Fortigate Firewall restart IPS service
Fortigate Firewall (virtual or physical) can have a high CPU usage. It’s not recommended to have High CPU usage or a CPU usage over than 50 or 60% on a Firewall device, it can cause some critical trouble (lost packet, connexion timeout, slow web access, firewall crash, etc….).
Fortigate firewall has a tool like the command “top” on Linux, it’s a very useful command if you want to identify whichprocess or service cause this abnormal CPU usage.
I – Example of CPU load analysis
In some case you can have an abnormal High CPU usage on Fortigate device, you can “easily” identify the process which cause the CPU load with the command diagnose sys top
The command must be launched in CLI via the local console or via an SSH access with administrator rights.
diagnose sys top 1
This example is a “fake”, i don’t have this kind of problem when i write this post. On the console screen, we can see that the IPS process than more than 95% of CPU.
You have two solutions if you want to fix this issue :
The first is to reload the firewall, not great in my opinion, if the firewall is in production
The second solution, the better, is to reload/restart the IPS service. You need to have a CLI access like the last debug command.
diag test app ipsmonitor 99
II – More information about the command “diag test app ipsmonitor”
# diag test application ipsmonitor
IPS Engine Test Usage: (Values for >
1: Display IPS engine information
2: Toggle IPS engine enable/disable status
3: Display restart log
4: Clear restart log
5: Toggle bypass status
6: Submit attack characteristics now
97: Start all IPS engines
98: Stop all IPS engines
99: Restart all IPS engines and monitor