FortiGate
wmichael
Staff
Article Id 298215
Description

This article explains how to configure an IPv4 DoS policy on FortiGate for use with Zoom meetings.

Zoom meetings generate a large amount of UDP packets. Due to the large volume of UDP packets, the udp_flood anomaly on an IPv4 DoS policy can easily be triggered. This can cause a number of issues resulting in poor quality communication.

Scope
FortiGate
Solution

Zoom requires TCP ports 80 and 443 and UDP ports 3478, 3479, and 8801-8810.

See the Zoom documentation: Zoom network firewall or proxy server settings.

If the IPv4 DoS policy is causing Zoom UDP packets to drop by triggering the udp_flood, it is necessary to allow the UDP ports that Zoom uses.

This can be done in a separate IPv4 DoS policy so that the normal DoS policy is still effective.

  • Create a new service object that covers UDP ports 3478, 3479, and 8801-8810. In the GUI, go to Policy & Objects -> Services and select 'Create New'.
  • Create the service object with UDP destination ports 49152-65535 (ephemeral ports) and source ports 3478, 3479, and 8801-8810.

Here is an example of how the service object should be configured:

[Image: Zoom-UDP-ports-service.jpg]

  • Create a new IPv4 DoS policy on the WAN interface, which is where UDP packets from the Zoom servers arrive at the FortiGate. This IPv4 DoS policy exempts Zoom from the UDP flood check by allowing packets on UDP ports 3478, 3479, and 8801-8810.

In this example, port1 was used. The interface needs to be the Internet-facing WAN interface.

[Image: Zoom-DoS-policy.jpg]

  • Ensure udp_flood on the IPv4 DoS policy is set to either 'Disable' or 'Monitor'.

[Image: Zoom-UDP_flood.jpg]

  • Ensure the new policy is above any general-use IPv4 DoS policies. IPv4 DoS policies are matched from top to bottom, just like firewall policies.

[Image: Zoom-policy-order.jpg]

The result will be that traffic from Zoom servers will hit the Zoom-bypass DoS policy and not trigger the udp_flood.

If the action is set to 'Monitor', the traffic will pass through but will be shown in the Anomaly logs as 'detected'.
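The same service object and bypass DoS policy expressed in the FortiOS CLI, as an added example that is not part of the original article. The object name Zoom-UDP, the policy IDs (1 for the bypass policy, 2 for the existing general policy) and the threshold value are assumptions; port1 and the Zoom-bypass name come from the article, and exact option names should be checked against the running FortiOS version.

```fortios
# Added example, not from the article: FortiOS CLI equivalent of the GUI steps.
# Service object: UDP destination ports 49152-65535 (ephemeral), source ports
# 3478, 3479 and 8801-8810. udp-portrange is written <dst-range>:<src-range>,
# with multiple ranges separated by spaces.
config firewall service custom
    edit "Zoom-UDP"                 # assumed object name
        set udp-portrange 49152-65535:3478-3479 49152-65535:8801-8810
    next
end

# IPv4 DoS policy on the Internet-facing interface (port1 in the article).
# Policy ID 1 is assumed.
config firewall DoS-policy
    edit 1
        set name "Zoom-bypass"
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "Zoom-UDP"
        config anomaly
            edit "udp_flood"
                # 'Monitor' in the GUI: enabled, action pass, logged as detected.
                # For 'Disable' use "set status disable" instead.
                set status enable
                set log enable
                set action pass
                set threshold 2000  # assumed value; not enforced when action is pass
            next
        end
    next
end

# DoS policies match top to bottom: place the bypass policy above the
# existing general policy (ID 2 is assumed).
config firewall DoS-policy
    move 1 before 2
end
```

Checking the Anomaly log for udp_flood entries with action 'detected' on the Zoom-bypass policy confirms the traffic is matching the intended policy rather than the general one.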
