bkashava
Staff
April 27, 2026

Technical Tip: Exempting trusted fragmented traffic from global IP Fragmentation Protection on FortiADC


Description

This article describes a case where legitimate traffic is dropped by FortiADC's global IP Fragmentation Protection even when no Web Application Firewall profile is applied to the Server Load Balance policy, and shows how to exempt trusted sources with a DoS exception.

In some deployments, traffic destined for back-end services, such as SIEM/syslog collectors behind FortiADC, is blocked and logged with the attack type ddos_ip_fragmentation. This happens independently of the virtual server or Web Application Firewall policy configuration, because the drop is enforced by the global fragmentation protection mechanism rather than by any per-policy profile.

Scope

FortiADC v8.x (the DoS exception feature used here is available in this branch).

Solution

The drops occur when fragmented traffic reaches the global fragmentation protection limit: once the fragment reassembly memory reaches its maximum (4096 KB), FortiADC drops newly arriving fragmented packets instead of reassembling them. Log indicators of this condition include:

  • Event/log entries showing ddos_ip_fragmentation.

  • Traffic identified as: proto=0 service=ip

proto=0 service=ip means the packet was classified as raw IP rather than by transport protocol. This is consistent with fragmented UDP syslog (for example UDP/514): only the first fragment of a datagram carries the UDP header, so later fragments have no port to classify on. Take a packet capture on the FortiADC interface facing the sender to confirm that the dropped packets are fragments (MF flag set or non-zero fragment offset) and that the first fragment belongs to the expected flow.
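Before adding an exception, it is worth confirming from the logs which sources are actually being dropped and, from a capture, that the packets are fragments of the expected UDP/514 datagram. The following Python helper is an added example, not part of the original article and not Fortinet code: it pulls source addresses out of constructed key=value log lines carrying the ddos_ip_fragmentation indicator (the field names src, attack, action, proto and service are assumed, not FortiADC's documented log schema) and decodes the IPv4 fragmentation fields of two constructed packets that represent a 1600-byte syslog datagram split at a 1500-byte MTU. All addresses are documentation ranges.

```python
"""Triage helpers for FortiADC ddos_ip_fragmentation drops (added example, not Fortinet code).

1. dropped_sources()/exception_candidates(): which sources are being dropped and which of
   them are trusted, so the DoS exception is scoped to exactly those hosts.
2. decode_ipv4()/classify_capture(): read fragmentation fields of raw IPv4 packets from a
   capture to confirm they are fragments of a UDP/514 datagram.
Log layout (key=value fields) is assumed, not FortiADC's documented schema; packets are constructed.
"""
import ipaddress
import struct
from collections import Counter

# Constructed sample log lines (assumed key=value layout, documentation IPs).
SAMPLE_LOG = """\
date=2026-04-27 time=10:01:02 type=attack attack=ddos_ip_fragmentation src=192.0.2.10 dst=198.51.100.5 proto=0 service=ip action=deny
date=2026-04-27 time=10:01:02 type=attack attack=ddos_ip_fragmentation src=192.0.2.10 dst=198.51.100.5 proto=0 service=ip action=deny
date=2026-04-27 time=10:01:03 type=traffic src=203.0.113.7 dst=198.51.100.5 proto=6 service=https action=accept
date=2026-04-27 time=10:01:04 type=attack attack=ddos_ip_fragmentation src=192.0.2.11 dst=198.51.100.5 proto=0 service=ip action=deny
"""


def parse_kv(line):
    """Split a space-separated key=value log line into a dict."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value.strip('"')
    return fields


def dropped_sources(log_text):
    """Count ddos_ip_fragmentation denies per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f.get("attack") == "ddos_ip_fragmentation" and f.get("action") == "deny":
            counts[f["src"]] += 1
    return counts


def exception_candidates(counts, trusted):
    """Return /32 entries only for sources that were both dropped and explicitly trusted,
    so the exception never widens to an untrusted or unaffected host."""
    return [f"{ip}/32" for ip in sorted(counts, key=ipaddress.ip_address) if ip in trusted]


def build_ipv4(src, dst, ident, more_fragments, offset_bytes, proto, payload):
    """Build a minimal IPv4 header (no options, zero checksum) for a constructed fragment."""
    flags_off = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def decode_ipv4(pkt):
    """Decode the fragmentation-relevant fields of an IPv4 packet."""
    ver_ihl, _tos, _tlen, ident, flags_off, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_off & 0x2000)
    offset = (flags_off & 0x1FFF) * 8  # the offset field is in 8-byte units
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "id": ident, "proto": proto, "mf": more_fragments, "offset": offset,
            "fragment": more_fragments or offset > 0, "dport": None}
    # Only the first fragment (offset 0) carries the UDP header; later fragments have no
    # port to classify on, which is consistent with a device logging them as proto=0 service=ip.
    if proto == 17 and offset == 0 and len(pkt) >= ihl + 8:
        _sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        info["dport"] = dport
    return info


def classify_capture(packets):
    """Group packets by (src, dst, IP ID); report fragment count and the first fragment's port."""
    groups = {}
    for pkt in packets:
        d = decode_ipv4(pkt)
        g = groups.setdefault((d["src"], d["dst"], d["id"]), {"fragments": 0, "dport": None})
        if d["fragment"]:
            g["fragments"] += 1
        if d["dport"] is not None:
            g["dport"] = d["dport"]
    return groups


# Constructed capture: one UDP/514 datagram with a 1600-byte payload, split into two
# fragments the way a 1500-byte MTU path would split it (first fragment is exactly 1500 bytes).
UDP_HEADER = struct.pack("!HHHH", 40000, 514, 8 + 1600, 0)
FRAG1 = build_ipv4("192.0.2.10", "198.51.100.5", 0xBEEF, True, 0, 17, UDP_HEADER + b"A" * 1472)
FRAG2 = build_ipv4("192.0.2.10", "198.51.100.5", 0xBEEF, False, 1480, 17, b"A" * 128)

if __name__ == "__main__":
    counts = dropped_sources(SAMPLE_LOG)
    print("ddos_ip_fragmentation denies per source:", dict(counts))
    print("exception entries for trusted hosts:", exception_candidates(counts, {"192.0.2.10"}))
    for key, group in classify_capture([FRAG1, FRAG2]).items():
        print(key, group)
```

The exception list is derived from the intersection of what was dropped and what is trusted, which keeps the scope at a /32 per host; the capture check shows why only the first fragment can be matched to port 514 and why the remaining fragments surface as raw IP.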

To allow legitimate fragmented traffic from a trusted source, configure a DoS exception and apply it under IP fragmentation protection. Example configuration:

config security dos exception
    edit "SIEM_exception"
        config exception-rule
            edit 1
                set type ip-netmask
                set ip-network 192.0.2.10/32
            next
        end
    next
end


Then apply the exception under fragmentation protection:

config security dos ip-fragmentation-protection
    set exception "SIEM_exception"
end


After the exception is applied, fragmented traffic from the matching source bypasses the fragmentation protection drops; fragments from all other sources remain subject to the global limit.

Additional notes:

  • The example configuration shown is based on the FortiADC v8.x CLI structure.

  • Earlier FortiADC branches may not support the DoS exception (fragmentation exemption) feature, so the method shown here may not be available on them.

  • Scope each exception to a single host (/32) or the smallest subnet that covers the trusted senders. An exempted source is no longer bounded by the fragmentation protection, so anything it sends can consume reassembly memory; keeping the exemption narrow limits that exposure to hosts you control.
