aakashrajwani
New Contributor

Fortinet Firewall shows 100Mbps (100%) bandwidth usage but unable to check in Sources!

I am working with a Fortinet FG-60F firewall. It has 2 WAN sources and both have a maximum link speed of 100Mbps. Throughout the day, I am repeatedly getting downstream bandwidth spikes of 100Mbps+ on both WAN links.

Our usage is not much at all. When I check my FortiView sources, the bandwidth consumed by individual IPs is not more than 10Mbps.

 

We are repeatedly getting connectivity issues and packet losses. Users are repeatedly losing their connections and pings are getting timed out.

Please guide me on how to find out what is causing this or consuming the bandwidth.
Toshi_Esumi
SuperUser

Since no one is responding so far, I'll put some comments here.
The first thing I would do is look at the usage on the internal interfaces instead of each user, to see if they have a mirror image of the WAN1/2 usage pattern.
My assumption is that it's nothing similar to those. Then you're likely getting attacks on both interfaces.

Then I would look for the sources of those attacks by just sniffing on the interface to see if there are some common sources. From there, there are some different options to mitigate.

Toshi
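
Added example, not part of any reply in this thread: one way to act on the sniffing suggestion above is to save the interface capture as text and tally inbound packets per source and protocol. The line layout, the `SAMPLE` lines, the addresses and the function name `top_inbound_sources` are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed capture text. The layout is an assumption modelled on verbose
# FortiGate CLI sniffer output; addresses are documentation ranges.
SAMPLE = """\
interfaces=[wan1]
filters=[udp or icmp]
0.101 wan1 in 198.51.100.7.443 -> 203.0.113.10.51022: udp 1350
0.102 wan1 in 198.51.100.7.443 -> 203.0.113.10.51022: udp 1350
0.103 wan1 in 192.0.2.55 -> 203.0.113.10: icmp: echo request
0.104 wan1 out 203.0.113.10.51022 -> 198.51.100.7.443: udp 60
0.105 wan1 in 198.51.100.7.443 -> 203.0.113.10.51022: udp 1350
0.106 wan1 in 192.0.2.55 -> 203.0.113.10: icmp: echo request
0.107 wan1 in 192.0.2.99.137 -> 203.0.113.255.137: udp 50
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# timestamp, interface, direction, src[.port] -> dst[.port]: proto [length]
LINE = re.compile(
    rf"^\S+\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    rf"(?P<src>{IP})(?:\.\d+)?\s+->\s+{IP}(?:\.\d+)?:\s+"
    rf"(?P<proto>udp|icmp)\b(?:\s+(?P<len>\d+))?"
)

def top_inbound_sources(text, iface, n=3):
    """Return [(src, proto, packets, summed_length)] for inbound packets, busiest first."""
    pkts, size = Counter(), Counter()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["iface"] != iface or m["dir"] != "in":
            continue  # skip header lines, other interfaces and outbound packets
        key = (m["src"], m["proto"])
        pkts[key] += 1
        size[key] += int(m["len"] or 0)  # ICMP lines carry no length in this layout
    return [(s, p, c, size[(s, p)]) for (s, p), c in pkts.most_common(n)]

if __name__ == "__main__":
    for row in top_inbound_sources(SAMPLE, "wan1"):
        print(row)
```

A handful of sources dominating the inbound count on both WAN links, with no matching flows on the LAN side, is the "common sources" pattern the reply describes.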

aakashrajwani

Hello,

I am not seeing much utilization on the LAN interface. As suggested in another answer, I enabled the IPv4 DoS policy first and I could still see spikes. Then, I am seeing UDP and ICMP flooding events in the Security events log.

I am not sure if this is causing it and if so, how to resolve it.

aakashrajwani

Hello,

Adding one thing to this, I am also seeing these entries in my log: a lot of blocks from random IPs to random IPs on UDP ports 137 and 138.

DPadula
Staff

You can try to add the LAN interface bandwidth to the dashboard to confirm if the traffic seen on WAN1 and 2 is indeed going to the internal LAN.
Another option would be to install an SNMP monitoring tool on a computer or server and monitor both interfaces (LAN and WAN) on the FGT.

aakashrajwani

Hi,

I added the internal VLAN in the dashboard and it is showing a utilization of less than 10Mbps. WAN1 and WAN2 are still going higher than 75Mbps, both being identical. Have I done it correctly? How do I check further?

hbac
Staff

Hi @aakashrajwani,

I noticed that the spikes only show as inbound. I would suggest configuring a DoS policy. Please refer to https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/771644/dos-policy

Regards,

aakashrajwani

Hello,

I configured the DoS policy for both WAN sources - all sources, all destinations, all services, and enabled all suggested policies to block it with default packet values, but the bandwidth utilization is still higher than 80Mbps.

AEK

Hi @aakashrajwani 

Just be careful when enabling DoS policy, you may deny legitimate traffic if you squeeze too much.

AEK
aakashrajwani

On checking the Security events, I found this:

The IPs involved in the UDP Flood ones are showing to be from Google - resolved domain: maps.googleapis.com, maps.googleapis.com. The IPs involved in ICMP Flood ones are from Amazon EC2 instances in Brazil, Korea, London, etc.

Is this useful information in finding out what is happening?
