arleniscg
Staff
January 29, 2025

Technical Tip: Threshold setting when using a custom port on an SSL VPN connection

Description
This article describes how to manually adjust the sys_reco threshold settings to cover a custom port used for SSL VPN traffic.

Scope
FortiDDoS-F.

Solution

Topology:

Remote SSL VPN user (custom port 20443) ---> ISP link ---> FortiDDoS ---> FortiGate ---> (Internal network).

  1. By default, FortiGate uses port 443, and FortiDDoS does not configure any threshold setting for this port.

[Screenshot: 0FDD.png]

  2. Verify whether there are drops on port 443/UDP and monitor the traffic:

Go to Monitor -> Layer 3/4/7 (Traffic Monitor), select the SPP and Layer 4, and examine the UDP graph. If drops are present, set a large threshold for Layer 4 / UDP Ports.

[Screenshot: 1FDD.png]

If FortiGate uses DTLS on the connection, disable it in the FortiDDoS DTLS Profile (see DTLS Profile in the FortiDDoS handbook) and SSL Profile:

[Screenshot: 3FDD.png]

[Screenshot: 4FDD.png]

To verify whether DTLS is enabled on FortiClient:

[Screenshot: 2FDD.png]

To verify whether DTLS is enabled on FortiGate through the CLI:

config vpn ssl setting
    set dtls-tunnel enable
end
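As an added example (not part of the original article), the FortiOS CLI fragment below shows the FortiGate side of this setup: the SSL VPN listening port and whether the DTLS (UDP) tunnel is enabled, which together decide which ports and protocols the remote users' traffic uses when it crosses FortiDDoS. Port 20443 is the custom port from the topology above; keeping `dtls-tunnel` enabled is an assumption matching the case the article covers.

```fortios
# Added example, not taken from the original article.
# Sets the custom SSL VPN port and keeps the DTLS tunnel on (assumption).
# The article writes "setting" (singular); the canonical table name is
# "settings", and FortiOS accepts either because unambiguous prefixes match.
config vpn ssl settings
    set port 20443
    set dtls-tunnel enable
end

# Review the resulting non-default values. With both lines present, expect
# TCP 20443 (TLS) and UDP 20443 (DTLS, same port number) from remote users to
# cross FortiDDoS, so both the TCP and the UDP threshold for that port matter.
show vpn ssl settings
```

`show` prints only values that differ from the default, so if no `set port` line appears the VPN is still listening on 443, and if no `set dtls-tunnel` line appears the firmware default applies; check the handbook for the default of the firmware in use before deciding which protocol thresholds to create on FortiDDoS.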

  3. Locate the sys_reco that contains the custom SSL port:

[Screenshot: 5FDD.png]

  4. Break the sys_reco:

[Screenshot: 6FDD.png]

  5. Delete the original sys_reco and re-create the three custom sys_recos:

[Screenshot: 7FDD.png]

[Screenshot: 8FDD.png]

[Screenshot: 9FDD.png]

Validate using the Traffic Monitor graphs (Monitor -> Layer 3/4/7) to check whether any other drops remain and whether the threshold on the custom port needs to be increased. Optionally, run Wireshark on the remote user's PC while reproducing the SSL VPN connection to confirm the traffic and ports in use.