SSL-VPN triggering an IPS udp_flood (I think)

New Member
2018/06/18 03:34:52


Hi y'all,
I've got this challenge with a lot of alert emails from my FortiGate. It looks like it's triggered through the DoS IPv4 policy on WAN1. If I read and analyze the message I see it's from a customer that uses an SSL-VPN connection to our center. It's not just one customer but several that can trigger it. I raised the threshold for this DoS IPv4 policy from 2000 to 3500 and it reduced the amount of mails :-) . I can of course raise it even higher or just turn it off, but that's not a good solution because I want to understand what happens. I see that it seems to be in connection with the logon (but not 100% sure).
I post the alert and hope somebody can give me a hint or a solution.
Message meets Alert condition
The following intrusion was observed: "udp_flood".
date=2018-06-18 time=12:00:56 devname=FGT92D-prim-SMS devid=FGT92D3G1400xxxx logid="0720018432" type="anomaly" subtype="anomaly" level="alert" vd="root" eventtime=1529316056 severity="critical" srccountry="Norway" srcintf="wan1" srcintfrole="undefined" sessionid=0 action="clear_session" proto=17 service="udp/10443" count=137 attack="udp_flood" srcport=53797 dstport=10443 attackid=285212772 policyid=1 policytype="DoS-policy" ref="" msg="anomaly: udp_flood, 3501 > threshold 3500, repeats 137 times" crscore=50 crlevel="critical"
Kind regards
New Member
Re: SSL-VPN triggering an IPS udp_flood (I think) 2019/11/15 01:54:55
Same behavior on our system.
New Member
Re: SSL-VPN triggering an IPS udp_flood (I think) 2020/06/08 21:29:10
I am having the same problem.
I had to turn it off for the UDP flood because it was causing a problem for SSL-VPN users,
but then we had a real UDP attack which affected the CPU for several hours. I now need to explain this to the client.
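A small triage script for the situation described in the opening post and in the last reply (it is an added example, not code from the thread or from Fortinet): it parses FortiGate key=value log lines, including the quoted msg field that carries the observed rate and threshold, and separates udp_flood anomalies aimed at the SSL-VPN UDP port from those aimed elsewhere, so an admin can see which alerts line up with SSL-VPN logons before raising the threshold or disabling the DoS policy altogether. Assumptions: the SSL-VPN listens on UDP/10443 (inferred from service="udp/10443" in the posted log), and the second sample log line is constructed to stand in for a genuine flood; only the first line comes from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input. The first line is the anomaly log quoted in the
# opening post; the second is a constructed line (not from the thread) that
# stands in for a genuine UDP flood aimed at a port the SSL-VPN does not use.
SAMPLE_LOGS: List[str] = [
    'date=2018-06-18 time=12:00:56 devname=FGT92D-prim-SMS devid=FGT92D3G1400xxxx '
    'logid="0720018432" type="anomaly" subtype="anomaly" level="alert" vd="root" '
    'eventtime=1529316056 severity="critical" srccountry="Norway" srcintf="wan1" '
    'srcintfrole="undefined" sessionid=0 action="clear_session" proto=17 '
    'service="udp/10443" count=137 attack="udp_flood" srcport=53797 dstport=10443 '
    'attackid=285212772 policyid=1 policytype="DoS-policy" ref="" '
    'msg="anomaly: udp_flood, 3501 > threshold 3500, repeats 137 times" '
    'crscore=50 crlevel="critical"',
    # constructed: same anomaly type, but aimed at a port no SSL-VPN listens on
    'date=2018-06-18 time=12:05:10 devname=FGT92D-prim-SMS type="anomaly" '
    'subtype="anomaly" srcintf="wan1" action="clear_session" proto=17 '
    'service="udp/5060" count=900 attack="udp_flood" srcport=4000 dstport=5060 '
    'policyid=1 policytype="DoS-policy" '
    'msg="anomaly: udp_flood, 12000 > threshold 3500, repeats 900 times"',
]

# key=value pairs; a value is either a double-quoted string (which may contain
# spaces, as in msg="...") or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# The msg field of a FortiGate anomaly log states observed rate, threshold
# and repeat count in this fixed phrasing.
MSG_RE = re.compile(r'(\d+) > threshold (\d+), repeats (\d+) times')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate log line into a field dictionary, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw
    return fields


@dataclass
class AnomalyTriage:
    attack: str
    dstport: int
    observed: int
    threshold: int
    repeats: int
    verdict: str


def triage_anomaly(fields: Dict[str, str], sslvpn_udp_port: int = 10443) -> AnomalyTriage:
    """Classify one DoS-policy anomaly record.

    sslvpn_udp_port is an assumption: the thread's log shows service="udp/10443"
    and the poster attributes the traffic to SSL-VPN clients, so UDP/10443 is
    treated here as the SSL-VPN port.
    """
    m = MSG_RE.search(fields.get("msg", ""))
    if m:
        observed, threshold, repeats = (int(g) for g in m.groups())
    else:
        # msg not in the expected shape: fall back to the count field only
        observed, threshold, repeats = 0, 0, int(fields.get("count", "0"))
    dstport = int(fields.get("dstport", "0"))
    proto = int(fields.get("proto", "0"))

    if proto == 17 and dstport == sslvpn_udp_port:
        # UDP at the SSL-VPN port: correlate with SSL-VPN logon events before
        # treating it as hostile or raising the threshold further.
        verdict = "sslvpn_port"
    else:
        # UDP at some other port: nothing explains it, so investigate it.
        verdict = "investigate"
    return AnomalyTriage(fields.get("attack", ""), dstport, observed,
                         threshold, repeats, verdict)


def triage_lines(lines: List[str], sslvpn_udp_port: int = 10443) -> List[AnomalyTriage]:
    """Parse and triage every anomaly-type log line, skipping other log types."""
    results: List[AnomalyTriage] = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get("type") == "anomaly":
            results.append(triage_anomaly(fields, sslvpn_udp_port))
    return results


if __name__ == "__main__":
    for t in triage_lines(SAMPLE_LOGS):
        excess = t.observed - t.threshold
        print(f"{t.attack} dstport={t.dstport} {t.observed}>{t.threshold} "
              f"(+{excess}) repeats={t.repeats} -> {t.verdict}")
```

Feeding the posted log through it shows the rate was only 1 packet above the 3500 threshold (3501) at the SSL-VPN port, whereas the constructed flood line is far above threshold at an unrelated port; keeping the policy enabled and reviewing the "sslvpn_port" hits against SSL-VPN logon times preserves the protection the last reply lost by switching it off.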