tedew
New Contributor

UDP Flood and Action

Hello,

I created a DoS policy on our WAN interface, and I observed that I have a lot of udp_flood on the WAN interface as DST IP.

 

Question:

What exactly does it mean when I set it to BLOCK or MONITOR? What impact does it have on the target device, in my case my WAN interface?

 

BLOCK = clear sessions and release resources ??

MONITOR = do nothing 

????

 

Thanks

AEK
Honored Contributor

Hello Ted

Better use Monitor first. It will just monitor and tell you in logs if anything like DoS is seen.

If you misuse Block on UDP, a lot of legitimate traffic will be blocked; usually it affects your DNS queries.

 

AEK
srajeswaran
Staff

The udp_flood attack is triggered when the number of packets to a specific destination is higher than the threshold defined (number of packets per second).

For example, in your case, if the threshold is 2000 and the firewall receives more than 2000 UDP packets per second destined to the WAN IP, it will trigger the udp_flood action.

If the action is block, it will block the packets above 2000 for the remainder of the second. If it is monitor, the packets will be allowed and you will be notified with the log/alert.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-DoS-attack-log-according-to-action-set-on-...

 

Do you expect a lot of UDP packets destined to your WAN interface? If not, then enable the block action; otherwise we may monitor and see if there is any specific pattern/source for this traffic and take action accordingly.

Regards,

Suraj
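
Added example, not part of either reply and not FortiOS code: a small Python model of the per-destination, per-second threshold described above, run over constructed traffic to compare Monitor and Block and to show how Block can also drop legitimate DNS replies that arrive after the threshold is hit. The address, the packet labels, the function names and the once-per-second alert are assumptions made for the illustration.

```python
from collections import defaultdict

WAN_IP = "203.0.113.10"  # constructed documentation address, not from the thread


def apply_udp_flood_policy(packets, threshold, action):
    """Model of the per-destination, per-second threshold described above.

    packets: (timestamp_seconds, dst_ip, label) tuples in arrival order.
    Returns (forwarded, dropped, alerts); alerts holds one (second, dst_ip)
    entry for each second in which the threshold was exceeded.
    """
    if action not in ("block", "monitor"):
        raise ValueError("action must be 'block' or 'monitor'")
    seen = defaultdict(int)  # (second, dst_ip) -> UDP packets counted so far
    forwarded, dropped, alerts = [], [], []
    for pkt in packets:
        ts, dst, _label = pkt
        key = (int(ts), dst)
        seen[key] += 1
        if seen[key] <= threshold:
            forwarded.append(pkt)      # under the threshold: always allowed
            continue
        if seen[key] == threshold + 1:
            alerts.append(key)         # assumed: one alert per second and destination
        # Over the threshold: block drops, monitor still forwards.
        (dropped if action == "block" else forwarded).append(pkt)
    return forwarded, dropped, alerts


def sample_traffic():
    """Constructed traffic: a 5000-packet burst plus four DNS replies."""
    flood = [(i / 10000, WAN_IP, "flood") for i in range(5000)]
    dns = [(t, WAN_IP, "dns") for t in (0.05005, 0.70, 0.90, 1.20)]
    return sorted(flood + dns)


if __name__ == "__main__":
    for action in ("monitor", "block"):
        fwd, drop, alerts = apply_udp_flood_policy(sample_traffic(), 2000, action)
        lost_dns = sum(1 for p in drop if p[2] == "dns")
        print(action, len(fwd), len(drop), lost_dns, alerts)
```

With the threshold of 2000 used in the reply, Monitor forwards every packet and only records the alert, while Block drops everything past the 2000th packet in that second, including the two DNS replies that arrive late in it.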
