Fortigate High CPU Usage


One of my Fortigate UTMs running on FortiOS 5.2 was having high CPU usage. This issue was going on for five weeks as per my monitoring tool. This wasn’t detected until I graphed all Fortigate UTMs’ CPUs in one graph. My monitoring didn’t fire an alert because the threshold was set to 80% and above.

I investigated the issue and found out there were two processes running at 99.9%: ipsengine and alertmail. I found this by running the “diagnose sys top” command from the CLI. The odd thing was that these two processes were turned off globally on the box.

fortigate (global) # diagnose sys top
Run Time:  43 days, 14 hours and 5 minutes
26U, 0N, 30S, 44I; 3954T, 2229F, 115KF
       ipsengine       74      R <    99.9     0.3
       alertmail       99      R      99.9     0.3
          httpsd      118      S      17.3     1.1
          httpsd    12560      S       6.4     0.5
          httpsd      116      S       0.9     1.2
           sqldb       84      S       0.0     1.4

The command to kill a process is "diagnose sys kill 11 (process_id)". Entering the command once didn't kill the process, so I had to run it multiple times. However, this didn't kill the alertmail process, as you can see from the snippet below.

fortigate (global) # diagnose sys kill 11 74
fortigate (global) # diagnose sys kill 11 74
fortigate (global) # diagnose sys kill 11 74

Run Time:  43 days, 14 hours and 18 minutes
8U, 0N, 17S, 75I; 3954T, 2309F, 115KF
       alertmail       99      R      99.9     0.3
           sqldb       84      S       0.0     1.4
          httpsd      116      S       0.0     1.2
          httpsd      118      S       0.0     1.1
         updated       90      S       0.0     0.9
         pyfcgid    12581      S       0.0     0.7
         pyfcgid    12582      S       0.0     0.7
         pyfcgid    12583      S       0.0     0.7
         pyfcgid    12580      S       0.0     0.7

By using kill signal 9 (which forces immediate termination), I successfully killed the alertmail process.
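
The gap described above (an 80% whole-box threshold that never fires while individual processes sit at 99.9%) can be closed by checking per-process CPU across consecutive `diagnose sys top` captures. The following is an added example, not part of the original post: the function names, the 90% per-process limit and the reading of the header as busy = 100 - idle are assumptions, and the two snapshots are the post's own output trimmed to a few rows.

```python
import re

# Rows copied from the two `diagnose sys top` outputs in the post (trimmed).
SNAPSHOT_1 = """\
Run Time:  43 days, 14 hours and 5 minutes
26U, 0N, 30S, 44I; 3954T, 2229F, 115KF
       ipsengine       74      R <    99.9     0.3
       alertmail       99      R      99.9     0.3
          httpsd      118      S      17.3     1.1
           sqldb       84      S       0.0     1.4
"""
SNAPSHOT_2 = """\
Run Time:  43 days, 14 hours and 18 minutes
8U, 0N, 17S, 75I; 3954T, 2309F, 115KF
       alertmail       99      R      99.9     0.3
           sqldb       84      S       0.0     1.4
          httpsd      116      S       0.0     1.2
"""

# Header: user, nice, system, idle percentages.
HEADER = re.compile(r"(\d+)U,\s*(\d+)N,\s*(\d+)S,\s*(\d+)I")
# Process row: name, PID, state (optional '<' flag), CPU %, memory %.
PROC = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*<?\s+([\d.]+)\s+([\d.]+)\s*$")

def parse_top(text):
    """Return (busy_percent, {pid: (name, state, cpu)}) for one snapshot."""
    busy, procs = None, {}
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            busy = 100 - int(h.group(4))  # assumption: busy = 100 - idle
            continue
        m = PROC.match(line)
        if m:
            name, pid, state, cpu, _mem = m.groups()
            procs[int(pid)] = (name, state, float(cpu))
    return busy, procs

def pinned(procs, limit=90.0):
    """Processes at or above the per-process CPU limit."""
    return {pid: p for pid, p in procs.items() if p[2] >= limit}

def sustained(snap_a, snap_b, limit=90.0):
    """Names of processes whose PID is over the limit in both snapshots."""
    a = pinned(parse_top(snap_a)[1], limit)
    b = pinned(parse_top(snap_b)[1], limit)
    return sorted(a[pid][0] for pid in a.keys() & b.keys())
```

On these captures the whole-box figure is 56% and then 25%, both under the 80% alert threshold, while `sustained()` still reports alertmail as pinned in both.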
