Fortigate High CPU ipsengine

Products

Fortigate 60D, Fortigate VM00

Description

This article explains how to resolve the issue of High CPU utilization by the ipsengine process without restarting the Fortigate.

I have also listed some recommended settings to help improve CPU usage on a physical device or VM.

Solution

Use the following CLI commands to diagnose CPU performance issues.

Use Get System Performance Status to print the current CPU, memory and network statistics:
get system performance status

CPU states: 7% user 2% system 0% nice 91% idle
CPU0 states: 7% user 2% system 0% nice 91% idle
Memory: 1882952k total, 501368k used (26.6%), 1366512k free (72.6%), 15072k freeable (0.8%)
Average network usage: 171 / 342 kbps in 1 minute, 744 / 702 kbps in 10 minutes, 548 / 490 kbps in 30 minutes
Average sessions: 234 sessions in 1 minute, 243 sessions in 10 minutes, 252 sessions in 30 minutes
Average session setup rate: 1 sessions per second in last 1 minute, 1 sessions per second in last 10 minutes, 0 sessions per second in last 30 minutes
Average NPU sessions: 35 sessions in last 1 minute, 31 sessions in last 10 minutes, 26 sessions in last 30 minutes
Virus caught: 0 total in 1 minute
IPS attacks blocked: 0 total in 1 minute
Uptime: 7 days, 18 hours, 44 minute

Use Diagnose System Top to view the top processes at that instant:
diag sys top

Use Get System Performance Top to keep refreshing this view until Ctrl-C is entered:
get sys perf top

If ipsengine is using a high amount of CPU but there are no IPv4 policies enabled, it is OK to shut the process down using diag test application ipsmonitor 98.

If you are using IPv4 policies, run diag test application ipsmonitor 99 instead to restart all IPS engines and monitor them.

IPS Engine Test Usage:

97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor

Use diagnose test application ipsmonitor to view all options:
diag test application ipsmonitor

Use diag test application ipsmonitor 98 to stop all IPS engines:
diag test app ipsmonitor 98

Use diag test application ipsmonitor 99 to restart all IPS engines:
diag test app ipsmonitor 99

Also consider tuning the session timers below (these are not the defaults; they are recommended values):

config system global
set tcp-halfclose-timer 30
set tcp-halfopen-timer 30
set tcp-timewait-timer 0
set udp-idle-timer 60
end

The techniques above will help optimize the performance of the device.
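As an added example (not part of the original article or Fortinet's own tooling), the following Python parses the get system performance status output shown above, flags a high CPU busy percentage, and checks a config system global fragment against the recommended timer values. The 80% threshold and the function names are assumptions for this example.

```python
import re

# Constructed sample: the `get system performance status` output quoted in the article.
PERF_STATUS = """\
CPU states: 7% user 2% system 0% nice 91% idle
CPU0 states: 7% user 2% system 0% nice 91% idle
Memory: 1882952k total, 501368k used (26.6%), 1366512k free (72.6%), 15072k freeable (0.8%)
Average sessions: 234 sessions in 1 minute, 243 sessions in 10 minutes, 252 sessions in 30 minutes
Uptime: 7 days, 18 hours, 44 minute
"""

# Recommended (non-default) session timer values from the article.
RECOMMENDED_TIMERS = {
    "tcp-halfclose-timer": 30,
    "tcp-halfopen-timer": 30,
    "tcp-timewait-timer": 0,
    "udp-idle-timer": 60,
}

def parse_perf_status(text):
    """Return overall CPU busy %, memory used % and the 1-minute session count."""
    cpu = re.search(r"^CPU states:.*?(\d+)% idle", text, re.M)
    mem = re.search(r"^Memory:.*?used \(([\d.]+)%\)", text, re.M)
    sess = re.search(r"^Average sessions: (\d+) sessions in 1 minute", text, re.M)
    if not (cpu and mem and sess):
        raise ValueError("unexpected performance status format")
    return {
        "cpu_busy_pct": 100 - int(cpu.group(1)),   # busy = 100 - idle
        "mem_used_pct": float(mem.group(1)),
        "sessions_1m": int(sess.group(1)),
    }

def cpu_is_high(text, threshold=80):
    """True when CPU busy exceeds the threshold (80% is an assumed value)."""
    return parse_perf_status(text)["cpu_busy_pct"] > threshold

def check_timers(config_text):
    """Compare `set <timer> <value>` lines of a `config system global` fragment
    with the recommended values; returns {timer: (configured, recommended)}
    for every timer that is missing or differs."""
    configured = {}
    for name, value in re.findall(r"^\s*set (\S+) (\d+)", config_text, re.M):
        configured[name] = int(value)
    return {t: (configured.get(t), want) for t, want in RECOMMENDED_TIMERS.items()
            if configured.get(t) != want}
```

Feed check_timers the output of show system global to see which of the recommended timers still differ from the running configuration.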