Can't use srcaddr-negate on DoS policies. How can we filter out private IPs?

Forum|Forum|4 years ago
October 18, 2021
1 reply
3050 views

We have applied a DoS policy on a WAN interface with the intent that all inbound public traffic will be checked for anomalies. However we're seeing in the logs that traffic from the VPN tunnels (using that WAN interface) are being inspected. We do not want the "child" VPN tunnels to be DoS inspected.

To work around this on a normal firewall policy we would use "srcaddr-negate" and match all traffic that is not a private IP. That command is not available on a DoS policy, so I don't see a way to exempt that VPN traffic. Any ideas?

bascheewAuthor

Visitor III

Found a work around. Create a second DoS policy with the VPN peer IPs as the source addresses and set the action to disable: https://www.adnsolutions.com/fortigate-dos-policy-on-wan-blocking-vpn-traffic/

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded