<

Fortigate Conserve Mode – How to stop it and what it means

The Fortigate Firewall has more diagnostic tools, but you will mostly be faced with the following problems:

1. Conserve Mode

This problem happens when the memory shared mode goes over 80%.
To exit this conserve mode you have to wait (or kill some  of the processes) until the memory goes under 70%.

2. Antivirus FailOpen

This is a safeguard feature that determines the behavior of the Fortigate AntiVirus System, when it becomes overloaded with high traffic.

To mitigate this you have more type of options:

#set av-failopen { off | on-shot | pass | idledrop}

Below we will describe what all of them do:

a. Off – if the FG enters conserve mode, the Fortigate will stop accepting new AV sessions, but will continue to process currently active sessions

b. One-shot – if the FG enters conserve mode, all new connections will bypass the AV system, but currently sessions will continue to be processed. This is the same as the “pass” option, but it will NOT turn off once the condition causing the av-failopen has stopped

c. Idle-drop – will drop connection based on the clients that has the most opened connection

d. pass – this is the default option

Please keep in mind that with one-shot and pass option, NO content filtering of the traffic is done. The data stream could contain malicious content.

Below are some commands to troubleshoot when the system enters conserve mode:

Check if the system is in Conserve Mode:

# diag hardware sysinfo shm
SHM counter: 67
SHM allocated: 1556480
SHM total: 101220352
conservemode: 0 <–This should be one, if the system is in conserve mode
shm last entered: n/a
system last entered: n/a
SHM FS total: 106827776
SHM FS free: 105205760
SHM FS avail: 105205760
SHM FS alloc: 1622016

Check if there are errors on the interfaces:

#diag hardware deviceinfo nic <interface>

Show if you have any errors on the Internal interface:

#diag hardware deviceinfo nic internal
Description ip175c-vdev
Part_Number N/A
Driver_Name ip175c
Driver_Version 1.01
System_Device_Name internal
Current_HWaddr 00:09:0f:54:b7:2e
Permanent_HWaddr 00:09:0f:54:b7:2e
Link up
Speed 100
Duplex full
State up (0x00001303)
MTU_Size 1500
Rx_Packets 63254215
Tx_Packets 58173946
Rx_Bytes 3057592732
Tx_Bytes 481440010
Rx_Errors 0
Tx_Errors 0
Rx_Dropped 0
Tx_Dropped 0
Multicast 0
Collisions 0
Rx_Length_Errors 0
Rx_Over_Errors 0
Rx_CRC_Errors 0
Rx_Frame_Errors 0
Rx_FIFO_Errors 0
Rx_Missed_Errors 0
Tx_Aborted_Errors 0
Tx_Carrier_Errors 0
Tx_FIFO_Errors 0
Tx_Heartbeat_Errors 0
Tx_Window_Errors 0

Restart any application:

#diag test application <application> <options>

 To restart the IPS engine us the following commands:

#diag test application ipsengine 99

The 99 at the end, tells the Fortigate to restart the process.

Waiting for comments if you have any other suggestions.

You can skip to the end and leave a response. Pinging is currently not allowed.

7 Responses to “Fortigate Conserve Mode – How to stop it and what it means”

  1. Rajendra says:

    What is exact meaning of Conserve Mode?

  2. admin says:

    Well it basically means that the Fortigate cannot scan the traffic for Virus/Exploits etc (due to a high cpu or memory usage). You also cannot perform any modifications.

  3. Shinu says:

    One of my firewall is in conserve mode and showing memory utilization is 90%.

    How can I resolve this….?

    Please help.

  4. fitful says:

    Hello Daniel,
    My firewall is in conservemode: 2 – What exactly means 2?
    Thanks

  5. Latanya says:

    I quite like looking through an article that will make men and women think.
    Also, many thanks for allowing for me to comment!

    Feel free to surf to my blog … website (Latanya)

  6. Alex says:

    I’m trying to figure out why I keep getting the following two events:
    “IPS session scan, enter fail open mode”
    “IPS session scan resumed, exit fail open mode”

    This issue happens throughout the day and I’m not sure what is causing this.

  7. LADISLAS says:

    Hi ,The only issue for returning in standart mode is to reboot .
    It’s for a virtuel fortigate VM00 v5.4.3,build1111

Leave a Reply