Understanding Proxy Conserve Mode and Kernel Conserve Mode in FortiGate
This article provides an overview of proxy conserve mode, often called 'conserve mode,' as well as kernel conserve mode within the FortiGate environment.
FortiGate devices, which are part of the Fortinet security fabric, utilize various modes to optimize performance and resource management. Two such modes are Proxy Conserve Mode and Kernel Conserve Mode. Understanding these modes is crucial for network administrators who aim to maintain optimal performance while ensuring security.
Proxy Conserve Mode
Definition
Proxy Conserve Mode is a feature that allows FortiGate devices to manage their resources more efficiently when under heavy load. This mode is primarily used in the context of web filtering and application control, where the FortiGate acts as a proxy server.
Total Memory | Enter Threshold | Exit Threshold |
>=128 MB | 10MB | 20MB |
>=256 MB | 40MB | 60MB |
>=512MB | 20% | 30% |
>= 1 GB | 12% | 18% |
How It Works
When Proxy Conserve Mode is activated, the FortiGate device reduces the number of concurrent sessions it can handle by limiting certain functionalities. This helps prevent system overload during peak traffic times. The device prioritizes essential functions while temporarily disabling less critical features to ensure that core services remain operational.
Triggering Conditions
Proxy Conserve Mode is typically triggered under specific conditions:
- High CPU Utilization: When CPU usage exceeds a predefined threshold (often around 80% or higher), the system may automatically switch to conserve mode.
- Memory Constraints: If available memory drops below a certain level, this mode may be activated to free up resources.
- Traffic Spikes: Sudden increases in traffic can lead to resource exhaustion; thus, the system may enter conserve mode to maintain stability.
Kernel Conserve Mode
Definition
Kernel Conserve Mode operates at a lower level than Proxy Conserve Mode and focuses on conserving kernel resources. It is designed to ensure that critical networking functions continue to operate even when the device faces extreme resource constraints.
Total Memory | Enter Threshold | Exit Threshold |
512 MB | 20% | 30% |
>= 1GB | 200MB | 300MB |
How It Works
In Kernel Conserve Mode, the FortiGate device limits its processing capabilities by reducing the number of active processes and prioritizing essential tasks. This includes:
- Reducing logging verbosity
- Limiting session creation
- Disabling non-essential features
This approach ensures that vital security functions like firewall rules and intrusion prevention systems remain functional even under duress.
Triggering Conditions
Kernel Conserve Mode can be triggered by:
- Severe Resource Exhaustion: When both CPU and memory usage reach critical levels.
- System Alerts: Certain alerts from monitoring systems indicating potential overload situations can prompt an automatic switch into Kernel Conserve Mode.
- Manual Configuration: Administrators can also manually enable this mode if they anticipate high loads based on historical data or planned events.
Conclusion
Both Proxy Conserve Mode and Kernel Conserve Mode serve as essential mechanisms for maintaining performance and reliability in FortiGate environments under stress. They help ensure that critical security functions remain operational while managing limited resources effectively.
In summary, Proxy Conserve Mode focuses on optimizing proxy-related operations during high load scenarios, while Kernel Conserve Mode conserves kernel-level resources for overall system stability.
Authoritative Sources Used:
- Fortinet Documentation
- Network World Articles on Fortinet Technologies
- TechTarget Guides on Firewall Management