Infotech22
Contributor

Anomaly - udp_flood

Hello forum,

We are getting a lot of anomalies with the attack type udp_flood.

 

Is this something we should worry about? What are the best practices for determining whether these attacks (anomalies, intrusion prevention events, etc.) are false positives or not?
[attached screenshot: udp_flood.png]

We also have FortiAnalyzer, but I don't have much knowledge about it yet, since I haven't started any NSE5 preparation.

adambomb1219
Contributor III

What do you have your DoS policies set to?  Do you actually need UDP_Flood protection?  I have seen many, many false positives of this alert for customers that use Zscaler or other UDP tunneling apps/clients.  What is that source IP?  Is it something you recognize? 

Infotech22

Hello Adam,

Yes, we have it configured, but it was configured by our former external company, so I'm not sure why and how they configured it.

We have 2 WAN connections, and it's the same setting for both of them:

 

[attached screenshot: ddos policy.png]

hbac

Hi @Infotech22,

 

You should set the action to Block for better security. However, your thresholds are low, which can cause false positives. You can adjust them accordingly.

 

Regards, 

adambomb1219

My money is also on a false positive. Why did your external vendor configure these thresholds? And why is it only set to Monitor?

Infotech22

I really don't know why they did it like that.
There was no explanation regarding this.

pbangari
Staff

You can verify whether the source IP address is one you recognize or trust. If yes, you can consider increasing the threshold value for this source IP, or setting the action to Monitor where this IP address is the source.
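The triage the replies above describe (group the anomaly events by source IP, check whether the source is one you recognise, and see how far above the threshold the rate actually went) is easy to script against the raw logs. The following is an added example, not code from the thread or from Fortinet. It assumes FortiOS-style key=value anomaly log lines (the sample lines below are constructed; field names follow the FortiOS anomaly log layout, values are made up), a trusted network 192.0.2.0/24 standing in for a known SASE/tunnel egress range, a threshold of 2000 as it appears in the constructed msg field, and a 1.2x "barely over threshold" margin that is a heuristic, not a Fortinet rule.

```python
"""Triage FortiGate udp_flood anomaly logs by source IP.

Added example (not from the thread or from Fortinet): parses FortiOS-style
key=value anomaly log lines, groups them by srcip, and flags which sources
look like false positives (trusted source, or a rate that only just exceeds
a low threshold) versus ones worth investigating.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines in the FortiOS anomaly log layout. All values are made up.
# action=detected is what a DoS policy in Monitor mode logs; it did not drop anything.
SAMPLE_LOGS = """\
date=2024-03-01 time=09:12:03 devname="FGT" type="anomaly" subtype="anomaly" level="alert" srcip=192.0.2.25 dstip=198.51.100.5 srcintf="wan1" action="detected" proto=17 service="udp/443" attack="udp_flood" policyid=1 policytype="DoS-policy" msg="anomaly: udp_flood, 2150 > threshold 2000, repeats 3 times"
date=2024-03-01 time=09:12:09 devname="FGT" type="anomaly" subtype="anomaly" level="alert" srcip=192.0.2.25 dstip=198.51.100.5 srcintf="wan1" action="detected" proto=17 service="udp/443" attack="udp_flood" policyid=1 policytype="DoS-policy" msg="anomaly: udp_flood, 2310 > threshold 2000, repeats 1 times"
date=2024-03-01 time=09:13:41 devname="FGT" type="anomaly" subtype="anomaly" level="alert" srcip=203.0.113.77 dstip=198.51.100.5 srcintf="wan1" action="detected" proto=17 service="udp/53" attack="udp_flood" policyid=1 policytype="DoS-policy" msg="anomaly: udp_flood, 2040 > threshold 2000, repeats 1 times"
date=2024-03-01 time=09:20:15 devname="FGT" type="anomaly" subtype="anomaly" level="alert" srcip=198.51.100.200 dstip=198.51.100.5 srcintf="wan2" action="detected" proto=17 service="udp/123" attack="udp_flood" policyid=2 policytype="DoS-policy" msg="anomaly: udp_flood, 48000 > threshold 2000, repeats 12 times"
"""

# Assumed for the example: the admin knows 192.0.2.0/24 is a partner / SASE
# egress range that legitimately pushes a lot of UDP (the Zscaler-style case
# mentioned in the thread). Replace with your own known-good ranges.
TRUSTED_NETWORKS = [ip_network("192.0.2.0/24")]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value with spaces"
RATE_RE = re.compile(r'(\d+) > threshold (\d+)')    # "2150 > threshold 2000" inside msg


def parse_line(line):
    """Return a dict of the key=value fields in one FortiOS log line (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(log_text, trusted_networks=TRUSTED_NETWORKS, margin=1.2):
    """Group anomaly events by source IP and give each source a verdict.

    margin: an observed rate below margin * threshold is treated as "barely over",
    which usually points at a threshold set too low rather than at an attack.
    This margin is a heuristic chosen for the example, not a Fortinet value.
    """
    per_src = defaultdict(lambda: {"events": 0, "max_rate": 0, "threshold": None,
                                   "actions": set(), "attacks": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "anomaly" or "srcip" not in rec:
            continue  # skip non-anomaly or malformed lines
        s = per_src[rec["srcip"]]
        s["events"] += 1
        s["actions"].add(rec.get("action", "?"))
        s["attacks"].add(rec.get("attack", "?"))
        m = RATE_RE.search(rec.get("msg", ""))
        if m:
            s["max_rate"] = max(s["max_rate"], int(m.group(1)))
            s["threshold"] = int(m.group(2))

    result = {}
    for src, s in per_src.items():
        addr = ip_address(src)
        if any(addr in net for net in trusted_networks):
            verdict = "likely-false-positive: trusted source (raise threshold or exempt it)"
        elif s["threshold"] and s["max_rate"] < margin * s["threshold"]:
            verdict = "likely-false-positive: barely over threshold (threshold too low)"
        else:
            verdict = "investigate: untrusted source well above threshold"
        result[src] = {**s, "actions": sorted(s["actions"]),
                       "attacks": sorted(s["attacks"]), "verdict": verdict}
    return result


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOGS).items():
        print(f"{src:16} events={info['events']:<3} max_rate={info['max_rate']:<6} "
              f"action={','.join(info['actions'])}  {info['verdict']}")
```

Feed it the exported anomaly logs from FortiAnalyzer (or a FortiGate syslog feed) instead of SAMPLE_LOGS. Sources that land in the "barely over threshold" bucket are the ones the replies above attribute to a low threshold; a source that is far above the threshold and not in your trusted list is the one to look at before switching the policy from Monitor to Block, since Block will start dropping its sessions.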

Infotech22

Hello,

What are the default values for this?
The IP address is not one that we know of, but it's not the only one; we have 5-10 IP addresses showing up here, sometimes even more. So I don't know whether they are false positives only because of the low threshold, or whether it's something I need to worry about.

 

pbangari

Policy & Objects >> IPv4 DoS Policy >> Create New; there you should see the default values.
