Helpful ReplyHot!60F high mem

Page: 12 > Showing page 1 of 2
Author
micahawitt
Silver Member
  • Total Posts : 96
  • Scores: 2
  • Reward points: 0
  • Joined: 2013/05/07 10:33:51
  • Status: offline
2019/12/31 08:38:35 (permalink)
0

60F high mem

Hey All,
 
Just got a 60f and putting it through the paces.  I am noticing high mem around 60% and if np does anything basically goes to conserve mode and need to reboot.  Scoured cookbook and other googles and cant seem to find a good NPU best practice. 
 
Wondering if anyone else has played with this at all.  Using at home, about 10 policies, 2 of which do actual filtering.  
 
Just wondering thoughts.
#1
Toshi Esumi
Expert Member
  • Total Posts : 2177
  • Scores: 213
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: 60F high mem 2019/12/31 09:34:56 (permalink)
0
What process(es) seems to be taking up the memory most? "diag sys top 5 20" then "Shift-M".
Since it's a brand-new product with a new SOC4 chip, I would open a ticket with TAC right away.
#2
James_G
Gold Member
  • Total Posts : 235
  • Scores: 9
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
Re: 60F high mem 2019/12/31 15:37:11 (permalink)
0
Fortios version?
#3
James_G
Gold Member
  • Total Posts : 235
  • Scores: 9
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
Re: 60F high mem 2019/12/31 18:05:14 (permalink)
0
Ps interested how this plays out due to a comment I heard about soc4 not having a real NP, and was somehow software based / emulated. Could NP usage affect memory usage?????
#4
tanr
Platinum Member
  • Total Posts : 802
  • Scores: 36
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: 60F high mem 2019/12/31 21:50:45 (permalink)
0
Are you on 6.2.2 and using proxy mode instead of flow? Lot of perf/memory bugs that were reported fixed in 6.2.3, many of which were WAD process, so flow mode might be a temp workaround.

As others mentioned, we’re just guessing without a FortiOS version and diag says top.
#5
James_G
Gold Member
  • Total Posts : 235
  • Scores: 9
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
Re: 60F high mem 2020/01/01 04:26:15 (permalink)
0
Or, if this is a new implementation and the issues are that bad, try 6.0.8

Warning, it will require manual reconfig from scratch
#6
micahawitt
Silver Member
  • Total Posts : 96
  • Scores: 2
  • Reward points: 0
  • Joined: 2013/05/07 10:33:51
  • Status: offline
Re: 60F high mem 2020/01/01 07:22:56 (permalink)
0
Running 6.2.2.  This is my attempt at coming back to Fortinet from the 5 days.
 
I will be calling TAC to get some info, but just to try an answer some of the questions here...
 
Which part would be proxy vs flow, looking through my list i didn't see anything glaring sticking out.
Also looking through cookbook to see if i can just turn off the NPU, right now it seems to be the app control that really pushes it over.
 
