Appendix A: DDoS Attack Log Reference
The following table provides the description of the fields in the Log Reference table.
Fields and description
Field | Description |
---|---|
Event code | 1 - Layer 3, 2 - Layer 4, 4 - Layer 7 |
Subcode | Internal reference only. |
Trap Attack Type | Attack Event identifier included in Attack SNMP Traps sent (instead of Event Name). |
Event Name | Event Type in the web UI Attack Logs and Graphs, description field in syslog. |
Category | Filter category in web UI Attack Logs. |
Period | Interrupt: For Rate Flood events, the first event is logged within two minutes after the start of an attack and reported every minute thereafter. Periodic: Events other than Rate Flood are logged every 5 minutes. |
Note: Source IP address is reported only for drops due to per-source thresholds (see Source tracking table). |
Event code | Sub code | Trap attack type | Event name | Category | Period | Description | Parameter | Graph |
---|---|---|---|---|---|---|---|---|
1 | 0 | 1000 | Protocol Flood | Rate Flood | Interrupt | Effective rate limit for the protocol (0-255) has been reached. Protocols are rate-limited at the Threshold. Protocols 6 (TCP) and 17 (UDP) do not normally have Thresholds. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Protocols |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 3 > Protocols
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Protocols: Protocol Number |
1 | 1 | 1001 | Other Protocols Fragment Flood | Rate Flood | Interrupt | Effective rate limit for fragments in Protocols other than TCP, UDP and DNS has been reached. Fragments are rate-limited at the Threshold. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > OTH Fragment |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 3: Fragmented Packets (aggregate of all Protocol fragments)
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Other > Fragmented Packets: Other Fragmented Packets |
1 | 8 | 1008 | Source Flood | Rate Flood | Interrupt | Effective rate limit for the most-active-source threshold has been reached. Source IP address is reported. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > Most Active Source |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 3: Source Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Sources > Most Active Source |
1 | 9 | 1009 | Destination Flood | Rate Flood | Interrupt | Effective rate limit for the most-active-destination threshold has been reached. Note: This Threshold is not set by System Recommendations. You may manually add a Threshold if desired. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > Most Active Destination |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 3: Destination Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Destinations > Most Active Destination |
1 | 14 | 1014 | IP Header checksum error | Header anomaly | Periodic | Invalid IP header checksum. | Service Protection > IP Profile > IP Strict Anomalies. IP Profile must be assigned to an SPP. | Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 3: IP Header Checksum |
1 | 15 | 1015 | Source IP==dest IP | Header anomaly | Periodic | Identical source and protected IP addresses (LAND attack). | Service Protection > IP Profile > IP Strict Anomalies. IP Profile must be assigned to an SPP. | Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 3: Source and Destination Address Match |
1 | 16 | 1016 | Source/dest IP==localhost | Header anomaly | Periodic | Source/destination address is the local host (loopback address spoofing). | Service Protection > IP Profile > IP Strict Anomalies. IP Profile must be assigned to an SPP. | Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 3: Source/ Destination as Localhost |
1 | 17 | 1017 | L3 anomalies | Header anomaly | Periodic |
Drops due to predefined Layer 3 rules: - IP version other than IPv4 or IPv6. - EOP (End of Packet) before 20 bytes of IPv4 data. - EOP comes before the length specified by Total Length. - Reserved Flag set. - More Frag and Don't Frag Flags set. - Added Anomaly for DSCP and ECN. |
Service Protection > IP Profile > IP Strict Anomalies. IP Profile must be assigned to an SPP. | Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 3: Layer 3 |
1 | 23 | 1023 | TCP Fragment Flood | Rate Flood | Interrupt |
Effective rate limit for the TCP fragment has been reached. Note: Use with care. Misconfigured clients can result in TCP fragmentation. Unless you are sure there can be no TCP Fragmentation, it is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > TCP Fragment |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 3: Fragmented Packets (aggregate of all Protocol fragments)
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Other > Fragmented Packets > TCP Fragmented Packets |
1 | 24 | 1024 | UDP Fragment Flood | Rate Flood | Interrupt |
Effective rate limit for the UDP fragment has been reached. Note: Use with care. Misconfigured clients can result in UDP fragmentation. Unless you are sure there can be no UDP Fragmentation, it is better to use the UDP Fragment Threshold than an ACL. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > UDP Fragment |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 3: Fragmented Packets (aggregate of all Protocol fragments)
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Other > Fragmented Packets > UDP Fragmented Packets |
1 | 54 | 1054 | Other Protocols Fragment denied | ACL | Periodic |
Fragments for Protocols other than TCP, UDP, DNS, denied by an SPP IP Profile Fragment Check setting. Note: Use with care. Misconfigured clients can result in fragmentation for Protocols like GRE (47) and IPSEC (50). Unless you are sure there can be no Other Protocol Fragmentation, it is better to use the Other Protocol Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check > Other Protocol Fragment
IP Profile must be assigned to an SPP. |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 3: Fragmented Packet Denied (aggregate of all Protocol fragments denied)
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Other > Fragmented Packets > Other Fragmented Packets blocked |
1 | 60 | 1060 | Denied: IP address | ACL | Periodic | Denied by Global Blocklist | Global Protection > Blocklist > Blocklisted IPv4 | Monitor > Drops Monitor: Global > ACL Drops > Aggregate: Blocklist IP Denied Drops |
1 | 61 | 1061 | Denied: IP Reputation | ACL | Periodic | Denied by the IP Reputation ACL based on IP Profile per SPP. |
IP Reputation is an optional subscription which must be current for this ACL to work.
