FortiOS Architecture
Enterprise Firewall 7.0 Study Guide
NSE Training Institute, Fortinet Inc. All Rights Reserved

Conserve Mode

In this section, you will examine conserve mode, now that you have a better understanding of how FortiGate uses memory.

Conserve Mode

- Triggered based on memory use
- Prevents using so much memory that FortiGate becomes unresponsive
- FortiGate leaves conserve mode as memory use goes below the set threshold
- Three memory thresholds that you can configure on the CLI:
  - Extreme: the threshold at which FortiGate starts dropping new sessions
  - Red: the threshold at which FortiGate enters conserve mode
  - Green: the threshold at which FortiGate exits conserve mode

Conserve mode is a protection mechanism that is triggered when FortiGate does not have enough memory available to handle traffic. Content inspection (especially proxy-based inspection) increases memory use beyond what simple firewall policies need. In other words, when antivirus is enabled, FortiGate is more likely to use more memory, which can cause FortiGate to enter conserve mode. You can identify whether antivirus or any other process is using too much memory by running the CLI command diagnose sys top.

FortiGate has only one conserve mode. It is triggered based on memory usage. There are three memory thresholds that you can configure on the CLI:

- Extreme: The threshold at which FortiGate starts dropping new sessions.
- Red: The threshold at which FortiGate enters conserve mode.
- Green: The threshold at which FortiGate exits conserve mode.

Conserve Mode Thresholds

    config system global
        set memory-use-threshold-extreme <percent>
        set memory-use-threshold-red <percent>
        set memory-use-threshold-green <percent>
    end

You can use the commands shown on this slide to change the default conserve mode threshold values. The thresholds are percentages of total memory, and they only make sense in the order green < red < extreme: green must sit below red, otherwise FortiGate would enter conserve mode and never have a lower level at which to leave it.
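To make the interaction of the three thresholds concrete, here is an added example (not code from the study guide or from Fortinet) that models the enter/exit hysteresis described above against a constructed series of memory-use samples. The default percentages (95/88/82) are assumed to match the FortiOS defaults, and the comparison rules (enter at or above red, drop new sessions at or above extreme, exit only once use falls below green) are the example's own reading of the slide text.

```python
"""Model of FortiGate conserve-mode hysteresis driven by the three CLI thresholds.

Added example, not FortiOS code. The percentages and comparison rules below are
assumptions that follow the slide text: enter conserve mode at or above red,
drop new sessions at or above extreme, and exit only once use falls below green.
"""
from dataclasses import dataclass

NORMAL, CONSERVE, EXTREME = "normal", "conserve", "extreme"


@dataclass(frozen=True)
class Thresholds:
    """Percent-of-total-memory thresholds, as set under 'config system global'."""
    extreme: int = 95   # assumed default for memory-use-threshold-extreme
    red: int = 88       # assumed default for memory-use-threshold-red
    green: int = 82     # assumed default for memory-use-threshold-green

    def validate(self) -> None:
        # The three values only make sense as green < red < extreme; a green
        # above red would mean the device could never leave conserve mode.
        if not (0 < self.green < self.red < self.extreme <= 100):
            raise ValueError(f"thresholds must satisfy green < red < extreme: {self}")


def next_state(state: str, used_pct: int, th: Thresholds) -> str:
    """Return the conserve-mode state after observing one memory-use sample."""
    if state == NORMAL:
        if used_pct >= th.extreme:
            return EXTREME
        if used_pct >= th.red:
            return CONSERVE
        return NORMAL
    # Already in conserve mode: hysteresis means the device only leaves below
    # green, so samples between green and red keep it in conserve mode.
    if used_pct < th.green:
        return NORMAL
    if used_pct >= th.extreme:
        return EXTREME
    return CONSERVE


def simulate(samples, th: Thresholds = Thresholds()):
    """Run the state machine over memory-use samples (percent of total).

    Returns a list of (used_pct, state, accepts_new_sessions) tuples; new
    sessions are only refused while use is at or above the extreme threshold.
    """
    th.validate()
    state = NORMAL
    trace = []
    for pct in samples:
        state = next_state(state, pct, th)
        trace.append((pct, state, state != EXTREME))
    return trace


def to_mb(total_mb: int, th: Thresholds) -> dict:
    """Express percentage thresholds in MB, the unit the crash log reports."""
    return {name: total_mb * getattr(th, name) // 100
            for name in ("extreme", "red", "green")}


if __name__ == "__main__":
    # Constructed sample: use climbs through red and extreme, then falls back.
    for pct, state, ok in simulate([70, 85, 89, 96, 90, 85, 81, 70]):
        print(f"{pct:3d}%  {state:8s}  new sessions {'accepted' if ok else 'dropped'}")
```

Note the samples at 90% and 85%: both are below red, yet the device stays in conserve mode because it has not yet dropped below green. That gap is what prevents FortiGate from flapping in and out of conserve mode on a device whose memory use hovers near the red threshold.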
Conserve Mode Logs

- Event log: logdesc="Memory conserve mode entered"
- Crash log:

    # diagnose debug crashlog read
    2020-04-28 11:12:59 kernel conserve=on total="1234 MB" used="878 MB" red="876 MB" green="864 MB" msg="Kernel enters memory conserve mode"

This slide shows the entries that are generated in the event logs when FortiGate enters memory conserve mode. If the GUI is under a heavy load, it may be unresponsive, making the GUI logs inaccessible. In this case, you can view the crash log on the CLI for conserve mode messages. This slide shows an example of a typical conserve mode crash log entry. The entry records total memory, the amount in use at the moment of entry, and the red and green thresholds in MB, so you can confirm that used memory exceeded the red threshold (878 MB against 876 MB in this example) when conserve mode was entered.

Proxy Inspection While in Conserve Mode

- Antivirus failopen governs FortiGate behavior for proxy-based inspection while in conserve mode

    config system global
        set av-failopen {off | one-shot | pass}
        set av-failopen-session {enable | disable}
    end

- av-failopen-session: Enable or disable failopen
  - Default setting is disable
- av-failopen: Configure how sessions fail open
  - off: All new sessions that require content inspection are dropped, but existing sessions are still processed
  - pass: New sessions are passed without inspection. Inspection is automatically restarted when FortiGate exits conserve mode
  - one-shot: Similar to pass, but you must manually change the av-failopen setting to restart inspection

Use the commands shown on this slide to control how FortiGate handles traffic that requires proxy-based content inspection during conserve mode. There are two settings: av-failopen-session and av-failopen. When you enable av-failopen-session, FortiGate applies the action configured in av-failopen. By default, FortiGate blocks new sessions (av-failopen-session disable).
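When the GUI is unresponsive, the crash log is often the only record of how long the device spent in conserve mode. The following added example (not code from the study guide or from Fortinet) parses crash log entries of the format shown above into enter/exit episodes. The sample excerpt is constructed; in particular the conserve=off exit line, its message text, and the unrelated daemon line are assumptions about the log format, not copied from a real device.

```python
"""Parse 'diagnose debug crashlog read' conserve-mode entries into a timeline.

Added example, not FortiOS code. The sample lines are constructed to match the
entry format shown on the slide; the 'conserve=off' exit line, its message
text and the daemon line are assumed, not copied from a real device.
"""
import re
from datetime import datetime

# Constructed crash log excerpt: enter, leave, then enter again with no exit yet.
SAMPLE_CRASHLOG = """\
2020-04-28 11:12:59 kernel conserve=on total="1234 MB" used="878 MB" red="876 MB" green="864 MB" msg="Kernel enters memory conserve mode"
2020-04-28 11:20:41 kernel conserve=off total="1234 MB" used="850 MB" red="876 MB" green="864 MB" msg="Kernel leaves memory conserve mode"
2020-04-28 11:30:00 kernel conserve=on total="1234 MB" used="880 MB" red="876 MB" green="864 MB" msg="Kernel enters memory conserve mode"
2020-04-28 11:31:10 the killed daemon is /bin/wad: status=0x0
"""

# One regex for both enter and exit lines; other crash log content is skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?conserve=(?P<on>on|off)'
    r'.*?total="(?P<total>\d+) MB".*?used="(?P<used>\d+) MB"'
    r'.*?red="(?P<red>\d+) MB".*?green="(?P<green>\d+) MB"'
)


def parse_events(text: str):
    """Return conserve-mode events as dicts; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. daemon crash entries that share the crash log
        ev = {k: int(v) for k, v in m.groupdict().items() if k not in ("ts", "on")}
        ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ev["on"] = m["on"] == "on"
        events.append(ev)
    return events


def summarize(events):
    """Pair enter/exit events into episodes and report the current state."""
    episodes, completed_seconds, entered_at = [], 0, None
    for ev in events:
        if ev["on"] and entered_at is None:
            # Sanity check: the kernel should report used >= red on entry.
            if ev["used"] < ev["red"]:
                raise ValueError(f"entry at {ev['ts']} with used below red: {ev}")
            entered_at = ev["ts"]
        elif not ev["on"] and entered_at is not None:
            seconds = int((ev["ts"] - entered_at).total_seconds())
            episodes.append((entered_at, ev["ts"], seconds))
            completed_seconds += seconds
            entered_at = None
    return {
        "in_conserve": entered_at is not None,   # last entry has no matching exit
        "open_since": entered_at,
        "episodes": len(episodes) + (1 if entered_at else 0),
        "completed_seconds": completed_seconds,
        "last_thresholds_mb": ({k: events[-1][k] for k in ("red", "green", "total")}
                               if events else None),
    }


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_CRASHLOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the constructed excerpt, the device is still in conserve mode (the third entry has no matching exit), with one completed episode of 462 seconds. The used-versus-red check in summarize is the same consistency check a practitioner would do by eye on the slide's entry.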
Note that while the command syntax references antivirus, the configuration applies to all proxy-based inspection and not just antivirus.

Flow Inspection While in Conserve Mode

- IPS failopen governs FortiGate behavior for flow-based inspection while in conserve mode

    config ips global
        set fail-open {enable | disable}
    end

All flow-based inspection is handled by the IPS engine. You can configure the IPS fail-open setting to manage flow-based inspection while FortiGate is in conserve mode.

When you have mixed UTM profiles, that is, proxy-based inspection and flow-based inspection both enabled on FortiGate, nTurbo does not work. In this case, all the packets for flow-based inspection must go through the socket buffer and be delivered to IPS. When the socket buffer is full, the event is logged as a fail-open event and the session action reflects the fail-open setting.

By default, IPS fail-open is disabled, which means the IPS engine drops all new sessions that require flow-based inspection, but tries to process all existing sessions. If IPS fail-open is enabled, the IPS engine does not perform any scan, but allows new packets through.

If you have only flow-based UTM profiles, nTurbo handles all packets except the three-way handshake, and it does not require any software socket buffer.

Conserve Mode Diagnostics

    # diagnose hardware sysinfo conserve

The output reports whether memory conserve mode is on, the total memory, memory used, memory used + freeable, and the memory used thresholds for extreme, red and green.

Use the command shown on this slide to identify whether a FortiGate device is currently in conserve mode.
Memory Tension Drops

- Kernel deletes the oldest sessions if it cannot allocate more memory pages
- No direct link with conserve mode

    # diagnose sys session stat
    misc info:      session_count=184 setup_rate=0 exp_count=0 clash=0
            memory_tension_drop=0 ephemeral=0/196608 removeable=0
    delete=0, flush=87, dev_down=16/120 ses_walkers=0
    TCP sessions:
            38 in ESTABLISHED state
            1 in CLOSE_WAIT state

FortiGate has one more mechanism to free memory when there is not much available. If the kernel cannot allocate more memory pages, it deletes the oldest sessions. The command shown on this slide displays the number of sessions deleted by the kernel because of this mechanism (the memory_tension_drop counter).

Ephemeral Drops

- A session is categorized as ephemeral when one of the following is true:
  - A TCP session is not fully established
  - A UDP session with only a single packet received
- These types of open sessions are common in DoS attacks
- To protect memory use, FortiOS sets a limit on the total number of ephemeral sessions (based on the model)

    # diagnose sys session stat
            memory_tension_drop=0 ephemeral=0/196608 removeable=0

FortiGate has a mechanism to protect memory use against some forms of DoS attacks. FortiGate categorizes an entry in the session table as an ephemeral session when it is a TCP session that is not fully established (three-way handshake not completed), or it is a UDP session with only one packet received. During some DoS attacks, the number of these types of sessions tends to increase abnormally, potentially consuming the unit's memory. FortiGate sets a hard limit on the maximum number of ephemeral sessions that can exist at the same time in the session table. The ephemeral field in the output above shows the current count against that model-specific limit.
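The two counters above are the ones to watch when a device is under memory pressure or a SYN/UDP flood. The following added example (not code from the study guide or from Fortinet) parses the relevant fields out of diagnose sys session stat output and turns them into findings. Both sample outputs are constructed: the healthy one follows the values on the slide, and the second one is an invented flood scenario; the SYN_SENT state label, the 80% ephemeral warning level and the half-open-versus-established heuristic are the example's own assumptions.

```python
"""Extract memory-tension and ephemeral-session signals from
'diagnose sys session stat' output.

Added example, not FortiOS code. Both samples below are constructed; the
warning level and the SYN_SENT heuristic are assumptions of this example.
"""
import re

SAMPLE_HEALTHY = """\
misc info:      session_count=184 setup_rate=0 exp_count=0 clash=0
        memory_tension_drop=0 ephemeral=0/196608 removeable=0
delete=0, flush=87, dev_down=16/120 ses_walkers=0
TCP sessions:
        38 in ESTABLISHED state
        1 in CLOSE_WAIT state
"""

# Constructed flood scenario: the kernel has already deleted sessions under
# memory tension, and ephemeral sessions are close to the model limit.
SAMPLE_UNDER_ATTACK = """\
misc info:      session_count=180300 setup_rate=2500 exp_count=0 clash=0
        memory_tension_drop=12 ephemeral=180000/196608 removeable=0
delete=0, flush=87, dev_down=16/120 ses_walkers=0
TCP sessions:
        38 in ESTABLISHED state
        179900 in SYN_SENT state
"""

COUNTER_RE = re.compile(r'(\w+)=(\d+)(?:/(\d+))?')   # key=value or key=current/limit
STATE_RE = re.compile(r'^\s*(\d+) in (\S+) state')


def parse_session_stat(text: str) -> dict:
    """Return counters as ints, 'current/limit' pairs as tuples, and TCP states."""
    stats = {"tcp_states": {}}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            stats["tcp_states"][m.group(2)] = int(m.group(1))
            continue
        for key, cur, limit in COUNTER_RE.findall(line):
            stats[key] = (int(cur), int(limit)) if limit else int(cur)
    return stats


def assess(stats: dict, ephemeral_warn: float = 0.8) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    drops = stats.get("memory_tension_drop", 0)
    if drops:
        findings.append(f"kernel deleted {drops} oldest sessions under memory tension")
    cur, limit = stats.get("ephemeral", (0, 0))
    if limit and cur / limit >= ephemeral_warn:
        findings.append(f"ephemeral sessions at {cur}/{limit} "
                        f"({cur / limit:.0%} of model limit): possible SYN/UDP flood")
    syn = stats["tcp_states"].get("SYN_SENT", 0)
    est = stats["tcp_states"].get("ESTABLISHED", 0)
    if syn > est:
        findings.append(f"{syn} half-open TCP sessions versus {est} established")
    return findings


if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("under attack", SAMPLE_UNDER_ATTACK)):
        print(name, assess(parse_session_stat(sample)) or ["no findings"])
```

A non-zero memory_tension_drop is worth alerting on even when the device never reports conserve mode, because, as the slide notes, the two mechanisms are independent.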
Memory Use Optimization

What can you do if FortiGate enters conserve mode frequently, or if its memory utilization is too high? In this section, you will learn how to optimize memory use by fine-tuning the FortiGate configuration.

Memory Use Optimization

- Disable features that are not required:
  - Inspection of specific protocols (HTTP, FTP, SMTP, POP3, IMAP)
  - Logging to memory
  - DHCP server
  - Some IPS signatures
- Reduce the maximum file size to inspect (default 10 MB):

    config firewall profile-protocol-options
        edit <name>
            config {http | ftp | pop3 | smtp | imap}
                set oversize-limit <MB>
            end
        next
    end

Many FortiGate processes, such as DLP or AV scanning, are memory intensive. So, memory optimization is important, especially on small devices, to guarantee that these processes do not force FortiGate into memory conserve mode.

This slide shows some recommendations for optimizing memory use. These tips might significantly increase the available memory on a device that is frequently entering conserve mode.

The first and most logical step is to disable features that are not required. For example, if the network already has a FortiMail device doing antispam, an administrator does not need to do antispam on FortiGate. Also, usually not all the IPS signatures are required.

Another recommendation is to reduce the maximum file size to inspect, which is set to 10 MB by default. You can reduce this value to 2 or 3 MB without significantly reducing the virus catching rate, because a typical virus is less than 1 MB in size.
Memory Use Optimization (Contd)

- Reduce the FortiGuard cache TTL (default 3600 and 1800 seconds):

    config system fortiguard
        set webfilter-cache-ttl 500
        set antispam-cache-ttl 500
    end

- Reduce the DNS cache TTL (default 1800 seconds):

    config system dns
        set dns-cache-ttl 300
    end

Additionally, you can reduce the amount of memory allocated to some caches, such as the ones for FortiGuard and DNS. A shorter TTL evicts entries sooner, so fewer entries are held in memory at any one time.

Memory Use Optimization (Contd)

- Reduce the session time to live (TTL)
  - Globally:
    - For TCP (default 3600 seconds):

        config system session-ttl
            set default 300
        end

    - For UDP (default 180 seconds):

        config system global
            set udp-idle-timer 90
        end

  - For each service (IP protocol and port range):

        config system session-ttl
            config port
                edit <id>
                    set protocol <number>
                    set start-port <port>
                    set end-port <port>
                    set timeout 300
                next
            end
        end

The FortiGate session table can consume an important portion of memory, especially in networks with a high rate of traffic. By default, a session without traffic remains in the table for up to one hour. Although a TTL this high might be required by some applications, in most networks you can reduce the session TTL. When you reduce the TTL, FortiGate ages out idle sessions much more quickly, increasing the amount of available memory.

There are four places in the FortiGate configuration where you can reduce the session TTL.
Two of them are:

- Globally, for all the traffic
- On an IP protocol and port number basis

Memory Use Optimization (Contd)

- Reduce the session TTL (default 3600 seconds)
  - For each firewall policy:

        config firewall policy
            edit <id>
                set session-ttl 300
            next
        end

  - Per application control entry (GUI: Security Profiles > Application Control > Application and Filter Overrides)

The other two places where you can reduce the session TTL are:

- For each firewall policy
- For each application control entry

If an application requires a high session TTL, you can reduce the TTL globally to five minutes, and then set a higher value for that application only: on its specific port number, on the firewall policy that carries it, or with an application control application override entry, by setting the session-ttl option using the CLI.

Memory Use Optimization (Contd)

- Reduce TCP session timers:

    config system global
        set tcp-halfclose-timer 30    (default 120)
        set tcp-halfopen-timer 8      (default 10)
        set tcp-timewait-timer 1      (default 1)
    end

You can also reduce most TCP session timers from their default values without causing problems for the applications. This slide shows some recommended values that are equal to or below the default values. Use these recommended values to optimize memory use.

The tcp-halfopen-timer controls for how long, after a SYN packet, a session without a SYN/ACK remains in the table.

The tcp-halfclose-timer controls for how long, after a FIN packet, a session without a FIN/ACK remains in the table.

The tcp-timewait-timer controls for how long, after a FIN/ACK packet, a session remains in the table.
A closed session remains in the session table for a few seconds more to allow any out-of-sequence packet
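The three TCP timers and the session TTL each govern a different phase of a session's life, and which one applies decides how long an idle or half-finished session occupies the table. The following added example (not code from the study guide or from Fortinet) applies the timer definitions from the slide to a sequence of packet events and reports when the session would age out, using the default values and the tuned values the slide recommends. The event names, the simplification that a single FIN/ACK moves the session to time-wait, and the handling of a packet that arrives after the session has aged out are assumptions of this model.

```python
"""Model of how FortiGate's TCP session timers age a session out of the table.

Added example, not FortiOS code. It applies the timer definitions from the
slide literally: halfopen after SYN without SYN/ACK, halfclose after FIN
without FIN/ACK, timewait after FIN/ACK, and session-ttl for an established
session with no traffic. The event names and the one-FIN/ACK simplification
are assumptions of this model.
"""

DEFAULT_TIMERS = {"session_ttl": 3600, "halfopen": 10, "halfclose": 120, "timewait": 1}
TUNED_TIMERS = {"session_ttl": 300, "halfopen": 8, "halfclose": 30, "timewait": 1}

# Which phase each event puts the session in, and which timer then governs it.
TRANSITIONS = {
    "SYN": ("half-open", "halfopen"),
    "SYNACK": ("established", "session_ttl"),
    "DATA": ("established", "session_ttl"),   # any traffic refreshes the TTL
    "FIN": ("half-close", "halfclose"),
    "FINACK": ("time-wait", "timewait"),
}


def session_expiry(events, timers=DEFAULT_TIMERS):
    """Walk (time_in_seconds, event) pairs and return (phase, expires_at).

    If an event arrives after the session has already aged out, the result is
    ("removed", <time it was removed>): that packet would match no session.
    """
    phase, expires_at = None, None
    for t, ev in events:
        if expires_at is not None and t >= expires_at:
            return "removed", expires_at
        if ev == "DATA" and phase != "established":
            raise ValueError(f"data at t={t} on a session that is {phase}")
        phase, timer = TRANSITIONS[ev]
        expires_at = t + timers[timer]
    return phase, expires_at


def lifetime(events, timers=DEFAULT_TIMERS):
    """Seconds the session occupies the table, or None if a packet arrived late."""
    phase, expires_at = session_expiry(events, timers)
    if phase == "removed":
        return None
    return expires_at - events[0][0]


if __name__ == "__main__":
    # Constructed scenarios: the same packet sequences under both timer sets.
    scenarios = {
        "SYN only (scan or SYN flood)": [(0, "SYN")],
        "established then idle": [(0, "SYN"), (1, "SYNACK"), (50, "DATA")],
        "FIN without FIN/ACK": [(0, "SYN"), (1, "SYNACK"), (50, "FIN")],
        "clean close": [(0, "SYN"), (1, "SYNACK"), (50, "FIN"), (51, "FINACK")],
    }
    for name, events in scenarios.items():
        print(f"{name:32s} default {lifetime(events):5d}s  tuned {lifetime(events, TUNED_TIMERS):5d}s")
```

The first and third scenarios are the ones that matter for memory: a SYN that never completes, or a FIN that is never acknowledged, is exactly the kind of session a flood leaves behind, and the halfopen and halfclose timers bound how long each one is kept.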