WIth the setup the only filtering on is web/av/dns
 
#7
micahawitt
Silver Member
  • Total Posts : 96
  • Scores: 2
  • Reward points: 0
  • Joined: 2013/05/07 10:33:51
  • Status: offline
Re: 60F high mem 2020/01/01 07:24:43 (permalink)
0
Run Time: 1 days, 2 hours and 3 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1819T, 303F
ipshelper 188 S < 0.0 16.9
ipsengine 255 S < 0.1 5.3
httpsd 4721 S 0.0 5.3
ipsengine 253 S < 0.0 5.3
ipsengine 256 S < 0.0 5.2
ipsengine 254 S < 0.1 5.2
cmdbsvr 128 S 0.0 2.3
scanunitd 6590 S < 0.0 1.9
pyfcgid 4455 S 0.0 1.9
pyfcgid 4454 S 0.0 1.9
pyfcgid 4451 S 0.0 1.8
scanunitd 175 S < 0.0 1.8
scanunitd 6592 S < 0.0 1.8
scanunitd 6587 S < 0.0 1.8
scanunitd 6588 S < 0.0 1.7
scanunitd 6589 S < 0.0 1.7
scanunitd 6591 S < 0.0 1.7
scanunitd 6593 S < 0.0 1.7
scanunitd 6594 S < 0.0 1.7
httpsd 4725 S 1.3 1.5
Run Time: 1 days, 2 hours and 3 minutes
0U, 0N, 0S, 100I, 0WA, 0HI, 0SI, 0ST; 1819T, 303F
ipshelper 188 S < 0.0 16.9
ipsengine 255 S < 0.1 5.3
httpsd 4721 S 0.0 5.3
ipsengine 253 S < 0.0 5.3
ipsengine 256 S < 0.0 5.2
ipsengine 254 S < 0.1 5.2
cmdbsvr 128 S 0.0 2.3
scanunitd 6590 S < 0.0 1.9
pyfcgid 4455 S 0.0 1.9
pyfcgid 4454 S 0.0 1.9
pyfcgid 4451 S 0.0 1.8
scanunitd 175 S < 0.0 1.8
scanunitd 6592 S < 0.0 1.8
scanunitd 6587 S < 0.0 1.8
scanunitd 6588 S < 0.0 1.7
scanunitd 6589 S < 0.0 1.7
scanunitd 6591 S < 0.0 1.7
scanunitd 6593 S < 0.0 1.7
scanunitd 6594 S < 0.0 1.7
httpsd 4725 S 0.9 1.5
post edited by micahawitt - 2020/01/01 07:28:30
#8
micahawitt
Silver Member
  • Total Posts : 96
  • Scores: 2
  • Reward points: 0
  • Joined: 2013/05/07 10:33:51
  • Status: offline
Re: 60F high mem 2020/01/01 07:37:09 (permalink)
0
restarting the engine took me from 75% down to 63%
#9
simonorch
Gold Member
  • Total Posts : 334
  • Scores: 14
  • Reward points: 0
  • Joined: 2009/06/05 00:05:08
  • Location: Norway
  • Status: offline
Re: 60F high mem 2020/01/01 23:51:04 (permalink)
0
I also have a 60F running 6.2.2 the last 6 weeks or so, with a couple of fortiswitches and and ap. got a mix of rules including a couple with AV, webfiltering etc. in proxy mode, no deep ssl inspection though. During that time i've had to reboot the box once due to a suspected problem with fortilink, it hadn't gone to conserve though.
6.2.3 isn't out yet for the SOC4 models.

NSE8
Fortinet Expert partner - Norway
#10
micahawitt
Silver Member
  • Total Posts : 96
  • Scores: 2
  • Reward points: 0
  • Joined: 2013/05/07 10:33:51
  • Status: offline
Re: 60F high mem 2020/01/02 10:39:00 (permalink)
0
@simonarch whats your mem % at with that?  I have noticed the app filtering is really killing me.  
 
Which, i have to say, one of the main reasons i got his is for the filtering capabilities, and the upgraded hardware/throughput on these.  Such a shame seemingly that one policy can push this thing over the edge. 
#11
simonorch
Gold Member
  • Total Posts : 334
  • Scores: 14
  • Reward points: 0
  • Joined: 2009/06/05 00:05:08
  • Location: Norway
  • Status: offline
Re: 60F high mem 2020/01/02 11:44:49 (permalink)
0
With proxy mode enabled on the main general internet policy with a maximum of 20Mbps throughput as that's the limit of the connection i'm at a steady 73%, in flow mode it's about 71%

NSE8
Fortinet Expert partner - Norway
#12
robertp
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/16 18:25:36
  • Status: offline
Re: 60F high mem 2020/03/09 19:40:44 (permalink)
0
It appears to be an issue with the 40F 60F and 100F given they share the same ASIC, try 6.0.8
 
I've had one ticket open for over a month now with bug confirmed but there is no guarantee of when it will be fixed, understand this is an architecture issue?
#13
Alivo_ FTNT
Expert Member
  • Total Posts : 94
  • Scores: 46
  • Reward points: 0
  • Joined: 2013/04/30 12:42:47
  • Location: Fortinet TAC Prague
  • Status: offline
Re: 60F high mem 2020/03/10 02:44:58 (permalink)
0
Hello,
Question is what is your expectation - what the percentage of memory usage should be?
FortiOS buffers and caches some data that are cleared when RAM is needed for something more
important. 60-70% right after device's start does not mean any issue at all.
 