System > FortiGuard. For IP Reputation settings, subscription confirmation.
Service Protection > IP Profile > IP Reputation categories to enable when that IP Profile is assigned to an SPP. |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 3: IP Reputation Denied Drops |
1 | 63 | 1063 | Denied: IP Multicast | ACL | Periodic | Denied by IP profile per SPP. | Service Protection > IP Profile > IP Multicast Check. IP Profile must be assigned to an SPP. | Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 3: IP Multicast Denied Drops |
1 | 64 | 1064 | Denied: Private IP | ACL | Periodic | Denied by IP profile per SPP. | Service Protection > IP Profile > IP Private Check. IP Profile must be assigned to an SPP. | Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 3: Private IP Denied Drops |
1 | 71 | 1071 | TCP Fragment denied | ACL | Periodic |
TCP Fragments denied by an SPP IP Profile Fragment Check setting. Note: Misconfigured clients can send TCP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check > TCP Fragment
IP Profile must be assigned to an SPP. |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 3: Fragmented Packet Denied Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Other > Fragmented Packets: TCP Fragmented Packets Blocked |
1 | 72 | 1072 | UDP Fragment denied | ACL | Periodic |
UDP Fragments denied by an SPP IP Profile Fragment Check setting. Note: Misconfigured clients can send UDP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check > UDP Fragment
IP Profile must be assigned to an SPP. |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 3: Fragmented Packet Denied
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 3 > Other > Fragmented Packets: UDP Fragmented Packets blocked |
2 | 0 | 2000 | SYN Flood | Rate Flood | Interrupt |
Effective rate limit for the SYN Threshold has been reached. Note: 1. Crossing the SYN Threshold initiates SYN Validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking). 2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then allowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation. |
Service Protection > Service Protection Policy > Thresholds > Scalars > SYN
Service Protection > TCP Profile > TCP Packets Validation > SYN Validation.
Note: If SYN Validation is not enabled, neither SYN validation nor rate limiting is done. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: SYN
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > SYN |
2 | 2 | 2020 | Global Rule Deny | ACL | Periodic |
Drops due to manual Global Access Control List entries. Note: 1. Global ACL drop logs will show "Global" SPP. SPP-based ACL drops will be shown in the SPP graphs. 2. Global ACLs are always on - there is no Detection/ Prevention Mode for Global ACLs. |
System > Address and Service + Global Protection > Access Control List |
Monitor > Drops Monitor: Global > (SPP) > ACL Drops > Aggregate: ACL Rule Denied Drops
Monitor > Drops Monitor: Global > (SPP) > ACL Drops > ACL Rule Drops |
2 | 6 | 2006 | State Anomalies: Foreign packet (Out of State) | State anomaly | Periodic | A foreign packet is a TCP packet that does not belong to any known connections. Tracked when TCP Profile for an SPP has Foreign Packet Validation enabled. |
Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation
TCP profile must be assigned to an SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4: State |
2 | 7 | 2007 | State Anomalies: Outside window | State anomaly | Periodic | Sequence number of a packet was outside the acceptable window. Tracked when TCP Profile for an SPP has Sequence Validation enabled. |
Service Protection > TCP Profile > TCP Packets Validation > Sequence Validation.
TCP profile must be assigned to an SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4: State: Forward/ Reverse Transmission Not Within Window |
2 | 12 | 2012 | State Anomalies: State transition error | State anomaly | Periodic | State of the TCP packet received was not consistent with the expected state. Tracked when TCP Profile for an SPP has State Transition Validation enabled. |
Service Protection > TCP Profile > TCP Packets Validation > State Transition Anomalies Validation
TCP profile must be assigned to an SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4 > State: TCP State Transition |
2 | 13 | 2013 | SPP Rule Deny | ACL | Periodic |
Global or SPP-based IPv4, IPv6, Geolocation, Service ACL drops. Note: 1. In Release 6.1.1, Global ACL drops will be shown in the default SPP graphs. SPP-based ACL drops will be shown in the SPP graphs. 2. Global ACLs are always on - there is no Detection/ Prevention Mode for Global ACLs. |
System > Address and Service +
Service Protection > Service Protection Policy > ACL |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Aggregate: ACL Rule Denied Drops
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 4 > ACL Drop Rules
Note: Layer 3 (Protocols, IP addresses/ geolocation) and Layer 4 (Ports/Services) ACLs all show on Layer 4 > ACL Drop Rules to simplify graphs. |
2 | 16 | 2016 | TCP zombie Flood | Rate Flood | Interrupt |
Effective rate limit for the new-connections Threshold has been reached. Note: this Threshold is set to maximum by System Recommendations to avoid rate-limiting new connections. You can add a manual Threshold if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > New Connections |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: Zombie Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > Other > New Connections |
2 | 17 | 2017 | TCP Port Flood | Rate Flood | Periodic |
Effective rate limit for the port has been reached. Note: Several TCP Ports like 80, 443 are set to system maximum (no thresholds) by System Recommendations. Other parameters (like the various SYN thresholds and Foreign Packet Validation) mitigate DDoS Floods to these Ports. You can add a Threshold for these ports if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > TCP Ports |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: TCP Ports
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > Ports > TCP: Port Number |
2 | 18 | 2018 | UDP Port Flood | Rate Flood | Periodic |
Effective rate limit for the port has been reached. Note: No Threshold is set for UDP 53 where DNS mitigations are expected to be used. You can add a Threshold if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > UDP Ports |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: UDP Ports
