Appendix A: DDoS Attack Log Reference
The following table provides the description of the fields in the Log Reference table.
Fields and description
| Field | Description |
|---|---|
| Event code | 1 - Layer 3, 2 - Layer 4, 4 - Layer 7 |
| Subcode | Internal reference only. |
|
Trap Attack Type |
Attack Event identifier included in Attack SNMP Traps sent (instead of Event Name). |
| Event Name | Event Type in the web UI Attack Logs and Graphs, description field in syslog. |
| Category | Filter category in web UI Attack Logs. |
| Period |
Interrupt: Rate Flood means the first event is logged within two minutes after the start of an attack and reported every minute thereafter. Periodic: Events other than Rate Flood means events are logged every 5 minutes. |
| Note: Source IP address is reported only for drops due to per-source thresholds (see Source tracking table). | |
| Event code | Subcode | Trap attack type | Event name | Category | Period | Description | Parameter | Graph |
|---|---|---|---|---|---|---|---|---|
| 1 | 0 | 1000 | Protocol Flood | Rate Flood | Interrupt | Effective rate limit for the protocol (0-255) has been reached. Protocols are rate-limited at the Threshold. Protocols 6 (TCP) and 17 (UDP) do not normally have Thresholds. | Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Protocols | Monitor > Drops Monitor > Flood Drops > Layer 3 > Protocols Monitor > Layer 3/4/7> Layer 3 > Protocols |
| 1 | 1 | 1001 | Other Protocols Fragment Flood | Rate Flood | Interrupt |
Effective rate limit for fragments in Protocols other than TCP, UDP and DNS has been reached. Fragments are rate-limited at the Threshold. |
Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > OTH Fragment | Monitor > Drops Monitor >Flood Drops > Layer 3 > Fragmented Packets (aggregate of all Protocol fragments) Monitor > Layer 3/4/7> Layer 3 > Other > Fragmented Packets > Other Fragmented Packets |
| 1 | 8 | 1008 | Source Flood | Rate Flood | Interrupt | Effective rate limit for the most-active-source threshold has been reached. Source IP address is reported. | Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > Most Active Source | Monitor > Drops Monitor >Flood Drops > Layer 3 > Source Flood Monitor > Layer 3/4/7> Layer 3 > Sources > Most Active Source |
| 1 | 9 | 1009 | Destination Flood | Rate Flood | Interrupt |
Effective rate limit for the most-active-destination threshold has been reached. Note: This Threshold is not set by System Recommendations. You may manually add a Threshold if desired. |
Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > Most Active Destination | Monitor > Drops Monitor > Flood Drops > Layer 3 > Destinnation Flood Monitor > Layer 3/4/7> Layer 3 > Sources > Most Active Destination |
| 1 | 14 | 1014 | IP Header checksum error | Header anomaly | Periodic | Invalid IP header checksum. | Service Protection > IP Profile > IP Strict Anomalies. IP Profile must be assigned to an SPP. | Monitor >Drops Monitor >Anomaly Drops >Layer 3 > IP Header Checksum |
| 1 | 15 | 1015 | Source IP==dest IP | Header anomaly | Periodic | Identical source and protected IP addresses (LAND attack). | Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. | Monitor >Drops Monitor >Anomaly Drops >Layer 3 > Source and Destination Address Match |
| 1 | 16 | 1016 | Source/dest IP==localhost | Header anomaly | Periodic | Source/destination address is the local host (loopback address spoofing). | Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. | Monitor >Drops Monitor >Anomaly Drops >Layer 3 > Source/ Destination as Localhost |
| 1 | 17 | 1017 | L3 anomalies | Header anomaly | Periodic |
Drops due to predefined Layer 3 rules: - IP version other than IPv4 or IPv6. - EOP (End of Packet) before 20 bytes of IPv4 data. -EOP comes before the length specified by Total Length. -Reserved Flag set. -More Frag and Don't Frag Flags set. -Added Anomaly for DSCP and ECN. |
Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. | Monitor >Drops Monitor >Anomaly Drops >Layer 3 > Layer 3 |
| 1 | 23 | 1023 | TCP Fragment Flood | Rate Flood | Interrupt |
Effective rate limit for the TCP fragment has been reached. Note: Use with care. Miss-configured clients can result in TCP fragmentation. Unless you are sure there can be no TCP Fragmentation, it is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds >Scalars > TCP Fragment | Monitor > Drops Monitor > Flood Drops > Layer 3> Fragmented Packets Monitor > Layer 3/4/7> Layer 3 > Other > Fragmented Packets > TCPFragmented Packets |
| 1 | 24 | 1024 | UDP Fragment Flood | Rate Flood | Interrupt |
Effective rate limit for the UDP fragment has been reached. Note: Use with care. Miss-configured clients can result in UDP fragmentation. Unless you are sure there can be no UDP Fragmentation, it is better to use the UDP Fragment Threshold than an ACL. |
Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds >Scalars > UDP Fragment | Monitor > Drops Monitor > Flood Drops > Layer 3> Fragmented Packets Monitor > Layer 3/4/7> Layer 3 > Other > Fragmented Packets > UDPFragmented Packets |
| 1 | 54 | 1054 | Other Protocols Fragment denied | ACL | Periodic |
Fragments for Protocols other than TCP, UDP, DNS, denied by an SPP IP Profile Fragment Check setting. Note: Use with care. Miss-configured clients can result in fragmentation for Protocols like GRE (47) and IPSEC (50). Unless you are sure there can be no Other Protocol Fragmentation, it is better to use the Other Protocol Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check > Other Protocol Fragment IP Profile must be assigned to an SPP. | Monitor > Drops Monitor > ACL Drops > Layyer 3 > Fragmented Packet Denied Drops Monitor > Layer 3/4/7> Layer 3 > Other > Fragmented Packets > OtherFragmented Packets blocked |
| 1 | 60 | 1060 | Denied: IP address | ACL | Periodic | Denied by Global Blocklist | Global Protection > Blocklist > Blocklisted IPv4 | Monitor > Drops Monitor >ACL Drops > Layer 3 > Address Denied: Denied Address Drops |
| 1 | 61 | 1061 | Denied: IP reputation | ACL | Periodic | Denied by the IP Reputation ACL based on IP Profile per SPP. | IP Reputation is an optional subscription which must be current for this ACL to work. System > FortiGuard. For IP Reputation settings, subscription confirmation Service Protection > IP Profile > IP Reputation categories to enable when that IP Profile is assigned to an SPP. | Monitor > Drops Monitor > ACL Drops > Layer 3 > Address Denied: IP Reputation Denied Drops |
| 1 | 63 | 1063 | Denied: IP Multicast | ACL | Periodic | Denied by IP profile per SPP. | Service Protection > IP Profile > IP Multicast Check IP Profile must be assigned to an SPP. | Monitor > Drops Monitor > ACL Drops > Layer 3 > IP Multicast Denied Drops |
| 1 | 64 | 1064 | Denied: Private IP | ACL | Periodic | Denied by IP profile per SPP. | Service Protection > IP Profile > IP Private Check IP Profile must be assigned to an SPP. | Monitor > Drops Monitor > ACL Drops >Layer 3 >Private IP Denied Drops |
| 1 | 71 | 1071 | TCPFragment denied | ACL | Periodic |
TCP Fragments denied by an SPP IP Profile Fragment Check setting. Note: Miss-configured clients can send TCP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check >TCP Fragment IP Profile must be assigned to an SPP. | Monitor > Drops MonitoACL Drops > Layer 3 > Fragmented Packet Denied Drops Monitor > Layer 3/4/7> Layer 3 > Other > Fragmented Packets > TCPFragmented Packets blocked |
| 1 | 72 | 1072 | UDPFragment denied | ACL | Periodic |
UDP Fragments denied by an SPP IP Profile Fragment Check setting. Note: Miss-configured clients can send UDP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check >UDP Fragment IP Profile must be assigned to an SPP. | Monitor > Drops Monitor >ACL Drops > Layer 3 > Fragmented Packet Denied Drops Monitor > Layer 3/4/7> Layer 3 > Other > Fragmented Packets > UDPFragmented Packets blocked |
| 2 | 0 | 2000 | SYN Flood | Rate Flood | Interrupt |
Effective rate limit for the SYN Threshold has been reached. Note: 1. Crossing the SYN Threshold initiates SYN Validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking). 2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then allowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation. |
Service Protection > Service Protection Policy > Thresholds > Scalars >: SYN Service Protection > TCP Profile >TCP Packets Validation > SYN Validation. Note: If SYN Validation is not enabled no SYN validation nor rate limiting is done. |
Monitor > Drops Monitor >Flood Drops > Layer 3> SYN Monitor > Layer 3/4/7> Layer 4 > SYN |
| 2 | 6 | 2006 | State Anomalies: Foreign packet (Out of State) | State anomaly | Periodic | A foreign packet is a TCP packet that does not belong to any known connections. Tracked when TCP Profile for an SPP has Foreign Packet Validation enabled. | Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation TCP profile must be assignd to an SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 4 > State |
| 2 | 7 | 2007 | State Anomalies: Outside window | State anomaly | Periodic | Sequence number of a packet was outside the acceptable window. Tracked when TCP Profile for an SPP has Sequence Validation enabled. | Service Protection > TCP Profile > TCP Packets Validation > Sequence Validation. TCP profile must be assignd to an SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 4 > State |
| 2 | 12 | 2012 | State Anomalies: State transition error | State anomaly | Periodic | State of the TCP packet received was not consistent with the expected state. Tracked when TCP Profile for an SPP has State Transition Validation enabled. | Service Protection > TCP Profile > TCP Packets Validation > State Transition Anomalies Validation TCP profile must be assignd to an SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 4 > State |
| 2 | 13 | 2013 | SPP Rule Deny | ACL | Periodic |
Global or SPP-based IPv4, IPv6, Geolocation, Service ACL drops. Note: 1. In Release 6.1.1, Global ACL drops will be shown in the default SPP graphs. SPP-based ACL drops will be shown in the SPP graphs. 2. Global ACLs are always on - there is no Detection/Preventionn Mode for Global ACLs. |
Global Protection > Access Control List >IPv4 or Global Protection > Access Control List >IPv6 or Service Protection > Service Protection Policy > Service Protection Policy Rule > ACL | Monitor > Drops Monitor > ACL Drops > Layer 4 |
| 2 | 16 | 2016 | TCP zombie Flood | Rate Flood | Interrupt | Effective rate limit for the new-connections Threshold has been reached. Note: this Threshold is set to maximum by System Recommendations to avoid rate-limiting new connections. You can add a manual Threshold if desired. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > New Connections | Monitor > Drops Monitor> Flood Drops >Layer 4 > Zombie Flood Monitor > Layer 3/4/7 > Layer 4 > Other > New Connections |
| 2 | 17 | 2017 | TCP Port Flood | Rate Flood | Periodic |
Effective rate limit for the port has been reached. Note: Several TCP Ports like 80, 443 are set to system maximum (no thresholds) by System Recommendations. Other parameters (like the various SYN thresholds and Foreign Packet Validation) mitigate DDoS Floods to these Ports. You can add a Threshold for these ports if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >TCP Ports | Monitor > Drops Monitor > Flood Drops > Layer 4> TCP Ports Monitor > Layer 3/4/7 > Layer 4 > Ports > TCP |
| 2 | 18 | 2018 | UDP Port Flood | Rate Flood | Periodic |
Effective rate limit for the port has been reached. Note: No Threshold is set for UDP 53 where DNS mitigations are expected to be used. You can add a Threshold if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > UDP Ports | Monitor > Drops Monitor > Flood Drops >Layer 4> UDP Ports Monitor > Layer 3/4/7 > Layer 4 > Ports > UDP |
| 2 | 19 | 2019 | ICMP Flood | Rate Flood | Periodic | Effective rate limit for the ICMP Type/Code has been reached. Type/Codes will be rate-limited to the Threshold. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > ICMP Types and Codes | Monitor > Drops Monitor >Flood Drops >Layer 4> ICMP Types/Codes Monitor > Layer 3/4/7 > Layer 4 > Other > ICMP |
| 2 | 20 | 2020 | Foreign Packets (Aggressive Aging and Slow Connections) | State anomaly | Periodic | Foreign (out-of-state) Packets seen after Slow Connection Aggressive Aging (RST to server) | Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation Service Protection > TCP Profile > TCP Session Settings > Aggressive Aging Feature Control > Slow TCP Connections | Monitor > Drops Monitor >Anomaly Drops >Layer 4> State |
| 2 | 22 | 2022 | Slow Connection: Source Flood | Rate Flood | Interrupt | Slow connection attack detected and “Source blocking for slow connections” enabled. Source IP address is reported. | Service Protection > TCP Profile > TCP Slow Connection Protection > Block Sources With Slow TCP Connections | Monitor > Drops Monitor >Flood Drops > Layer 4> Slow Connection |
| 2 | 24 | 2024 | TCP checksum error | Header anomaly | Periodic | Invalid TCP checksum. | Service Protection > TCP Profile > Strict Anomalies TCP Profile must be assigned to the SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 4> Header > TCP Checksum Error |
| 2 | 26 | 2026 | ICMP checksum error | Header anomaly | Periodic | Invalid ICMP checksum. | Service Protection > ICMP Profile > ICMP Strict Anomalies ICMP Profile must be assigned to the SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 4 > Header > ICMP Checksum Error |
| 2 | 27 | 2027 | TCP invalid flag combination | Header anomaly | Periodic | Invalid TCP flag combination. If the urgent flag is set, then the urgent pointer must be non-zero. SYN, FIN or RST is set for fragmented packets, no flags, all flags and others. | Service Protection > TCP Profile > Strict Anomalies TCP Profile must be assigned to the SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 4 > Header > TCP Invalid Flag Combination |
| 2 | 28 | 2028 | L4 anomalies | Header anomaly | Periodic | Drops due to predefined Layer 4 header rules: Data offset is less than 5 for a TCP packet; EOP (End of packet) is detected before the 20 bytes of TCP header; EOP before the data offset indicated data offset; Length field in TCP window scale option is a value other than 3; Length field in TCP window scale option is a value other than 3: Missing UDP payload; Missing ICMP payload,TCP Option Anomaly based on Option Type; and others. SYN with Payload if SPP Option in TCP Profile is set. | Service Protection > TCP Profile >Strict Anomalies Service Protection > TCP Profile > SYN with Payload Service Protection > ICMP Profile >Strict Anomalies ICMP and TCP Profiles must be assigned to the SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 4 > Header > Anomaly Detected |
| 2 | 54 | 2054 | ICMP Type/Code denied | ACL | Periodic | Denied by an ICMP Profile TypeCode ACL | Service Protection > ICMP Profile > ICMP Type Code ACL ICMP Profile must be assigned to the SPP. | Monitor > Drops Monitor > ACL Drops > Layer 4 > Aggregate > ICMP Type/Code Denied Drops |
| 2 | 56 | 2056 | SYN Flood from source | Rate Flood | Interrupt |
Effective rate limit for the syn-per-src threshold from a single Source IP has been reached. Source IP address is reported. Note: No SYN Validation is done on SYNperSource Floods. The Source is rate-limited to the Threshold |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN Per Source | Monitor > Drops Monitor >Flood Drops > Layer 4 > SYN Per Source Monitor > Layer 3/4/7 > Layer 4 > SYN per Source |
| 2 | 61 | 2061 | Excessive Concurrent Connections Per Source Flood | rate Flood | interrupt | Effective rate limit for the concurrent-connections-per-source threshold has been reached. Source IP address is reported. Per-Source Connections are rate-limited to the Threshold. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > Concurrent-Connections-per-Source | Monitor > Drops Monitor >L4> Flood Drops > Concurrent Connection per Source Monitor > Layer 3/4/7 > Layer 4 >Other > Concurrent Connections per Source |
| 2 | 62 | 2062 | SYN per Destination Flood | rate Flood | interrupt |
Effective rate limit for the SYN per Destination threshold has been reached. Note: 1. Crossing the SYN per Destination Threshold initiates SYN validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking). 2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then alllowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN-per-Destination | Monitor > Drops Monitor >Flood Drops > Layer 4 > SYN per Destination Monitor > Layer 3/4/7 > Layer 4 >SYN per Destination |
| 2 | 82 | 2082 | DNS Query Flood from Source | rate Flood | Periodic |
Effective rate limit for the DNS-Query-per-Source threshold has been reached. Note: 1. No Source Validation (Anti-Spoofing) is attempted for DNS Query per Source. Queries from Sources are rate-limited to the Threhsold. 2. DNS Query per Source Threshold is not set by System Recommendations. A manual Threshold can be added if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS-Query-per-Source | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Query per Source Monitor > Layer 3/4/7 > Layer 7 > DNS > Query per Source |
| 2 | 83 | 2083 | DNS Packet Track Flood from Source | rate Flood | Periodic |
Effective rate limit for the DNS-Packet-Track-per-Source (Suspicious Sources) threshold has been reached. Note: 1. No Source Validation (Anti-Spoofing) is attempted for DNS Packet Track per Source (Suspicious Sources). Queries from Sources are rate-limited to the Threhsold. 2. DNS Packet Track per Source (Suspicious Sources) Threshold is not set by System Recommendations. A manual Threshold can be added if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS Packet Track per Source | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Suspicious Sources Monitor > Layer 3/4/7 > Layer 7 > DNS > DNS Packet Track per Source |
| 2 | 86 | 2086 | Invalid ICMP Type/Code | Header Anomaly | Periodic | Invalid ICMP Type/Code. | Service Protection > ICMP Profile > ICMP Type Code Anomaly ICMP Profile must be assigned to an SPP | Monitor > Drops Monitor >Anomaly Drops > Layer 4 > Header > Invalid ICMPv4 Type/Code or Invalid ICMPv6 Type/Code |
| 2 | 87 | 2087 | HTTP Method Flood from source | rate Flood | Interrupt | Effective rate limit for the HTTP-Method-per-Source threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > HTTP Method Per Source | Monitor > Drops Monitor > Flood Drops > Layer 7 > HTTP > Method Per Source Monitor > Layer 3/4/7 > Layer 7 > HTTP > Method per Source |
| 4 | 0 | 4000 | HTTP Method Flood | Rate Flood | Interrupt | Effective rate limit for a particular HTTP method threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > HTTP Methods | Monitor > Drops Monitor >Flood Drops > Layer 7 > HTTP > Method Flood Monitor > Layer 3/4/7 > Layer 7 > HTTP > Methods (Select Method from drop-down) |
| 4 | 1 | 4001 | Known HTTP Method Anomaly | Header anomaly | Periodic | HTTP Known Method anomaly as defined in an HTTP Profile. | Service Protection > HTTP Profile > Known Method Anomaly HTTP Profile must be assigned to the SPP | Monitor > Drops Monitor >L7>Anomaly Drops > HTTP > Known Method |
| 4 | 2 | 4002 | Invalid HTTP Version Anomaly | Header anomaly | Periodic | Packets dropped due to the HTTP Profile version anomaly option | Service Protection > HTTP Profile > Version Anomaly HTTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > HTTP > Invalid HTTP Version |
| 4 | 3 | 4003 | URL denied | ACL | Periodic | Denied by an HTTP Profile ACL rule. | Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP | Monitor > Drops Monitor > ACL Drops > Layer 7 > HTTP > URL Denied Drops Monitor > Layer 3/4/7 > Layer 7 > HTTP > URL: Packets Blocked |
| 4 | 4 | 4004 | URL Flood | Rate Flood | Periodic | Effective rate limit for a particular URL threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > URLs | Monitor > Drops Monitor >L7> Flood Drops > HTTP > URL Flood Monitor > Layer 3/4/7 > Layer 7 > HTTP > URLs |
| 4 | 5 | 4005 | Unknown HTTP Method Anomaly | Header Anomaly | Periodic | HTTP Profile Unknown HTTP Method. | Service Protection > HTTP Profile > Unknown Method Anomaly HTTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > HTTP > Unknown Method |
| 4 | 6 | 4006 | HTTP L7 Host Flood | Rate Flood | Interrupt | Effective rate limit for a particular Host threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Hosts | Monitor > Drops Monitor >Flood Drops > Layer 7 > HTTP > Host Flood Monitor > Layer 3/4/7 > Layer 7 > HTTP > Hosts |
| 4 | 7 | 4007 | HTTP L7 Host Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. | Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP | Monitor > Drops Monitor > ACL Drops > Layer 7 > HTTP > Host Denied Drops Monitor > Layer 3/4/7 > Layer 7 > HTTP > Hosts: Packets Blocked |
| 4 | 8 | 4008 | HTTP L7 Referer Flood | Rate Flood | Interrupt | Effective rate limit for a particular Referer header threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Referers | Monitor > Drops Monitor > Flood Drops > Layer 7 > HTTP > Referer Flood Monitor > Layer 3/4/7 > Layer 7 > HTTP > Referers |
| 4 | 9 | 4009 | HTTP L7 Referer Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. | Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP | Monitor > Drops Monitor > ACL Drops > HTTP > Layer 7 > Referer Denied Drops Monitor > Layer 3/4/7 > Layer 7 > HTTP > Referers: Packets Blocked |
| 4 | 10 | 4010 | HTTP L7 Cookie Flood | Rate Flood | Interrupt | Effective rate limit for a particular Cookie header threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Cookies | Monitor > Drops Monitor > Flood Drops > Layer 7 > HTTP > Cookie Flood Monitor > Layer 3/4/7 > Layer 7 > HTTP > Cookies |
| 4 | 11 | 4011 | HTTP L7 Cookie Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. | Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP | Monitor > Drops Monitor > ACL Drops > Layer 7 > HTTP > Cookie Denied Drops Monitor > Layer 3/4/7 > Layer 7 > HTTP > Cookies: Packets Blocked |
| 4 | 12 | 4012 | HTTP L7 User Agent Flood | Rate Flood | Interrupt | Effective rate limit for a particular User-Agent threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds> User Agents | Monitor > Drops Monitor >Flood Drops > Layer 7 > HTTP > User Agent Flood Monitor > Layer 3/4/7 > Layer 7 > HTTP > User Agents |
| 4 | 13 | 4013 | HTTP L7 User Agent Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. | Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP | Monitor > Drops Monitor > ACL Drops > Layer 7 > HTTP > User Agent Denied Drops Monitor > Layer 3/4/7 > Layer 7 > HTTP > User Agents: Packets Blocked |
| 4 | 37 | 4037 | DNS Fragment Deny | ACL | Periodic | Denied by an DNS Profile DNS fragment option | Service Protection > DNS Profile > DNS Fragment | Monitor > Drops Monitor > ACL Drops > Layer 7 >DNS > Frag Drops |
| 4 | 41 | 4041 | DNS Rcode Flood | Rate Flood | Interrupt | Effective rate limit for the DNS Rcode threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > DNS Rcode | Monitor > Drops Monitor > Flood Drops > Layer 7 >DNS:Response Code Drop Monitor > Layer 3/4/7 >L7> DNS > DNS Response Code |
| 4 | 42 | 4042 | DNS Header Anomaly: Invalid Opcode | DNS Anomaly | Periodic | Invalid value in the DNS OpCode field., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Op Code DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Header |
| 4 | 43 | 4043 | DNS Header Anomaly: Illegal Flag Combination | DNS Anomaly | Periodic | Invalid combination in the flags field., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Illegal Flag Combination DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Header |
| 4 | 44 | 4044 | DNS Header Anomaly: Same Source/Destination Port | DNS Anomaly | Periodic | DNS Header where Source Port==Destination Port == 53., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > SP,DP Both 53 DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Header |
| 4 | 45 | 4045 | DNS Query Anomaly: Query Bit Set | DNS Anomaly | Periodic | (QR) bit set to 1., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit Set DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Query |
| 4 | 46 | 4046 | DNS Query Anomaly: RA Bit Set | DNS Anomaly | Periodic | recursion allowed (RA) bit set., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > RA Bit Set DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Query |
| 4 | 47 | 4047 | DNS Query Anomaly: Null Query | DNS Anomaly | Periodic | DNS query with count 0., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Null Query DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Query |
| 4 | 48 | 4048 | DNS Query Anomaly: QD Count not One in query | DNS Anomaly | Periodic | Question count not 1., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > DNS Query Anomaly: QD Count not One in query DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Query |
| 4 | 50 | 4050 | DNS Reply Anomaly: Qclass in reply | DNS Anomaly | Periodic | DNS response with QCLASS., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > QCLASS in Reply | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Response |
| 4 | 51 | 4051 | DNS Reply Anomaly: Qtype in reply | DNS Anomaly | Periodic | DNS response with a resource specifying a TYPE ID., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > QType in Reply DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Response |
| 4 | 52 | 4052 | DNS Reply Anomaly: Query bit not set | DNS Anomaly | Periodic | (QR) bit set to 0., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit not Set DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Response |
| 4 | 53 | 4053 | DNS Reply Anomaly: QD count not 1 in response | DNS Anomaly | Periodic | DNS Response where QD count is not 1., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > QDCOUNT not One in Response DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Response |
| 4 | 54 | 4054 | DNS Buffer Overflow Anomaly: Message too long | DNS Anomaly | Periodic | DNS Query or Response message that exceeds the maximum header length., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Message too Long/UDP Message too Long DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Buffer Overflow |
| 4 | 55 | 4055 | DNS Buffer Overflow Anomaly: Name too long | DNS Anomaly | Periodic | DNS name that exceeds 255 characters., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name too Long DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Buffer Overflow |
| 4 | 56 | 4056 | DNS Buffer Overflow Anomaly:Label length too large | DNS Anomaly | Periodic | Query or response with a label that exceeds the maximum length (63)., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Label Length too Large DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Buffer Overflow |
| 4 | 57 | 4057 | DNS Exploit Anomaly: Pointer loop | DNS Anomaly | Periodic | DNS message with a pointer that points beyond the end of data., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Pointer Loop DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Exploit |
| 4 | 58 | 4058 | DNS Exploit Anomaly: Zone Transfer | DNS Anomaly | Periodic | An asynchronous Transfer Full Range (AXFR) request (QTYPE=252)., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Zone transfer DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >L7> Anomaly Drops > DNS > Exploit |
| 4 | 59 | 4059 | DNS Exploit Anomaly: Class is not IN | DNS Anomaly | Periodic | A query/response in which the question/resource address class is not IN., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Class not IN DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Exploit |
| 4 | 60 | 4060 | DNS Exploit Anomaly: Empty UDP message | DNS Anomaly | Periodic | UDP DNS Query has no data., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Empty UDP DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Exploit |
| 4 | 61 | 4061 | DNS Exploit Anomaly: Message ends prematurely | DNS Anomaly | Periodic | DNS message ends before proper EOP info., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Message Ends Prematurely DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Exploit |
| 4 | 62 | 4062 | DNS Exploit Anomaly: TCP Buffer Underflow | DNS Anomaly | Periodic | A query/response with less than two bytes of data specified in the two-byte prefix field., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Buffer Underflow DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Exploit |
| 4 | 63 | 4063 | DNS Info Anomaly:DNS type all used | DNS Anomaly | Periodic | DNS request with request type set to ALL (QTYPE=255)., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Info Anomaly enable DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Info |
| 4 | 64 | 4064 | DNS Data Anomaly: Invalid type class | DNS Anomaly | Periodic | A query/response with TYPE or CLASS reserved values., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Class Type DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Data |
| 4 | 65 | 4065 | DNS Data Anomaly: Extraneous data | DNS Anomaly | Periodic | A query/response with excess data., selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Extraneous Data DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Data |
| 4 | 66 | 4066 | DNS Data Anomaly: TTL too long | DNS Anomaly | Periodic |
TTL value is greater than 7 days, selected in DNS Profile. Note: Some services (Yahoo Mail for example) have TTLs lnger than 7 days.This Anomaly should remain disabled. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > TTL too Long DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > DNS > Data |
| 4 | 67 | 4067 | DNS Data Anomaly: Name length too short | DNS Anomaly | Periodic | A query/response with a null DNS name or lacking a TLD, selected in DNS Profile. | Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name Length too Short DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > DNS > Data |
| 4 | 68 | 4068 | DNS UDP Unsolicited Response | Rate Flood | Periodic | UDP Drops due to a response with no matching query, selected in DNS Profile. | Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries(DQRM). DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Flood Drops > Layer 7 > DNS:Unsolicited DNS Response Drops |
| 4 | 69 | 4069 | DNS TCP Unsolicited Response | Rate Flood | Periodic | TCP Drops due to a response with no matching query, selected in DNS Profile. | Service Protection > DNS Profile > DNS Feature Controls >Match Response With Queries(DQRM). DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Flood Drops > Layer 7 > DNS:Unsolicited DNS Response Drops |
| 4 | 71 | 4071 | DNS DQRM Out of Memory | - | Periodic | An issue with DQRM table internal logic or memory. Contact Fortinet. | None. Internal Table issue. Report to Fortinet. | Monitor > Drops Monitor >Out of Memory Drops > Layer 7 > DNS |
| 4 | 72 | 4072 | DNS UDP Response same direction | Rate Flood | Periodic | Drops due to UDP DNS Response sent to port 53. | Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries(DQRM) DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Unsolicited DNS Response Drops |
| 4 | 73 | 4073 | DNS TCP Response same direction | Rate Flood | Periodic | Drops due to TCP DNS Response sent to port 53 | Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries(DQRM) DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Unsolicited DNS Response Drops |
| 4 | 74 | 4074 | DNS LQ: UDP Query Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS QG88:G94uery Flood | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ) DNS Profile must be assigned to SPP. | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > LQ Drops |
| 4 | 75 | 4075 | DNS LQ: UDP Question Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS Question Flood | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS > Question Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood(LQ) DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Flood Drops > Layer 7 > DNS > LQ Drops |
| 4 | 76 | 4076 | DNS LQ: UDP Qtype All Flood | Rate Flood | Periodic | UDP drops due to LQ check during UDP Qtype All (ANY/*) Flood, selected in DNS Profile. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood(LQ) DNS Profile must be assigned to SPP. | Monitor > Drops Monitor >Flood Drops > Layer 7 > DNS > LQ Drops |
| 4 | 78 | 4078 | DNS LQ: UDP Qtype MX Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS Qtype MX Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSMX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood(LQ) | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > LQ Drops |
| 4 | 80 | 4080 | DNS LQ: UDP Query Flood due to Negative Response | Rate Flood | Periodic | UDP drops due to LQ check during Flood. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood(LQ) | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > LQ Drops |
| 4 | 81 | 4081 | DNS TTL: UDP Query Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Query Flood | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS QueryUDP and Service Protection > DNS Profile > DNS Feature Controls >Validate TTL For Queries From The Same IP DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > TTL Drops |
| 4 | 82 | 4082 | DNS TTL: UDP Question Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Question Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSQuestion Count UDP and Service Protection > DNS Profile > DNS Feature Controls >Validate TTL For Queries From The Same IP DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > TTL Drops |
| 4 | 83 | 4083 | DNS TTL: UDP Qtype All Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Qtype ALL (ANY/*) Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP and Service Protection > DNS Profile > DNS Feature Controls >Validate TTL For Queries From The Same IP DNS Profile must be assigned to the SPP | Monitor > Drops Monitor >Flood Drops > Layer 7 > DNS > TTL Drops |
| 4 | 85 | 4085 | DNS TTL: UDP Qtype MX Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Qtype MX Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSMX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > TTL Drops |
| 4 | 87 | 4087 | DNS Spoofed IP: UDP Query Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Query Flood | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 88 | 4088 | DNS Spoofed IP: UDP Question Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Question Flood | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSQuestion Count UDP and Service Protection > DNS Profile > DNS Feature Controls >Flood Mitigation Mode: TC Equal One DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 89 | 4089 | DNS Spoofed IP: UDP Qtype All Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Qtype All (ANY/*) Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSAll UDP and Service Protection > DNS Profile > DNS Feature Controls >Flood Mitigation Mode: TC Equal One DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 91 | 4091 | DNS Spoofed IP: UDP Qtype MX Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Qtype MXFlood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSMX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 93 | 4093 | DNS Spoofed IP: UDP Query Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Query Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls >Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 94 | 4094 | DNS Spoofed IP: UDP Question Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Question Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNSQuestion Count UDP and Service Protection > DNS Profile > DNS Feature Controls >Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 95 | 4095 | DNS Spoofed IP: UDP Qtype All Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Qtype All (ANT/*) Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNSAll UDP and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 96 | 4096 | DNS Spoofed IP: UDP Qtype Zone Transfer Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Qtype Zone Transfer Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNSQuery UDP and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 97 | 4097 | DNS Spoofed IP: UDP Qtype MX Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP Qtype MX Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSMX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Spoofed IP Drops |
| 4 | 99 | 4099 | DNS Cache: UDP Query Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Query Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Cache Drops |
| 4 | 100 | 4100 | DNS Cache: UDP Question Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNA Question Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSQuestion Count UDP and Service Protection > DNS Profile > DNS Feature Controls >Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Cache Drops |
| 4 | 101 | 4101 | DNS Cache: UDP Qtype All Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Qtype All (ANY/*) Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSAll UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Cache Drops |
| 4 | 103 | 4103 | DNS Cache: UDP Qtype MX Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Qtype MX Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSMX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Cache Drops |
| 4 | 105 | 4105 | DNS Cache: UDP Query Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Query Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Cache Drops |
| 4 | 106 | 4106 | DNS Cache: UDP Question Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Question Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSQuestion Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Cache Drops |
| 4 | 107 | 4107 | DNS Cache: UDP Qtype All Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query dropss because the response was not served from the cache during a UDP DNS Qtype All (ANY/*) Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSAll UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Cache Drops |
| 4 | 109 | 4109 | DNS Cache: UDP Qtype MX Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query dropss because the response was not served from the cache during a UDP DNS Qtype MX Flood. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSMX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Cache Drops |
| 4 | 111 | 4111 | DNS TCP Query Flood | Rate Flood | Interrupt | Effective rate limit for the dns-query threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query TCP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > TCP Query Drops |
| 4 | 112 | 4112 | DNS TCP Question Flood | Rate Flood | Interrupt | Effective rate limit for the dns-question-count threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >> Scalars > DNS Question Count TCP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > TCP Question Drops |
| 4 | 113 | 4113 | DNS TCP Fragment Flood | Rate Flood | Interrupt | Effective rate limit for the dns-fragment threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Fragment TCP | Monitor > Drops Monitor >Flood Drops > Layer 7 > DNS > Fragment Drops |
| 4 | 114 | 4114 | DNS TCP Zone Transfer Flood | Rate Flood | Interrupt | Effective rate limit for the dns-zone-xfer threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Zone Transfer TCP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > TCP Zone Transfer Drops |
| 4 | 115 | 4115 | DNS TCP MX Flood | Rate Flood | Interrupt | Effective rate limit for the dns-mx threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS MX Count TCP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > TCP MX Drops |
| 4 | 116 | 4116 | DNS TCP All Flood | Rate Flood | Interrupt | Effective rate limit for the dns-all threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS All TCP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > TCP ALL Drops |
| 4 | 117 | 4117 | DNS UDP Unexpected Query before Response | Rate Flood | Periodic | UDP Drops due to DQRM duplicate query check (more then 3 identical Queries (Source, XID) per second | Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Unexpected Query Drops |
| 4 | 118 | 4118 | DNS TCP Unexpected Query before Response | Rate Flood | Periodic | TCP Drops due to DQRM duplicate query check. | Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS > Unexpected Query Drops |
| 4 | 120 | 4120 | DNS Query Blocked (Blocklisted Domains) | ACL | Periodic | DNS Query or Response ACL Drops due to Blocklisted Domains and Domain Reputation | Global Protection > Blocklist > Blocklisted Domains Service Protection > DNS Profile > DNS Feature Controls > Domain Reputation | Monitor > Drops Monitor > ACL Drops > Layer 7 > DNS > Query Blocked Drops |
| 4 | 121 | 4121 | DNS Resource Record Type Deny | ACL | Periodic | DNS Query ACL drops due to Resource Record ACL | Service Protection > DNS Profile > DNS Feature Controls > DNS Resource Record Type ACL DNS Profile must be assigned to the SPP | Monitor > Drops Monitor >ACL Drops > Layer 7 > DNS > DNS Resource Record Type Drops |
| 4 | 122 | 4122 | DNS Query Anomaly: UDP Session Reuse | Anomaly | Periodic | DNS UDP Query reuse session within one second | Service Protection > DNS Profile | Monitor > Drops Monitor >L7> Anomaly Drops > DNS > Query |
| 4 | 201 | 4201 | HTTP Header Range Present Anomaly | Header anomaly | Periodic | Drops due to packets with a header range request. | Service Protection > HTTP Profile > Drop Range Header DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > HTTP > Range Present |
| 4 | 203 | 4203 | Incomplete HTTP Request | Header anomaly | Periodic | Drops due to HTTP requests that do not end in the correct end-of-packet information. | Service Protection > HTTP Profile > Incomplete Request Action = Drop or Aggressive Aging DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > HTTP > Incomplete HTTP Request |
| 4 | 204 | 4204 | SSL Renegotiation | Anomaly | Periodic | Drop due to SSL/TLS Renegotiation Check | Service Protection > SSL/TLS Profile > Renegotiation Check DNS Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > SSL > SSL Renegotiation |
| 4 | 205 | 4205 | NTP Request Flood | Rate Flood | Interrupt | Rate Threshold for NTP Requests has been exceeded. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Request Flood | Monitor > Drops Monitor > Flood Drops > Layer 7 > NTP > Request Flood Drops |
| 4 | 206 | 4206 | NTP Response Flood | Rate Flood | Interrupt | Rate Threshold for NTP Responses has been exceeded. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Flood | Monitor > Drops Monitor > Flood Drops > Layer 7 > NTP > Response Flood Drops |
| 4 | 207 | 4207 | NTP Broadcast Flood | Rate Flood | Interrupt | Rate Threshold for NTP Broadcasts has been exceeded. | SeService Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Broadcast Flood | Monitor > Drops Monitor > Flood Drops > Layer 7 > NTP > Broadcast Flood Drops |
