This article describes why the user may see a large amount of FortiCron log entries seen related to IPS debugging in logs. A solution is offered.
Scope
FortiOS 5.X, 6.X and 7.X.
Solution
These messages are for IPS related processes:
One step of the current process of enabling/disabling the IPS engine debug messages is:
- A process sends a message to ipsmonitor to run a diagnose command in each IPS daemon process.
- The ipsmonitor then forwards the message to each IPS daemon process one by one. A loop is in place to find each ipsengine process and send it a message, wait for its acknowledgement, and then continue with the next one.
- Once ipsmonitor finishes all of the ipsengine processes, it will acknowledge the process sent in the message in step 1.
In the above steps, the step 2 can be time consuming if the platform has many ipsengine processes, and the process sending messages to
ipsmonitor may time out, so it can give informational messages related to forticron and IPS.
Manually resetting debug filter in such instances using the following commands will stop the messages:
diag debug reset diag debug flow filter clear diag debug flow trace stop diag debug disable