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > Ports > UDP: Port Number |
2 | 19 | 2019 | ICMP Flood | Rate Flood | Periodic | Effective rate limit for the ICMP Type/Code has been reached. Type/Codes will be rate-limited to the Threshold. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > ICMP Types and Codes |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: ICMP Types/Codes
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > Other > ICMP: Type/Code Number |
2 | 20 | 2020 | Foreign Packets (Aggressive Aging and Slow Connections) | State anomaly | Periodic | Foreign (out-of-state) Packets seen after Slow Connection Aggressive Aging (RST to server) |
Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation
Service Protection > TCP Profile > TCP Session Settings > Aggressive Aging Feature Control > Slow TCP Connections |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4 > State: Foreign Packets (Aggressive Aging and Slow Connections) |
2 | 22 | 2022 | Slow Connection: Source Flood | Rate Flood | Interrupt | Slow connection attack detected and “Source blocking for slow connections” enabled. Source IP address is reported. | Service Protection > TCP Profile > TCP Slow Connection Protection > Block Sources With Slow TCP Connections | Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: Slow Connection |
2 | 23 | 2023 | Possible UDP Reflection Flood | Rate Flood | Interrupt | UDP Port Flood where the Source Port is <10240 and the Destination Port is >10239. For example, this would indicate an NTP reflection attack if the Associated Port displayed was 123. | Service Protection > Service Protection Policy > Thresholds > UDP Port Thresholds 1-10239 |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: UDP Ports
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > Ports > UDP: Port Number |
2 | 24 | 2024 | TCP checksum error | Header anomaly | Periodic | Invalid TCP checksum. |
Service Protection > TCP Profile > Strict Anomalies
TCP Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4 > Header: TCP Checksum Error |
2 | 26 | 2026 | ICMP checksum error | Header anomaly | Periodic | Invalid ICMP checksum. |
Service Protection > ICMP Profile > ICMP Strict Anomalies
ICMP Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4 > Header: ICMP Checksum Error |
2 | 27 | 2027 | TCP invalid flag combination | Header anomaly | Periodic | Invalid TCP flag combination. If the urgent flag is set, then the urgent pointer must be non-zero. SYN, FIN or RST is set for fragmented packets, no flags, all flags and others. |
Service Protection > TCP Profile > Strict Anomalies
TCP Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4 > Header: TCP Invalid Flag Combination |
2 | 28 | 2028 | L4 anomalies | Header anomaly | Periodic | Drops due to predefined Layer 4 header rules: Data offset is less than 5 for a TCP packet; EOP (End of packet) is detected before the 20 bytes of TCP header; EOP before the offset indicated by the data offset; Length field in TCP window scale option is a value other than 3; Missing UDP payload; Missing ICMP payload; TCP Option Anomaly based on Option Type; and others. SYN with Payload if SPP Option in TCP Profile is set. |
Service Protection > TCP Profile > Strict Anomalies
Service Protection > TCP Profile > SYN with Payload
Service Protection > ICMP Profile > Strict Anomalies
ICMP and TCP Profiles must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4 > Header: Anomaly Detected |
2 | 54 | 2054 | ICMP Type/Code denied | ACL | Periodic | Denied by an ICMP Profile TypeCode ACL |
Service Protection > ICMP Profile > ICMP Type Code ACL
ICMP Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 4 > Aggregate: ICMP Type/Code Denied Drops |
2 | 56 | 2056 | SYN Flood from source | Rate Flood | Interrupt |
Effective rate limit for the syn-per-src threshold from a single Source IP has been reached. Source IP address is reported. Note: No SYN Validation is done on SYN per Source Floods. The Source is rate-limited to the Threshold |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN Per Source |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: SYN Per Source
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > SYN per Source |
2 | 61 | 2061 | Excessive Concurrent Connections Per Source Flood | Rate Flood | Interrupt | Effective rate limit for the concurrent-connections-per-source threshold has been reached. Source IP address is reported. Per-Source Connections are rate-limited to the Threshold. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > Concurrent-Connections-per-Source |
Monitor > Drops Monitor: SPP > Flood Drops > Layer 4: Concurrent Connection per Source
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > Other > Concurrent Connections per Source |
2 | 62 | 2062 | SYN per Destination Flood | Rate Flood | Interrupt |
Effective rate limit for the SYN per Destination threshold has been reached. Note: 1. Crossing the SYN per Destination Threshold initiates SYN validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking). 2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then allowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN-per-Destination |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: SYN per Destination
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > SYN per Destination |
2 | 63 | 2063 | SYN-ACK Flood (in Asymmetric Mode with allow inbound Synack) | Rate Flood | Interrupt | Rate Limit for manual SYN-ACK Scalar Threshold when used in Asymmetric Mode. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN/ACK In Asym Mode |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: SYN/ACK flood in asymmetric mode
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > SYN/ACK |
2 | 64 | 2064 | SYN-ACK per Destination Flood | Rate Flood | Interrupt | Rate Limit for manual SYN-ACK Per Destination Scalar Threshold when used in Asymmetric Mode. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN/ACK Per Destination In Asym Mode |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 4: SYN/ACK Per Destination flood in asymmetric mode
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 4 > SYN/ACK Per Destination |
2 | 82 | 2082 | DNS Query Flood from Source | Rate Flood | Periodic |
