Fortigate Firewall restart IPS service

A Fortigate firewall (virtual or physical) can suffer from high CPU usage. Sustained CPU usage above 50 or 60% is not recommended on a firewall device, because it can cause serious trouble (packet loss, connection timeouts, slow web access, firewall crashes, etc.).

The Fortigate firewall has a tool similar to the “top” command on Linux. It is very useful when you want to identify which process or service is causing the abnormal CPU usage.

I – Example of CPU load analysis

In some cases you may see abnormally high CPU usage on a Fortigate device. You can “easily” identify the process that causes the CPU load with the command diagnose sys top.

The command must be run from the CLI, via the local console or over SSH, with administrator rights.

diagnose sys top 1


This example is a “fake”, I don’t have this kind of problem as I write this post. On the console screen, we can see that the IPS process uses more than 95% of the CPU.

You have two solutions if you want to fix this issue:

The first is to reload the firewall, which is not great in my opinion if the firewall is in production.

The second and better solution is to reload/restart the IPS service. You need CLI access, as for the previous debug command.

diag test app ipsmonitor 99
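
An added example (not from the original post): a Python helper that parses a saved diagnose sys top capture and suggests the IPS restart only when an IPS process is the one over the threshold. The sample capture is constructed, the column layout (name, PID, state, CPU %, memory %) and the function names are assumptions, and the 50% figure from the post is applied per process name here.

```python
import re

# Assumed row layout of `diagnose sys top`: name, PID, state
# (optionally followed by "<" for high priority), CPU %, memory %.
ROW = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])\s*<?\s+"
    r"(?P<cpu>\d+(?:\.\d+)?)\s+(?P<mem>\d+(?:\.\d+)?)\s*$"
)

# Constructed sample capture (not taken from a real device).
SAMPLE = """\
Run Time:  12 days, 3 hours and 41 minutes
96U, 0N, 2S, 2I, 0WA, 0HI, 0SI, 0ST; 3954T, 2110F
       ipsengine      172      R <    95.4     4.8
          httpsd      201      S       1.1     1.6
         miglogd      148      S       0.4     0.9
          newcli      903      R       0.2     0.4
"""

def parse_top(text):
    """Return one dict per process row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"name": m["name"], "pid": int(m["pid"]),
                         "cpu": float(m["cpu"]), "mem": float(m["mem"])})
    return rows

def offenders(text, threshold=50.0):
    """Sum CPU per process name (several ipsengine workers may run at once)
    and return the names at or above the threshold, highest first."""
    totals = {}
    for row in parse_top(text):
        totals[row["name"]] = totals.get(row["name"], 0.0) + row["cpu"]
    hot = [(name, cpu) for name, cpu in totals.items() if cpu >= threshold]
    return sorted(hot, key=lambda item: -item[1])

def recommend(text, threshold=50.0):
    """Suggest the restart command from the post only for an IPS process."""
    hot = offenders(text, threshold)
    if not hot:
        return "ok"
    if hot[0][0].startswith("ips"):
        return "diag test app ipsmonitor 99"
    return "investigate " + hot[0][0]

if __name__ == "__main__":
    print(offenders(SAMPLE), "->", recommend(SAMPLE))
```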

II – More information about the command “diag test app ipsmonitor”


# diag test application ipsmonitor
IPS Engine Test Usage: (Values for >
1: Display IPS engine information
2: Toggle IPS engine enable/disable status
3: Display restart log
4: Clear restart log
5: Toggle bypass status
6: Submit attack characteristics now
97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor

III – Sources

http://kb.fortinet.com/kb/viewContent.do?externalId=13825

florian

Hi, I'm Florian and I'm 32 years old. I discovered IT at 17, and I had my first internet connection at 23. So I'm not going to say that I was very precocious in this domain... PS: I'm French, so please be lenient with my English ;)
