Troubleshooting high CPU usage

Connection-related problems may occur when FortiGate's CPU resources are over extended. This occurs when you deploy too many FortiOS features at the same time.

Examples of CPU intensive features:
  • VPN high-level encryption
  • Intensive scanning of all traffic
  • Logging all traffic and packets
  • Dashboard widgets that frequently perform data updates

For information on customizing the CPU use threshold, see Execute a CLI script based on CPU and memory thresholds.

Determining the current level of CPU usage

You can view CPU usage levels in the GUI or CLI. For precise usage values for both overall usage and specific processes, use the CLI.

To view CPU usage in the GUI:

Go to Dashboard > Status. Real-time CPU usage information is located in the CPU widget.

To view CPU usage in the CLI:
  • Show top processes information:

    diagnose sys top

  • Show top threads information:

    diagnose sys top-all

Sample output:

Run Time: 86 days, 0 hours and 10 minutes

0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 3040T, 2437F

bcm.user 93 S < 3.1 0.4

httpsd 18922 S 1.5 0.5

httpsd 19150 S 0.3 0.5

newcli 20195 R 0.1 0.1

cmdbsvr 115 S 0.0 0.8

pyfcgid 20107 S 0.0 0.6

forticron 146 S 0.0 0.5

httpsd 139 S 0.0 0.5

cw_acd 166 S 0.0 0.5

miglogd 136 S 0.0 0.5

pyfcgid 20110 S 0.0 0.4

pyfcgid 20111 S 0.0 0.4

pyfcgid 20109 S 0.0 0.4

httpsd 20192 S 0.0 0.4

miglogd 174 S 0.0 0.4

miglogd 175 S 0.0 0.4

fgfmd 165 S 0.0 0.3

newcli 20191 S 0.0 0.3

initXXXXXXXXXXX 1 S 0.0 0.3

httpsd 184 s 0.0 0.3

The following table explains the codes in the second line of the output:

Code

Description

U

Percentage of user space applications that are currently using the CPU

N

Percentage of time that the CPU spent on low priority processes since the last shutdown

S

Percentage of system processes (or kernel processes) that are using the CPU

I

Percentage of idle CPU resources

WA

Percentage of time that the CPU spent waiting on IO peripherals since the last shutdown

HI

Percentage of time that the CPU spent handling hardware interrupt routines since the last shutdown

SI

Percentage of time that the CPU spent handling software interrupt routines since the last shutdown

ST

Steal time: Percentage of time a virtual CPU waits for the physical CPU when the hypervisor is servicing another virtual processor

T

Total FortiOS system memory in MB

F

Free memory in MB

Each additional line of the command output displays information specific to processes or threads that are running on the FortiGate unit. For example, the sixth line of the output is: newcli 20195 R 0.1 0.1

The following table describes the data in the sixth line of the output:

Item

Description

newcli

The process (or thread) name.

Duplicate process or thread names indicate that separate instances of that process or thread are running.

20195

The process or thread ID, which can be any number.

R

Current state of the process or thread. The process or thread state can be:
  • R - running
  • S - sleep
  • Z - zombie
  • D- disk sleep

0.1

The percentage of CPU capacity that the process or thread is using.

CPU usage can range from 0.0 for a process or thread that is sleeping to higher values for a process or thread that's taking a lot of CPU time.

0.1

The amount of memory that the process or thread is using.

Memory usage can range from 0.1 to 5.5 and higher.

You can use the following single-key commands when running diagnose sys top or diagnose sys top-all:

  • q to quit and return to the normal CLI prompt.
  • p to sort the processes by the amount of CPU that the processes are using.
  • m to sort the processes by the amount of memory that the processes are using.

The output only displays the top processes or threads that are running. For example, if 20 are listed, they are the top 20 currently running, sorted by either CPU or memory usage. You can configure the number of processes or threads displayed, using the following CLI commands:

diagnose sys top <integer_seconds> <integer_maximum_lines>

diagnose sys top-all <integer_seconds> <integer_maximum_lines>

Where:

  • <integer_seconds> is the delay in seconds (default is 5)
  • <integer_maximum_lines> is the maximum number of lines (or processes) to list (default is 20)

Determining which features are using the most CPU resources

You can use the CLI to view the top few processes that are currently running and using the most CPU resources.