Effective rate limit for the DNS-Query-per-Source threshold has been reached. Note: 1. No Source Validation (Anti-Spoofing) is attempted for DNS Query per Source. Queries from Sources are rate-limited to the Threshold. 2. DNS Query per Source Threshold is not set by System Recommendations. A manual Threshold can be added if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS-Query-per-Source |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Query per Source Drop
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS: Query per Source |
2 | 83 | 2083 | DNS Packet Track Flood from Source | Rate Flood | Periodic |
Effective rate limit for the DNS-Packet-Track-per-Source (Suspicious Sources) threshold has been reached. Note: 1. No Source Validation (Anti-Spoofing) is attempted for DNS Packet Track per Source (Suspicious Sources). Queries from Sources are rate-limited to the Threshold. 2. DNS Packet Track per Source (Suspicious Sources) Threshold is not set by System Recommendations. A manual Threshold can be added if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Packet Track per Source |
Monitor > Drops Monitor: SPP > Flood Drops > Layer 7 > DNS: Suspicious Sources Drop
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS: DNS Packet Track per Source |
2 | 86 | 2086 | Invalid ICMP Type/Code | Header Anomaly | Periodic | Invalid ICMP Type/Code. |
Service Protection > ICMP Profile > ICMP Type Code Anomaly
ICMP Profile must be assigned to an SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 4 > Header: Invalid ICMPv4 Type/Code or Invalid ICMPv6 Type/Code |
2 | 87 | 2087 | HTTP Method Flood from source | Rate Flood | Interrupt | Effective rate limit for the HTTP-Method-per-Source threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > HTTP Method Per Source |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > HTTP: Method Per Source
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > HTTP > Method per Source |
4 | 0 | 4000 | HTTP Method Flood | Rate Flood | Interrupt | Effective rate limit for a particular HTTP method threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > HTTP Methods |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > HTTP: Method Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > HTTP > Methods (Select Method from drop-down) |
4 | 1 | 4001 | Known HTTP Method Anomaly | Header anomaly | Periodic | HTTP Known Method anomaly as defined in an HTTP Profile. |
Service Protection > HTTP Profile > Known Method Anomaly
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > L7 > Anomaly Drops > HTTP: Known Method |
4 | 2 | 4002 | Invalid HTTP Version Anomaly | Header anomaly | Periodic | Packets dropped due to the HTTP Profile version anomaly option |
Service Protection > HTTP Profile > Version Anomaly
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > L7 > Anomaly Drops > HTTP: Invalid HTTP Version |
4 | 3 | 4003 | URL denied | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > HTTP: URL Denied Drops |
4 | 4 | 4004 | URL Flood | Rate Flood | Periodic | Effective rate limit for a particular URL threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > URLs |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > HTTP: URL Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > HTTP > URLs |
4 | 5 | 4005 | Unknown HTTP Method Anomaly | Header Anomaly | Periodic | HTTP Profile Unknown HTTP Method. |
Service Protection > HTTP Profile > Unknown Method Anomaly
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > HTTP Header: Unknown Method |
4 | 6 | 4006 | HTTP L7 Host Flood | Rate Flood | Interrupt | Effective rate limit for a particular Host threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Hosts |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > HTTP: Host Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > HTTP > Hosts |
4 | 7 | 4007 | HTTP L7 Host Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > HTTP: Host Denied Drops |
4 | 8 | 4008 | HTTP L7 Referer Flood | Rate Flood | Interrupt | Effective rate limit for a particular Referer header threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Referers |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > HTTP: Referer Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > HTTP > Referers |
4 | 9 | 4009 | HTTP L7 Referer Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > HTTP: Referer Denied Drops |
4 | 10 | 4010 | HTTP L7 Cookie Flood | Rate Flood | Interrupt | Effective rate limit for a particular Cookie header threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Cookies |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > HTTP: Cookie Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > HTTP > Cookies |
4 | 11 | 4011 | HTTP L7 Cookie Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > HTTP: Cookie Denied Drops |
4 | 12 | 4012 | HTTP L7 User Agent Flood | Rate Flood | Interrupt | Effective rate limit for a particular User-Agent threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > User Agents |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > HTTP: User Agent Flood
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > HTTP > User Agents |
4 | 13 | 4013 | HTTP L7 User Agent Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > HTTP: User Agent Denied Drops |
4 | 37 | 4037 | DNS Fragment Deny | ACL | Periodic | Denied by a DNS Profile DNS fragment option | Service Protection > DNS Profile > DNS Fragment | Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > DNS: Fragment Drop |
4 | 41 | 4041 | DNS Rcode Flood | Rate Flood | Interrupt | Effective rate limit for the DNS Rcode threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > DNS Rcode |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Response Code Drop
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS > DNS Response Code |
4 | 42 | 4042 | DNS Header Anomaly: Invalid Opcode | DNS Anomaly | Periodic | Invalid value in the DNS OpCode field, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Op Code
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Header |
4 | 43 | 4043 | DNS Header Anomaly: Illegal Flag Combination | DNS Anomaly | Periodic | Invalid combination in the flags field, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Illegal Flag Combination
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Header |
4 | 44 | 4044 | DNS Header Anomaly: Same Source/ Destination Port | DNS Anomaly | Periodic | DNS Header where Source Port == Destination Port == 53, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > SP,DP Both 53
