How to avoid FortiGate entering conserve mode

“The system has entered conserve mode”

“Fortigate has reached connection limit for n seconds”

This is the status field from the “Alert message control” on the System Dashboard. The status indicates a critical level on the FortiGate device when it has entered conserve mode.

This problem happens when shared memory goes over 80%; to exit conserve mode you have to wait (or kill some of the processes) until the memory goes under 70%. A FortiGate goes into conserve mode as a self-protection measure when a memory shortage appears on the system. When entering conserve mode, the FortiGate activates protection measures in order to recover memory space. When enough memory is recovered, the system exits conserve mode and releases the protection measures.

Antivirus fail-open is a safeguard feature that determines the behavior of the FortiGate AntiVirus system when it becomes overloaded with high traffic.

Pros & Cons on FortiOS 5.0


This is just an appraisal based on my experience, not an official statement by Fortinet. Fortinet has improved their OS with many features, besides some of their features that were reduced in FortiOS 5.0.

1. New console interface with more content and features, and also more IPS signature and Antivirus database updates.

OmniSwitch 10K – Multi-Chassis Link Aggregation (MC-LAG)

Multi-Chassis Link Aggregation (MC-LAG)

Key points:
• MC-LAG provides active/active dual-homed connectivity to standards-based L2 edge devices. There is no support for standby ports.
• Internal automatic configuration will disable spanning tree functionality on MC-LAG aggregate ports.
• MC-LAG peers are seen as one aggregated group by dual-homed edge device(s).
• MAC addresses learned on an MC-LAG aggregate in one of the multi-chassis peers are also learned on the other switch on the same MC-LAG aggregate.
• A loop or duplicate packet prevention mechanism is implemented so that non-unicast frames received on the Virtual Fabric Link are not flooded out of any local MC-LAG ports.
• MC-LAG aggregates can be configured using either static or dynamic link aggregation. The key point when configuring the aggregates is that from the edge switch’s point of view, it looks like the edge is connected to a single chassis.
• Brought to you by Alcatel-Lucent 😀

OSPF on Alcatel-Lucent 7750 Service Router

OSPF Configuration:

A:R1# configure router ospf
A:R1>config>router>ospf# area
A:R1>config>router>ospf>area# interface "system"
A:R1>config>router>ospf>area>if# back
A:R1>config>router>ospf>area# interface "Interface-to-R2"
A:R1>config>router>ospf>area>if# back
A:R1>config>router>ospf>area# interface "Interface-to-R3"
A:R1>config>router>ospf>area>if# exit

BGP on Alcatel-Lucent 7750 Service Router

UPSTREAM Router AS Number: 54321
UPSTREAM Router IP Address for eBGP peering with SR1:
SR1-7750 AS Number: 12345
SR1-7750 IP Address for eBGP:
SR1-7750 IP Address for iBGP:
SR2-7750 AS Number: 12345
SR2-7750 IP Address for eBGP:
SR2-7750 IP Address for iBGP:

1. Create Autonomous System (AS) Number
A:SR1-7750# configure router autonomous-system 12345
A:SR2-7750# configure router autonomous-system 12345

2. Preparing the interface

Telephone Numbers 2 (Indonesia)

Telephone codes for the Indonesian region. Hopefully useful (especially for those traveling home for the holidays with Flexi). :p

Telephone Numbers 1 (International)

List of international telephone codes. Hopefully useful.
