| Description | This article describes how a mis-sized DoS policy threshold can cause an SD-WAN performance SLA to fail and declare a member interface dead. |
| Scope | FortiGate |
| Solution |
In an IPv4 DoS policy, the ICMP_FLOOD anomaly counts ICMP packets per second destined to a single destination IP address. The echo replies for SD-WAN performance SLA probes are all destined to the IP address of the member interface, so if the performance SLA has two servers, the replies from both servers are counted together against that one destination on that interface.
If the threshold is set too low, this combined reply rate alone can trigger the ICMP_FLOOD anomaly, and legitimate traffic, including the probe replies themselves, will be blocked. The default value for this threshold is 250 packets per second.
Do not set the threshold below 100; otherwise the ICMP echo replies for the SLA probes can be detected as an ICMP_FLOOD and dropped.
Consider the setup below.
Internet performance SLA:
SD-WAN rule:
DoS policy ID 1, configured with source interface port1, source all, destination all, and a threshold of 10 for the ICMP_FLOOD anomaly:
ICMP_FLOOD was detected as an anomaly and the sessions were cleared. Checking the service field of the anomaly log shows that the cleared packets were the reply traffic for the SLA probe.
Because of this DoS action, the performance SLA for port1 went down and the member was declared dead.
So if the following log appears in the SD-WAN events while both ISP links are known to be up, suspect the DoS policy, since both ISPs are unlikely to go down at the same time:
Service disabled caused by no outgoing path
Reference log screenshot:
Note: Either increase the threshold for the ICMP_FLOOD anomaly, or increase the SD-WAN performance SLA check interval, which lowers the rate of probe replies. Increasing the DoS threshold is the more practical option. |
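The configuration below is an added example, not from the original article, showing the scenario in FortiOS 7.x CLI: a performance SLA with two ping servers, the mis-sized DoS policy that clears the probe replies, and the corrected threshold. The interface name, SD-WAN member IDs, health-check name and probe server addresses are hypothetical; the SD-WAN members 1 and 2 are assumed to already exist.

```fortios
# Added example (not from the original article). Interface, member IDs and
# server addresses are hypothetical; syntax follows the FortiOS 7.x CLI.

# Performance SLA with two ping servers. Every probe sent out of port1
# returns an echo reply destined to port1's own IP address, so replies
# from both servers count against the same destination for icmp_flood.
config system sdwan
    config health-check
        edit "Internet"
            set server "198.51.100.10" "203.0.113.10"
            set protocol ping
            set interval 500
            set members 1 2
        next
    end
end

# Weak setting (the lab scenario above): icmp_flood threshold of 10 on
# port1, all to all. The probe replies are cleared, the SLA goes down and
# the member is declared dead.
config firewall DoS-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 10
            next
        end
    next
end

# Corrected setting: return to the default of 250 packets per second
# (never below 100). Only the threshold changes.
config firewall DoS-policy
    edit 1
        config anomaly
            edit "icmp_flood"
                set threshold 250
            next
        end
    next
end

# Less practical alternative from the note above: halve the reply rate by
# doubling the probe interval (milliseconds) instead of raising the threshold.
# config system sdwan
#     config health-check
#         edit "Internet"
#             set interval 1000
#         next
#     end
# end

# Verification: the member's SLA should recover and no further icmp_flood
# anomaly logs should appear for port1.
diagnose sys sdwan health-check status Internet
diagnose sys sdwan member
```

After applying the corrected threshold, check the anomaly logs for port1 again: if `icmp_flood` entries whose service is the SLA probe reply stop appearing and the health check shows the member alive, the DoS policy was the cause.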
Copyright 2025 Fortinet, Inc. All Rights Reserved.