Hi y'll
I've got this challenge with a lot of alert emails from my fortigate. It looks like it's triggered trough the DoS IpV4 policy on WAN1. If I read and analize the message i see it's from a customer that uses SSL-VPN connection to our center. It's not just one customer but several that can trigger. I raised the treshold for this DoS IpV4 from 2000 to 3500 and it reduced the amount of mails :) . I can of course raise it even higher or just turn it off but that's not a good solution because I want to understand what happens. I see that it seems to be in connection with the logon (but not 100% sure).
i post the Alert and hope somebody can give me a hint or a solution
Message meets Alert condition
The following intrusion was observed: "udp_flood".
date=2018-06-18 time=12:00:56 devname=FGT92D-prim-SMS devid=FGT92D3G1400xxxx logid="0720018432" type="anomaly" subtype="anomaly" level="alert" vd="root" eventtime=1529316056 severity="critical" srcip=79.160.97.xxx srccountry="Norway" dstip=193.71.1xx.xxx srcintf="wan1" srcintfrole="undefined" sessionid=0 action="clear_session" proto=17 service="udp/10443" count=137 attack="udp_flood" srcport=53797 dstport=10443 attackid=285212772 policyid=1 policytype="DoS-policy" ref="http://www.fortinet.com/ids/VID285212772" msg="anomaly: udp_flood, 3501 > threshold 3500, repeats 137 times" crscore=50 crlevel="critical"
Kind regards
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Same behavior on our system.
I am having the same problem
I had to turn it off for the UDP-Flood cause it was causing a problem for SSL-VPN users
but then we had a a real udp attack which affected the CPU for several hours, I now need to explain this to the client
I'm experiencing the same thing. Have you found a solution to this? Out of curiosity do you have DTLS enabled in the forticlient?
any solution?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.