When the application (google drive)upload or sync file, the traffic will trigger the DOS UPD flood as below.
itime=1436345294 dstname=tl-in-f116.1e100.net device_id=FG600B3909601201 log_id=18432 subtype=anomaly type=ips pri=alert policyid=0 serial=0 attack_id=285212772 severity=critical sensor=block_flood src=*.*.*.* dst=64.233.189.116 src_port=56355 dst_port=443 src_int=port4 dst_int=N/A status=clear_session proto=17 service=https user=N/A group=N/A ref=http://www.fortinet.com/ids/VID285212772 count=507 incident_serialno=0 msg="anomaly: udp_flood, 2074 > threshold 2000, repeats 507 times" vd=root identidx=0 attack_name=udp_flood intf_policyid=0 date=2015-07-08 time=16:48:14
itime=1436345279 dstname=tl-in-f116.1e100.net device_id=FG600B3909601201 log_id=18432 subtype=anomaly type=ips pri=alert policyid=0 serial=0 attack_id=285212772 severity=critical sensor=block_flood src=….dst=64.233.189.116 src_port=56355 dst_port=443 src_int=port4 dst_int=N/A status=clear_session proto=17 service=https user=N/A group=N/A ref=http://www.fortinet.com/ids/VID285212772 count=699 incident_serialno=0 msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 699 times" vd=root identidx=0 attack_name=udp_flood intf_policyid=0 date=2015-07-08 time=16:47:59
How to except the similar action?
I find the official configuration suggestion as below link.
How does the fortigate configure the dos sensor to pass the domain name which express include *.
Does the address object support the configuration that FQDN include wildcard.
https://support.google.com/drive/answer/2589954?hl=en&ref_topic=14951
https://www.dropbox.com/help/23
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Whats the best or preferred way to let these through? The company I work for is a heavy user of Google's apps and we use Chrome because Google's stuff works better with Chrome. At least until the DoS sensor started identifying them as udp_flood and blocking them. Now, when accessing any of the Google stuff, it's slow and it sometimes doesn't seem to respond.
-Mike
Hi,
This is most likely due to Google's experimental QUIC, using UDP on port 443.
See https://www.chromium.org/quic
NSE 4
Whats the best or preferred way to let these through? The company I work for is a heavy user of Google's apps and we use Chrome because Google's stuff works better with Chrome. At least until the DoS sensor started identifying them as udp_flood and blocking them. Now, when accessing any of the Google stuff, it's slow and it sometimes doesn't seem to respond.
-Mike
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.