Article Id 267946

This article describes how to effectively manage Webex voice calls and video media streams while ensuring the DOS policy is enabled on the FortiGate.


The Webex voice calls utilize a range of UDP ports for communication, which may vary based on the Webex service and version in use.


It is essential to note that the specified port ranges have the potential to trigger the UDP Flood threshold in FortiGate's default settings for IPv4 DOS Policy, leading to the dropping of UDP sessions by FortiGate. As a result, Webex calling may experience problems like call freezing, drops, or severe stuttering. To mitigate this, ensure that the UDP ports used by Webex are allowed through the DOS Policy while still maintaining effective DOS Protection.

Scope: FortiGate versions 6.2.x, 6.4.x, 7.0.x, 7.2.x, 7.4.x and above.

Generally, the following UDP ports are employed for Webex voice calls and video media streams:


  1. UDP port 9000 to 9009: Used for Webex Calling signaling traffic.
  2. UDP port 16384 to 32767: Used for Webex Calling media traffic.


These ports are utilized for Webex Calling, which includes voice calls and video calls made through the Webex platform. The signaling traffic is handled through UDP ports 9000 to 9009, and the actual media (audio and video) is transmitted through UDP ports 16384 to 32767.

Note: The port ranges are subject to change or customization by the Webex service provider. Make sure to verify the specific port requirements with the Webex service provider or refer to the official documentation for the specific version of Webex being used.


Read more in Port Reference Information for Webex Calling - Webex help.


Due to the DOS policy dropping UDP sessions for Webex, it is essential to allow the specific UDP ports used by Webex while still maintaining effective DOS Protection.


  1. Create a Service Object that encompasses UDP ports 9000 to 9009 and 16384 to 32767.
    Navigate to Policy & Objects -> Services on the GUI and select 'Create New'.
  2. Ensure that the Service Object is configured to cover both UDP port ranges: 9000 to 9009 and 16384 to 32767.
  3. Create a new DOS policy and place it above the current default DOS policies. This policy is designed to permit UDP Flood on UDP ports 9000 to 9009 and 16384 to 32767.





In this DOS policy, ensure UDP Flood is set to Disable or Monitor.




This means that only traffic matching UDP ports 9000 to 9009 and 16384 to 32767 will be matched by this DOS policy and allowed through. Any other traffic not meeting these criteria will be handled by the DOS policies positioned below it.
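
The same steps expressed as FortiOS CLI, as an added example that is not part of the original article. The service object name, the interface `wan1`, and the policy IDs `10` and `1` are assumptions; substitute the values from the device. It uses the Monitor option (anomaly enabled, logged, action pass) so that UDP flood detections on the Webex ports stay visible in the logs without sessions being dropped.

```fortios
# Added example. "Webex-Calling-UDP", "wan1" and policy IDs 10 and 1
# are assumed names/values, not taken from the article.

# Steps 1-2: one service object covering both Webex UDP ranges.
config firewall service custom
    edit "Webex-Calling-UDP"
        set udp-portrange 9000-9009 16384-32767
    next
end

# Step 3: DoS policy scoped to that service only.
config firewall DoS-policy
    edit 10
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "Webex-Calling-UDP"
        config anomaly
            edit "udp_flood"
                # Monitor: detect and log, but never block.
                # For the Disable option, use "set status disable" instead.
                set status enable
                set log enable
                set action pass
            next
        end
    next
    # Place the new policy above the existing DoS policy (assumed ID 1)
    # so Webex traffic matches it first.
    move 10 before 1
end
```

Narrowing `srcaddr` or `dstaddr` from `all` to the known Webex address ranges or the internal voice subnets further limits how much UDP traffic is exempt from flood blocking.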