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Header |
4 | 45 | 4045 | DNS Query Anomaly: Query Bit Set | DNS Anomaly | Periodic | (QR) bit set to 1, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit Set
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Query |
4 | 46 | 4046 | DNS Query Anomaly: RA Bit Set | DNS Anomaly | Periodic | Recursion allowed (RA) bit set, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > RA Bit Set
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Query |
4 | 47 | 4047 | DNS Query Anomaly: Null Query | DNS Anomaly | Periodic | DNS query with count 0, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Null Query
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Query |
4 | 48 | 4048 | DNS Query Anomaly: QD Count not One in query | DNS Anomaly | Periodic | Question count not 1, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > DNS Query Anomaly: QD Count not One in query
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Query |
4 | 50 | 4050 | DNS Reply Anomaly: Qclass in reply | DNS Anomaly | Periodic | DNS response with QCLASS, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > QCLASS in Reply
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Response |
4 | 51 | 4051 | DNS Reply Anomaly: Qtype in reply | DNS Anomaly | Periodic | DNS response with a resource specifying a TYPE ID, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > QType in Reply
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Response |
4 | 52 | 4052 | DNS Reply Anomaly: Query bit not set | DNS Anomaly | Periodic | (QR) bit set to 0., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit not Set
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Response |
4 | 53 | 4053 | DNS Reply Anomaly: QD count not 1 in response | DNS Anomaly | Periodic | DNS Response where QD count is not 1., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > QDCOUNT not One in Response
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Response |
4 | 54 | 4054 | DNS Buffer Overflow Anomaly: Message too long | DNS Anomaly | Periodic | DNS Query or Response message that exceeds the maximum header length., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Message too Long/UDP Message too Long
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Buffer Overflow |
4 | 55 | 4055 | DNS Buffer Overflow Anomaly: Name too long | DNS Anomaly | Periodic | DNS name that exceeds 255 characters., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name too Long
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Buffer Overflow |
4 | 56 | 4056 | DNS Buffer Overflow Anomaly:Label length too large | DNS Anomaly | Periodic | Query or response with a label that exceeds the maximum length (63)., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Label Length too Large
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Buffer Overflow |
4 | 57 | 4057 | DNS Exploit Anomaly: Pointer loop | DNS Anomaly | Periodic | DNS message with a pointer that points beyond the end of data., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Pointer Loop
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Exploit |
4 | 58 | 4058 | DNS Exploit Anomaly: Zone Transfer | DNS Anomaly | Periodic | An asynchronous Transfer Full Range (AXFR) request (QTYPE=252)., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Zone transfer
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Exploit |
4 | 59 | 4059 | DNS Exploit Anomaly: Class is not IN | DNS Anomaly | Periodic | A query/response in which the question/resource address class is not IN., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Class not IN
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Exploit |
4 | 60 | 4060 | DNS Exploit Anomaly: Empty UDP message | DNS Anomaly | Periodic | UDP DNS Query has no data., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Empty UDP
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Exploit |
4 | 61 | 4061 | DNS Exploit Anomaly: Message ends prematurely | DNS Anomaly | Periodic | DNS message ends before proper EOP info., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Message Ends Prematurely
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Exploit |
4 | 62 | 4062 | DNS Exploit Anomaly: TCP Buffer Underflow | DNS Anomaly | Periodic | A query/response with less than two bytes of data specified in the two-byte prefix field., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Buffer Underflow
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Exploit |
4 | 63 | 4063 | DNS Info Anomaly:DNS type all used | DNS Anomaly | Periodic | DNS request with request type set to ALL (QTYPE=255)., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Info Anomaly enable
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Info |
4 | 64 | 4064 | DNS Data Anomaly: Invalid type class | DNS Anomaly | Periodic | A query/response with TYPE or CLASS reserved values., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Class Type
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Data |
4 | 65 | 4065 | DNS Data Anomaly: Extraneous data | DNS Anomaly | Periodic | A query/response with excess data., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Extraneous Data
DNS Profile must be assigned to the SPP. |
Monitor >Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Data |
4 | 66 | 4066 | DNS Data Anomaly: TTL too long | DNS Anomaly | Periodic |
TTL value is greater than 7 days, selected in DNS Profile. Note: Some services (Yahoo Mail for example) have TTLs longer than 7 days. This Anomaly should remain disabled. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > TTL too Long
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Data |
4 | 67 | 4067 | DNS Data Anomaly: Name length too short | DNS Anomaly | Periodic | A query/response with a null DNS name or lacking a TLD, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name Length too Short
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DNS: Data |
4 | 68 | 4068 | DNS UDP Unsolicited Response | Rate Flood | Periodic | UDP Drops due to a response with no matching query, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM).
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Unsolicited DNS Response Drops |
4 | 69 | 4069 | DNS TCP Unsolicited Response | Rate Flood | Periodic | TCP Drops due to a response with no matching query, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM).
