Hello forum,
We are getting a lot of anomalies with the udp_flood attack base.
Is this something we should worry about? What are the best practices for determining whether these attack-like anomalies, intrusion prevention alerts, etc. are false positives or not?
We also have FortiAnalyzer, but I don't have much knowledge of it since I haven't started any NSE5 preparation yet.
What do you have your DoS policies set to? Do you actually need UDP_Flood protection? I have seen many, many false positives of this alert for customers that use Zscaler or other UDP tunneling apps/clients. What is that source IP? Is it something you recognize?
Hello Adam,
Yes, we have it configured, but it was configured by our former external company, so I'm not sure why and how they configured it.
We have 2 WAN connections and it's the same setting for both of them:
Hi @Infotech22,
You should set the action to Block for better security. However, your thresholds are low, which can cause false positives. You can adjust them accordingly.
Regards,
My money is also on false positive. Why did your external vendor configure these thresholds? And why is it only set to Monitor?
I really don't know why they did it like that.
There was no explanation regarding this.
You can verify whether the source IP address is one you recognize or trust. If so, you can consider increasing the threshold value for this source IP, or set the action to Monitor where this IP address is the source.
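The triage step suggested above (sort the alerts by source IP, then separate the sources you recognize from the ones you do not) is easy to script once the anomaly logs are exported from FortiAnalyzer or the FortiGate. The block below is an added example, not code from this thread or from Fortinet. It assumes the usual FortiGate key="value" syslog layout with srcip, attack, action and count fields; the five log records are constructed for illustration, and TRUSTED_NETS is a placeholder for whatever ranges you know generate heavy UDP legitimately (for instance a ZTNA or proxy vendor's tunnel endpoints).

```python
"""Triage FortiGate udp_flood anomaly logs by source IP.

Added example, not from the forum thread. Assumes FortiGate anomaly logs
in key="value" syslog format with srcip, attack, action and count fields.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# One key=value pair; values may be bare or double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:00:01 type="anomaly" subtype="anomaly" level="alert" srcip=203.0.113.10 dstip=198.51.100.5 srcintf="wan1" proto=17 action="detected" attack="udp_flood" count=1200
date=2024-05-01 time=10:00:02 type="anomaly" subtype="anomaly" level="alert" srcip=203.0.113.10 dstip=198.51.100.5 srcintf="wan1" proto=17 action="detected" attack="udp_flood" count=1350
date=2024-05-01 time=10:00:05 type="anomaly" subtype="anomaly" level="alert" srcip=192.0.2.77 dstip=198.51.100.5 srcintf="wan2" proto=17 action="detected" attack="udp_flood" count=2100
date=2024-05-01 time=10:00:09 type="anomaly" subtype="anomaly" level="alert" srcip=203.0.113.10 dstip=198.51.100.5 srcintf="wan1" proto=17 action="detected" attack="udp_flood" count=1800
date=2024-05-01 time=10:00:11 type="anomaly" subtype="anomaly" level="alert" srcip=198.51.100.200 dstip=198.51.100.5 srcintf="wan1" proto=17 action="detected" attack="tcp_syn_flood" count=900
"""

# Placeholder allowlist (assumption): ranges you already know send bursts of
# UDP for legitimate reasons. Replace with your own tunnel/proxy endpoints.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(ip):
    """True if the address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text, attack="udp_flood"):
    """Summarize anomaly records for one attack signature, keyed by source IP.

    Returns {srcip: {"events": n, "max_count": m, "trusted": bool}}.
    Records of other types or other attack names are ignored.
    """
    events = Counter()
    max_count = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "anomaly" or rec.get("attack") != attack:
            continue
        src = rec["srcip"]
        events[src] += 1
        max_count[src] = max(max_count[src], int(rec.get("count", 0)))
    return {
        src: {"events": n, "max_count": max_count[src], "trusted": is_trusted(src)}
        for src, n in events.items()
    }


def suspects(summary):
    """Unrecognized sources, most active first: these are the ones to investigate."""
    return sorted(
        (src for src, info in summary.items() if not info["trusted"]),
        key=lambda s: (-summary[s]["events"], -summary[s]["max_count"]),
    )


if __name__ == "__main__":
    summary = triage(SAMPLE_LOGS)
    for src, info in summary.items():
        tag = "trusted" if info["trusted"] else "UNKNOWN"
        print(f"{tag:8}{src:16} events={info['events']} max_count={info['max_count']}")
    print("investigate:", suspects(summary))
```

Sources that land in the trusted bucket are candidates for a higher per-source threshold or a Monitor action, as the reply above suggests; the unknown ones are where the threshold question actually matters, since a handful of unrelated Internet addresses repeatedly tripping a low threshold is consistent with ordinary noise, while a single unknown source sustaining high counts is worth checking against the traffic logs before raising anything.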
Hello,
What are the default values for this?
The IP address is not something that we know of, but it's not the only one; we have 5-10 IP addresses showing up here, sometimes even more. So I don't know whether they are false positives only because of the low threshold, or whether it's something I need to worry about.
Policy & Objects >> IPv4 DoS Policy >> Create New; you should see the default values there.
Copyright 2024 Fortinet, Inc. All Rights Reserved.