Hello,
I created a DoS policy on our WAN interface, and I observed that I have a lot of udp_flood on the WAN interface as DST IP.
Question:
What exactly does it mean when I set it to BLOCK or MONITOR? What impact does it have on the target device, in my case my WAN interface?
BLOCK = clear sessions and release resources?
MONITOR = do nothing?
Thanks
Hello Ted
Better to use Monitor first. It will just monitor and tell you in the logs if anything like a DoS is seen.
If you misuse Block on UDP, a lot of legitimate traffic will be blocked; usually it affects your DNS queries.
A udp_flood attack is triggered when the number of packets to a specific destination is higher than the defined threshold (number of packets per second).
For example, in your case, if the threshold is 2000 and the firewall receives more than 2000 UDP packets per second destined to the WAN IP, it will trigger the udp_flood action.
If the action is block, it will block the packets above 2000 for the remainder of the second; if it is monitor, the packets will be allowed and you will be notified with a log/alert.
Do you expect a lot of UDP packets destined to your WAN interface? If not, then enable the block action; otherwise we may monitor and see if there is any specific pattern/source for this traffic and take action accordingly.
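To make the block-versus-monitor distinction concrete, here is an added example (not from the original thread and not FortiGate's own implementation) that models the behaviour described in the reply: a per-destination, per-second UDP packet counter with a threshold of 2000. With action block, packets above the threshold are dropped for the remainder of that second; with action monitor, every packet is allowed and one alert is recorded when the threshold is crossed. The traffic sample, the IP addresses (RFC 5737 documentation ranges) and the class and function names are all constructed for the illustration.

```python
"""Illustrative model of a udp_flood threshold policy (block vs monitor).

This is a simplified simulation written for this thread, not FortiGate code.
Assumptions: the threshold is counted per destination IP over fixed one-second
windows, only UDP packets count, and one alert is raised per destination per
second when the threshold is first exceeded.
"""

BLOCK = "block"
MONITOR = "monitor"


class Packet:
    """Minimal packet record: arrival time (seconds), protocol, destination IP."""

    def __init__(self, ts, proto, dst):
        self.ts = ts
        self.proto = proto
        self.dst = dst


class UdpFloodPolicy:
    def __init__(self, threshold, action):
        self.threshold = threshold  # UDP packets per second per destination
        self.action = action        # BLOCK or MONITOR
        self._window = {}           # dst -> current one-second window index
        self._count = {}            # dst -> UDP packets seen in that window
        self.alerts = []            # (second, dst), one per dst per second

    def handle(self, pkt):
        """Return 'allow' or 'drop' for a single packet."""
        if pkt.proto != "udp":
            return "allow"          # udp_flood only counts UDP
        window = int(pkt.ts)
        if self._window.get(pkt.dst) != window:
            # New one-second window for this destination: reset the counter.
            self._window[pkt.dst] = window
            self._count[pkt.dst] = 0
        self._count[pkt.dst] += 1
        count = self._count[pkt.dst]
        if count <= self.threshold:
            return "allow"
        if count == self.threshold + 1:
            # Threshold just crossed: log once, regardless of action.
            self.alerts.append((window, pkt.dst))
        # Above threshold for the rest of this second.
        return "drop" if self.action == BLOCK else "allow"


def run_policy(policy, packets):
    """Feed packets through the policy and summarise allowed/dropped/alerts."""
    allowed = dropped = 0
    for pkt in packets:
        if policy.handle(pkt) == "allow":
            allowed += 1
        else:
            dropped += 1
    return {"allowed": allowed, "dropped": dropped, "alerts": list(policy.alerts)}


def make_sample():
    """Constructed traffic: a 2500 pps UDP burst at the WAN IP in second 0,
    a quiet second 1, some UDP to another host, and a few TCP packets."""
    wan_ip = "203.0.113.10"      # constructed WAN address
    other_ip = "198.51.100.5"    # constructed second destination
    pkts = [Packet(i / 2500.0, "udp", wan_ip) for i in range(2500)]   # second 0
    pkts += [Packet(1.0 + i / 100.0, "udp", wan_ip) for i in range(100)]  # second 1
    pkts += [Packet(0.5 + i / 1000.0, "udp", other_ip) for i in range(50)]
    pkts += [Packet(0.25 + i / 100.0, "tcp", wan_ip) for i in range(10)]
    pkts.sort(key=lambda p: p.ts)
    return pkts


if __name__ == "__main__":
    sample = make_sample()
    for action in (BLOCK, MONITOR):
        print(action, run_policy(UdpFloodPolicy(2000, action), sample))
```

Running it shows the asymmetry the reply describes: under block, the 500 packets beyond the 2000th in second 0 are dropped while traffic in second 1, the other destination and the TCP packets are untouched; under monitor nothing is dropped, but the same single alert is raised. The constructed sample also shows why the advice about DNS matters: any legitimate UDP that happens to arrive after the threshold is reached in a busy second is dropped along with the flood.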
Copyright 2024 Fortinet, Inc. All Rights Reserved.