Critical process(es) down for Fortinet

Vendor

Fortinet

Description

Many devices have critical processes, usually daemons, that must be up for certain functions to work. Indeni will alert if any of these goes down.

Remediation Steps

Review the cause for the processes being down.

1. Log in via SSH to the Fortinet firewall and run the FortiOS command "diagnose sys top [refresh_time_sec] [number_of_lines]" to get the Process-id, State, CPU and Memory utilization per process. Press to sort by CPU usage or to sort by memory usage.

2. Log in via SSH to the Fortinet firewall and run the FortiOS command "diagnose sys top-summary '-h'" to list the command options and get additional information per process. A sample command is "diagnose sys top-summary '-s mem -i 60 -n 10'". If the value in the FDS (File Descriptors) column keeps increasing, it may indicate a memory leak.

3. Review the state of each process provided by the above commands. The normal states are S (Sleeping), R (Running) and D (Do not Disturb). The abnormal states are Z (Zombie) and D (Do not Disturb).

4. Try to restart the problematic process by running the command "diag sys kill 11 ". The process ID can be found with the commands above.

5. Check the logs for any indication of why the process stopped or cannot restart.

6. If the problem persists, contact Fortinet Technical support at https://support.fortinet.com/ for further assistance.

How does this work?

This script logs into the Fortinet firewall through SSH and retrieves the status of running processes by running the FortiOS command fnsysctl ps. The script then compares the list of currently running processes to a known list of critical processes and checks to see that they are all up. If any are down or in an abnormal state, Indeni raises an alert.
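The check described above, written out as an added example (this is not Indeni's own script): it parses constructed `fnsysctl ps` output, whose column layout (PID UID GID STATE CMD) is an assumption here, compares it against an assumed list of critical daemon names, and reports each daemon that is missing or has an instance in an abnormal state.

```python
from collections import defaultdict

# Constructed sample of `fnsysctl ps` output; the column layout is assumed.
SAMPLE_PS = """\
  PID    UID   GID STATE CMD
    1      0     0   S   /bin/init
   42      0     0   S   /bin/miglogd
   57      0     0   R   /bin/ipsengine
   58      0     0   Z   /bin/ipsengine
   91      0     0   S   /bin/httpsd
  120      0     0   D   /bin/sslvpnd
"""

# Hypothetical list of critical daemons; a real rule carries its own list.
CRITICAL = ("miglogd", "ipsengine", "httpsd", "sslvpnd", "wad")
# Z (Zombie) is treated as abnormal; add "D" here if local policy treats it so.
ABNORMAL_STATES = {"Z"}

def parse_ps(output):
    """Map process name -> [(pid, state), ...] from fnsysctl ps text."""
    procs = defaultdict(list)
    for line in output.strip().splitlines()[1:]:   # skip the column header
        fields = line.split()
        if len(fields) < 5 or not fields[0].isdigit():
            continue                               # ignore malformed lines
        pid, state, cmd = int(fields[0]), fields[3], fields[4]
        name = cmd.rsplit("/", 1)[-1]              # /bin/miglogd -> miglogd
        procs[name].append((pid, state))
    return procs

def check_critical(procs, critical=CRITICAL, abnormal=ABNORMAL_STATES):
    """Return (name, problem) for each critical daemon that is down or abnormal."""
    findings = []
    for name in critical:
        entries = procs.get(name, [])
        if not entries:
            findings.append((name, "down"))
            continue
        bad = [f"pid {pid} state {st}" for pid, st in entries if st in abnormal]
        healthy = [st for _, st in entries if st not in abnormal]
        if bad and not healthy:
            findings.append((name, "abnormal: " + ", ".join(bad)))
        elif bad:   # at least one healthy instance remains alongside a bad one
            findings.append((name, "partially abnormal: " + ", ".join(bad)))
    return findings

if __name__ == "__main__":
    for name, problem in check_critical(parse_ps(SAMPLE_PS)):
        print(f"ALERT {name}: {problem}")
```

On the sample this flags `ipsengine` (one zombie instance beside a running one) and `wad` (not present at all); `sslvpnd` in state D is not flagged unless D is added to the abnormal set.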

Why is this important?

Critical daemons must be up for the functions that depend on them to work, so a process that has died or entered an abnormal state means those functions are silently failing. Alerting as soon as this happens lets an administrator investigate the cause and restart the process before users are affected.

Without Indeni how would you find this?

An administrator could manually login and retrieve/parse the data, or could write a script to poll the firewalls and parse the returned data.
