Fortinet High CPU Usage Issue

Published on April 17, 2025, by Graham Melville

We wrote about Secure Fortinet CVE Issues in early March. Around the same time that we published that article, users on Reddit and Fortinet Support Forum started to report crashes and high CPU activity on their FortiGate devices after updating FortiOS. 

 What’s the Issue Being Reported?

 Fortinet users have observed significant CPU spikes on FortiGate devices, particularly associated with the IPS engine consuming excessive resources. This elevated CPU usage can degrade network performance, leading to slow or disrupted internet connectivity. In some cases, the issue persists even after rebooting the device. The devices reported as being affected by system admins in the discussion of the problem on Reddit (see references) are: 

  • FortiGate 60F
  • FortiGate 80F
  • FortiGate 90E
  • FortiGate 100F
  • FortiGate 200E

 While this is not an official list, it suggests that multiple models across the FortiGate product line may be susceptible. The software versions reported to exhibit the issue include FortiOS versions 7.0.12, 7.2.8, and 7.2.9. However, users have specifically noted that it is upgrading to version 7.2.9, which leads to increased CPU load due to the IPS engine. 

 A March 17th post from Fortinet support acknowledged the issue (see link in references). They provided the following information:

Customer Facing Description: High CPU peak issue after upgrading to versions higher than the following ones: 7.0.16, 7.0.17, 7.2.11, 7.4.6, or 7.4.7.

Workaround: To disable IPsec phase1 npu-offload during the maintenance window

  • FW1 #config vpn ipsec phase1-interface
  • FW1 (phase1-interface) # edit <Phase1 Name>
  • FW1 # set npu-offload disable
  • FW1# end

Trigger Condition: np6xlite(soc4), np6lite(soc3) and np7lite(soc5) can all be affected. 

In a March 18th post in the same Fortinet Support Forum thread, they wrote: “Our dev has investigated and made a code fix, which is expected to be resolved in the next GA version.” They expect this update to get released in April 2025.

Another Reason to Start the Switch to Cloudbrink 

As we outlined in our blog about the ongoing and recurring Fortinet CVE problems, there is a strong case for implementing Cloudbrink with Fortinet to mitigate Fortinet zero-day CVEs both as an immediate security boost and as a stepping stone to making Cloudbrink your primary remote access and WAN solution. This new issue with FortiGate devices, which results from applying the latest FortiOS update, highlights that system admins are often in a dilemma. They frequently need to apply patches to address a known security issue, but they don’t know if the update will cause additional problems. Comprehensive testing in a non-production environment is the gold standard, of course, but in the real world, it’s not always possible.

Cloudbrink: A Next-Generation Approach to Secure Remote Access

The Cloudbrink approach to network connectivity and security uses a modern Zero Trust Network and Secure Access Service Edge combination. The key aspects of the Cloudbrink approach that make it both an ideal remote access solution in its own right and suitable to plug the security gaps commonly discovered in Fortinet (and other legacy VPN) solutions include:

Dark Network Implementation: Eliminating Attack Surfaces

Cloudbrink uses a fully outbound-only dark network connectivity model with no ports exposed, making it invisible to threat actors and preventing direct attacks. Its architecture is based on a zero-trust framework, requiring continuous authentication and authorization.

Automated Moving Target Defense (AMTD): Dynamic Security at Scale

Cloudbrink uses AMTD to rotate security certificates several times per day, effectively countering low-and-slow cyberattacks that depend on prolonged access.

High-Performance ZTNA with Adaptive Routing

Cloudbrink builds on Zero Trust Network Access (ZTNA), whichdynamically enforces access controls for each session. Its adaptive routing algorithms automatically identify the fastest and most secure network paths, reducing latency and enhancing connectivity performance speeds up to 30x (see references). Unlike traditional VPNs, which can experience packet loss and congestion, Cloudbrink ensures seamless connectivity through intelligent packet loss recovery mechanisms. This means that if you migrate to a Cloudbrink native remote access solution, you’ll improve both security and performance for your remote workforce.

Last-Mile Optimization with FAST Edge Technology

Traditional remote access solutions often route traffic through centralized data centers, which can create performance bottlenecks. In contrast, Cloudbrink’s distributed FAST Edge network uses thousands of globally distributed Points of Presence (PoPs) to minimize latency and improve reliability. As a result, remote users can enjoy performance that feels like being in the office, no matter where they work.

No Patch Dependency: Built-in Resilience Against Zero-Day Exploits

Fortinet’s (and other supplier’s) ongoing security vulnerabilities force businesses into a continuous patching cycle, which can lead to other problems, as demonstrated by the high CPU performance issues. Cloudbrink’s zero-trust encrypted tunnels prevent typical remote code execution, authentication bypass, and credential harvesting attacks by design. With Cloudbrink, enterprises no longer need emergency patches in these situations to avert catastrophic breaches.

Final Thoughts

The recurring issues with Fortinet solutions highlight the urgent need for businesses to deploy access solutions that don’t make System Admins worry if applying the latest update will cause new problems. By adopting Cloudbrink, you can eliminate the management overhead and ongoing vulnerabilities in Fortinet products and secure your remote access infrastructure against zero-day threats using a proactive, zero-trust solution. 

Find Out More

Take control of your network security and eliminate the risks of zero-day vulnerabilities for good. Deploy Cloudbrink's Personal SASE solution and empower your workforce with the security, speed, and simplicity they deserve.

For a demo and to learn more about how Cloudbrink can transform your organization's remote access, visit our Request a Demo page. 

References

 

Author

  • Graham Melville is a marketing executive with over 25 years in security, networking, and mobility. He is technically savvy with a broad business background, including leadership roles in marketing, product management, business alliances, and corporate strategy. Graham holds patents in WLAN technology and has contributed to global standards such as the IEEE802.11i security specification.

    View all posts

Related Posts

May 27, 2025
Uncategorized
Secure VPN Zero-day CVE issues
Read More
May 23, 2025
140x Faster Than Required: How 8-Hour Certificate Rotation Defeats Quantum Threats
Read More
May 21, 2025
What is Personal SASE for the Enterprise
Read More

Categories

All
AMTD (2)
General (91)
HAaaS (16)
Network (12)
Remote Work (15)
SD-WAN (4)
SOC 2 (1)
UCaaS (1)
Uncategorized (10)
VDI (3)
VPN (7)
ZTNA (15)
Demonstration form (#8)

I'm interested

Connect with Us

Recent Posts

Secure VPN Zero-day CVE issues
140x Faster Than Required: How 8-Hour Certificate Rotation Defeats Quantum Threats
What is Personal SASE for the Enterprise
Cloudbrink Wins Global InfoSec Award for Most Innovative Secure Remote Access
Considering a Switch to ZTNA: Advice from a Senior VPN Expert
Patching Fortinet against Zero-Day Attacks