Handbook 6.0.0
Conserve mode

Each FortiGate model has a limited amount of memory that is shared by all operations. If all of that memory is in use, system operations can fail in unexpected ways. To control how FortiOS behaves when available memory is very low, FortiOS enters conserve mode. In conserve mode, FortiOS functions such as antivirus scanning change how they operate to reduce functionality and conserve memory; whether that reduction fails open (traffic passes unscanned) or fails closed (traffic is blocked) depends on the conserve mode settings described below.

The FortiOS kernel enters conserve mode when memory use reaches the red threshold (default 88% of memory in use). When the red threshold is reached, FortiOS functions that react to conserve mode, such as the antivirus transparent proxy, apply conserve mode based on the configured conserve mode settings. FortiOS also generates conserve mode log messages and SNMP traps, and a conserve mode banner appears on the GUI. Because a unit in conserve mode may be passing traffic unscanned, these log messages and traps should be alerted on rather than treated as informational.

If memory use reaches the extreme threshold (default 95% of memory in use), new sessions are dropped and the red threshold conserve mode actions continue.

Red or extreme threshold conserve mode actions continue until the memory use reduces to the green threshold (default 82% memory used). At the green threshold, FortiOS returns to normal operation.

You can use the following commands to set the three conserve mode memory thresholds (each value is a percentage of total memory, and the thresholds only make sense in the order green < red < extreme):

config system global
    set memory-use-threshold-extreme <memory-use>
    set memory-use-threshold-red <memory-use>
    set memory-use-threshold-green <memory-use>
end

Antivirus conserve mode effects

You can use the following command to configure how antivirus processing acts when conserve mode is reached:

config system global
    set av-failopen {pass | off | one-shot}
end

What happens when the FortiGate unit enters conserve mode depends on how you have av-failopen configured. There are three options:

off

The off setting forces the FortiGate unit to stop all traffic that is configured for content inspection by Security Profiles features that use the AV proxy. New sessions are not allowed but current sessions continue to be processed normally unless they request more memory. Sessions requesting more memory are terminated.

For example, if a security policy is configured to use antivirus scanning, the traffic it permits is blocked while in conserve mode. A policy with IPS scanning enabled continues as normal. A policy with both IPS and antivirus scanning is blocked because antivirus scanning requires the AV proxy.

Use the off setting when security is more important than a loss of access while the problem is rectified.

pass (default)

The pass setting allows traffic to bypass the AV proxy and continue to its destination. Since the traffic bypasses the proxy, no Security Profiles scanning that requires the AV proxy is performed. Security Profiles scanning that does not require the AV proxy continues normally. This is the default setting, so a FortiGate that has not been explicitly configured otherwise fails open under memory pressure.

Use the pass setting when access is more important than security while the problem is rectified.

one-shot

The one-shot setting is similar to pass in that traffic is allowed when conserve mode is active. The difference is that a system configured for one-shot forces new sessions to bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use of the AV proxy only when the av-failopen setting is changed or the unit is restarted. Because the bypass persists after memory use has recovered, a one-shot unit can run unscanned indefinitely: treat the conserve mode log messages and SNMP traps as a trigger to investigate the memory problem and then deliberately restore scanning by re-setting av-failopen or rebooting.
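The threshold hysteresis (enter at red, drop new sessions at extreme, leave only at green) and the three av-failopen behaviours interact in ways that are easier to see when stepped through. The following is an added example written for this page, not FortiOS code: it models the behaviour the two sections above describe so that a memory-use trace can be replayed offline and the session decisions under each av-failopen setting compared. The class and function names, the memory samples, and the decision labels are all constructed for the example. One modelling choice is an assumption: while conserve mode is active, new sessions are dropped only while memory use is at or above the extreme threshold, and the red actions continue until memory use falls to the green threshold.

```python
"""Model of FortiOS conserve mode thresholds and av-failopen session handling.

Added example, not FortiOS code. Reproduces the behaviour described on this
page: enter conserve mode at the red threshold, drop new sessions at the
extreme threshold, return to normal only at the green threshold, and apply
av-failopen pass / off / one-shot (one-shot latches until the setting is
changed). Memory-use samples in demo() are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Thresholds:
    green: int = 82    # leave conserve mode at or below this (FortiOS default)
    red: int = 88      # enter conserve mode at or above this (default)
    extreme: int = 95  # additionally drop new sessions at or above this (default)

    def __post_init__(self):
        # Values are percentages of total memory; hysteresis requires this ordering.
        if not (0 < self.green < self.red < self.extreme <= 100):
            raise ValueError("thresholds must satisfy 0 < green < red < extreme <= 100")


def thresholds_valid(green: int, red: int, extreme: int) -> bool:
    """True if the three values would be accepted by Thresholds()."""
    try:
        Thresholds(green, red, extreme)
        return True
    except ValueError:
        return False


@dataclass
class ConserveModeModel:
    thresholds: Thresholds = field(default_factory=Thresholds)
    av_failopen: str = "pass"        # FortiOS default
    state: str = "normal"            # normal | red | extreme
    av_proxy_bypassed: bool = False  # the one-shot latch
    events: list = field(default_factory=list)  # stands in for log messages / SNMP traps

    def set_av_failopen(self, mode: str) -> None:
        if mode not in ("pass", "off", "one-shot"):
            raise ValueError(mode)
        self.av_failopen = mode
        self.av_proxy_bypassed = False  # changing the setting clears the one-shot latch

    def observe(self, memory_pct: int) -> str:
        """Feed one memory-use sample (percent) and return the resulting state."""
        t, prev = self.thresholds, self.state
        if prev == "normal":
            if memory_pct >= t.extreme:
                self.state = "extreme"
            elif memory_pct >= t.red:
                self.state = "red"
        elif memory_pct <= t.green:
            self.state = "normal"            # only the green threshold ends conserve mode
        elif memory_pct >= t.extreme:
            self.state = "extreme"
        else:
            self.state = "red"               # assumption: red actions continue, new sessions accepted again
        if prev == "normal" and self.state != "normal":
            self.events.append(("enter conserve mode", memory_pct))
            if self.av_failopen == "one-shot":
                self.av_proxy_bypassed = True  # latches; survives leaving conserve mode
        elif prev != "normal" and self.state == "normal":
            self.events.append(("leave conserve mode", memory_pct))
        return self.state

    def new_session(self, needs_av_proxy: bool) -> str:
        """Decision for a new session under the current state and av-failopen setting."""
        if self.state == "extreme":
            return "dropped"                 # extreme threshold: all new sessions dropped
        if not needs_av_proxy:
            return "allowed-scanned"         # e.g. an IPS-only policy is unaffected
        in_conserve = self.state != "normal"
        if in_conserve and self.av_failopen == "one-shot":
            self.av_proxy_bypassed = True
        if self.av_proxy_bypassed:
            return "allowed-unscanned"       # one-shot: bypass persists after conserve mode ends
        if not in_conserve:
            return "allowed-scanned"
        if self.av_failopen == "off":
            return "blocked"                 # fail closed for AV-proxy traffic
        return "allowed-unscanned"           # pass: fail open


def demo(mode: str) -> list:
    """Replay a constructed memory trace; returns (pct, state, av_decision, non_av_decision)."""
    m = ConserveModeModel(av_failopen=mode)
    trace = []
    for pct in (70, 86, 88, 90, 96, 90, 84, 82, 75):  # constructed samples
        m.observe(pct)
        trace.append((pct, m.state, m.new_session(True), m.new_session(False)))
    return trace


if __name__ == "__main__":
    for mode in ("pass", "off", "one-shot"):
        print(mode, demo(mode))
```

Replaying the same trace under each setting shows the practical difference: with pass and off, scanning resumes as soon as memory use falls to the green threshold, whereas with one-shot the AV-proxy sessions stay unscanned at 82% and 75% until set_av_failopen() is called, which is the page's "only when the av-failopen setting is changed or the unit is restarted".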
