FortiDDoS
SteveDDoS_FTNT
Article Id 390021
Description This article describes the changes required in FortiDDoS following the FortiOS migration from SSL VPN to IPsec VPN in FortiOS Release v7.6.3.
Scope All FortiDDoS-B/E/F.
Solution

In all cases below, contact FortiCare Support if assistance is needed.


There are 2 ways IPsec works in a network:

  • IPsec normally uses Layer 3 Protocol 50 (ESP).
  • IPsec NAT traversal, using UDP port 4500, is used by most home users who cannot connect via Protocol 50.


Both variants above also use IKE over UDP Port 500 for setup and key exchange.


If Protocol 50, UDP Port 4500, or UDP Port 500 are not currently in use, FortiDDoS has low thresholds for these parameters. After the FortiOS upgrade, traffic on Protocol 50, UDP 4500, and/or UDP 500 may increase substantially in the firewall or VPN server SPPs, resulting in VPN impairment or failure.


Modifying FortiDDoS Thresholds for the above conditions:

The following instructions may show changes that depend on the platform and release. If no platform or release is shown, the change applies to all.

  • (B-E) refers to FortiDDoS B-Series and E-Series.
  • (F 7.0.3) refers to FortiDDoS F-Series and the Release in use.


Before modifying FortiOS VPN settings, place any SPPs with firewalls and/or VPN servers into Detection Mode so VPN traffic will not be affected. If unsure, place all SPPs in Detection Mode.


After changing FortiOS VPN settings:

  • (F 7.0.4) Check the IP Profile for the above SPPs and disable the IKE Strict Anomalies feature.
    This does not impact DDoS mitigation.
  • View Protocol 50 graphs in each SPP for traffic in both directions. Where there is a possibility of asymmetric traffic and there are 2 appliances, check both appliances for traffic in each direction. Where there is Protocol 50 traffic, modify or create a new Threshold for Protocol 50 without setting that Threshold (it will default to system max). This may require deleting a range of Protocols (e.g., 18-255) and replacing it with 3 ranges (e.g., 18-49, 50-50, 51-255).
  • View UDP Port 4500 graphs in the affected SPPs for traffic in both directions. Where there is UDP Port 4500 traffic, modify or create a new Threshold for UDP Port 4500 without setting a Threshold (it will default to system max). If UDP Port 4500 is part of a range of ports, it is acceptable to change the Threshold for that range to 100,000.
    • If there is UDP Port 4500 traffic, go to the IP Profile for that SPP and
      • (F 7.0.4) Disable the UDP Empty Checksum Check or,
      • (7.0.3 and below) Disable IP Strict Anomalies (see IP Strict Anomalies, FortiDDoS Handbook: IP Profile).
  • View UDP Port 500 (IKE) graphs in each firewall and/or VPN server SPP for traffic in both directions. IKE is the setup and key exchange protocol for IPsec. It is normally a very slow protocol with a few packets every few hours per connected device, but initial connections (every morning, for example) can increase these rates. Modify or create a new UDP 500 Threshold and leave the Threshold at default (system max). If UDP 500 is part of a range of ports, it is acceptable to set the Threshold for the range to 100,000.
  • Return the SPP to Prevention.
  • After 1-2 weeks, observe the graphs for Protocol 50, UDP 4500, and UDP 500. Record the peak rates seen. Change the Protocol 50 Threshold and/or the UDP Port 4500 Threshold to 3-5x the observed peak. Change the UDP Port 500 Threshold to 2-3x the observed peak.
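The range split and the final threshold sizing from the steps above, as an added worked example that is not part of this article and not Fortinet tooling: it computes the protocol ranges to create and the Threshold values to enter from observed peak rates, using the article's multipliers, and does not talk to an appliance. The sample peak rates are constructed.

```python
# Added example, not from the Fortinet article: plan the FortiDDoS Threshold
# changes described above. Pure computation; no appliance access is assumed.

# Multiplier ranges from the article: (low, high) x observed peak.
IPSEC_PARAMS = {
    "protocol_50": (3, 5),  # ESP (Layer 3 Protocol 50)
    "udp_4500": (3, 5),     # IPsec NAT traversal
    "udp_500": (2, 3),      # IKE setup and key exchange
}

def split_protocol_range(start, end, carve_out):
    """Split an existing protocol Threshold range so `carve_out` gets its own
    entry, e.g. 18-255 around Protocol 50 -> [(18, 49), (50, 50), (51, 255)].
    A range that does not contain the protocol is returned unchanged."""
    if not start <= carve_out <= end:
        return [(start, end)]
    ranges = []
    if carve_out > start:
        ranges.append((start, carve_out - 1))
    ranges.append((carve_out, carve_out))
    if carve_out < end:
        ranges.append((carve_out + 1, end))
    return ranges

def recommend_thresholds(peaks, conservative=False):
    """Map observed peak rates (as read from the SPP graphs after 1-2 weeks)
    to the Threshold to set. `conservative=True` uses the top of the article's
    multiplier range. A peak of 0 means no traffic was seen, so the Threshold
    is left at its default (system max), reported here as None."""
    result = {}
    for name, peak in peaks.items():
        low, high = IPSEC_PARAMS[name]
        if peak == 0:
            result[name] = None
            continue
        result[name] = peak * (high if conservative else low)
    return result

# Constructed sample peaks (packets/second) for one firewall SPP.
SAMPLE_PEAKS = {"protocol_50": 1200, "udp_4500": 300, "udp_500": 15}

if __name__ == "__main__":
    print("Protocol ranges:", split_protocol_range(18, 255, 50))
    print("Thresholds:", recommend_thresholds(SAMPLE_PEAKS))
```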