While troubleshooting a VPN problem, I noticed a lot of udp_flood entries from the other side of the tunnel. The Source IP listed is ours. I changed the policy from block to detect for now, but I can't find a reason for all this traffic. We have 3 other IPsec tunnels that are pretty much identical, but this is the only Fortigate having this occurrence.
Source and destination port 4500. Service is IKE.
Just a false positive. When you have NAT Traversal enabled on your tunnel, it will use UDP port 4500.
It is recommended to exclude either the remote side's Public IP, or port 4500 from the DOS Policy.
See this document: https://community.fortinet.com/t5/Customer-Service/Technical-Tip-DoS-policy-can-cause-slowness-in-tr...
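Before relaxing a DoS policy, it helps to confirm that the flagged events really are NAT-T keepalive/ESP-in-UDP traffic between known tunnel peers and not something else hitting UDP 4500. The script below is an added example, not code from the thread or from Fortinet: it parses FortiGate-style key=value anomaly log lines and labels each udp_flood event as an expected IKE NAT-T exchange only when both endpoints are configured IPsec peers and both ports are 4500. The log lines and the peer addresses are constructed placeholders; the field names follow the usual FortiGate logging convention but the values are made up.

```python
import shlex
from collections import Counter
from typing import Dict, List, Set

# Constructed sample log lines in FortiGate key=value style (not real logs).
SAMPLE_LOGS: List[str] = [
    # NAT-T between our WAN address and the known remote peer: expected traffic.
    'date=2024-05-01 time=10:15:02 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=203.0.113.10 srcport=4500 dstip=198.51.100.5 dstport=4500 proto=17 '
    'service="IKE" attack="udp_flood" action="detected" count=2001',
    # UDP 4500 from an address that is not one of our tunnel peers: look closer.
    'date=2024-05-01 time=10:15:07 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=192.0.2.77 srcport=4500 dstip=198.51.100.5 dstport=4500 proto=17 '
    'service="IKE" attack="udp_flood" action="detected" count=2400',
    # A udp_flood that has nothing to do with IKE at all.
    'date=2024-05-01 time=10:16:11 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=192.0.2.9 srcport=51000 dstip=198.51.100.5 dstport=53 proto=17 '
    'service="DNS" attack="udp_flood" action="detected" count=5000',
]

# Assumption: the local WAN address and the remote IPsec peer (placeholders).
IPSEC_PEERS: Set[str] = {"198.51.100.5", "203.0.113.10"}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict; shlex strips the quoted values."""
    fields: Dict[str, str] = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify_event(event: Dict[str, str], peers: Set[str]) -> str:
    """Label one anomaly event.

    ike_natt_expected : udp_flood on UDP 4500 <-> 4500 between two configured peers,
                        the false-positive pattern described in the thread.
    investigate       : udp_flood that does not fit that pattern.
    other             : not a udp_flood anomaly at all.
    """
    if event.get("attack") != "udp_flood":
        return "other"
    is_natt = (
        event.get("proto") == "17"
        and event.get("srcport") == "4500"
        and event.get("dstport") == "4500"
    )
    between_peers = event.get("srcip") in peers and event.get("dstip") in peers
    if is_natt and between_peers:
        return "ike_natt_expected"
    return "investigate"


def triage(lines: List[str], peers: Set[str]) -> Dict[str, int]:
    """Count events per label so the expected NAT-T noise can be separated out."""
    counts: Counter = Counter()
    for line in lines:
        counts[classify_event(parse_fortigate_log(line), peers)] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_fortigate_log(line)
        print(f"{ev['srcip']}:{ev['srcport']} -> {ev['dstip']}:{ev['dstport']} "
              f"{ev['attack']}: {classify_event(ev, IPSEC_PEERS)}")
    print(triage(SAMPLE_LOGS, IPSEC_PEERS))
```

Events labelled `ike_natt_expected` are the ones a peer- or port-based exclusion in the DoS policy would cover; anything left under `investigate` still deserves a look before the policy is relaxed, since excluding port 4500 wholesale also stops the sensor from seeing genuine floods aimed at that port from arbitrary sources.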
Yes, NAT Traversal is on by default so I never paid it much attention and I don't know if we should use it or not. I'm still confused if all 4 of our tunnels have NAT Traversal enabled, why this is only happening on one of our Gates.
NAT-T is usually fine to leave on. Your traffic probably just so happens to match the characteristics your DOS policy is looking for; e.g. amount of pkts. in a specific timeframe.
Copyright 2024 Fortinet, Inc. All Rights Reserved.