FortiGate
jiahoong112
Staff
Article Id 251599
Description

This article explains how to keep Microsoft Teams working with the IPv4 DoS Policy on FortiGate.

Meetings and conferences held on Teams involve a large number of UDP packets, which FortiGate can interpret as a UDP Flood attack.

This can easily trigger the UDP Flood threshold on the default settings of FortiGate's IPv4 DoS Policy, causing FortiGate to drop the UDP sessions. When these sessions are dropped, Microsoft Teams runs into issues such as call freezing, dropped calls and heavy stutter.

Scope

FortiGate v6.2.x, v6.4.x, v7.0.x, v7.2.x and above. 

For FortiOS versions that are End of Support, upgrade.

Solution

Microsoft Teams requires TCP ports 80 and 443 and UDP ports 3478-3481.

Refer here:
https://learn.microsoft.com/en-us/microsoftteams/teams-security-guide#udp-3478-3481-and-tcp-443

As the DoS Policy is seen dropping UDP sessions for Teams, it is necessary to allow the UDP ports that Microsoft Teams uses through the DoS Policy without sacrificing DoS protection.

  1. Create a Service Object that covers UDP ports 3478-3481. On the GUI, go to Policy & Objects -> Services and select 'Create New'.
  2. Configure the Service Object for UDP ports 3478-3481 as shown below. Here the packet is coming from the Teams server to FortiGate, so the source port is 3478-3481. The destination port defines the range of ephemeral ports used for establishing a session. If the environment uses a particular range, it is possible to use that here.

By default, it is 49152-65535. Here is an example of what it should look like:

[image: screen-tream.png]

  3. Create a DoS policy and put it above the existing default DoS policies. This DoS policy is for allowing UDP Flood on UDP ports 3478-3481. It is created on the WAN interface, where the Teams traffic arrives at FortiGate from the Teams server.

[image: 2.JPG]

In this DoS policy, ensure UDP Flood is set to Disable or Monitor.

[image: 2.5.JPG]

Put this policy above the general block policy:

[image: 3.JPG]

This means that only traffic matching UDP ports 3478-3481 will hit this DoS Policy and be permitted. Other traffic that does not match these criteria will hit the DoS Policies below it.
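The same service object and bypass DoS policy expressed in the FortiOS CLI, added here as an example rather than taken from the original article; the interface name wan1, the service name Teams-UDP, the policy ID 10 and the existing block policy ID 1 are assumptions, and the udp_flood threshold is left at whatever value the unit already uses.

```text
# Service object: Teams media arrives from the Teams server (source UDP 3478-3481)
# toward the client's ephemeral range (destination UDP 49152-65535).
# FortiOS udp-portrange syntax is <destination-range>:<source-range>.
config firewall service custom
    edit "Teams-UDP"
        set udp-portrange 49152-65535:3478-3481
    next
end

# Bypass DoS policy on the WAN interface (assumed name "wan1").
# udp_flood stays enabled with action "pass" and logging on, which is the
# GUI "Monitor" setting: matches are logged but sessions are not cleared.
config firewall DoS-policy
    edit 10
        set name "teams-bypass"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "Teams-UDP"
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
            next
        end
    next
end

# Place the bypass policy above the general DoS policy (assumed ID 1)
# so that Teams traffic matches it first; everything else falls through.
config firewall DoS-policy
    move 10 before 1
end
```

After applying this, a Teams call should produce anomaly log entries with Action: detected rather than clear_session.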

Note:

DoS policies are not bidirectional: a DoS policy only handles traffic coming into the FortiGate interface where it is configured. Make sure to apply the appropriate source/destination ports and IPs for the traffic coming into the firewall.

Result:

  • Teams traffic will hit the teams-bypass DoS policy that was created.
  • As the udp_flood parameter is set to Monitor, the traffic passes through but is logged and shown as Action: detected.
  • If the DoS policy blocks the traffic, the Action will be clear_session.

[image: doslog.png]

[image: doslogd.png]