With a DoS policy configured, for example:
config firewall DoS-policy
    edit 1
        set interface "xxxxx"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
...
The session is not offloaded to the NPU. The session list shows the reason in the no_ofld_reason field:
diagnose sys session list
session info: proto=1 proto_state=00 duration=6 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nds npu
statistic(bytes/packets/allow_err): org=588/7/1 reply=588/7/1 tuples=2
tx speed(Bps/kbps): 87/0 rx speed(Bps/kbps): 87/0
orgin->sink: org pre->post, reply pre->post dev=54->55/55->54 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.30.71.76:24793->10.30.72.77:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.72.77:24793->10.30.71.76:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=529 auth_info=0 chk_client_info=0 vd=3
serial=0000086d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: not-established   <====================================================
total session 1
After removing the DoS-policy:
config firewall DoS-policy
cen_601f_1 (DoS-policy) # purge
This operation will clear all table!
Do you want to continue? (y/n)y
diagnose sys session list
session info: proto=1 proto_state=00 duration=7 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper= reply-shaper= per_ip_shaper= class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=54->55/55->54 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.30.71.76:24794->10.30.72.77:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.72.77:24794->10.30.71.76:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=529 auth_info=0 chk_client_info=0 vd=3
serial=00000888 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=128/128, ipid=128/128, vlan=0x0bff/0x0c00
vlifid=128/128, vtag_in=0x0bff/0x0c00 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=8/7
total session 1
This is the same behavior with UDP traffic.
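As an added illustration (not part of the original article), the following Python reads a diagnose sys session list dump like the two above and lists the ICMP/UDP sessions the NPU has not taken over, which is the check to run when CPU climbs after a DoS policy is added. The two sample dumps are constructed from the output quoted above, trimmed to the fields the parser reads.

```python
import re

# Constructed sample input, trimmed from the two dumps quoted above.
SESSION_LIST_WITH_DOS_POLICY = """\
session info: proto=1 proto_state=00 duration=6 expire=59 timeout=0
hook=pre dir=org act=noop 10.30.71.76:24793->10.30.72.77:8(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=529 auth_info=0 chk_client_info=0 vd=3
serial=0000086d tos=ff/ff npu_state=0x4000000
no_ofld_reason: not-established<====
total session 1
"""

SESSION_LIST_AFTER_PURGE = """\
session info: proto=1 proto_state=00 duration=7 expire=53 timeout=0
hook=pre dir=org act=noop 10.30.71.76:24794->10.30.72.77:8(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=529 auth_info=0 chk_client_info=0 vd=3
serial=00000888 tos=ff/ff npu_state=0x4000c00 ofld-O ofld-R
total session 1
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _field(name, text, default=None):
    """Return the value of a 'name=value' token; 'proto=' does not match 'proto_state='."""
    m = re.search(rf"\b{name}=(\S+)", text)
    return m.group(1) if m else default


def parse_sessions(dump):
    """Split a session-list dump into one dict per session with its offload status."""
    sessions = []
    for chunk in dump.split("session info:")[1:]:
        reason = re.search(r"no_ofld_reason:\s*([\w-]+)", chunk)
        sessions.append({
            "proto": PROTO_NAMES.get(int(_field("proto", chunk, "0")), "other"),
            "policy_id": int(_field("policy_id", chunk, "0")),
            "serial": _field("serial", chunk),
            "npu_state": int(_field("npu_state", chunk, "0"), 16),
            # Both direction flags must be present for a fully offloaded session.
            "offloaded": "ofld-O" in chunk and "ofld-R" in chunk,
            "no_ofld_reason": reason.group(1) if reason else None,
        })
    return sessions


def not_offloaded(dump, protos=("icmp", "udp")):
    """Return (serial, reason) for ICMP/UDP sessions still handled by the CPU."""
    return [(s["serial"], s["no_ofld_reason"]) for s in parse_sessions(dump)
            if s["proto"] in protos and not s["offloaded"]]
```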
If a DoS policy is required by the network design, re-evaluate the FortiGate model and its CPU sizing accordingly.
If there is too much UDP/ICMP traffic hitting the FortiGate's CPU, high CPU usage will occur.