Solved

Fortigate 60C stops passing Internet traffic randomly

Posted on 2012-03-13
7,807 Views
Last Modified: 2012-04-11
We recently received a Fortinet FortiGate 60C unit as an RMA replacement for a 60B. About 10 days after we received it, the unit began to stop passing Internet traffic at seemingly random intervals. The only solution we found was to restart it.

Fortinet support suggested that the reason the unit was freezing was that it was going into conserve mode, which happens when memory usage gets to 80%. We reduced the number of policies in use and changed UTM inspection mode from proxy to flow based. I also shut off the dns-udp session helper. The resources now level out at about 20% CPU and 70% memory.

And still the device randomly freezes and stops passing traffic. We are running 4.0 MR3 Patch 5, NAT mode, standalone, one internal and one external interface, no virtual domains. UTM: Antivirus, Web Filter, Application Control, IPS, Email Filter. Also, we are using per-IP traffic shaping. We are logging to disk and not to memory. This is on a network of 113 clients, 63 of whom are regular Internet users.

The only consistent "fix" I have found is to reload the firmware. This buys about 10 days of uninterrupted Internet access.

If anyone has suggestions of what to try to get this thing to stay up I would very much appreciate it. My biweekly Fortinet support ticket ritual is becoming tiresome.
Question by:vmsrf
3 Comments
 
LVL 4

Accepted Solution

by:
xanandu earned 500 total points
ID: 37802465
The 70% memory is still high, especially as during peak hours of heavy traffic shaping this will cause this number to go up quite a bit. I have seen devices peak from 40% usage early morning to north of 95% during noon due to demand "spikiness".

Check the memory used during the next crash, and try a "diag system top" to see what the top memory-consuming process is.

From the sounds of it, the Per-IP traffic shaping is what is causing it; more traffic during peak hours causes certain UTM functions to REALLY suck back the resources. Traffic shaping is one of them. Per-IP means each computer has its own traffic shaping policy instead of using a group policy.

If you wish to continue to use your FortiGate like this, you will probably have to upsize. In the meantime you can apply ID-based policies, release the traffic shaping, and anybody that abuses the network gets put into the throttling groups.
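A triage helper for the check the accepted answer recommends, added here as an example (it is not code from the thread or from Fortinet). It parses constructed text shaped like the FortiGate `get system performance status` and `diag sys top` output, ranks processes by memory, and flags when usage nears the 80% conserve-mode threshold quoted in the question. The row layout assumed for `diag sys top` (name, pid, state, cpu%, mem%) and the warning margin are assumptions, not something the thread shows.

```python
# Added example: conserve-mode triage from constructed FortiGate CLI output.
# Assumptions: 'diag sys top' rows are "name pid state cpu% mem%"; the 'Memory
# states: NN% used' line comes from 'get system performance status'.
import re

CONSERVE_THRESHOLD = 80  # % memory at which conserve mode starts, per the question
WARN_MARGIN = 10         # assumption: warn this many points below the threshold

# Constructed sample output; all figures are invented for illustration.
SAMPLE_PERF = "CPU states: 20% user 3% system 0% nice 77% idle\nMemory states: 72% used\n"
SAMPLE_TOP = """\
Run Time:  3 days, 4 hours and 12 minutes
20U, 0N, 3S, 77I; 1019T, 285F, 88KF
                httpd       72      R      41.2     18.6
                ipsengine   61      S       9.0     14.3
                scanunitd   83      S       2.5     11.0
"""

PROC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Za-z<>]+)\s+([\d.]+)\s+([\d.]+)\s*$")
MEM_RE = re.compile(r"Memory states:\s*(\d+)% used")

def parse_top(text):
    """Return (name, pid, state, cpu%, mem%) tuples; header lines never match PROC_RE."""
    rows = []
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            name, pid, state, cpu, mem = m.groups()
            rows.append((name, int(pid), state, float(cpu), float(mem)))
    return rows

def parse_memory_used(text):
    """Extract the percentage from the 'Memory states: NN% used' line."""
    m = MEM_RE.search(text)
    if not m:
        raise ValueError("no 'Memory states' line found")
    return int(m.group(1))

def assess(perf_text, top_text, n=3):
    """Classify memory pressure and list the n heaviest processes by memory."""
    used = parse_memory_used(perf_text)
    if used >= CONSERVE_THRESHOLD:
        status = "conserve"      # at or over the threshold: expect traffic to stop
    elif used >= CONSERVE_THRESHOLD - WARN_MARGIN:
        status = "warning"       # thin headroom: a midday spike can tip it over
    else:
        status = "ok"
    top = sorted(parse_top(top_text), key=lambda r: r[4], reverse=True)[:n]
    return {"memory_used": used, "status": status,
            "top_by_mem": [(r[0], r[4]) for r in top]}
```

Run it against the two command outputs captured when the device is under load rather than right after a reboot; the sample above sits in the warning band, matching the 70% steady state described in the question.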

Author Comment

by:vmsrf
ID: 37802854
Interesting. On the last crash the CPU went to 95% and the offending service was httpd. I will try disabling Per-IP traffic shaping for a week and report back. That could be it.

Author Closing Comment

by:vmsrf
ID: 37835893
The unit hasn't crashed all week, so I'm thinking the traffic shaping may indeed have been causing this. There is another patch out now that addresses high CPU utilization, so I will apply that as well.

I would have to agree that this unit is probably undersized for the environment and the way we use it.