What is this 'Swap usage is high' alert telling me?


NG Firewall has a default email alert that notifies the admin when usage of the swap partition rises above a certain threshold. This article provides some additional information that may be helpful.


What causes this alert to trigger?

By default, the alert is triggered when NG Firewall's swap partition is more than 25% full. For example, if your NG Firewall has 4 GB of swap, the alert will trigger when more than 1 GB of that partition is in use.

You can view or change the alert's threshold in Config > Events > Alerts.

Why would I change the alert?

Some swap usage is normal and nothing to worry about; you can check in Reports > System > Swap Usage to see if the amount of swap you're using is typical for your environment. Extend your timeframe back at least a few days to see what your typical amount of swap usage is.

What does this tell me?

You may find that your normal usage is around 30%, for example. In that instance, you're getting false positives because nothing is wrong: that amount of usage is normal for your environment. It's just that the alert itself is set too low.

If you're getting a lot of alerts but your swap usage is consistent, then it's recommended to change the alert threshold: set it to a value higher than your everyday usage. For example, if your NG Firewall hits 30% regularly, you may wish to set the alert to 0.40 (40%) to rule out the false positives from normal operation. Alternatively, you might choose to set it to a very high value like 0.75 (75%), which will only alert you if swap usage becomes unusually high. Finally, you might disable the alert altogether; this may be preferable in environments with large amounts of physical RAM (32 GB+).
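To see how a candidate threshold would behave against your own history, the added example below (not NG Firewall code) computes the swap fraction from `/proc/meminfo`-style text and counts how many readings would fire at 0.25, 0.40 and 0.75. The sample readings are constructed, and the strict "greater than" comparison is an assumption based on the "more than 25% full" wording above.

```python
# Added example: constructed data, not taken from an NG Firewall unit.
# On a Linux host the same text can be read from /proc/meminfo.
SAMPLE_MEMINFO = """\
MemTotal:        4039208 kB
MemFree:          212340 kB
SwapTotal:       4194304 kB
SwapFree:        2936012 kB
"""

# Constructed history: one reading every 6 hours for 5 days,
# steady around 30% with a single genuine spike.
HISTORY = [0.29, 0.31, 0.30, 0.28, 0.30, 0.32, 0.31, 0.29, 0.30, 0.33,
           0.31, 0.30, 0.82, 0.35, 0.31, 0.30, 0.29, 0.31, 0.30, 0.30]


def swap_fraction(meminfo_text):
    """Return used swap as a fraction of total swap (0.0 if no swap exists)."""
    fields = {}
    for line in meminfo_text.splitlines():
        key, _, rest = line.partition(":")
        parts = rest.split()
        if parts and parts[0].isdigit():
            fields[key.strip()] = int(parts[0])  # values are in kB
    total = fields.get("SwapTotal", 0)
    if total == 0:
        return 0.0  # no swap configured, nothing to alert on
    return (total - fields.get("SwapFree", 0)) / total


def alerts_fired(samples, threshold):
    """Count readings that exceed the threshold (assumed strict comparison)."""
    return sum(1 for s in samples if s > threshold)


def compare_thresholds(samples, thresholds=(0.25, 0.40, 0.75)):
    """Map each candidate threshold to the number of alerts it would send."""
    return {t: alerts_fired(samples, t) for t in thresholds}


if __name__ == "__main__":
    print(f"current swap usage: {swap_fraction(SAMPLE_MEMINFO):.2f}")
    for t, n in compare_thresholds(HISTORY).items():
        print(f"threshold {t:.2f}: {n} of {len(HISTORY)} readings alert")
```

With this history the default 0.25 alerts on every reading, while 0.40 and 0.75 alert only on the spike.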


Applications in use and memory considerations

Other swap usage occurs when the device is running out of physical RAM and has to use virtual memory. This is more common on units that have limited physical RAM (usually below 4 GB) and are using many NG Firewall applications.

What applications should I remove?

Virus Blocker Lite and Phish Blocker run at roughly 1 GB of RAM for just those two apps, so if you're using the full version of Virus Blocker and don't have an on-premise email server, those are great first candidates. Please refer to this article for more guidance on applications & memory usage: Reducing RAM Usage

You might also try bypassing any traffic that doesn't need to be scanned to try and limit the amount of traffic that's being processed: How to bypass traffic from filtering 

(Traffic that probably doesn't need to be scanned includes network printers, VoIP phones, PoS terminals, Internet of Things devices like smart light bulbs or speakers, etc.; as a general rule, anything that doesn't have a web browser.)
