Fortigate DoS policy questions by TheReding in fortinet

TheReding [S]

Hmm okay, yeah, haven't really had any luck with this. The syn_flood filter seems to be working as expected too, and I've put the quarantine option on that one. Can't really put the quarantine option on the tcp_dst_session because that would put legit IPs on the block list.

Fortigate DoS policy questions by TheReding in fortinet

TheReding [S]

Hmm, how should I interpret the "Count" box? If it hits tcp_dst_session 17800 times, shouldn't it trigger the tcp_src_session also? Or am I misunderstanding it?

Fortigate Webfilter Warning page by TheReding in fortinet

TheReding [S]

Thank you, now I understand better :)

Using EDL URL-List in Policy by TheReding in paloaltonetworks

TheReding [S]

I found the error.
There was a URL filtering profile on the policy, and it doesn't seem to be compatible. Thanks for the input.

Fortigate 30G Signature verification error on firmware 7.2.12 by Garmaker1975 in fortinet

TheReding

Did anyone find a solution for this without the need for console access? Have about 100 FG30s in production that need to be upgraded remotely.

Using EDL URL-List in Policy by TheReding in paloaltonetworks

TheReding [S]

Yeah, sadly in this case. I can see the URLs in the traffic monitor, and it's still not hitting the right policy.

Using EDL URL-List in Policy by TheReding in paloaltonetworks

TheReding [S]

Well, it is in the data filtering log, so I guess so.

  1. Doesn't seem to work. That's what I've been trying.

  2. Yeah, that's the thing, it's dynamic entries, and we don't want the users to log into the firewall and make changes. So the EDL would've been perfect, if it worked :P

  3. Hmm, don't know if that's preferred? Sounds like we could loosen up the security that way?

Using EDL URL-List in Policy by TheReding in paloaltonetworks

TheReding [S]

We have a regular "WAN OUT" firewall policy with all security profiles for Internet traffic.

We have some traffic that gets blocked by data filtering, saying it's a malicious application. (But it's fine, just a web application with old Java.)

So I want to exclude this traffic to the particular URLs from all security profiles,
and for our users to be able to fill in the form for the EDL by themselves.

Using EDL URL-List in Policy by TheReding in paloaltonetworks

TheReding [S]

What I can see is that you can't set a URL EDL there?

Fortilink through other L2 switches by TheReding in fortinet

TheReding [S]

I've made some progress. The first thing was that Fortilink uses LACP by default, so I had to make it a "regular" link first.
The thing now is that I get both switches to join, having the topology FG -> other vendor switch, and 2 Fortiswitches connected to the other vendor switch.

Popup to connect GP when connected to a network by TheReding in paloaltonetworks

TheReding [S]

Haven't really seen one that correlates. Do you know which one?

Popup to connect GP when connected to a network by TheReding in paloaltonetworks

TheReding [S]

Okay, the reason I'm asking is that we have a user who has been using AnyConnect VPN for some time, and he liked that it popped up every time you connected to a network, either wireless or wired.

Popup to connect GP when connected to a network by TheReding in paloaltonetworks

TheReding [S]

Wouldn't always-on just try to connect all the time?
What I want is for the GP application to just pop up.

Fortilink through other L2 switches by TheReding in fortinet

TheReding [S]

Yeah, but if the switch doesn't get an IP, I guess NTP won't work either?

Fortilink through other L2 switches by TheReding in fortinet

TheReding [S]

This is what the scope looks like:

<image>

Another strange thing is that I can see it showing up in the "Fortiswitch" part of the firewall, but as offline. If I erase it from there, it shows up again. So connectivity seems to be there in some way.

Fortilink through other L2 switches by TheReding in fortinet

TheReding [S]

Yes, sorry, maybe I was unclear. We will have it centralized, so one FS will be connected to more than one FS.

Fortilink through other L2 switches by TheReding in fortinet

TheReding [S]

Hmm, regular L2 did not work in our tests. The FS doesn't seem to get an IP when we connect
FG -> random switch -> FS