Using the ACL Drops graphs

Use the ACL Drops graphs to monitor drops due to SPP ACL rules. Note that some drops due to Global ACL rules may appear in SPPs, including the default SPP.

Customize the graph with the following viewing parameters: SPP, Reporting Period (1-hr to 1-yr), Linear/Logarithmic Y-Axis.

Placing the cursor on the Monitor graph will display a tool-tip with additional information.

Before you begin:

  • You must have Read permission for the Monitor menu.
  • Refer to Reading Monitor graphs to understand the graphs in detail.

To display the graph:

  1. Go to Monitor > Drops Monitor > ACL Drops > [SPP] [Aggregate/Layer 3/4/7] [Y-Axis View] [Reporting Period].

| Graph | Statistic | Description |
|---|---|---|
| Aggregate | Layer 3 | An aggregation of drops due to ACL rules based on Layer 3 parameters. |
| Aggregate | Layer 4 | An aggregation of drops due to ACL rules based on Layer 4 parameters. |
| Aggregate | Layer 7 | An aggregation of drops due to ACL rules based on Layer 7 parameters. |
| Layer 3 | Fragmented Packet Denied Drops | Drops due to Service ACL for UDP, TCP and/or Other Protocols Fragment. |
| Layer 3 | Address Denied | Drops due to ACL rules based on IP address, geolocation, or Blocklisted IPv4 |
| Layer 3 | IP Reputation Denied | Drops due to ACL rules based on IP Reputation active Subscription settings in IP Profile |
| Layer 3 | IP Multicast | Drops due to ACL rules based on IP Multicast Check setting in IP Profile assigned to the SPP. |
| Layer 3 | IP Private Denied | Drops due to ACL rules based on IP Private Check setting in IP Profile assigned to the SPP. |
| Layer 4 | Aggregate | Aggregate Layer 4 drops due to SPP ICMP Type/Code and other ACL |
| Layer 4 | ACL Rule Drops | Drops due to SPP ACL rules |
| Layer 7 | Aggregate | Aggregate drops due to rules for HTTP, DNS, NTP |
| Layer 7 | HTTP | Drops due to HTTP ACL rules for: URL Denied, Host Denied, Referer Denied, Cookie Denied, User Agent Denied |
| Layer 7 | DNS | Drops due to DNS ACL rules for: DNS Fragments, Blocklisted Domains, DNS Resource Record Type |
| Layer 7 | NTP | Drops due to NTP ACL rules for: NTP Reflection Deny |