Best Regards,
Alivo
 
#14
robertp
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/02/16 18:25:36
  • Status: offline
Re: 60F high mem 2020/03/10 03:23:38 (permalink)
0
I expect it not to go into conserve mode daily, I expect it not to use that much RAM it causes site to site VPN tunnels to drop. I expect it not to affect other system services. Buffers and cache are great.
#15
Alivo_ FTNT
Expert Member
  • Total Posts : 94
  • Scores: 46
  • Reward points: 0
  • Joined: 2013/04/30 12:42:47
  • Location: Fortinet TAC Prague
  • Status: offline
Re: 60F high mem 2020/03/10 06:27:38 (permalink)
0
Hello Robert P.
I was referring to OP's original query.
Alivo
 
 
#16
paulo.borchardt
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/10/23 06:37:00
  • Status: offline
Re: 60F high mem 2020/03/10 11:06:44 (permalink)
0
I have the same problem. However with 6.2.3 memory usage dropped to 58% compared to 6.2.2 with 76% usage.
Support gave me some settings for IPS, to reduce the use of memory. In my case it is the IPS that is sucking the memory.
 
global ips config
set cp-accel-mode basic
regular set database
end
 
And disable the log for memory:
 
config log memory setting
set status disable
end
#17
muhkida
Bronze Member
  • Total Posts : 27
  • Scores: 5
  • Reward points: 0
  • Status: offline
Re: 60F high mem 2020/07/27 11:04:26 (permalink)
0
I am also VERY disappointed in the performance of the FGT-60F.  Replaced a FGT-80D v5.6.11(build3955) running IPS/App.Control and WCF/AV/DLP (proxy-mode) with a FGT-60F v6.0.10 and we are seeing basically the exact same throughput (80Mbps/20Mbps) as the FGT-80D with much higher memory utilization (65 - 72% compared to 54 - 60% with the 80D).  A large majority of the memory utilization are the IPS engine daemon(s). This device does not have any ingress policies, just a small office with all outbound traffic. 
 
Tried stopping/restarting the engines via ipsmonitor to no avail. 
 
Bypassed all UTM inspection (except for botnet and IPS on the internal/external interface-policies) and still saw very little improvement in throughput, if any at all. 
 
Next step is to switch the entire device to flow-mode just to see what types of throughput it is capable of albeit losing some WCF/AV/DLP functionality.
 
This is very frustrating as this customer would have upgraded to a larger device like a 100 or 200E had Fortinet not published such unrealistic throughput specs on the 60F datasheet, it looked like a clear winner compared to the datasheet for the 80D:
 
80D - 210Mbps NGFW // 190 Mbps Threat Protection
60F - 1Gbps NGFW // 700 Mbps Threat Protection
#18
brycemd
Silver Member
  • Total Posts : 105
  • Scores: 6
  • Reward points: 0
  • Joined: 2016/12/03 11:24:30
  • Status: online
Re: 60F high mem 2020/07/27 11:36:12 (permalink)
0
What is the bandwidth of the connection? I'm getting my full bandwidth 600/150 on my 60F with everything turned on(mostly default settings). Running 6.2.3 in flow mode, it's not doing a whole lot... managing 2 switches and 2 APs and it's sitting at 60% memory. In my experience the F models don't run as well on the 6.0.x firmware - which is unfortunate as 6.0.x is more stable in general.
post edited by brycemd - 2020/07/27 11:41:34
#19
James_G
Gold Member
  • Total Posts : 235
  • Scores: 9
  • Reward points: 0
  • Joined: 2016/02/28 02:55:47
  • Status: offline
Re: 60F high mem 2020/07/27 11:56:02 (permalink)
0
I think you are spot on, f series were released with 6.2 and had 6.0 back ported, it's not perfect and some of the hardware acceleration does not work on 6.0.

The throughput values in the spec are for 6.2 and higher.
#20
Page: 12 > Showing page 1 of 2
Jump to:
© 2020 APG vNext Commercial Version 5.5