I am working with a Fortinet FG-60F firewall. It has 2 WAN sources and both have a maximum link speed of 100Mbps. Throughout the day, I am repeatedly getting downstream bandwidth spikes of 100Mbps+ on both WAN links:

[screenshot: WAN1/WAN2 bandwidth graph]

Our usage is not much at all. When I check my Fortiview sources, the bandwidth consumed by individual IPs is not more than 10Mbps:

[screenshot: FortiView sources]

We are repeatedly getting connectivity issues and packet losses. Users are repeatedly losing their connections and pings are getting timed out.

Please guide me on how to find out what is causing this or what is consuming the bandwidth.

EDIT: I was suggested to enable the DoS Policy and check the Anomaly logs. It was right. I instantly got Anomaly logs which showed UDP and ICMP Floods from reputed IPs (even 8.8.8.8). The problem is that the Destination IP in these floods is not mine. For example, my IP is 220.110.94.94. The destination IPs of these floods are 220.110.94.93 OR other IPs belonging to the Data Centre / ISP.

I am unable to understand how I am getting these floods even though the destination IP is not mine. Even after changing my IPs to a different pool, these haven't stopped.

  • Notice WAN1 and WAN2 graphs are identical. That's very unlikely. – Ricky Commented Apr 17 at 20:23
  • @Ricky Yes, WAN1 and WAN2 are identical. This is even though we have set WAN1 preferred over WAN2 in SD-WAN rule, and the implicit SD-WAN rule has Spillover from WAN1 to WAN2 beyond 100Mbps. Commented Apr 18 at 8:23

1 Answer

It's possible that not all traffic shows up in FortiView. I remember dimly that that depends on the actual rule used.

Accordingly, you should examine your policies for any that are not submitting data to FortiView. (Logging might need to be turned on.)

Another option is to run a packet capture (in Network -> Diagnostics) on the LAN port if you know when things happen. You can only run it for a very limited time. Alternatively, you could use port mirroring on the LAN-side switch with longer capturing on a workstation.

Yet another possibility is to use sFlow or NetFlow - if supported - on the LAN switch the FG is connected to in order to view protocols and bandwidths.

[Re EDIT]

my IP is 220.110.94.94. The destination IPs of these floods are 220.110.94.93 OR other IPs

That might indicate that your ISP has set a route to those IP addresses via your firewall. You should talk to them.

  • I was suggested to enable a DoS Policy. I started getting Anomaly logs showing hits every minute. Commented Apr 24 at 15:40
  • I agree, you need to do a packet capture on each interface and actually figure out what the traffic is. Then speak with your ISP(s) to determine why your firewall is getting hit with traffic that is not destined to its IP addresses, if that is the case. Commented Apr 24 at 19:49
  • Yes, turns out the data center/ISP had done some mistake at their end and all that traffic was coming to our FW. A friend helped me check it via a Packet Capture. Commented Apr 29 at 9:02
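The answer's point in [Re EDIT] is that flood events whose destination address is not yours are evidence of an upstream routing problem rather than an attack on you. The script below, an added example that is not part of the original question or answer, makes that check mechanical: it parses DoS-policy anomaly log lines, sums the reported hit counts per (destination, attack) pair, and splits them into destinations the firewall owns versus foreign ones. The key=value layout is modelled on FortiOS anomaly logs, but the sample lines, the field names used (`type`, `dstip`, `attack`, `count`) and the owned address 220.110.94.94 taken from the question are constructed for this example and should be checked against your own log export.

```python
"""
Classify FortiGate DoS-policy anomaly events by whether the flood's
destination is an address this firewall actually owns.

Added example, not code from the original post. The log lines below are
constructed to resemble FortiOS key=value anomaly logs; the exact field
set of a real export is an assumption and may differ.
"""
import ipaddress
import re
from collections import Counter

# key=value pairs; value is either "quoted" (may contain spaces) or bare
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: three floods aimed at neighbouring ISP addresses,
# one aimed at our own address, one ordinary traffic log, one junk line.
SAMPLE_LOGS = [
    'date=2024-04-24 time=15:40:01 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=8.8.8.8 dstip=220.110.94.93 proto=17 attack="udp_flood" action="detected" count=2400',
    'date=2024-04-24 time=15:40:03 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=1.1.1.1 dstip=220.110.94.93 proto=1 attack="icmp_flood" action="detected" count=600',
    'date=2024-04-24 time=15:41:10 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=9.9.9.9 dstip=220.110.94.17 proto=17 attack="udp_flood" action="detected" count=1800',
    'date=2024-04-24 time=15:41:12 type="anomaly" subtype="anomaly" level="alert" '
    'srcip=203.0.113.5 dstip=220.110.94.94 proto=17 attack="udp_flood" action="detected" count=200',
    'date=2024-04-24 time=15:41:13 type="traffic" subtype="forward" '
    'srcip=192.168.1.10 dstip=220.110.94.94 proto=6 action="accept"',
    'garbage line with no fields',
]

# Addresses assigned to this firewall (from the question; assumption).
OWNED = ["220.110.94.94"]


def parse_line(line):
    """Return a dict of fields from one key=value log line, quotes stripped."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify_floods(lines, owned_addresses):
    """
    Sum anomaly hit counts per (dstip, attack) and split them into two
    Counters: 'owned' (destination is one of ours) and 'foreign'
    (destination belongs to someone else, e.g. a neighbour on the ISP's
    block). Non-anomaly lines and lines without a destination are skipped.
    """
    owned = {ipaddress.ip_address(a) for a in owned_addresses}
    owned_counter, foreign_counter = Counter(), Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "anomaly" or "dstip" not in f:
            continue
        try:
            dst = ipaddress.ip_address(f["dstip"])
        except ValueError:
            continue  # malformed address: ignore rather than crash
        key = (f["dstip"], f.get("attack", "unknown"))
        hits = int(f.get("count", "1"))
        (owned_counter if dst in owned else foreign_counter)[key] += hits
    return owned_counter, foreign_counter


def foreign_share(owned_counter, foreign_counter):
    """Fraction of flood hits whose destination is not one of our addresses."""
    total = sum(owned_counter.values()) + sum(foreign_counter.values())
    return 0.0 if total == 0 else sum(foreign_counter.values()) / total


def foreign_destinations(foreign_counter):
    """Foreign destination IPs ordered by total hits, busiest first."""
    per_ip = Counter()
    for (dstip, _attack), hits in foreign_counter.items():
        per_ip[dstip] += hits
    return [ip for ip, _ in per_ip.most_common()]


if __name__ == "__main__":
    owned_c, foreign_c = classify_floods(SAMPLE_LOGS, OWNED)
    print(f"foreign share of flood hits: {foreign_share(owned_c, foreign_c):.0%}")
    for ip in foreign_destinations(foreign_c):
        print(f"  not ours: {ip}")
    for (ip, attack), hits in owned_c.items():
        print(f"  ours:     {ip} {attack} {hits}")
```

A foreign share near 100 % is the signature of the situation the answer describes: the ISP or data centre is delivering traffic for addresses you do not hold to your WAN ports, so a packet capture on each WAN interface plus a conversation with the provider is the next step, not a firewall tuning exercise. Run the script against a real export with the real list of addresses you are assigned.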