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Unsolicited DNS Response Drops |
4 | 71 | 4071 | DNS DQRM Out of Memory | Internal | Periodic | An issue with DQRM table internal logic or memory. Contact Fortinet. | None. Internal Table issue. Report to Fortinet. | Monitor > Drops Monitor: SPP > (SPP) > Out of Memory Drops > Layer 7 > DNS: Out of Memory Drops |
4 | 72 | 4072 | DNS UDP Response same direction | Rate Flood | Periodic | Drops due to UDP DNS Response sent to port 53. |
Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Unsolicited DNS Response Drops |
4 | 73 | 4073 | DNS TCP Response same direction | Rate Flood | Periodic | Drops due to TCP DNS Response sent to port 53. | Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM) DNS Profile must be assigned to the SPP. | Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Unsolicited DNS Response Drops |
4 | 74 | 4074 | DNS LQ: UDP Query Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS Query Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP
Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: LQ Drops |
4 | 75 | 4075 | DNS LQ: UDP Question Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS Question Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS > Question Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: LQ Drops |
4 | 76 | 4076 | DNS LQ: UDP Qtype All Flood | Rate Flood | Periodic | UDP drops due to LQ check during UDP Qtype All (ANY/*) Flood, selected in DNS Profile. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP
Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: LQ Drops |
4 | 78 | 4078 | DNS LQ: UDP Qtype MX Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: LQ Drops |
4 | 80 | 4080 | DNS LQ: UDP Query Flood due to Negative Response | Rate Flood | Periodic | UDP drops due to LQ check during Flood. |
Service Protection > Service Protection Policy > Service Protection Policy Rule > Scalars > DNS UDP Query
Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: LQ Drops |
4 | 81 | 4081 | DNS TTL: UDP Query Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Query Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP
Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP
DNS Profile must be assigned to the SPP. |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TTL Drops |
4 | 82 | 4082 | DNS TTL: UDP Question Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Question Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TTL Drops |
4 | 83 | 4083 | DNS TTL: UDP Qtype All Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Qtype ALL (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP
Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TTL Drops |
4 | 85 | 4085 | DNS TTL: UDP Qtype MX Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TTL Drops |
4 | 87 | 4087 | DNS Spoofed IP: UDP Query Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Query Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 88 | 4088 | DNS Spoofed IP: UDP Question Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Question Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 89 | 4089 | DNS Spoofed IP: UDP Qtype All Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Qtype All (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 91 | 4091 | DNS Spoofed IP: UDP Qtype MX Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 93 | 4093 | DNS Spoofed IP: UDP Query Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Query Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 94 | 4094 | DNS Spoofed IP: UDP Question Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Question Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 95 | 4095 | DNS Spoofed IP: UDP Qtype All Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Qtype All (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 96 | 4096 | DNS Spoofed IP: UDP Qtype Zone Transfer Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Qtype Zone Transfer Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 97 | 4097 | DNS Spoofed IP: UDP Qtype MX Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Spoofed IP Drops |
4 | 99 | 4099 | DNS Cache: UDP Query Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Query Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query
Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Cache Drops |
4 | 100 | 4100 | DNS Cache: UDP Question Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Question Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Cache Drops |
4 | 101 | 4101 | DNS Cache: UDP Qtype All Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Qtype All (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP
Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Cache Drops |
4 | 103 | 4103 | DNS Cache: UDP Qtype MX Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Cache Drops |
4 | 105 | 4105 | DNS Cache: UDP Query Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Query Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query
Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Cache Drops |
4 | 106 | 4106 | DNS Cache: UDP Question Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Question Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Cache Drops |
4 | 107 | 4107 | DNS Cache: UDP Qtype All Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Qtype All (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP
Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Cache Drops |
4 | 109 | 4109 | DNS Cache: UDP Qtype MX Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP
Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Cache Drops |
4 | 111 | 4111 | DNS TCP Query Flood | Rate Flood | Interrupt | Effective rate limit for the dns-query threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query TCP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TCP Query Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS > DNS Query: TCP Query Dropped |
4 | 112 | 4112 | DNS TCP Question Flood | Rate Flood | Interrupt | Effective rate limit for the dns-question-count threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count TCP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TCP Question Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS > Question Count: TCP Question Dropped |
4 | 113 | 4113 | DNS TCP Fragment Flood | Rate Flood | Interrupt | Effective rate limit for the dns-fragment threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Fragment TCP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Fragment Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS > Fragment: TCP Fragment Dropped |
