Troubleshooting Tip: DoS-policy will cause sessions to not be offloaded for UDP and ICMP traffic

kyozloveyou_FTNT · ‎04-28-2024

Description

This article describes that session/traffic will not be offloaded when having a DoS-policy in place.

Scope

FortiGate.

Solution

When using a DoS-policy on FortiGate, for example:

config firewall DoS-policy
edit 1
set interface "xxxxx"
set srcaddr "all"
set dstaddr "all"
set service "ALL"

...

The session will not offloaded due to:

diagnose sys session list
session info: proto=1 proto_state=00 duration=6 expire=59 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty nds npu
statistic(bytes/packets/allow_err): org=588/7/1 reply=588/7/1 tuples=2
tx speed(Bps/kbps): 87/0 rx speed(Bps/kbps): 87/0
orgin->sink: org pre->post, reply pre->post dev=54->55/55->54 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.30.71.76:24793->10.30.72.77:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.72.77:24793->10.30.71.76:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=529 auth_info=0 chk_client_info=0 vd=3
serial=0000086d tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0x0000/0x0000
vlifid=0/0, vtag_in=0x0000/0x0000 in_npu=0/0, out_npu=0/0, fwd_en=0/0, qid=0/0
no_ofld_reason: not-established<====================================================
total session 1

After removing the DoS-policy:

config firewall DoS-policy

cen_601f_1 (DoS-policy) # purge
This operation will clear all table!
Do you want to continue? (y/n)y

diagnose sys session list

session info: proto=1 proto_state=00 duration=7 expire=53 timeout=0 flags=00000000 socktype=0 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=may_dirty npu
statistic(bytes/packets/allow_err): org=168/2/1 reply=168/2/1 tuples=2
tx speed(Bps/kbps): 0/0 rx speed(Bps/kbps): 0/0
orgin->sink: org pre->post, reply pre->post dev=54->55/55->54 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 10.30.71.76:24794->10.30.72.77:8(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.72.77:24794->10.30.71.76:0(0.0.0.0:0)
misc=0 policy_id=1 pol_uuid_idx=529 auth_info=0 chk_client_info=0 vd=3
serial=00000888 tos=ff/ff app_list=0 app=0 url_cat=0
rpdb_link_id=00000000 ngfwid=n/a
npu_state=0x4000c00 ofld-O ofld-R
npu info: flag=0x81/0x81, offload=9/9, ips_offload=0/0, epid=128/128, ipid=128/128, vlan=0x0bff/0x0c00
vlifid=128/128, vtag_in=0x0bff/0x0c00 in_npu=1/1, out_npu=1/1, fwd_en=0/0, qid=8/7
total session 1

This is the same behavior with UDP traffic.

If there is too much UDP/ICMP traffic and it hits FortiGate's CPU, high CPU usage will occur.

Note:

There is an option to offload DoS policy traffic to the Network Processor based on the matched pre-defined signature in the DoS policy and the FortiGate device by applying the following configuration.

config system settings

set policy-offload-level dos-offload

end

Related document:

DoS policy hardware acceleration

Troubleshooting Tip: DoS-policy will cause sessions to not be offloaded for UDP and ICMP traffic

You are leaving our website