| Description |
This article explains how to configure exceptions in FortiGate's DoS policies for specific traffic types to prevent legitimate traffic from being flagged as anomalies. This is particularly useful when managing high-volume traffic, such as DNS queries, which can inadvertently trigger anomalies like udp_dst_session, ip_dst_session, or udp_flood.
By creating exceptions, administrators can ensure uninterrupted service for legitimate traffic while maintaining security for other network activities. |
| Scope | FortiGate. |
| Solution |
Similar to Firewall policies, DoS policy rules are processed in a top-down manner. Therefore, if a policy for a specific IP and service to which the DoS policy is not applied is created at the top, an exception is processed.
Example # 1:
2. The policyid 2 was set to block all packets when a DoS attack occurs on the source IP 10.0.1.0/24.
3. Policy3 was created to enable communication only for HTTP and DNS services of 10.0.1.10 IP. The action was arbitrarily selected as 'Disabled'.
4. Result in 10.0.1.10 PC.
The HTTPS site (https://google.com) failed to access, and the HTTP site (http://httpbin.org) succeeded.
Example # 2:
A common scenario involves DNS servers, where high query volumes from client devices often exceed default DoS thresholds, causing false positives. Following example demonstrates how to set up DoS policy exceptions, using DNS traffic specifically.
Topology Overview: 
To prevent legitimate DNS traffic from being blocked by the IPv4 DoS policy while maintaining anomaly detection for other types of traffic, a dedicated DoS policy can be created to whitelist DNS traffic directed to the DNS server. Placing this policy above the general blocking policy ensures that DNS queries are exempt from threshold limits without affecting the monitoring and protection of other network traffic.
Since the policy is configured to apply to all traffic, as shown in the Anomaly Logs, legitimate DNS traffic between the internal network and the DNS server is also blocked once the threshold is reached. Adjusting the threshold or disabling the specific anomaly type would impact all network traffic across the segments, which is not ideal.
Here’s how the firewall DoS policies can be configured and utilized effectively together:
Bypass IPv4 DoS Policy in GUI:
Bypass IPv4 DoS Policy in CLI:
edit 2 set name "Bypass DNS Traffic" set interface "port4" set srcaddr "Internal LAN" set dstaddr "DNS Server" set service "DNS" config anomaly edit "tcp_syn_flood" set threshold 2000 next edit "tcp_port_scan" set threshold 1000 next edit "tcp_src_session" set threshold 5000 next edit "tcp_dst_session" set threshold 5000 next edit "udp_flood" set status enable set log enable set threshold 2000 next edit "udp_scan" set threshold 2000 next edit "udp_src_session" set status enable set log enable set threshold 5000 next edit "udp_dst_session" set status enable set log enable set threshold 5000 next edit "icmp_flood" set threshold 250 next edit "icmp_sweep" next edit "icmp_src_session" set threshold 300 next edit "icmp_dst_session" set threshold 1000 next edit "ip_src_session" set status enable set log enable set threshold 5000 next edit "ip_dst_session" set status enable set log enable set threshold 5000 next edit "sctp_flood" set threshold 2000 next edit "sctp_scan" set threshold 1000 next edit "sctp_src_session" set threshold 5000 next edit "sctp_dst_session" set threshold 5000 next end next end
Save and ensure this policy is placed above the general DoS policy for the interesting traffic.
The action is set to Monitor, allowing the traffic to pass while still generating logs for visibility. This approach can be applied to whitelist specific types of traffic or bypass any type of anomaly detection. |
