Performance debugging on FortiGate firewalls


While FortiGate firewalls from Fortinet are quite reliable, the occasional bug or strange behaviour can drive you crazy.

From time to time we run into a unit sitting at high CPU usage and/or running short of memory (RAM).

Usually the culprit is either the Intrusion Prevention System (IPS) engine or the sFlow daemon (sflowd). Of course, every such issue should be investigated properly, but as a quick-and-dirty fix the IPS engines can be restarted with:

diagnose test application ipsmonitor 99

or switched off altogether with:

diagnose test application ipsmonitor 98

Keep in mind that option 98 leaves traffic uninspected by IPS until the engines are turned back on with diagnose test application ipsmonitor 97, so treat it as a short-lived troubleshooting step, not as a fix.

Recently one of our FortiGate units sent us an "SOS" notification with the message

Kernel enters memory conserve mode

Ughhh, that sounds serious. The cause was a shortage of RAM: FortiOS enters conserve mode when memory usage crosses the red threshold (88% by default, set by memory-use-threshold-red under config system global) and leaves it only once usage drops back below the green threshold (82% by default). While in conserve mode, the fate of new sessions that need content inspection depends on the av-failopen setting; with the default (pass) they are forwarded without inspection, so a memory problem quietly turns into a security problem. Is 4 GB really not enough for a modern firewall board?

# diagnose sys top
Run Time:  14 days, 18 hours and 4 minutes
7U, 0N, 7S, 74I, 0WA, 0HI, 12SI, 0ST; 3954T, 1990F
          sflowd     8461      S       80.1     10.8

In that output, 3954T and 1990F are total and free memory in MB, the CPU figures are percentages (U user, N nice, S system, I idle, WA iowait, HI hardirq, SI softirq, ST steal), and the process columns are name, PID, state (S sleeping, R running), %CPU and %memory. The sflowd process, eating 80.1% of the CPU, can be calmed down as easily as this:

diagnose sys kill 11 8461

where 11 is the signal number (SIGSEGV) and 8461 is the PID from the top output above. SIGSEGV makes the process crash, FortiOS respawns it with a new PID, and a crash log entry is written that can be read with diagnose debug crashlog read. Always re-check the PID in diagnose sys top right before sending a signal, since PIDs change after every restart. If sFlow export is not actually needed, disabling sampling on the interfaces (set sflow-sampler disable under config system interface) removes the cause rather than the symptom.
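As an added example (not part of the original post, and not a Fortinet tool), the following Python script parses a captured diagnose sys top snapshot like the one above, rates memory usage against the FortiOS conserve-mode bands (82/88/95% are the documented defaults for memory-use-threshold-green/red/extreme; treat them as assumed values if your unit is configured differently), and lists the processes above a CPU or memory threshold together with the matching diagnose sys kill 11 <pid> command for an operator to review. Both sample snapshots are constructed; the script only prints commands and never executes anything on a firewall.

```python
"""Triage helper for FortiOS 'diagnose sys top' snapshots.

Added example, not part of the original post or of FortiOS itself. Parses a
captured snapshot, rates memory usage against the conserve-mode thresholds and
lists resource hogs with a suggested restart command for an operator to review.
"""
import re
from dataclasses import dataclass

# Assumed FortiOS defaults for memory-use-threshold-green/red/extreme (percent of RAM).
GREEN, RED, EXTREME = 82, 88, 95

# Constructed sample modelled on the snapshot in the post (not captured from a live unit).
SAMPLE_TOP = """\
Run Time:  14 days, 18 hours and 4 minutes
7U, 0N, 7S, 74I, 0WA, 0HI, 12SI, 0ST; 3954T, 1990F
          sflowd     8461      S       80.1     10.8
       ipsengine     1287      S        3.2      7.9
         miglogd      255      R        1.0      2.1
          httpsd     3712      S        0.0      1.4
"""

# Constructed sample of a unit that has crossed the red threshold.
SAMPLE_TOP_CONSERVE = """\
Run Time:  2 days, 1 hour and 9 minutes
31U, 0N, 22S, 40I, 0WA, 0HI, 7SI, 0ST; 3954T, 350F
       ipsengine     1287      R       61.4     44.0
          sflowd     9015      S        2.0      5.3
"""

# Summary line: CPU percentages (user, nice, system, idle, iowait, hardirq,
# softirq, steal) followed by total and free memory in MB.
HEADER_RE = re.compile(
    r"(\d+)U, (\d+)N, (\d+)S, (\d+)I, (\d+)WA, (\d+)HI, (\d+)SI, (\d+)ST; (\d+)T, (\d+)F")
# Process line: name, PID, state, %CPU, %memory.
PROC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S)\s+([\d.]+)\s+([\d.]+)\s*$")


@dataclass
class Proc:
    name: str
    pid: int
    state: str
    cpu: float
    mem: float


@dataclass
class Snapshot:
    total_mb: int
    free_mb: int
    idle_pct: int
    softirq_pct: int
    procs: list

    @property
    def used_pct(self) -> float:
        return round(100.0 * (self.total_mb - self.free_mb) / self.total_mb, 1)

    def memory_state(self) -> str:
        """Band the memory usage the way FortiOS conserve mode does."""
        u = self.used_pct
        if u >= EXTREME:
            return "extreme"
        if u >= RED:
            return "conserve"
        if u >= GREEN:
            return "above green"   # conserve mode persists here if already entered
        return "normal"


def parse_top(text: str) -> Snapshot:
    header, procs = None, []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = [int(g) for g in m.groups()]
            continue
        p = PROC_RE.match(line)
        if p:
            procs.append(Proc(p[1], int(p[2]), p[3], float(p[4]), float(p[5])))
    if header is None:
        raise ValueError("no CPU/memory summary line in snapshot")
    return Snapshot(total_mb=header[8], free_mb=header[9],
                    idle_pct=header[3], softirq_pct=header[6], procs=procs)


def hogs(snap: Snapshot, cpu_pct: float = 50.0, mem_pct: float = 20.0) -> list:
    """Processes above either threshold, worst first."""
    return sorted((p for p in snap.procs if p.cpu >= cpu_pct or p.mem >= mem_pct),
                  key=lambda p: (-p.cpu, -p.mem))


def kill_commands(procs) -> list:
    """Restart commands (signal 11 = SIGSEGV, as in the post) for review; nothing is executed."""
    return [f"diagnose sys kill 11 {p.pid}   # {p.name}: {p.cpu}% CPU, {p.mem}% mem" for p in procs]


if __name__ == "__main__":
    for text in (SAMPLE_TOP, SAMPLE_TOP_CONSERVE):
        snap = parse_top(text)
        print(f"memory {snap.used_pct}% used of {snap.total_mb} MB -> {snap.memory_state()}; "
              f"CPU idle {snap.idle_pct}%, softirq {snap.softirq_pct}%")
        for cmd in kill_commands(hogs(snap)):
            print("  " + cmd)
```

Paste the output of diagnose sys top into SAMPLE_TOP (or read it from a file) and the script tells you whether the unit is in a conserve-mode band and which PID the kill command should target; because the PID is taken from the same snapshot you are looking at, it avoids the classic mistake of signalling a PID that has already been recycled after a restart.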

Other useful performance diagnostic commands in FortiOS are:

get system performance status  (CPU, memory, session and uptime summary)
diagnose sys top 2 50  (refresh every 2 seconds, show 50 processes)
diagnose hardware sysinfo memory
diagnose hardware sysinfo shm  (shared memory usage, including whether conserve mode is active)
diagnose firewall statistic show
diagnose sys session stat  (session table statistics)