High CPU Usage

Symptom: FortiGate CPU at 80%+ sustained, GUI slow, calls/sessions degraded, log alerts firing.

Diagnose

# Current CPU + memory:
get system performance status

# Per-process CPU/memory (like top):
get system performance top
diagnose sys top 5    # refresh every 5 sec

Identify which process(es) burn CPU:

• ipsengine / urlfilter / scanunitd — security inspection (AV/IPS/Web Filter). Either high traffic, or inspection set too aggressive.
• httpsd — HTTPS admin GUI or REST API.
• sshd — SSH sessions.
• miglogd — log forwarding.
• fnbamd — auth (RADIUS/LDAP) under heavy load.
• node — Node.js (GUI).

# Top sessions / source IPs:
diagnose sys session stat
diagnose sys session list | head -50

# Active calls / flows by app:
diagnose firewall iprope show 100004 | head -20

Fixes by Process

ipsengine high

• Heavy AV/IPS load. Options:
  • Reduce inspection scope (turn off proxy mode where flow mode suffices).
  • Use IPS signature filters (don't enable Linux signatures on Windows-only network).
  • Hardware capacity — upgrade model if sustained.

httpsd high

• Lots of admin GUI / API hits. Restrict GUI access (local-in policy) so external scanners can't hit it.
• Rate-limit REST API consumers.

sshd high

• SSH brute-force from public. Block via firewall.

miglogd high

• Logging too verbose. Filter categories you don't need.

fnbamd high

• Auth server (RADIUS/LDAP) overloaded. Cache replies (set auth-cache-timeout), or scale auth backend.

Sustained high CPU on small models

Some symptoms reflect the FortiGate model being undersized for traffic. Check get hardware status — sustained 80%+ across days means upgrade.

Related Pages

• Check System Information
• View System Status
• Configure Firewall Policies