vprabhu_FTNT (Staff)
Article Id 240076

 

Description: This article describes how a DoS policy set up to rate-limit traffic on the external interface can cause slow traffic and IPsec tunnel problems, and how to exempt legitimate peers from the rate limiting.
Scope: FortiGate.
Solution

Generally, a DoS policy is configured on the external interface to rate-limit traffic arriving from public networks toward internal hosts, in order to mitigate attacks coming in from the Internet.


However, the same rate limits can disrupt IPsec tunnel establishment and data transfer, and because the symptoms look like an ordinary connectivity problem the cause is hard to identify.

 

In another scenario, a DoS policy can slow traffic to a VIP that listens on the external interface, or slow traffic through the FortiGate in general.

 

This happens because the DoS policy rate-limits traffic on the UDP anomalies (udp_flood, udp_scan, udp_src_session) and on tcp_src_session; IKE and NAT-T traffic from a busy IPsec peer, or a steady stream of connections to a VIP, can cross those thresholds even though it is legitimate.

 

To allow traffic that is expected from known sources, such as IPsec peers whose UDP packets (IKE on port 500, NAT-T on port 4500) are legitimate and continuous, create a new DoS policy that matches those public hosts with no limit on the expected traffic, and place it above the generic rate-limiting policy.

 

DoS policies are evaluated top-down and the first matching policy applies, so the legitimate traffic then flows uninterrupted while everything else is still subject to the generic policy.

 

To do this, go to Policy & Objects -> IPv4 DoS Policy and create a new DoS policy. Select the remote IPsec gateway IPs as the source and IKE as the service, so that both IPsec connection setup and the tunnel traffic carried over UDP are matched. Keep the source address as narrow as possible: every host matched by this policy is exempt from rate limiting altogether.

 

001.png

 

Ensure that udp_scan and udp_src_session are disabled in this policy. Since the purpose of the policy is to exempt this traffic, any other anomaly the generic policy enforces on it, such as udp_flood, should be disabled here as well. Save the changes.

 

002.png

 

003.png

 

Move the new DoS policy to the top so that it is evaluated first, and this traffic is allowed without the rate limits configured on the generic policy.

 

004.png

 

Create any other DoS policy needed for legitimate traffic that should pass unrestricted (for example, the known clients of a VIP on the external interface) and move it above the generic policy as well.

 

Check the anomaly logs under Log & Report to confirm whether the DoS policy is still blocking any traffic. Blocks only appear there if logging is enabled for the anomaly in the DoS policy, so enable it on the generic policy while troubleshooting.
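The same procedure as a FortiOS CLI transcript, added here as an illustration and not taken from the article or from Fortinet's documentation. The interface name wan1, the address object ipsec-peers, the peer address 203.0.113.10 (a documentation address), the policy IDs (1 for the existing generic policy, 2 for the new exemption) and the log category number are assumptions; adapt them to the unit. It goes slightly beyond the GUI steps above by matching the predefined ESP service alongside IKE, so that tunnels which do not use NAT-T (ESP as IP protocol 50 rather than UDP) are covered by the same exemption.

```text
# Address object for the remote IPsec gateway. 203.0.113.10 is a
# documentation address standing in for the real peer IP (assumption).
config firewall address
    edit "ipsec-peers"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Exemption policy: matches only the known peers and the IPsec services.
# Every anomaly that the generic policy enforces on this traffic is
# disabled here, so a match in this policy means no rate limiting at all.
config firewall DoS-policy
    edit 2
        set name "allow-ipsec-peers"
        set interface "wan1"
        set srcaddr "ipsec-peers"
        set dstaddr "all"
        set service "IKE" "ESP"
        config anomaly
            edit "udp_flood"
                set status disable
            next
            edit "udp_scan"
                set status disable
            next
            edit "udp_src_session"
                set status disable
            next
            edit "tcp_src_session"
                set status disable
            next
        end
    next
end

# DoS policies are evaluated top-down, first match wins: place the
# exemption above the generic rate-limiting policy (assumed to be ID 1).
config firewall DoS-policy
    move 2 before 1
end

# Verification: confirm the order, then check whether the generic policy
# still logs blocks. Logging must be enabled on the anomaly for a block
# to be written; category 7 is the anomaly log category (assumption,
# check the CLI help on the unit if it differs).
show firewall DoS-policy
execute log filter category 7
execute log display
diagnose ips anomaly list
```

After applying the change, the IKE and ESP packets from 203.0.113.10 hit policy 2 first and are passed without counting against any threshold, while traffic from any other source still falls through to policy 1. If the anomaly log keeps showing blocks from the peer after this, check that the source address in the log matches the address object exactly (a peer behind NAT presents its public address, not the tunnel endpoint configured in the phase 1 settings).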