Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bascheew
New Contributor III

Created on ‎10-18-2021 10:09 AM

Can't use srcaddr-negate on DoS policies. How can we filter out private IPs?

We have applied a DoS policy on a WAN interface with the intent that all inbound public traffic will be checked for anomalies.  However we're seeing in the logs that traffic from the VPN tunnels (using that WAN interface) are being inspected.  We do not want the "child" VPN tunnels to be DoS inspected.

 

To work around this on a normal firewall policy we would use "srcaddr-negate" and match all traffic that is not a private IP.  That command is not available on a DoS policy, so I don't see a way to exempt that VPN traffic.  Any ideas?

 

2335
0 Kudos
1 REPLY 1
bascheew
New Contributor III

Created on ‎10-19-2021 03:08 PM

Found a work around.  Create a second DoS policy with the VPN peer IPs as the source addresses and set the action to disable:  https://www.adnsolutions.com/fortigate-dos-policy-on-wan-blocking-vpn-traffic/

 

1966
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.