What is conserve mode on FortiGates?
Sounds interesting, right? Let's explore.
Conserve mode on FortiGate firewalls is a safety mechanism that takes effect when local memory consumption becomes critically high. Availability is an equally important facet of security. So the idea here is to avoid potential device-level crashes and maintain stability by reducing functionality (and freeing up memory).
Like any compute resource, a firewall has a finite amount of memory. FortiOS continuously monitors memory use against a set of consumption thresholds, and once a threshold is reached, specific actions take place. Here's a breakdown of the thresholds:
- Red Threshold (default 88% memory consumption) - As soon as memory consumption reaches 88%, the FortiGate enters conserve mode. The specific actions that take place depend on what admins have configured (e.g. the proxy-based AV fail-open behaviour set by av-failopen, the IPS engine failing open via the IPS fail-open setting, etc).
- Extreme Threshold (default 95% memory consumption) - If memory consumption reaches 95%, the FortiGate goes one step further: new sessions are dropped.
- Green Threshold (default 82% memory consumption) - This is the marker the FortiGate uses to decide when to leave conserve mode. Memory consumption fluctuates, and constantly flapping between states would be worse than staying in conserve mode a little longer. Once in conserve mode, the gap between the green and red thresholds (82% vs 88%) means usage has to drop well below the entry point before the firewall considers the memory issue resolved.
All three thresholds are configurable via the CLI:
config system global
set memory-use-threshold-extreme <integer>
set memory-use-threshold-green <integer>
set memory-use-threshold-red <integer>
end
The integer is the threshold as a percentage of total memory (between 70 and 97), and the three values must be ordered green < red < extreme for the hysteresis described above to work. To see the active thresholds and whether the unit is currently in conserve mode, run diagnose hardware sysinfo conserve.
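To make the three-threshold behaviour concrete, here is an added example (not code from the original post, nor anything shipped by Fortinet) that models conserve mode as a small state machine in Python. It validates a set of thresholds against the 70-97 range and the green < red < extreme ordering, renders the matching config system global block, and then walks a constructed series of memory samples through the state machine, once with the green hysteresis threshold and once without it, so the flapping the green threshold prevents is visible. The comparison operators (enter on "reaches", i.e. >=, leave on "drops below", i.e. <) are an assumption made for the model, as are the sample values.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import List


class State(Enum):
    NORMAL = "normal"
    CONSERVE = "conserve"  # red reached: configured fail-open actions apply
    EXTREME = "extreme"    # extreme reached: new sessions are dropped


def validate_thresholds(green: int, red: int, extreme: int) -> List[str]:
    """Return a list of problems with the thresholds (empty list means valid)."""
    problems = []
    for name, value in (("green", green), ("red", red), ("extreme", extreme)):
        if not 70 <= value <= 97:
            problems.append(f"{name} threshold {value} is outside the 70-97 range")
    if not green < red < extreme:
        problems.append("thresholds must be ordered green < red < extreme")
    return problems


@dataclass(frozen=True)
class Thresholds:
    """FortiOS defaults; all three are percentages of total memory."""
    green: int = 82
    red: int = 88
    extreme: int = 95

    def __post_init__(self) -> None:
        problems = validate_thresholds(self.green, self.red, self.extreme)
        if problems:
            raise ValueError("; ".join(problems))

    def to_cli(self) -> str:
        """Render the FortiOS CLI block that would apply these thresholds."""
        return (
            "config system global\n"
            f"    set memory-use-threshold-extreme {self.extreme}\n"
            f"    set memory-use-threshold-green {self.green}\n"
            f"    set memory-use-threshold-red {self.red}\n"
            "end"
        )


def next_state(state: State, mem_pct: int, t: Thresholds, hysteresis: bool = True) -> State:
    """Compute the state after one memory sample.

    Entering: reaching red (>=) enters conserve mode, reaching extreme (>=) escalates.
    Leaving: with hysteresis (the real behaviour) conserve mode is only left once usage
    drops below green; without it (for comparison only) it is left as soon as usage
    drops below red. Assumption: "reaches" is modelled as >= and "drops below" as <.
    """
    if mem_pct >= t.extreme:
        return State.EXTREME
    if mem_pct >= t.red:
        return State.CONSERVE
    if state is State.NORMAL:
        return State.NORMAL
    exit_below = t.green if hysteresis else t.red
    return State.NORMAL if mem_pct < exit_below else State.CONSERVE


def simulate(samples: List[int], t: Thresholds, hysteresis: bool = True) -> List[State]:
    """Run a sequence of memory-usage samples through the state machine from NORMAL."""
    state = State.NORMAL
    trace = []
    for mem in samples:
        state = next_state(state, mem, t, hysteresis)
        trace.append(state)
    return trace


def transitions(trace: List[State]) -> int:
    """Count state changes, starting from NORMAL (a measure of flapping)."""
    prev = State.NORMAL
    changes = 0
    for state in trace:
        if state is not prev:
            changes += 1
        prev = state
    return changes


if __name__ == "__main__":
    t = Thresholds()
    print(t.to_cli())
    # Constructed samples hovering around the red threshold, then recovering.
    samples = [87, 88, 87, 88, 87, 80]
    for label, hyst in (("with green hysteresis", True), ("without hysteresis", False)):
        trace = simulate(samples, t, hyst)
        print(label, [s.value for s in trace], "transitions:", transitions(trace))
```

With the defaults, a trace that oscillates between 87% and 88% stays in conserve mode until usage drops below 82%, giving two transitions, whereas the naive model that exits as soon as usage is under 88% flaps four times on the same samples.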
For more information, check out these resources:
