FortiGate
wmichael (Staff)
Article Id 298215
Description

This article describes how to configure an IPv4 DoS policy on FortiGate so that Zoom meetings are not disrupted by udp_flood detection.

Zoom meetings generate a large volume of UDP packets. Because of that volume, the udp_flood anomaly in an IPv4 DoS policy can easily be triggered, and the resulting packet drops cause a number of issues, including poor call quality.

Scope

FortiGate.
Solution

Zoom requires TCP ports 80 and 443, and UDP ports 3478, 3479 and 8801-8810.

See the Zoom documentation: Zoom network firewall or proxy server settings.
If the IPv4 DoS policy is dropping Zoom UDP packets because udp_flood is triggered, the UDP ports that Zoom uses must be allowed.

This is done in a separate IPv4 DoS policy, so that the normal DoS policy remains effective for all other traffic.

  • Create a new service object that covers UDP ports 3478-3479 and 8801-8810. In the GUI, go to Policy & Objects -> Services and select 'Create New'.
  • In the service object, set the UDP destination ports to 49152-65535 (the ephemeral port range) and the source ports to 3478-3479 and 8801-8810.

Here is an example of how the service object should be configured:

[Image: zoom-source-ports.jpg]

CLI configuration of the service (the destination port range comes before the colon and the source port range after it):

config firewall service custom
    edit "Zoom UDP Ports"
        set udp-portrange 49152-65535:8801-8810 49152-65535:3478-3479
    next
end


  • Create a new IPv4 DoS policy. This policy allows the Zoom UDP traffic on the WAN interface by passing packets on UDP ports 3478-3479 and 8801-8810 instead of treating them as a flood. The policy is bound to the WAN interface on which the UDP packets from the Zoom servers arrive at the FortiGate.
  • If a more general IPv4 DoS policy is already configured, it can be copied, pasted above the existing one, and then edited into the new policy.

In this example, port1 was used. The interface must be the Internet-facing WAN interface.

[Image: Zoom-DoS-policy.jpg]

  • Ensure udp_flood in the new IPv4 DoS policy is set to either 'Disable' or 'Monitor'.

[Image: Zoom-UDP_flood.jpg]

  • Ensure the new policy sits above any general-use IPv4 DoS policies. IPv4 DoS policies are matched from top to bottom, just like firewall policies.

[Image: Zoom-policy-order.jpg]

CLI configuration of the IPv4 DoS policy and the udp_flood anomaly:

config firewall DoS-policy
    edit 2
        set name "Zoom-bypass"
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "Zoom UDP Ports"
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
        end
    next
end


To move the new IPv4 DoS policy above the existing one on the CLI, run the following from within config firewall DoS-policy (here the new policy is ID 2 and the existing general policy is ID 1):

move 2 before 1


The result is that traffic from the Zoom servers matches the Zoom-bypass DoS policy and no longer triggers udp_flood in the general policy.

If the action is set to 'Monitor', the traffic passes through, but each detection is still recorded in the Anomaly logs with the action 'detected'.
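Before changing policy order on a production FortiGate, it helps to confirm offline which of the udp_flood detections already in the Anomaly logs would actually be matched by the new service object, and which would still fall through to the general policy. The script below is an added example written for this article, not Fortinet code. It assumes the FortiOS udp-portrange syntax shown above (destination range before the colon, source range after it, source optional, space-separated entries), and the log lines are constructed samples in FortiGate-style key=value form, not output captured from a device.

```python
"""Check which udp_flood anomaly events a FortiGate service object would cover.

Added example, not Fortinet code.  Assumption: udp-portrange entries have the
form "dst[-dst][:src[-src]]", destination range first, separated by spaces.
"""
import re
from typing import Dict, List, Tuple

# Port spec from the article's "Zoom UDP Ports" service object.
ZOOM_UDP_PORTRANGE = "49152-65535:8801-8810 49152-65535:3478-3479"

Range = Tuple[int, int]


def _parse_range(text: str) -> Range:
    """'8801-8810' -> (8801, 8810); a single port 'n' -> (n, n)."""
    lo, _, hi = text.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo_i, hi_i


def parse_portrange(spec: str) -> List[Tuple[Range, Range]]:
    """Turn a udp-portrange spec into [(dst_range, src_range), ...].

    An entry without ':src' matches any source port (0-65535), which is the
    common case for ordinary service objects.
    """
    entries = []
    for token in spec.split():
        dst, _, src = token.partition(":")
        entries.append((_parse_range(dst), _parse_range(src) if src else (0, 65535)))
    return entries


def service_matches(spec: str, dstport: int, srcport: int) -> bool:
    """True if a UDP packet with these ports falls inside the service object."""
    return any(d[0] <= dstport <= d[1] and s[0] <= srcport <= s[1]
               for d, s in parse_portrange(spec))


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Split a FortiGate-style key=value log line into a dict (quotes removed)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def classify_udp_flood(lines, spec: str = ZOOM_UDP_PORTRANGE):
    """Return (bypass, general): udp_flood flows the bypass service would match,
    and those that would still reach the general DoS policy."""
    bypass, general = [], []
    for line in lines:
        ev = parse_log(line)
        if ev.get("type") != "anomaly" or ev.get("attack") != "udp_flood":
            continue  # ignore non-anomaly and non-udp_flood events
        flow = (ev["srcip"], int(ev["srcport"]), ev["dstip"], int(ev["dstport"]))
        if service_matches(spec, dstport=flow[3], srcport=flow[1]):
            bypass.append(flow)
        else:
            general.append(flow)
    return bypass, general


# Constructed sample lines (not real device output); IPs are documentation ranges.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=203.0.113.10 srcport=8801 dstip=198.51.100.5 dstport=50000 proto=17 '
    'attack="udp_flood" action="detected" count=2500',
    'date=2024-01-01 time=10:00:02 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=203.0.113.11 srcport=3478 dstip=198.51.100.5 dstport=60000 proto=17 '
    'attack="udp_flood" action="detected" count=2100',
    'date=2024-01-01 time=10:00:03 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=192.0.2.7 srcport=12345 dstip=198.51.100.5 dstport=53 proto=17 '
    'attack="udp_flood" action="clear_session" count=9000',
    # Zoom source port but destination outside the ephemeral range: not covered.
    'date=2024-01-01 time=10:00:04 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=203.0.113.12 srcport=8805 dstip=198.51.100.5 dstport=1024 proto=17 '
    'attack="udp_flood" action="detected" count=2200',
    'date=2024-01-01 time=10:00:05 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=192.0.2.8 srcport=40000 dstip=198.51.100.5 dstport=443 proto=6 '
    'attack="tcp_syn_flood" action="detected" count=3000',
]

if __name__ == "__main__":
    covered, remaining = classify_udp_flood(SAMPLE_LOGS)
    print("matched by Zoom-bypass:", covered)
    print("still hit general policy:", remaining)
```

Run against an export of the Anomaly log, the "still hit general policy" list is the one worth reviewing: a Zoom flow that lands there usually means the destination port on the FortiGate side fell outside 49152-65535, which is why the service object specifies both the destination and the source range rather than the Zoom ports alone.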