
大萝卜's Blog

   bu.cublog.cn
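About the author
Name:       大萝卜
Occupation: I've heard people say that technical support is the most thankless job in the IT industry, and so I started feeling depressed!
Signature:  I thought we both belonged to the same /30, and only when Ping returned Timed out did I realize we were in different Vlans. I tried using love as the Route and verified it with Traceroute, but the Syn_received result from Netstat broke my heart. So I chose deny any and deny ip any any, but in my heart I have always been waiting for the day the Vpn arrives; please put me inside your Acl.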
Mailto:bxz1981#gmail.com

"FortiGate has reached connection limit..." message

The above message may be displayed on the Alert Message Console in the GUI. It is similar to the “The system has entered conserve mode” Event log message.

Explanation:

The antivirus engine was low on memory for the duration of time shown. Depending on model and configuration, content can be blocked or pass unscanned under these conditions.

“The system has entered conserve mode” log message explanation

The FortiGate antivirus system operates in one of two modes, depending on the unit’s available memory. If the free memory is greater than 30% of the total memory then the system is in non-conserve mode. If the free memory drops to less than 20% of the total memory, then the system enters conserve mode. When the free memory once again reaches 30% or greater of the total memory, the system returns to non-conserve mode.
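The two thresholds above form a hysteresis band: between 20% and 30% free memory the unit stays in whichever mode it was already in. The following Python is an added example, not part of the original post and not Fortinet code; it replays constructed free-memory readings to count how often and how long a unit would be in conserve mode. The function names, the sample values and the assumption that the unit starts in non-conserve mode are illustrative.

```python
from dataclasses import dataclass

ENTER_BELOW = 20.0  # free memory (%) below which the unit enters conserve mode
EXIT_AT = 30.0      # free memory (%) at or above which it returns to non-conserve


@dataclass
class Transition:
    index: int       # position of the sample that triggered the change
    free_pct: float  # free memory (%) at that sample
    conserve: bool   # True = entered conserve mode, False = left it


def track_conserve_mode(free_pct_samples, start_in_conserve=False):
    """Replay free-memory percentages and return every mode transition.
    Readings from 20% up to (but not including) 30% keep the previous mode."""
    conserve = start_in_conserve  # assumption: starting mode is not on the page
    transitions = []
    for i, pct in enumerate(free_pct_samples):
        if not 0.0 <= pct <= 100.0:
            raise ValueError(f"sample {i}: {pct!r} is not a percentage")
        if not conserve and pct < ENTER_BELOW:
            conserve = True
        elif conserve and pct >= EXIT_AT:
            conserve = False
        else:
            continue  # no threshold crossed, mode unchanged
        transitions.append(Transition(i, pct, conserve))
    return transitions


def conserve_summary(free_pct_samples):
    """Return (entries into conserve mode, number of samples spent in it)."""
    changes = {t.index: t.conserve for t in track_conserve_mode(free_pct_samples)}
    conserve, entries, in_conserve = False, 0, 0
    for i in range(len(free_pct_samples)):
        if i in changes:
            conserve = changes[i]
            entries += conserve   # counts only transitions into conserve mode
        in_conserve += conserve   # samples during which scanning is degraded
    return entries, in_conserve


# Constructed sample readings (free memory %), not taken from a real unit.
SAMPLES = [42, 31, 24, 19, 22, 29, 30, 25, 18, 27, 35]

if __name__ == "__main__":
    print(track_conserve_mode(SAMPLES))
    print(conserve_summary(SAMPLES))
```

Readings of 22% and 29% after an entry do not end conserve mode, which is why a unit hovering in the band can spend far longer with degraded scanning than the number of log entries suggests.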

Antivirus functionality and performance are impacted when the unit enters conserve mode. For more information, see the Fortinet Knowledge Center article "Antivirus failopen and optimization".

A FortiGate unit that continuously and frequently enters conserve mode may be undersized for the type of network flows it is scanning. You can do the following to alleviate the problem:

  • Disable logging to memory (Log&Report > Log Config > Log Setting).
  • Disable antivirus scanning for certain protocols (HTTP, FTP, SMTP, POP, IMAP) (Firewall > Protection Profile).
  • Reduce the ‘Oversize Threshold Configuration’ memory settings for each respective protocol (Anti-Virus > Config > Config).
  • Disable the DHCP server if it is not necessary (System > DHCP > Service and System > DHCP > Server).
  • Disable DNS Forwarding if it is not necessary (System > Network > DNS).
  • Disable all IPS Signatures and Anomaly detections if IPS is not being used. This can be done in a single operation by issuing the CLI command: diag ips global all status disable. If IPS is being used, disable all Signatures/Anomalies that are not relevant or required in your network environment (IPS > Signature and IPS > Anomaly).
  • Replace the FortiGate unit with a model that has more memory. See the Fortinet Knowledge Center article "Maximum oversize threshold" for memory sizes per FortiGate model.

Note: You will have to reboot the FortiGate unit after disabling the various features and services in order to free up the memory.

See also the Fortinet Knowledge Center article "How to Achieve Maximum Performance with a FortiGate Antivirus Firewall" for other related information. Although this document states that it is for v2.50, it can also be applied to v2.80.

 

 Posted: 2006-10-11; modified: 2006-10-11 11:41


Copyright © 2001-2006 ChinaUnix.net All Rights Reserved