4 | 114 | 4114 | DNS TCP Zone Transfer Flood | Rate Flood | Interrupt | Effective rate limit for the dns-zone-xfer threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Zone Transfer TCP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TCP Zone Transfer Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS > Qtype Zone Transfer: TCP Zone Transfer Dropped |
4 | 115 | 4115 | DNS TCP MX Flood | Rate Flood | Interrupt | Effective rate limit for the dns-mx threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS MX Count TCP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TCP MX Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS > Qtype MX: TCP MX Dropped |
4 | 116 | 4116 | DNS TCP All Flood | Rate Flood | Interrupt | Effective rate limit for the dns-all threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS All TCP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: TCP ALL Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DNS > Qtype All: TCP All Dropped |
4 | 117 | 4117 | DNS UDP Unexpected Query before Response | Rate Flood | Periodic | UDP Drops due to DQRM duplicate query check (more than 3 identical Queries (Source, XID) per second). |
Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Unexpected Query Drops |
4 | 118 | 4118 | DNS TCP Unexpected Query before Response | Rate Flood | Periodic | TCP Drops due to DQRM duplicate query check. |
Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DNS: Unexpected Query Drops |
4 | 120 | 4120 | DNS Query Blocked (Blocklisted Domains) | ACL | Periodic | DNS Query or Response ACL Drops due to Blocklisted Domains and Domain Reputation |
Global Protection > Blocklist > Blocklisted Domains |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > DNS: Query Blocked Drops |
4 | 121 | 4121 | DNS Resource Record Type Deny | ACL | Periodic | DNS Query ACL drops due to Resource Record ACL |
Service Protection > DNS Profile > DNS Feature Controls > DNS Resource Record Type ACL
DNS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > DNS: DNS Resource Record Type Drops |
4 | 122 | 4122 | DNS Query Anomaly: UDP Session Reuse | Anomaly | Periodic | DNS UDP Query reuse session within one second | Service Protection > DNS Profile | Monitor > Drops Monitor: SPP > (SPP) > Layer 7 > Anomaly Drops > DNS: Query |
4 | 123 | 4123 | DNS Query Blocked (Domain Reputation) | ACL | Periodic | DNS Query or Response ACL Drops due to Domain Reputation |
System > FortiGuard
Service Protection > DNS Profile > DNS Feature Controls > Domain Reputation |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > DNS: Query Blocked (Domain Reputation) |
4 | 201 | 4201 | HTTP Header Range Present Anomaly | Header anomaly | Periodic | Drops due to packets with a header range request. |
Service Protection > HTTP Profile > Drop Range Header
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > HTTP: Range Present |
4 | 203 | 4203 | Incomplete HTTP Request | Header anomaly | Periodic | Drops due to HTTP requests that do not end in the correct end-of-packet information. |
Service Protection > HTTP Profile > Incomplete Request Action = Drop or Aggressive Aging
HTTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > HTTP: Incomplete HTTP Request |
4 | 204 | 4204 | SSL Renegotiation | Anomaly | Periodic | Drop due to SSL/TLS Renegotiation Check |
Service Protection > SSL/TLS Profile > Renegotiation Check
SSL/TLS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > SSL: SSL Renegotiation |
4 | 205 | 4205 | NTP Request Flood | Rate Flood | Interrupt | Rate Threshold for NTP Requests has been exceeded. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Request Flood |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > NTP: Request Flood Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > NTP > Request: NTP Request Flood Drops |
4 | 206 | 4206 | NTP Response Flood | Rate Flood | Interrupt | Rate Threshold for NTP Responses has been exceeded. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Flood |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > NTP: Response Flood Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > NTP > Response: NTP Response Flood Drops |
4 | 207 | 4207 | NTP Broadcast Flood | Rate Flood | Interrupt | Rate Threshold for NTP Broadcasts has been exceeded. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Broadcast Flood |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > NTP: Broadcast Flood Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > NTP > Broadcast: NTP Broadcast Flood Drops |
4 | 208 | 4208 | NTP Reflection ACL | ACL | Periodic | Drops due to NTP Reflection Deny option. Blocks NTP Mode 6 (varlist) and Mode 7 (monlist) Queries or Responses. |
Service Protection > NTP Profile > Reflection Deny
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > NTP: NTP Reflection ACL Drops |
4 | 209 | 4209 | NTP Version Anomaly | NTP Header Anomaly | Periodic | NTP Version and Modes must match currently ratified versions (Version = 1-4 and Mode > 0 if Version = 1). |
Service Protection > NTP Profile > Version Anomaly Check
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > NTP: Header |
4 | 210 | 4210 | NTP Stratum Anomaly | NTP Header Anomaly | Periodic | Stratum must be 1-16 (17-255 are invalid). If Stratum > 2, Reference ID cannot be null/empty. |
Service Protection > NTP Profile > Stratum Anomaly Check
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > NTP: Header |
4 | 211 | 4211 | NTP Data Length Anomaly | NTP Header Anomaly | Periodic | Enforces minimum and maximum data lengths defined in NTP Versions 1-4. |
Service Protection > NTP Profile > Data Length Anomaly Check
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > NTP: Header |
4 | 212 | 4212 | NTP Control Header Anomaly | NTP Header Anomaly | Periodic | Examines Control Header for 10 different Anomalies and drops if seen. |
Service Protection > NTP Profile > Control Header Anomalies Check
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > NTP: Header |
4 | 213 | 4213 | NTP Duplicate Request Before Response | Anomaly | Periodic | Drops identical requests in a few seconds before a reply (mini-Flood). |
Service Protection > NTP Profile > Retransmission Check
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > NTP: State |
