FortiGate
jiyong
Staff
Article Id 331412
Description This article describes how to analyze cases where DNS resolution fails intermittently.
Scope FortiGate.
Solution

Wireshark capture of a failing lookup (the same query, transaction ID 0x0c68, is re-sent 5 seconds later to the other DNS server because no reply arrived for the first attempt):

3766 2005-01-01 00:00:19.000000000 10.10.110.148 8.8.4.4 DNS 69 Standard query 0x0c68 A naver.com
4368 2005-01-01 00:00:24.000000000 10.10.110.148 8.8.8.8 DNS 69 Standard query 0x0c68 A naver.com

Normal example (the packet matches an existing session and the DNS payload is dissected):

IPS debug outputs:

[1175@35316118]ips_run_session_verdict_check: serial=145418974 session is ACTIVE<-----------
[1175@35316118]ips_dsct_session_loop: serial=145418974 only: dns_udp
[1175@35316118]dns_dissector: Operation Code: 0 flags 0x8180
[1175@35316118]dissect_query_records: dns request: name naver.com, type 28, class 0x1, size 11
[1175@35316118]dissect_answer_records: dns reply: name naver.com, type 6, class 0x1, size 2

Abnormal example (no session is found for the arriving packet, so IPS has to create a new one):

IPS debug outputs:

[1175@-1]ips_run_session_verdict_check: can't find session <--
[1175@-1]ips_create_session: enter
[1175@-1]ips_create_session: set ignore_app_after_size from 204800 to 20480 by dependencies of 0 Root
[1175@-1]ips_create_session: copying ctags for session 35316118 (view 58)
[1175@-1]ips_tag_cset_on_new_session: (view 58) sess_id=35316118 ctags updated

The IPS debug output above is collected with the following commands (turn debugging off again once the capture is complete):

diag debug console timestamp enable
diag ips debug enable all
diag debug enable

FortiGate anomaly log (the entry written when the DoS policy cleared the session):

date=2024-07-22 time=11:51:57 eventtime=1721616717220791417 tz="+0900" logid="0720018432" type="utm" subtype="anomaly" eventtype="anomaly" level="alert" vd="root" severity="critical" srcip=8.8.8.8 srccountry="Korea, Republic of" dstip=40.40.40.40 dstcountry="Korea, Republic of" srcintf="wan1" srcintfrole="wan" sessionid=0 action="clear_session" proto=17 service="MMS" count=1838 attack="udp_flood" srcport=53 dstport=3992 attackid=285212772 policyid=2 policytype="DoS-policy" ref="http://www.fortinet.com/ids/VID285212772" msg="anomaly: udp_flood, 2282 > threshold 2000, repeats 1838 times since last log, pps 2304 of prior second" crscore=50 craction=4096 crlevel="critical"

Here, the destination 40.40.40.40 is the FortiGate's public (SNAT) address, so every host in the internal subnet 10.10.110.0/24 that is translated to 40.40.40.40 is affected.

As a result, the client's DNS query was forwarded to the DNS server, but the UDP replies from the server (source port 53) to 40.40.40.40 were counted as a udp_flood, the DoS policy cleared the session, and no response reached the client.

Solution:
Tune the udp_flood threshold of the DoS policy based on monitoring of the actual rate of DNS replies to the SNAT address (the log above shows 2282 packets against a threshold of 2000); the threshold has to sit above the legitimate peak for the intermittent failures to stop.
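As an added example (not from the article or from Fortinet), a small Python check that parses FortiGate key=value log lines and flags DoS-policy clear_session events on UDP traffic from source port 53, i.e. DNS replies to the SNAT address, and pulls the observed count, configured threshold and pps out of the msg field so the threshold can be retuned from real data. The sample lines are constructed for this example, modelled on the anomaly log above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines for this example: the first reproduces the udp_flood
# anomaly log from the article (non-essential fields dropped); the second is a
# made-up flood on a non-DNS port that the check must not report.
SAMPLE_LOGS = [
    'date=2024-07-22 time=11:51:57 logid="0720018432" type="utm" subtype="anomaly" '
    'srcip=8.8.8.8 dstip=40.40.40.40 sessionid=0 action="clear_session" proto=17 '
    'count=1838 attack="udp_flood" srcport=53 dstport=3992 policyid=2 '
    'policytype="DoS-policy" msg="anomaly: udp_flood, 2282 > threshold 2000, repeats '
    '1838 times since last log, pps 2304 of prior second" crlevel="critical"',
    'date=2024-07-22 time=12:03:10 type="utm" subtype="anomaly" srcip=203.0.113.9 '
    'dstip=40.40.40.40 action="clear_session" proto=17 attack="udp_flood" srcport=4444 '
    'dstport=5060 policyid=2 msg="anomaly: udp_flood, 2100 > threshold 2000, repeats '
    '3 times since last log, pps 2105 of prior second"',
]

# key=value pairs; values are double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The msg field carries the measured count, the configured threshold and the pps.
MSG_RE = re.compile(r'anomaly: (?P<attack>\w+), (?P<observed>\d+) > threshold '
                    r'(?P<threshold>\d+).*?pps (?P<pps>\d+) of prior second')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a dict, stripping value quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def dns_reply_cleared_by_dos(record: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Report a DoS clear_session on UDP traffic from source port 53 (DNS replies)."""
    if (record.get("subtype") != "anomaly" or record.get("action") != "clear_session"
            or record.get("proto") != "17" or record.get("srcport") != "53"):
        return None
    m = MSG_RE.search(record.get("msg", ""))
    if not m:
        return None
    return {"dns_server": record.get("srcip"), "nat_ip": record.get("dstip"),
            "policyid": record.get("policyid"), "attack": m["attack"],
            "observed": int(m["observed"]), "threshold": int(m["threshold"]),
            "pps": int(m["pps"])}

def find_dns_dos_drops(lines: List[str]) -> List[Dict[str, object]]:
    """Run the check over raw log lines: the events to review before retuning the threshold."""
    hits = (dns_reply_cleared_by_dos(parse_fortigate_log(line)) for line in lines)
    return [h for h in hits if h]

if __name__ == "__main__":
    for h in find_dns_dos_drops(SAMPLE_LOGS):
        print(f"DNS replies {h['dns_server']} -> {h['nat_ip']} cleared by DoS policy "
              f"{h['policyid']}: {h['observed']} > threshold {h['threshold']}, {h['pps']} pps")
```

Feed the same function exported FortiGate logs to see how far above the configured threshold the legitimate DNS reply rate actually peaks before changing the DoS policy.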