Conserve mode
FortiGate units perform all Security Profiles processing in physical RAM. Since each model has a limited amount of memory, conserve mode is activated to avoid a situation where the device uses so much memory to scan files that it becomes unresponsive. When conserve mode is activated, the antivirus engine proxy will not accept any more sessions until the FortiGate leaves conserve mode. This affects not only the antivirus function but the DLP function as well.
The AV proxy
Most content inspection the FortiGate unit performs requires that the files, email messages, URLs, and web pages be buffered and examined as a whole. The AV proxy performs this function, and because it may be buffering many files at the same time, it uses a significant amount of memory. Conserve mode is designed to prevent all the component features of the FortiGate unit from trying to use more memory than it has. Because the AV proxy uses so much memory, conserve mode effectively disables it in most circumstances. As a result, the content inspection features that use the AV proxy are also disabled in conserve mode.
All of the Security Profiles features use the AV proxy, with the exception of IPS, application control, DoS, and flow-based antivirus, DLP, and web filter scanning. These features continue to operate normally when the FortiGate unit enters conserve mode.
Conserve mode trigger mechanisms
There are two separate triggers for activating the Conserve mode in FortiOS:
The first mechanism is that the proxies used for scanning content track the amount of shared memory in use, and when it passes a given threshold the proxy triggers conserve mode. This mechanism only operates if the applicable proxies are running. In past versions AV proxies were always running, regardless of whether an AV profile was part of the configuration. In FortiOS 5.x this was changed so that AV proxies only ran if an AV profile in the configuration required them. However, SIP is handled by the same proxy as the IM protocols, and the IM protocols require an AV proxy; because the SIP ALG was enabled by default starting in 5.2, the AV proxies were once again always running.
FortiOS 5.2.3 changed this so that AV proxies are not needed unless there is an AV profile, because the proxies used to scan SIP can also perform the conserve mode check. This means that if you want to avoid the proxy conserve mode checking mechanism, you also have to disable the SIP ALG.
The second mechanism is that the kernel checks the amount of free memory on the system, and if the memory available for use drops below the given threshold the kernel triggers conserve mode. Although the second mechanism was added to augment the first, the two triggers measure different things, so the second trigger runs regardless of whether AV scanning is enabled.
Entering and exiting conserve mode
A FortiGate unit will enter conserve mode because it is nearly out of physical memory, or because the AV proxy has reached the maximum number of sessions it can service. The memory threshold that triggers conserve mode varies by model, but it is about 20% free memory. When memory usage rises to the point where less than 20% of the physical memory is free, the FortiGate unit enters conserve mode. A noticeable change to traffic only occurs if the AV proxy is being used, and what changes depends on the av-failopen setting.
For example, if the default av-failopen setting, 'pass', is being used, then any files that are not in the process of being scanned go into AV bypass mode and all new connections automatically go into AV bypass until memory availability rises back to the proper threshold. Conserve mode does not normally result in sessions being flushed from the session table unless the av-failopen setting is 'idledrop', in which case the AV proxy deletes what it considers to be idle connections, which in turn results in sessions being deleted in the kernel.
The FortiGate unit will leave conserve mode only when the available physical memory exceeds about 30%. When exiting conserve mode, all new sessions configured to be scanned with features requiring the AV proxy will be scanned as normal, with the exception of a unit configured with the one-shot option.
The kernel conserve mode detection runs even when no policy in any VDOM has any form of AV/DLP scanning enabled. This means that even if no AV scanning is occurring and memory gets low, conserve mode may be triggered and informational log messages are generated to this effect; but because no AV scanning is occurring, the actions associated with conserve mode do not actually take place.
Conserve mode effects
What happens when the FortiGate unit enters conserve mode depends on how you have av-failopen configured. There are four options:
off
The off setting forces the FortiGate unit to stop all traffic that is configured for content inspection by Security Profiles features that use the AV proxy. New sessions are not allowed but current sessions continue to be processed normally unless they request more memory. Sessions requesting more memory are terminated.
For example, if a security policy is configured to use antivirus scanning, the traffic it permits is blocked while in conserve mode. A policy with IPS scanning enabled continues as normal. A policy with both IPS and antivirus scanning is blocked because antivirus scanning requires the AV proxy.
Use the off setting when security is more important than a loss of access while the problem is rectified.
pass
The pass setting allows traffic to bypass the AV proxy and continue to its destination. Since the traffic is bypassing the proxy, no Security Profiles scanning that requires the AV proxy is performed. Security Profiles scanning that does not require the AV proxy continues normally.
Use the pass setting when access is more important than security while the problem is rectified.
Pass is the default setting.
one-shot
The one-shot setting is similar to pass in that traffic is allowed when conserve mode is active. The difference is that a system configured for one-shot will force new sessions to bypass the AV proxy even after it leaves conserve mode. The FortiGate unit resumes use of the AV proxy only when the av-failopen setting is changed or the unit is restarted.
idledrop
The idledrop setting will recover memory and session space by terminating all the sessions associated with the host that has the most sessions open. The FortiGate may force this session termination a number of times, until enough memory is available to allow it to leave conserve mode.
The idledrop setting is primarily designed for situations in which malware may continue to open sessions until the AV proxy cannot accept more new sessions, triggering conserve mode. If your FortiGate unit is operating near capacity, this setting could cause the termination of valid sessions. Use this option with caution.
Configuring the av-failopen command
You can configure the av-failopen command using the CLI.
config system global
    set av-failopen {off | pass | one-shot | idledrop}
end
The default setting is pass.
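The entry and exit thresholds described above, together with the av-failopen choices, can be reasoned about as a small state machine. The following Python model is an added example and not FortiOS code: the 20% and 30% figures are the approximate values the text gives, while the class and function names (ConserveModeModel, run_scenario) and the sampled free-memory figures are assumptions. It models how off, pass and one-shot treat new sessions, including the hysteresis between the two thresholds and the one-shot latch; the idledrop action terminates existing sessions rather than deciding per new session and is not modelled here.

```python
"""Model of conserve-mode entry/exit and av-failopen handling of new sessions.

Added example, not FortiOS code. The thresholds are the approximate values
stated in the text; the state machine and names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

ENTER_BELOW_PCT = 20.0   # enter conserve mode when free memory < ~20%
EXIT_ABOVE_PCT = 30.0    # leave conserve mode only when free memory > ~30%

# av-failopen values modelled for per-session decisions (idledrop omitted).
AV_FAILOPEN_VALUES = ("off", "pass", "one-shot")


@dataclass
class ConserveModeModel:
    av_failopen: str = "pass"            # 'pass' is the default per the text
    in_conserve_mode: bool = False
    one_shot_latched: bool = False       # one-shot: bypass persists after exit
    history: List[Tuple[float, bool]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.av_failopen not in AV_FAILOPEN_VALUES:
            raise ValueError("unsupported av-failopen value: %r" % self.av_failopen)

    def update_memory(self, free_pct: float) -> bool:
        """Feed one free-memory sample; return True while in conserve mode."""
        if not self.in_conserve_mode and free_pct < ENTER_BELOW_PCT:
            self.in_conserve_mode = True
            if self.av_failopen == "one-shot":
                self.one_shot_latched = True
        elif self.in_conserve_mode and free_pct > EXIT_ABOVE_PCT:
            self.in_conserve_mode = False
        # Samples between the two thresholds change nothing: hysteresis.
        self.history.append((free_pct, self.in_conserve_mode))
        return self.in_conserve_mode

    def new_session_action(self, needs_av_proxy: bool) -> str:
        """Return 'scan', 'bypass' or 'block' for a new session."""
        if not needs_av_proxy:
            return "scan"        # IPS, app control, flow-based scans continue
        if self.one_shot_latched:
            return "bypass"      # cleared only by a setting change or restart
        if not self.in_conserve_mode:
            return "scan"
        if self.av_failopen == "off":
            return "block"       # security over availability
        return "bypass"          # pass (default) and one-shot while in mode

    def set_av_failopen(self, value: str) -> None:
        """Changing the setting clears a one-shot latch (a restart would too)."""
        if value not in AV_FAILOPEN_VALUES:
            raise ValueError("unsupported av-failopen value: %r" % value)
        self.av_failopen = value
        self.one_shot_latched = False


def run_scenario(av_failopen: str, samples: List[float]) -> List[str]:
    """Replay free-memory samples; return the action for a new AV-proxy
    session after each sample."""
    model = ConserveModeModel(av_failopen=av_failopen)
    actions = []
    for free_pct in samples:
        model.update_memory(free_pct)
        actions.append(model.new_session_action(needs_av_proxy=True))
    return actions


if __name__ == "__main__":
    # Constructed sample: free memory dips to 18%, creeps back to 25%
    # (still in conserve mode), then recovers above 30%.
    samples = [35.0, 18.0, 25.0, 31.0]
    for setting in AV_FAILOPEN_VALUES:
        print(setting, run_scenario(setting, samples))
```

The 25% sample is the point worth noticing: the unit is still in conserve mode because exit requires more than about 30% free, and with one-shot the bypass continues even after the 31% sample until the setting is changed.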
Conserve mode and session removal
It is a common misconception that one of the things that Conserve mode does is remove sessions to assist with memory, but there is no direct relationship between Conserve mode and session removal.
- The function of conserve mode memory tracking is to avoid using any more memory for scanning files, in case the device becomes unresponsive.
- The session removal function is used as a last resort when the kernel becomes incapable of allocating a page of memory.
There is a mechanism to delete kernel sessions based on lack of memory. If the kernel attempts to allocate a page for any reason and a page cannot be allocated, then the session table is scanned and the oldest session in every bucket is deleted. The count of how many sessions have been deleted due to this process is visible in the 'memory_tension' count.
The connection between Conserve mode and session removal is that by definition page allocation cannot fail unless the device has already hit conserve mode.
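To make the distinction between the idledrop action and the kernel's page-allocation path concrete, the following toy session table is an added example, not FortiOS code: the bucket function (source port modulo bucket count), the Session fields, the sample hosts and the memory_tension counter are constructed assumptions. It shows that idledrop removes every session of the host with the most sessions, while the page-allocation failure path removes the oldest session in every bucket and counts what it removed.

```python
"""Toy session table for the two session-removal mechanisms the text
keeps apart: av-failopen 'idledrop' (terminate all sessions of the host
with the most open sessions) and the kernel's last-resort path (a page
could not be allocated, so the oldest session in every bucket is deleted
and counted in memory_tension). Added example; layout is assumed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    sport: int
    dport: int
    created: int   # creation order; lower means older (assumed field)


class SessionTable:
    def __init__(self, bucket_count: int = 4):
        self.buckets: List[List[Session]] = [[] for _ in range(bucket_count)]
        self.memory_tension = 0   # sessions removed by the page-allocation path
        self.idledrop_rounds = 0  # how many times idledrop has run

    def _bucket(self, s: Session) -> int:
        # Toy hash: a real table hashes the whole tuple; source port keeps
        # the example predictable.
        return s.sport % len(self.buckets)

    def add(self, s: Session) -> None:
        self.buckets[self._bucket(s)].append(s)

    def sessions(self) -> List[Session]:
        return [s for b in self.buckets for s in b]

    def __len__(self) -> int:
        return sum(len(b) for b in self.buckets)

    def idledrop(self) -> Tuple[str, int]:
        """av-failopen idledrop: drop every session of the busiest host.
        Returns (host, sessions_removed); may be repeated until memory recovers."""
        counts = Counter(s.src for s in self.sessions())
        if not counts:
            return ("", 0)
        host, n = counts.most_common(1)[0]
        for b in self.buckets:
            b[:] = [s for s in b if s.src != host]
        self.idledrop_rounds += 1
        return host, n

    def page_alloc_failed(self) -> int:
        """Kernel path: page allocation failed, so the oldest session in
        every non-empty bucket is deleted. Returns the number removed."""
        removed = 0
        for b in self.buckets:
            if b:
                b.remove(min(b, key=lambda s: s.created))
                removed += 1
        self.memory_tension += removed
        return removed


def build_sample_table() -> SessionTable:
    """Constructed sample: one host with five sessions and two quieter hosts."""
    t = SessionTable(bucket_count=4)
    created = 0
    for src, sports in (("10.0.0.5", range(40001, 40006)),
                        ("10.0.0.7", (50000, 50001)),
                        ("10.0.0.9", (60000,))):
        for sport in sports:
            created += 1
            t.add(Session(src, "198.51.100.10", sport, 443, created))
    return t


if __name__ == "__main__":
    t = build_sample_table()
    print("idledrop removed", t.idledrop())          # ('10.0.0.5', 5)
    t = build_sample_table()
    print("page-alloc path removed", t.page_alloc_failed(),
          "memory_tension =", t.memory_tension)      # 4, 4
```

Note that the two operations touch different sessions: idledrop targets one host regardless of session age, while the page-allocation path takes one session per bucket regardless of host, which is why the text warns that idledrop can terminate valid sessions on a busy unit.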