4 | 214 | 4214 | NTP Unsolicited Response | Rate Flood treated like Anomaly | Periodic | Drops Responses where the Query was not recorded in NTP Response Matching (NRM) table. Use ONLY with symmetric traffic or asymmetric traffic where both links traverse FortiDDoS. |
Service Protection > NTP Profile > Unsolicited Response Check
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > NTP: State |
4 | 215 | 4215 | NTP State Anomalies: Sequence mismatch | State Anomaly | Periodic | Drops Queries where Sequence number is incorrect. Normally only used when hosting NTP Servers |
Service Protection > NTP Profile > Sequence Mismatch Check
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > NTP: State |
4 | 218 | 4218 | NTP State Anomalies: Mode Mismatch | State Anomaly | Periodic | Client Query/Server Response Modes do not match 1/2 or 3/4. If NTP Reflection ACL is not enabled, then also checks for non-matching Modes 6/6 or 7/7. Anything other than the above mode pairs is dropped as mismatched. |
Service Protection > NTP Profile > Mode Mismatch Check
NTP Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > NTP: State |
4 | 219 | 4219 | NTP Response Per Destination | Rate Flood | Interrupt | Rate Threshold for NTP Responses Per Destination has been exceeded. This indicates a reflected NTP Response Flood towards a single destination. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Per Destination |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > NTP: Response per Destination Flood Drops
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > NTP > Response Per Destination Response/Destination Flood Drops |
4 | 224 | 4224 | SSL/TLS Protocol Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Protocol Anomaly check |
Service Protection > SSL/TLS Profile > Protocol Anomaly
SSL/TLS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > SSL: SSL Protocol |
4 | 225 | 4225 | SSL/TLS Version Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Version Anomaly check |
Service Protection > SSL/TLS Profile > Version Anomaly
SSL/TLS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > SSL: SSL Version |
4 | 226 | 4226 | SSL/TLS Cipher Anomaly | Anomaly | Periodic | Drop due to SSL/TLS Profile Cipher Anomaly check |
Service Protection > SSL/TLS Profile > Cipher Anomaly
SSL/TLS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > SSL: SSL Cipher |
4 | 227 | 4227 | SSL/TLS Incomplete Request Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Block Incomplete Request check |
Service Protection > SSL/TLS Profile > Block Incomplete Request
SSL/TLS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > SSL: SSL Incomplete Request |
4 | 228 | 4228 | SSL/TLS Incomplete Request: Source Flood | Rate Flood | Interrupt | Drop due to SSL/TLS profile's Block Source With Incomplete Request |
Service Protection > SSL/TLS Profile > Block Source With Incomplete Request
SSL/TLS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > SSL: SSL/TLS Incomplete Request Source Flood |
4 | 232 | 4232 | DTLS Client Hello Per Source Flood | Rate Flood | Interrupt | Effective rate limit for the DTLS Client Hello threshold has been reached | Service Protection > Service Protection Policy > Thresholds > Scalars: DTLS Client Hello Per Source |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DTLS: Client Hello Flood From Source
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DTLS > Client Hello Per Source Flood Drops |
4 | 233 | 4233 | DTLS Server Hello Per Source Flood | Rate Flood | Interrupt | Effective rate limit for the DTLS Server Hello Per Source threshold has been reached | Service Protection > Service Protection Policy > Thresholds > Scalars: DTLS Server Hello Per Source |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DTLS: Server Hello Flood from Source
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DTLS: Server Hello Per Source Flood Drops |
4 | 234 | 4234 | DTLS Server Hello Per Destination Flood | Rate Flood | Interrupt | Effective rate limit for the DTLS Server Hello per Destination threshold has been reached | Service Protection > Service Protection Policy > Thresholds > Scalars: DTLS Server Hello Per Destination |
Monitor > Drops Monitor: SPP > (SPP) > Flood Drops > Layer 7 > DTLS: Server Hello Flood per Destination
Monitor > Traffic Monitor: Layer 3/4/7 > (SPP) > Layer 7 > DTLS: Server Hello Per Destination Flood Drops |
4 | 235 | 4235 | DTLS State Anomalies: DTLS negotiation without verification | Anomaly | Periodic | Server messages are dropped if seen before Client Verify message. Client messages are dropped before Client Hello. |
Service Protection > DTLS Profile > Protocol Check
DTLS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > Anomaly Drops > Layer 7 > DTLS > State Anomalies |
4 | 236 | 4236 | DTLS Reflection ACL | ACL | Periodic | Drop any server messages if Client Hello not seen first. |
Service Protection > DTLS Profile > Reflection Deny
DTLS Profile must be assigned to the SPP |
Monitor > Drops Monitor: SPP > (SPP) > ACL Drops > Layer 7 > DTLS > DTLS Reflection ACL Drops |
DDoS Attack Log Directionality for TCP
Setup | Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP |
---|---|---|---|---|---|---|---|
SYN | Outbound | Inside | Outside | High | Low | Outbound | Inside |
ACK | Inbound | Outside | Inside | Low | High | Outbound | Inside |
SYN | Inbound | Outside | Inside | High | Low | Inbound | Inside |
ACK | Outbound | Inside | Outside | Low | High | Inbound | Inside |
SYN | Outbound | Inside | Outside | High | High | Outbound | Inside |
ACK | Inbound | Outside | Inside | High | High | Outbound | Inside |
SYN | Inbound | Outside | Inside | High | High | Inbound | Inside |
ACK | Outbound | Inside | Outside | High | High | Inbound | Inside |
SYN | Outbound | Inside | Outside | Low | Low | Outbound | Inside |
ACK | Inbound | Outside | Inside | Low | Low | Outbound | Inside |
SYN | Inbound | Outside | Inside | Low | Low | Inbound | Inside |
ACK | Outbound | Inside | Outside | Low | Low | Inbound | Inside |
DDoS Attack Log Directionality for UDP
Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP |
---|---|---|---|---|---|---|
Outbound | Inside | Outside | High | Low | Outbound | Inside |
Inbound | Outside | Inside | Low | High | Inbound | Inside |
Inbound | Outside | Inside | High | Low | Inbound | Inside |
Outbound | Inside | Outside | Low | High | Outbound | Inside |
Outbound | Inside | Outside | High | High | Outbound | Inside |
Inbound | Outside | Inside | High | High | Inbound | Inside |