Some swap usage is normal and nothing to worry about; you can check in Reports > System > Swap Usage to see if the amount of swap you're using is typical for your environment. If you're getting a lot of alerts but the usage is only a small amount higher than 25% (the default alert threshold), then it's safe to change the alert threshold.
You can configure that in Config > Events > Alerts. The default value is 0.25, or 25% of the system's total swap partition. Set it to a value higher than your everyday usage; for example, if your NGFW hits 27% regularly, you may wish to set the alert to 0.30 (30%) to rule out the false positives from normal operation. Alternately, you might choose to set it to a very high value like 0.75 (75%), which will only alert you if swap usage becomes unusually high. Finally, you might disable the alert altogether; this may be preferable in environments with large amounts of physical RAM (32GB+).
Other swap usage occurs when the device is running out of physical RAM and has to use virtual memory. This is more common on units that have lower physical RAM (usually below 4 GB).
The most common cause of high swap usage is your application configuration. Virus Blocker Lite and Phish Blocker run at roughly 1 GB of RAM for just those two apps, so if you're using the full version of Virus Blocker and don't have an on-premise email server, those are great first candidates. Please refer to this article for more guidance on applications & memory usage: Reducing RAM Usage
You might also try bypassing any traffic that doesn't need to be scanned to try and limit the amount of traffic that's being processed: How to bypass traffic from filtering
(Traffic that probably doesn't need to be scanned includes network printers, VoIP phones, PoS terminals, Internet of Things devices like smart light bulbs or speakers, &c.; as a general rule, anything that doesn't have a web browser.)Follow