Using Traffic Monitor Layer 3/4/7 graphs
Use the Layer 3 graphs to monitor trends in Layer 3 traffic parameter rates and drops.
Customize the graph with the following viewing parameters: SPP, Linear/Logarithmic Y-Axis, Direction, Reporting Period (1-hr to 1-yr).
Most graphs in this group will show Inbound/Outbound and Ingress/Egress. Remember Inbound Ingress is from the Internet to FortiDDoS and Inbound Egress is from FortiDDoS to your network. Any divergence of Ingress and Egress traffic on the graph indicated that the system is dropping packets (real, in Prevention mode or virtually in Detection Mode).
If Ingress and Egress traffic diverges, you will also see Drop Counts on this graph if the drop reason is directly related to this graph. You may see Ingress/Egress divergence on a graph but no drops. This indicates that the traffic on this graph was affected by drops on another graph. For example, a high rate of Layer 3 Anomalies may affect a Layer 3 Protocol graph but the drops will be shown on the Anomalies graphs.
If you are uncertain about what is causing the drops, use the Dashboard > Top Attacks page to find the actual attack vector and then choose the appropriate graph.
Placing the cursor on the Monitor graph will display a tool-tip with additional information.
On graphs with many subgraphs all graph labels may not show at once. If so, the right side of the label section will show navigation arrows to display further graph labels:
On pages with multiple graphs, you can scroll to see all graphs or you can use the +/- icon at the top-left of each graph name to hide that graph. The pages always open with all graphs showing.
Estimated Thresholds
FortiDDoS sets Thresholds by learning traffic, creating Traffic Statistics Reports and from them creating System Recommended Thresholds (also called configured minimum thresholds in some text) shown on the top left of the graph (Threshold: 500, for example).
For selected “Scalar” parameters, the system then creates a continuously adaptive, machine-learned Estimated Threshold which automatically adjusts the System Recommended Threshold, based on historical traffic, traffic trend and “seasonality”. Action is taken by the system only when traffic exceeds the higher of the System Recommended Threshold or the adaptive Estimated Threshold. Estimated Thresholds are by default limited to 150% of the System Recommended Threshold to prevent excess traffic. The 150% limit is user-modifiable in System Recommendations.