System Resources Flashcards
(30 cards)
FortiOS Architecture
Configuration Layer contains: CLI, GUI, API, and FortiManager
User Space: Application Processes
Kernel
Device Drivers
Hardware
FortiOS memory is 64-bit.
Kernel does not need to use memory paging to access the whole memory. Instead, it is all directly accessible.
diagnose hardware sysinfo memory:
MemTotal = Total amount of memory
MemFree = Total amount of free memory
FGT memory is used for:
System I/O Cache
Kernel Memory Slabs
Buffers
Process Memory
Shared Memory
System I/O Cache
There are no direct reads or writes made to HDD or flash disks. Each access is done through a cache held in memory.
Used to speed up hard disk and flash disk read and write operations for:
Logging, WAN optimization, Explicit Proxy
Made of pages (4K in size), each holding disk blocks (1K in size)
Two types of pages:
Active - Recently Accessed.
Inactive - Not used for some time. Might be reclaimed by the kernel in case of memory shortage.
The diagnose memory command can be used to check usage for these.
Slabs
Collections of objects with a common purpose. Used by the Kernel.
Examples are:
tcp_session
ip_session
ip_dst_cache
buffer_head
inode_cache
dentry_cache
arp_cache
Command to check Slab memory
diagnose hardware sysinfo slab
Three columns in the output:
Active Objects, Available Objects, Object Size
Total slab size = available objects x object size
Command to see processes that are using the most CPU or Memory
diagnose sys top
To sort by CPU usage, press c
To sort by RAM, press m
Process Name: fgfmd
For FortiManager connections
Process Name: forticron
For Scheduling
Most Common Processes
cmdbsrv - applies config changes
miglogd - Logs collection and automation stitches
httpsd - GUI access
sslvpnd - SSL VPN
updated - FortiGuard updates
wad - WAN optimization, explicit proxy, and proxy-based inspection for HTTP, HTTPS, and FTP
scanunitd - File Scanning
iked - IPsec
hatalk, hasync - HA protocol and sync
urlfilter - FortiGuard web filtering
authd - User authentication
fssod - FSSO
proxyworker - Proxy-based inspection for IMAP, POP, SMTP
Process States
S = Sleeping
R = Running
D = Do Not Disturb
Z = Zombie
S, R, and D (for short periods) are normal.
Z and D (for longer periods) are abnormal.
Shared Memory (SHM)
Allocated Dynamically
Allows the sharing of information among multiple processes
System information Command
get system status
Resource Use Command
get system performance status
Also shows UTM information, such as the number of viruses caught and the number of attacks blocked by IPS.
Conserve Mode
Triggered based on memory use. Prevents the FGT from using so much memory that it becomes unresponsive.
Thresholds:
Extreme - FGT starts dropping new sessions. 95% is the default.
Red - Enters conserve mode. 88% is the default.
Green - Exits conserve mode. 82% is the default.
Logs in Conserve Mode
When in conserve mode, the GUI can be unresponsive. Use the commands below instead.
execute log filter category 1
execute log display
diagnose debug crashlog read
Command to check if FGT is in Conserve mode
diagnose hardware sysinfo conserve
During Conserve mode, FortiOS activates certain protection measures:
System Config cannot be changed (because it might increase memory usage)
FGT skips quarantine actions (including FortiSandbox analysis)
For proxy-based inspected traffic during conserve mode:
The av-failopen setting defines the action applied while in conserve mode, as long as the extreme threshold is not exceeded:
config system global
set av-failopen [off | pass | one-shot]
end
off: All new sessions with content scanning enabled are not passed.
pass (default): All new sessions pass without traffic inspection.
one-shot: Similar to pass in that traffic is not inspected. However, the FGT keeps bypassing the AV proxy even after leaving conserve mode. Admins must either change this setting or restart the device for AV scanning to resume.
This setting also applies to flow-based AV inspection.
Fail-Open Session Setting
This setting controls how FortiOS handles a session when it exhausts available sockets to process proxy-based inspection:
config system global
set av-failopen-session [enable | disable]
enable - Sessions are allowed without inspection
disable (default) - Block all new sessions that require proxy-based inspection
Memory Tension Drops
The kernel deletes the oldest sessions if it cannot allocate more memory pages.
No direct link with conserve mode.
Shown in the output of diagnose sys session stat as:
memory_tension_drop=X
Ephemeral Drops
Ephemeral = A TCP session that is not fully established, or a UDP session with only a single packet received
These types of open sessions are common in DoS attacks.
To protect memory use, FortiOS sets a limit on the total number of ephemeral sessions (based on the FGT model).
From the diagnose sys session stat output:
ephemeral=<current session count>/<max number>
Memory Optimization
Disable features that are not required:
Inspection of specific protocols (HTTP, FTP, SMTP, POP, IMAP)
Logging to memory
DHCP server
Some IPS signatures
Reduce maximum file size to inspect (10MB is default):
config firewall profile-protocol-options
edit (profile_name)
config (protocol)
set oversize-limit (MB)
end
TTL Memory Use Optimization
FortiGuard cache TTL:
config system fortiguard
set webfilter-cache-ttl (seconds - 3600 is default)
set antispam-cache-ttl (seconds - 1800 is default)
end
Reduce session TTL:
Global for TCP = config system session-ttl (seconds - 2600 is default)
For UDP = config system global
set udp-idle-timer (seconds - 180 is default)
Reduce DNS cache
config system dns
set dns-cache-ttl (seconds - 1800 is default)
end
For each service:
config system session-ttl
config port
edit (id)
set timeout (seconds)
end
For each firewall policy:
config firewall policy
edit (id)
set session-ttl (seconds - 3600 is default)
For each application control entry:
config application list
edit (name)
config entries
edit (id)
set session-ttl (seconds)
end
end