I am starting a new topic because this problem is still not resolved and the other topic about this same issue is no longer accurate. This topic starts with a clear description of the issue, including an overview of the situation.
This is the old topic (for reference; please do not refer to it anymore, to avoid confusion).
The network schematic:
If connected wirelessly to SSID "test99", all is fine. No issues and superfast.
If connected to "ssid", clients experience weird issues.
1. Roblox games never load, and give an error message.
2. Downloading apps/updates from the Google Play Store is terribly slow ... 1%, 2%, 3%...
I deliberately do not (yet) include any config/capture (see also the previous topic).
I never had any of these issues for over ~7 years. It started after upgrading to 7.0.11. And if you read the old topic, 2 things constantly cross: software switch vs hardware switch; that issue is now gone. All is connected to 1 hardware switch and VLANs with bridged SSIDs.
The Netgear is configured to tag VLANs on the uplink and to the FAP. Furthermore, there are no (known) issues in the network other than this...
Please help out in finding if this could be a configuration issue or bug. Thank you!
I suggest you read all about DoS Policies to try and understand for yourself why it might be hitting on VLAN 10 and not VLAN 99. There are timers, thresholds, etc. all involved. As I already stipulated above, it could be that moving a device to VLAN 99 allowed it to work momentarily before the DoS policy got hit.
Those DoS policies have been in place for a long time. Why would they trigger on sessions set up from inside out? I can't find or read in your link, other than "traffic arriving", that return traffic is policed by a DoS policy.
It says right in the first paragraph of that linked doc: "DoS policies are checked before security policies". DoS policies are checking all traffic regardless of FW state or traffic origination.
That bug ID is not applicable to you.
At this point, I've spent hours helping you out. We've identified your issue. You have options now to either disable or tweak the highly restrictive DoS policy (threshold 1 with US Geo blocking) or revert to 7.0.10.
I have also asked you for logs and other info, but you haven't shown those to me. So there's not much else, in my opinion, that I can offer you at this point.
At the moment of testing there are NO devices connected to Roblox... Only 1, connected to 10 or 99.
And once again, Roblox is not the only issue...
2 things clearly stand out:
1. It did not throw any errors in <7.0.10
2. The DoS policies are only configured INbound. IMHO this has nothing to do with outgoing or otherwise policed sessions.
Bottom line, the "strict" GEO DoS policy with a threshold of "1" worked very well to limit all traffic INbound from those GEOs. After all, the same GEO list is used on INbound policies to BLOCK that same traffic (coming from the US etc.)
Thus, I am still surprised that in 7.0.11 it now suddenly looks like my DoS policy also blocks RETURN traffic.
Remember: I BLOCK all that traffic coming from those GEOs (including the US) INBOUND. That has nothing to do with OUTBOUND sessions, both policy-wise and DoS-wise...
1. You have no support on this FortiGate and you are continuously pushing the boundaries of what is expected from a community-based forum for assistance, with little to no appreciation for the work and time people are spending to help you.
2. You refuse to provide useful information that we ask for and continue to complain about things that you have already brought up. So again, without the logs and other info requested, we can't really do much more to help you.
Bottom line, you still don't understand how DoS policies work despite multiple attempts to get this through to you: DoS Policies are applied before security policies. Therefore if you are initiating a connection to a server on the internet, that server's return traffic will be hit by the DoS policy. It has nothing to do with who initiates what side of the connection.
Remember: I already pointed out to you that you do not in fact block all traffic coming from those GEOs including US. You are only blocking inbound traffic from those GEOs to a single VIP.
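A constructed model, added here and not from either poster or from FortiOS itself, of the evaluation order the reply above describes: a DoS policy is checked on every arriving packet before the session table and security policies are consulted, so a reply from a server in a geo-blocked country is dropped even though the LAN client opened the connection. The addresses, the country lookup and the per-source threshold semantics are simplified assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_country: str  # constructed: result of a geo lookup on src_ip
    dst_ip: str


@dataclass(frozen=True)
class DoSPolicy:
    blocked_countries: frozenset
    threshold: int  # constructed: packets from one source before the drop applies


class Firewall:
    """Toy pipeline: DoS check first, then session table, then inbound policy."""

    def __init__(self, dos: DoSPolicy):
        self.dos = dos
        self.sessions = set()   # (inside_ip, outside_ip) opened from the LAN side
        self.hits = Counter()   # per-source packet count seen by the DoS policy
        self.log = []

    def open_outbound(self, inside_ip: str, outside_ip: str) -> None:
        """A LAN client initiates a connection; its reply path is now expected."""
        self.sessions.add((inside_ip, outside_ip))

    def inbound(self, pkt: Packet) -> str:
        # 1. DoS policy: evaluated on every arriving packet, with no knowledge
        #    of whether the packet is a reply to a session the LAN side opened.
        if pkt.src_country in self.dos.blocked_countries:
            self.hits[pkt.src_ip] += 1
            if self.hits[pkt.src_ip] >= self.dos.threshold:
                self.log.append(f"dos-drop src={pkt.src_ip} geo={pkt.src_country}")
                return "dos_drop"
        # 2. Session table: reply traffic for an outbound session is accepted.
        if (pkt.dst_ip, pkt.src_ip) in self.sessions:
            return "accept_return"
        # 3. Inbound security policy: this model permits nothing unsolicited.
        return "policy_deny"


def reply_verdict(threshold: int, blocked=frozenset({"US"})) -> str:
    """Client 192.0.2.10 connects out to US server 203.0.113.5 (constructed
    addresses); return the verdict for the server's first reply packet."""
    fw = Firewall(DoSPolicy(blocked, threshold))
    fw.open_outbound("192.0.2.10", "203.0.113.5")
    return fw.inbound(Packet("203.0.113.5", "US", "192.0.2.10"))


if __name__ == "__main__":
    print("threshold 1, US blocked:", reply_verdict(1))                    # dos_drop
    print("threshold 1000, US blocked:", reply_verdict(1000))              # accept_return
    print("US not in the geo list:", reply_verdict(1, frozenset({"CN"})))  # accept_return
```

Raising the threshold or removing the country from the DoS geo list lets the reply reach the session-table step, while unsolicited inbound packets from that country are still denied by the security policy stage.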