Customer Service Information and Announcements
vprabhu_FTNT
Article Id 240076
Description

This article describes how a DoS policy can cause traffic slowness and IPsec tunnel issues when rate limiting is configured on the external (WAN) interface.

Scope

FortiGate.

Solution

Note:

The DoS policy applies both to tunnel establishment traffic (IKE) and to the encrypted traffic inside the tunnel. Even though the traffic in the tunnel is encrypted, the DoS policy can still match the source and destination of the traffic flowing inside the tunnel, so the DoS policy applies to this traffic even though the interface selected in the DoS policy is the WAN interface and not the tunnel interface.
Generally, a DoS policy is configured to rate-limit traffic arriving on external interfaces from public networks toward internal networks, to mitigate attacks coming in from the Internet.

However, this can interfere with IPsec tunnel operation and data transfer, and the cause is hard to detect. If a threshold is defined for 'udp_flood' in the DoS policy, it can limit IPsec throughput when NAT-T is set to enabled or forced in the IPsec phase1 settings, because the ESP traffic is then carried in UDP on port 4500. If NAT-T is set to disabled in the phase1 settings, plain ESP is sent instead of ESP encapsulated in UDP port 4500, which does not trigger the 'udp_flood' threshold in the DoS policy.

In another scenario, the DoS policy can cause slowness for traffic to a VIP listening on the external interface, or slowness of traffic through the FortiGate in general.

This is due to the DoS policy rate-limiting traffic via the UDP flood, scan and src-session anomalies and the TCP src-session anomaly.

To allow traffic from sources such as IPsec peers, where UDP packets are constantly traversing and are legitimate, a new DoS policy is placed at the top of the list, allowing traffic from the legitimate public hosts with no limit on the expected traffic.

This allows the legitimate traffic to flow uninterrupted.

To do so, go to Policy and Objects -> IPv4 DoS-Policy and create a new DoS policy.

Select the remote IPsec gateway IPs as the source and IKE as the service, to allow IPsec connection setup and IPsec traffic.

If the traffic inside the IPsec tunnel is being blocked by the DoS policy, a similar policy can be created with service ALL and the Source Address set to the remote private IP that is sending traffic in the tunnel.

001.png

Ensure that UDP-scan and UDP-src-session are disabled in this policy, then save the changes.

002.png

003.png

Move the new DoS policy to the top so it is checked first and allows that traffic without the rate limiting configured on the generic policy.

004.png

Create any other policy specific to legitimate traffic that should be allowed unrestricted and move it to the top as well. Check the anomaly logs under 'Log and Report' to see whether any traffic is being blocked by the DoS policy.
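The same setup expressed in the FortiOS CLI, as an added example written for this article rather than taken from it (the article shows the GUI steps only). The interface name wan1, the address object names, the peer and private IP addresses, the policy IDs and the udp_flood threshold value are all constructed placeholders; replace them with the values for your own deployment. Policy 1 stands for the pre-existing generic rate-limiting policy, and the two new policies are then moved above it, mirroring the "move to the top" step.

```fortios
# Added example, not from the original article. Interface, address objects,
# IP addresses, policy IDs and threshold are constructed placeholders.

# Address objects: the remote IPsec gateway and the remote private network
# that sends traffic inside the tunnel (both constructed IPs).
config firewall address
    edit "ipsec-peer-gw"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "ipsec-remote-lan"
        set subnet 10.20.0.0 255.255.0.0
    next
end

config firewall DoS-policy
    # Policy 1: the existing generic rate-limiting policy for Internet traffic.
    # The threshold is a placeholder; logging stays on so blocks show up in the
    # anomaly logs under Log and Report.
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
        end
    next
    # Policy 2: exempt IKE (UDP 500/4500, which also carries NAT-T ESP) from
    # the known IPsec peer. The UDP anomalies are explicitly disabled so this
    # traffic is never rate-limited.
    edit 2
        set interface "wan1"
        set srcaddr "ipsec-peer-gw"
        set dstaddr "all"
        set service "IKE"
        config anomaly
            edit "udp_flood"
                set status disable
            next
            edit "udp_scan"
                set status disable
            next
            edit "udp_src_session"
                set status disable
            next
        end
    next
    # Policy 3: exempt traffic arriving inside the tunnel from the remote
    # private network (service ALL), the second scenario in the article.
    edit 3
        set interface "wan1"
        set srcaddr "ipsec-remote-lan"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "udp_flood"
                set status disable
            next
            edit "udp_scan"
                set status disable
            next
            edit "udp_src_session"
                set status disable
            next
            edit "tcp_src_session"
                set status disable
            next
        end
    next
end

# Ordering matters: DoS policies are evaluated top-down, so the exemptions
# must sit above the generic rate-limiting policy.
config firewall DoS-policy
    move 2 before 1
    move 3 before 1
end
```

After applying the configuration, confirm the order with `show firewall DoS-policy`, then watch the anomaly logs: if udp_flood entries with the IPsec peer as source still appear, the exemption is not matching and the source address or service selection in policy 2 should be rechecked.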