I am working with a Fortinet FG-60F firewall. It has 2 WAN sources and both have a maximum link speed of 100Mbps. Throughout the day, I am repeatedly getting downstream bandwidth spikes of 100Mbps+ on both WAN links:
Our usage is not much at all. When I check my Fortiview sources, the bandwidth consumed by individual IPs is not more than 10Mbps:
We are repeatedly getting connectivity issues and packet losses. Users are repeatedly losing their connections and pings are getting timed out.
Please guide me on how to find out what is causing this or consuming the bandwidth.
Since no one is responding so far, I'll put some comments here.
The first thing I would do is to see the usage on the internal interfaces instead of each user's, to check if they have a mirror image of the WAN1/2 usage pattern.
My assumption is that there is nothing similar to those. Then you're likely getting attacks on both interfaces.
Then I would look for the sources of those attacks by just sniffing on the interface to see if there are some common sources. From there, there are different options to mitigate.
Toshi
Hello,
I am not seeing much utilization on the LAN interface. As suggested in another answer, I enabled the ipv4 DoS policy first and I could still see spikes. Then, I am seeing UDP and ICMP flooding events in the Security events log:
I am not sure if this is causing it and if so, how to resolve it.
Hello,
Adding one thing to this, I am also seeing these entries in my log: a lot of blocks from random IPs to random IPs on UDP ports 137 and 138:
You can try to add the LAN interface bandwidth to the dashboard to confirm if the traffic seen on WAN1 and 2 is indeed going to the internal LAN.
Another option would be to install an SNMP monitoring tool on a computer or server and monitor both interfaces (LAN and WAN) on the FGT.
Hi,
I added the internal VLAN in the dashboard and it is showing a utilization of less than 10Mbps. WAN1 and WAN2 are still going higher than 75Mbps, both being identical. Have I done it correctly? How do I check further?
Hi @aakashrajwani,
I noticed that the spikes only show as inbound. I would suggest configuring DoS policy. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/771644/dos-policy
Regards,
Hello,
I configured the DoS policy for both WAN sources - all sources, all destinations, all services, and enabled all suggested policies to block it with default packet values, but the bandwidth utilization is still higher than 80Mbps:
Just be careful when enabling DoS policy, you may deny legitimate traffic if you squeeze too much.
On checking the Security events, I found this:
The IPs involved in the UDP Flood ones are showing to be from Google - resolved domain: maps.googleapis.com, maps.googleapis.com. The IPs involved in ICMP Flood ones are from Amazon EC2 instances in Brazil, Korea, London, etc.
Is this useful information in finding out what is happening?
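Following Toshi's suggestion to look for common sources, and the UDP/ICMP flood entries that showed up in the Security events log, here is an added example (not from this thread and not Fortinet's own tooling) that tallies FortiGate anomaly log lines by attack type and source IP so repeat offenders across WAN1 and WAN2 stand out. The sample lines, device name, addresses and counts are constructed; the key=value layout follows the FortiGate syslog format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample FortiGate log lines (DoS-policy "anomaly" events plus one
# ordinary denied NetBIOS packet). Addresses, device name and counts are made up.
SAMPLE_LOGS = """\
date=2024-05-01 time=09:00:01 devname="FG60F" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.10 dstip=198.51.100.2 srcintf="wan1" proto=17 action="clear_session" attack="udp_flood" count=5000
date=2024-05-01 time=09:00:03 devname="FG60F" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.10 dstip=198.51.100.3 srcintf="wan2" proto=17 action="clear_session" attack="udp_flood" count=4200
date=2024-05-01 time=09:00:05 devname="FG60F" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=192.0.2.77 dstip=198.51.100.2 srcintf="wan1" proto=1 action="clear_session" attack="icmp_flood" count=3000
date=2024-05-01 time=09:00:07 devname="FG60F" type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=192.0.2.78 dstip=198.51.100.2 srcintf="wan1" proto=1 action="clear_session" attack="icmp_flood" count=3100
date=2024-05-01 time=09:00:09 devname="FG60F" type="traffic" subtype="forward" level="notice" vd="root" srcip=192.0.2.200 dstip=198.51.100.2 srcintf="wan1" proto=17 dstport=137 action="deny"
"""

# key=value pairs; values are either "quoted strings" or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def summarize_anomalies(text):
    """Aggregate anomaly (DoS policy) events by attack type.

    Returns {attack: {"events": n, "packets": sum of count, "sources": Counter}}
    so that the same srcip hitting both WAN interfaces is visible at a glance.
    """
    summary = defaultdict(lambda: {"events": 0, "packets": 0, "sources": Counter()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "anomaly":
            continue  # normal traffic logs are not flood indicators
        bucket = summary[rec["attack"]]
        bucket["events"] += 1
        bucket["packets"] += int(rec.get("count", 0))
        bucket["sources"][rec["srcip"]] += 1
    return dict(summary)


def top_sources(summary, attack, n=3):
    """Most frequent source IPs for one attack type, as (ip, events) tuples."""
    return summary.get(attack, {"sources": Counter()})["sources"].most_common(n)


if __name__ == "__main__":
    s = summarize_anomalies(SAMPLE_LOGS)
    for attack, data in s.items():
        print(f"{attack}: {data['events']} events, {data['packets']} packets, "
              f"top sources {top_sources(s, attack)}")
```

Feed it the anomaly lines exported from the FortiGate or forwarded to a syslog collector; sources that recur across both WAN interfaces are the ones worth checking against the Fortiview figures and, if confirmed, rate-limiting upstream with the ISP.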