0.0.0

group-address <multicast_ipv4>

The IP multicast address used by the cache routers. 0.0.0.0 means
the FortiGate unit ignores multicast WCCP traffic. Otherwise, groupaddress
must be from 224.0.0.0 to 239.255.255.255.
Default: 0.0.0.0

server-list <router1_ipv4>[<router2_ipv4> ...<router4_ipv4>]

The IP address and net mask of up to four WCCP routers.
Default is: 0.0.0.0  0.0.0.0

router-list <server_ipv4mask>

IP addresses of one or more WCCP routers that can communicate with
a FortiGate unit operating as a WCCP cache engine. Separate multiple
addresses with a space.

service-type {auto | dynamic | standard}

Set the WCCP service type used by the cache server.

Default: auto

forward-method {GRE| L2 | any}

Specifies how the FortiGate unit forwards traffic to cache servers. If
forward-method is any the cache server determines the forward
method.
Default: GRE

return-method {GRE| L2 | any}

Specifies how a cache server declines a redirected packet and returns
it to the FortiGate unit. If return-method is any the cache server
determines the return method.
Default: GRE

assignment-method {HASH | MASK | any}

Specifies which assignment method the FortiGate unit prefers. If
assignment-method is any the cache server determines the
assignment method.
Default: HASH

assignment-weight <weight_int>

Set the assignment weight for the WCCP cache engine. The range is 0
to 255.
Default: 0

assignment-bucketformat {ciscoimplementation | wccp-v2}

Set the assignment bucket format for the WCCP cache engine.

Default: ciscoimplementation

password <password_str>

The authentication password. Maximum length is 8 characters. No default.

The following are the things that can affect the Network and Application Performance

1. Bandwidth

2. Latency

3. Throughput

4. Congestion

5. Packet Loss

The Fortinet Firewall is capable of dealing with all of them by using WAN Optimization Technique:

1. Protocol Optimization

2. Byte Caching

3. Web Caching

4. Transparent proxy

1. Protocol Optimization

It’s an application technique to improve performance of HTTP, CIFS, FTP, MAPI and TCP protocol traffic.

I guess you know all of them except CIFS. This is a common internet file system protocol – provides file access, recoring, change notification etc

2. Byte Caching

The Fortigate Firewall can break large unts of application data into small chunks of data, labeling each with a hash, and  stores the chunks and has in a dictionary file. It assigns token to it and the it sends the dictionary to the other Fortigates.

If  chunks and hash are recognized it sends the token (the dictionary must be the same on both of the sides).

3. Web Caching

This technique is also known as HTTP proxying. It stores the HTLM pages, images and more on the local HDD.

There are 3 modes of Web caching:

a. Non-transparent forward proxy caching

b. Transparent forward proxy caching – if you use this, please keep in mind that the Fortigate must be placed near the network gateways

c. Transparent reverse proxy caching – this is a method to reduce the load on a busy web server by using a web cache server between the server and the Internet.

4. Transparent proxy

The users are not ware of the Fortigate. The clients communicate to the server the same way as without the WAN optimization;  the WAN optimization is compatible with Identify-Based firewall policies also

Keep in mind that all the firewall policies are applied before the WAN optimization policies/rules are applied. So if you block the traffic, it will not get optimized of course

There 2 types of WAN optimization rules:

1. Active-Passive Mode

2. Peer-to-peer Mode

1. Active Passive Mode

The Fortigat Firewall on both ends of the WAN optimization tunnel operate in a kind of client server configuration. The sessions are originated on the client Fortigate and are terminated on the passive Fortigate firewall.

The remote peer uses auto-detection through TCP option as a discovery mechanism to locate any peers on the path to the server.

2. Peer-to-Peer Mode

In this mode, both peers have peer lists that includes names and IP addresses of the Fortigate devices. Both Fortinet firewalls should have matching rules.

General HINTS about Fortigate Firewall WAN Optimization 

1. Keep in mind that Peer-to-Peer WAN optimization tunnels use port 7810. So if you have another firewall in front, do not forget to OPEN that port.

2. Only one protocol can be selected in a WAN optimization rule. So you have one rule for each protocol. Example: Rule 1 for HTTP traffic.

