[AF] No port mapping configured, yet an external-to-internal DoS attack alert was raised
Problem Description
The AF at the egress is configured with bidirectional DoS policies but no DNS policy. Traffic still matches the external-to-internal DoS policy, and the log reports a port scan whose source IP address is a public network address.
Root Cause
Port-scan detection is performed in the first stage of DoS processing, before connection tracking, so return packets from the external network are evaluated before they can be matched to the inside-initiated session they belong to.
Solution
After confirming with R&D: port-scan detection runs in the first stage of DoS processing, before connection tracking. Recording return packets from the external network as a port scan is therefore expected behavior, not a sign of an actual attack.
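To illustrate the behavior described above, here is an added example (not Sangfor's code): a port-scan counter applied before connection tracking flags the public server's reply packets, which land on many ephemeral ports of one internal host, while the same counter applied after a connection-tracking lookup does not. All addresses, ports and the threshold are constructed sample values.

```python
"""Why a port-scan check that runs before connection tracking reports
reply traffic as an external-to-internal scan. Constructed example."""
from collections import defaultdict

SCAN_THRESHOLD = 5  # distinct ports on one host before alerting (assumed value)

# Constructed traffic: an internal host opens eight outbound HTTPS sessions
# to one public server; the server's replies come back to eight ephemeral ports.
OUTBOUND = [("192.168.1.10", 50000 + i, "203.0.113.5", 443) for i in range(8)]
RETURN = [(dst, dport, src, sport) for (src, sport, dst, dport) in OUTBOUND]


def build_conntrack(flows):
    """Connection-tracking table of inside-initiated flows (protocol omitted)."""
    return {(src, sport, dst, dport) for (src, sport, dst, dport) in flows}


def is_established(pkt, conntrack):
    """A packet belongs to a tracked session if it is the reverse of a known flow."""
    src, sport, dst, dport = pkt
    return (dst, dport, src, sport) in conntrack


def scan_sources(packets, conntrack=None):
    """Return source IPs touching >= SCAN_THRESHOLD distinct ports on one host.
    With conntrack=None the check runs before connection tracking (stage one)."""
    ports = defaultdict(set)
    for pkt in packets:
        if conntrack is not None and is_established(pkt, conntrack):
            continue  # reply to an inside-initiated session: not a scan
        src, _sport, dst, dport = pkt
        ports[(src, dst)].add(dport)
    return sorted(src for (src, _dst), p in ports.items() if len(p) >= SCAN_THRESHOLD)


def stage_one_alerts():
    """Stage-one check: reply packets look like a scan from the public server."""
    return scan_sources(RETURN)


def stateful_alerts():
    """Same check after a conntrack lookup: the replies are skipped."""
    return scan_sources(RETURN, build_conntrack(OUTBOUND))


if __name__ == "__main__":
    print("before conntrack:", stage_one_alerts())  # ['203.0.113.5']
    print("after conntrack: ", stateful_alerts())   # []
```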
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1009&isOpen=true