Almost all security profiles are handle in shared memory. Any time this memory is exhausted or nearly exhausted the unit will go into conserver mode and deactivate certain scan profiles.
You can easy check if your unit is in conserve mode by the following diagnostic command;
diagnostic hardware sysinfo shm | grep conser
You can also review logs , if this event happens it will be recorded as a "critical" event .
Okay to avoid this, we need to understand the following;
- Combinations of AV-profile scanning with proxy/flow mode can cause havoc conserve-mode
- excess traffic and utm-function can cause kernel conserve mode
- it best to be aware of running multiple scan mode flow or proxy
- Limit what fwpolicies have AV-profiles
- Upgrade the unit if it's under-size and if repetitive conserve-mode events happens
So to ensure you don't enter conserver mode you need to reduce logging-to-memory.
Various fortigate-models uses a certain % of the shared-memory or physical-memory thresholds to determine when it goes into conserve-mode . The FTNT support-team can provide you these values upon request.
It's best to optimized the firewall just for the UTM features that you required and disable all other utm and profiles from the firewall-policies.
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=