3. Firewall traffic shaping (Quality of Service)  is compatible only with client/server(active-passive) transparent mode. For rest of the modes, the optimization techniques are ignored.

4. Of the firewall policy includes a thread management profile, the packet is processed by the profile and not by WAN optimization. To apply WAN optimization to traffic that is accepted by a firewall policy containing a thread management profile, multiple firewall units or multiple Fortigate VDOM must be used; to do this you must apply the the thread management profile in the first FG unit or VDOM and apply WAN optimization in the second Fortigate unit or VDOM.

5. SSL is also capable of being optimized by using the Web Caching optimization techniques. The Fortinet firewall caches HTTPs web pages.

6. Fortigate is also capable of WCCP – Web Cache Communication Protocol. You can check this article about Fortigate WCCP.

If you have any questions please let me know.

The firewall is probably the best known security appliance. By definition firewall is a system or a group of systems which implements access policy between two or more networks.

Firewalls can be classified into four main classes:

1. Dedicated firewalls 

2. Routers integrated firewalls

3. Servers integrated firewalls 

4. Personal firewalls 

1. Dedicated firewalls are hosts that runs an operating system designed for packet filtering and addresses translation. We can exemplify PIX systems or Checkpoint. These systems are capable of sustaining a large number of connections but routing facilities are extremely limited. For a simple network , firewall can be used as a router. For more complex networks is necessary a router.

2. Firewalls integrated into routers are used to remove the previous insufficiency. This class can not sustain the same number of connections, but it does better in more complex topologies, where you need the facilities of a router. Many products provide routers integrated firewall facilities, from firewall modules for high-end routers, to extremely compact dedicated for use in SOHO networks.

3. Server firewalls are implemented as additional software over an operating system (Linux , UNIX , NT , Win2k ). As an example we mention Netfilter , Microsoft ISA Server, Novel Border Manager. These examples are comparable as features and performance with firewalls built into medium routers.

4. Personal firewalls are installed on personal computers. They are designed to prevent attacks on the computer that runs only. It is important to remember that these types of firewalls are not optimized for the entire networks of computers. The main mechanisms that ensure the protection of network firewalls are packet filtering and address translation.

Packet filtering

Packet Filtering is the process by which only particular packs are routed from one network to another based on some rules. Packet filtering operates in a traditional way with information from levels OSI 3 and 4.

Filtering rules are formed from a part which identifies the package and a part which specifies how to treat that specific package. On the identification part, can be specified source address , destination address , network source address and destination network adress , protocol (TCP, UDP , ICMP) , source or destination port (only for TCP or UDP), type of message (for ICMP), input or output interface and even level 2 addresses.

Identification of package can be done with any written information in the packet header, at level OSI 3 or 4 or even 2 , depends on implementation. The handling part of the package specifies what can be done with a package selected by a rule.

For filtration there is usually three handling options : ignore accept or reject. Accept means that the package is allowed to pass. On ignore option the package is not allowed and no notice is sent to source. Finaly,on reject option the package is not allowed but sends a notification to the source.

IPtables utility

Iptables is the tool with which you can set policies and rules for packet filtering and address translation for Linux . This is part of Netfilter which implements in Linux package filtering and addresses translation.

On IPTables a rule has two parts :

- a part which identifies the packages

- a part that shows how to treat the packages (the target)

Processing of rules is done sequential starting with the first one. If for a package that traverses the system the rule is valid the action is executed associated to the target otherwise proceed to the next rule. If have exhausted all the rules from the user-defined chain or if the target is return continue analyzing the rules of the previous chain. If have exhausted all the rules from a predefined chain , execute the implicitly associated action of the chain. The package can be identified from source address , destination address , package type , port (TCP , UDP ) or the type message (ICMP), if there’s a fragment from the package, if there is a package that initiates an action(TCP).

Chains are rules sets which can determinate what action must be taken on a package.For each of the tables set there default chains (input , output , forward , prerounting, postrouting) provides a distributed structure of rules. Predefined chains does not only features a table. Tables share one or many chains. For example , chain “output” belongs to “filter” and also ” nat” , same as “input” belongs to “filter” and also “mangle”. When a package arrives to a station which implements this kind of policy decisions must be taken on it being performed each chain analysis mentioned above.