| 4 | 208 | 4208 | NTP Reflection ACL | ACL | Periodic | Drops due to NTP Reflection Deny option. Blocks NTP Mode 6 (varlist) and Mode 7 (monlist) Queries or Responses. | Service Protection > NTP Profile > Reflection Deny NTP Profile must be assigned to the SPP | Monitor > Drops Monitor > ACL Drops > Layer 7 > NTP > NTP Reflection ACL Drops |
| 4 | 209 | 4209 | NTP Version Anomaly | NTP Header Anomaly | Periodic | NTP Version and Modes must match currently ratified versions (Version =1-4 and Mode >0 if Version =1). | Service Protection > NTP Profile > Version Anomaly Check NTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > NTP > Header |
| 4 | 210 | 4210 | NTP Stratum Anomaly | NTP Header Anomaly | Periodic | Stratum must be 1-16 (17-255 are invalid). If Stratum >2, Refence ID cannot be null/empty. | Service Protection > NTP Profile > Stratum Anomaly Check NTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > NTP > Header |
| 4 | 211 | 4211 | NTP Data Length Anomaly | NTP Header Anomaly | Periodic | Enforces minimum and maximum data lengths defined in NTP Versions 1-4) | Service Protection > NTP Profile > Data Length Anomaly Check NTP Profile must be assigned to the SPP | Monitor > Drops Monitor >Anomaly Drops > Layer 7 > NTP > Header |
| 4 | 212 | 4212 | NTP Control Header Anomaly | NTP Header Anomaly | Periodic | Examines Control Header for 10 different Anomalies and drops if seen. | Service Protection > NTP Profile > Control Header Anomalies Check NTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > NTP > Header |
| 4 | 213 | 4213 | NTP Duplicate Request Before Response | Anomaly | Periodic | Drops identical requests in a few seconds before a reply (mini-Flood). | Service Protection > NTP Profile > Retransmission Check NTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > NTP > State |
| 4 | 214 | 4214 | NTP Unsolicited Response | Rate Flood treated like Anomaly | Periodic | Drops Responses where the Query was not recorded in NTP Response Matching (NRM)table. Use ONLY with symmetric traffic or asymmetric traffic where both links traverse FortiDDoS. | Service Protection > NTP Profile > Unsolicited Response Check NTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > NTP > State |
| 4 | 215 | 4215 | NTP State Anomalies: Sequence mismatch | State Anomaly | Periodic | Drops Queries where Sequence number is incorrect. Normally only used when hosting NTP Servers | Service Protection > NTP Profile > Sequence Mismatch Check NTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > NTP > State |
| 4 | 218 | 4218 | NTP State Anomalies: Mode Mismatch | State Anomaly | Periodic | Client Query/Server Response Modes do not match 1/2 or 3/4. If NTP Reflection ACL not enabled, then also checks or not matching Modes 6/6 or 7/7. Anything other than the above mode pairs is dropped as mismatched. | Service Protection > NTP Profile > Mode Mismatch Check NTP Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > NTP > State |
| 4 | 219 | 4219 | NTP Response Per Destination | Rate Flood | Interrupt | Rate Threshold for NTP Responses Per Destination has been exceeded. This inidcates a reflected NTP Response Flood towards a single destination. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Per Destination | Monitor > Drops Monitor > Flood Drops > Layer 7 > NTP > Response Per Destination Flood Drops |
| 4 | 224 | 4224 | SSL/TLS Protocol Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Procotol Anomaly check | Service Protection > SSL/TLS Profile > Procotol Anomaly SSL/TLS Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > SSL > SSL Protocol |
| 4 | 225 | 4225 | SSL/TLS Version Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Version Anomaly check | Service Protection > SSL/TLS Profile > Version Anomaly SSL/TLS Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > SSL > SSL Version |
| 4 | 226 | 4226 | SSL/TLS Cipher Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Cipher Anomaly check | Service Protection > SSL/tLS Profile > Cipher Anomaly SSL/TLS Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > SSL > SSL Cipher |
| 4 | 227 | 4227 | SSL/TLS Incomplete Request Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Block Incomplete Request check | Service Protection > SSL/TLS Profile > Block Incomplete Request SSL/TLS Profile must be assigned to the SPP | Monitor > Drops Monitor > Anomaly Drops > Layer 7 > SSL > SSL Incomplete Request |
| 4 | 228 | 4228 | SSL/TLS Incomplete Request: Source Flood | Rate Flood | Interrupt | Drop due to SSL/TLS profile's Block Source With Incomplete Request | Service Protection > SSL/TLS Profile > Block Source With Incomplete Request SSL/TLS Profile must be assigned to the SPP | Monitor > Drops Monitor > Flood Drops > Layer 7 > SSL > SSL/TLS Incomplete Request Source Flood |
DDoS Attack log Directionality for TCP
| Setup | Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP |
|---|---|---|---|---|---|---|---|
| SYN | Outbound | Inside | Outside | High | Low | Outbound | Inside |
| ACK | Inbound | Outside | Inside | Low | High | Outbound | Inside |
| SYN | Inbound | Outside | Inside | High | Low | Inbound | Inside |
| ACK | Outbound | Inside | Outside | Low | High | Inbound | Inside |
| SYN | Outbound | Inside | Outside | High | High | Outbound | Inside |
| ACK | Inbound | Outside | Inside | High | High | Outbound | Inside |
| SYN | Inbound | Outside | Inside | High | High | Inbound | Inside |
| ACK | Outbound | Inside | Outside | High | High | Inbound | Inside |
| SYN | Outbound | Inside | Outside | Low | Low | Outbound | Inside |
| ACK | Inbound | Outside | Inside | Low | Low | Outbound | Inside |
| SYN | Inbound | Outside | Inside | Low | Low | Inbound | Inside |
| ACK | Outbound | Inside | Outside | Low | Low | Inbound | Inside |
DDoS Attack log Directionality for UDP
| Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP |
|---|---|---|---|---|---|---|
| Outbound | Inside | Outside | High | Low | Outbound | Inside |
| Inbound | Outside | Inside | Low | High | Inbound | Inside |
| Inbound | Outside | Inside | High | Low | Inbound | Inside |
| Outbound | Inside | Outside | Low | High | Outbound | Inside |
| Outbound | Inside | Outside | High | High | Outbound | Inside |
| Inbound | Outside | Inside | High | High | Inbound | Inside |