By default, FortiOS will spawn as many IPS , WAD, AV and SSL-VPN processes as CPU cores available on a device. Since each process is consuming memory, and a memory size on an entry level firewall ( Fortigate 30-90e models , also F models ) is very limited, these processes can consume enough available memory to force Fortigate firewall in conserve mode due to a high memory usage.
We have observed this happening on firewalls running 6.4, 7.0 and 7.2 firmware.
The only workaround we were able to find is to limit amount of processes spawned by IPS , WAD and SSL-VPN engines
In a CLI prompt, run following commands
config system global set miglogd-children 1 set sslvpn-max-worker-count 2 set wad-worker-count 2 set scanunit-count 2 end config ips global set engine-count 2 end
This will force FortiOS to lower number of processes for scan engines and you should see firewall going to a normal mode is a few minutes.
Please note that in HA cluster, you will need to run these commands on both primary and secondary device, since these settings are not replicated between cluster members.
This article is based on information from this Fortinet’s Knoweledge article .