Hope this helped you understand better the concept of the firewall.

Routing Protocols

Fortigate is capable of many routing Protocols:

1. Static Routes (not really a routing protocol )

2. BGP

3. RIP

4. OSPF

The Fortigate Firewall has also a Routing table 1that displays all the learned routes and also a FIB table. You might know about FIB from the Cisco CEF.

Routing Features: 

FIB 

The FIB contains all local and non-local routes that are known to the Device. It is populated by the routing table and in the High-Availability mode FIB is replicated among the clusters, but only the Master builds up the FIB, based on the routing table.

Reverse Path Forwarding (RPF)

This is used for anti-spoofing protection. You can find more about Reverse Path Forwarding here.

Bidirectional Forwarding Detection (BFD)

This is used to deal with dynamic routing protocols problems, of not having a fine granularity for detecting device failures on the network and re-routing around those failures. This works like the “hellos” of the OSPF routing protocol, but it actually connects to the router.

Default Administrative Distances for Fortigate:

1. The Fortigate Firewall assigns an AD of “20″ to EBGP routes.

2. Static Routes have an AD of  “10″

3. Connected Routes have an AD of “0″

4. When you configure the BGP protocol a default route-map is created to make the AS non-tranzit (cool feature)

If you have any questions please ask.

1. Conserve Mode

This problem happens when the memory shared mode goes over 80%.
To exit this conserve mode you have to wait (or kill some  of the processes) until the memory goes under 70%.

2. Antivirus FailOpen

This is a safeguard feature that determines the behavior of the Fortigate AntiVirus System, when it becomes overloaded with high traffic.

To mitigate this you have more type of options:

#set av-failopen { off | on-shot | pass | idledrop}

Below we will describe what all of them do:

a. Off – if the FG enters conserve mode, the Fortigate will stop accepting new AV sessions, but will continue to process currently active sessions

b. One-shot – if the FG enters conserve mode, all new connections will bypass the AV system, but currently sessions will continue to be processed. This is the same as the “pass” option, but it will NOT turn off once the condition causing the av-failopen has stopped

c. Idle-drop – will drop connection based on the clients that has the most opened connection

d. pass – this is the default option

Please keep in mind that with one-shot and pass option, NO content filtering of the traffic is done. The data stream could contain malicious content.

Below are some commands to troubleshoot when the system enters conserve mode:

Check if the system is in Conserve Mode:

Fortigate # diag hardware sysinfo shm
SHM counter: 67
SHM allocated: 1556480
SHM total: 101220352
conservemode: 0 <--This should be one, if the system is in conserve mode
shm last entered: n/a
system last entered: n/a
SHM FS total: 106827776
SHM FS free: 105205760
SHM FS avail: 105205760
SHM FS alloc: 1622016

Check if there are errors on the interfaces:

#diag hardware deviceinfo nic <interface>

Show if you have any errors on the Internal interface:

Fortigate# diag hardware deviceinfo nic internal
Description ip175c-vdev
Part_Number N/A
Driver_Name ip175c
Driver_Version 1.01
System_Device_Name internal
Current_HWaddr 00:09:0f:54:b7:2e
Permanent_HWaddr 00:09:0f:54:b7:2e
Link up
Speed 100
Duplex full
State up (0x00001303)
MTU_Size 1500
Rx_Packets 63254215
Tx_Packets 58173946
Rx_Bytes 3057592732
Tx_Bytes 481440010
Rx_Errors 0
Tx_Errors 0
Rx_Dropped 0
Tx_Dropped 0
Multicast 0
Collisions 0
Rx_Length_Errors 0
Rx_Over_Errors 0
Rx_CRC_Errors 0
Rx_Frame_Errors 0
Rx_FIFO_Errors 0
Rx_Missed_Errors 0
Tx_Aborted_Errors 0
Tx_Carrier_Errors 0
Tx_FIFO_Errors 0
Tx_Heartbeat_Errors 0
Tx_Window_Errors 0

Restart any application:

#diag test application <application> <options>

 To restart the IPS engine us the following commands:

#diag test application ipsengine 99

The 99 at the end, tells the Fortigate to restart the process.

Waiting for comments if you have any other suggestions.