Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.2.3
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Using the Layer 4 graphs

    Using the Layer 4 graphs

    Example Layer 4 graph

    Before you begin:

    • You must have Read permission for the Monitor menu.

    • Refer to Reading Monitor graphs to understand the graphs in detail.

    To display the graphs:
    • Go to Monitor / Traffic Monitor / > Layer 3/4/7 > Layer 4 > [SPP] [Sources / Destinations / Protocols / Other] [Y-Axis view] [Direction] [Reporting Period].

    The follow table summarizes the statistics displayed in each graph.

    Layer 4 graphs

    Statistic

    Description

    SYN Tab

    SYN

    Displays SYN Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • SYN Ingress Max Packet Rate (SYNs/sec) - Trend in observed ingress SYN rate for all SYNs into the SPP.
    • SYN Egress Max Packet Rate (SYNs/sec) - Trend in observed egress SYN rate for all SYNs into the SPP.
    • SYN packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN Estimated Threshold rate as described above.
    • SYN packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN Validation triggered by the SYN Threshold /Estimated Threshold.

    Note: SYN Validation option in the TCP Profile assigned to this SPP must be enabled for any SYN mitigation. If source IPs are successfully validated, SYNs may be allowed to exceed the threshold.

    SYN Per Source

    Displays SYN per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • Ingress SYN per Source Max Packet Rate (SYNs/sec) - Trend in observed ingress maximum rate of SYN packets from a single source IP.
    • Egress SYN per Source Max Packet Rate (SYNs/sec) - Trend in observed egress maximum rate of SYN packets from a single source IP.
    • SYN per Source packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN per Source Estimated Threshold rate as described above.
    • SYN per Source packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN per Source rate-limiting Threshold.

    Note: SYN Validation is not performed on identified Sources that exceed the SYN per Source rate – Sources are rate-limited to the SYN per Source threshold.

    SYN Per Destination

    Displays SYN per Destination Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • SYN per Destination Ingress Max Packet Rate (SYNs/sec) - Trend in observed ingress SYN rate for SYNs to protected Destination IPs.
    • SYN per Destination Egress Max Packet Rate (SYNs/sec) - Trend in observed egress SYN rate for all SYNs into the SPP.
    • SYN per Destination packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN per Destination Estimated Threshold rate as described above.
    • SYN per Destination packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN Validation triggered by the SYN Threshold /Estimated Threshold.

    Note: SYN Validation option in the TCP Profile assigned to this SPP must be enabled for any SYN per Destination mitigation. If source IPs are successfully validated, SYN per Destination may be allowed to exceed the threshold.

    SYN/ACK

    Displays SYN/ACK Traffic, Threshold, and per-5-minute Drop information for:

    • SYN/ACK Ingress Max Packet Rate (SYN/ACKs/sec) - Trend in observed ingress SYN/ACK rate for all SYN/ACKs into the SPP.
    • SYN/ACK Egress Max Packet Rate (SYN/ACKs/sec) - Trend in observed egress SYN/ACK rate for all SYN/ACKs into the SPP.
    • SYN/ACK packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN/ACK in Asym Mode Threshold

    Note:

    • This graph shows inbound traffic only.
    • This graph is only available if:
      • FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
      • SYN/ACK in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars
    • Drop graphs are available only if SYN/ACK in Asym Mode Threshold is manually set. Use this traffic graph to determine peak inbound egress SYN/ACK traffic over time, and multiply by 2x to create the manual threshold. The Threshold is for inbound traffic only.

    SYN/ACK Per Destination

    Displays SYN/ACK per Destination Traffic, Threshold, and per-5-minute Drop information for:

    • SYN/ACK per Destination Ingress Max Packet Rate (SYN/ACKs/Destination/sec) - Trend in observed maximum ingress SYN/ACK per Destination rate for any Protected IP in the SPP..
    • SYN/ACK per Destination Egress Max Packet Rate (SYN/ACKs/Destination/sec) - Trend in observed egress SYN/ACK per Destination rate for any Protected IP in the SPP..
    • SYN/ACK per Destination packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN/ACK per Destination in Asym Mode Threshold

    Note:

    • This graph shows inbound traffic only.
    • This graph is only available if:
      • FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
      • SYN/ACK per Destination in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars
    • Drop graphs are available only if SYN/ACK per Destination in Asym Mode Threshold is manually set. Use this traffic graph to determine peak inbound egress SYN/ACK per Destination traffic over time, and multiply by 2x to create the manual threshold. The Threshold is for inbound traffic only.

    Ports Tab

    TCP

    Displays TCP Port Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • TCP <Port> Ingress Max Packet Rate (packets/sec) - Trend in observed ingress maximum packet rate to the specified port. A spike in this graph shows a possible port flood.
    • TCP <Port> Egress Max Packet Rate - Packets/sec - Trend in observed egress maximum packet rate to the specified port.
    • TCP <Port> Packets Dropped - Packets/ Packets/5-Minute Period - Trend in packets dropped due to the rate-limiting Threshold.

    Note:

    • FortiDDoS is primarily interested in protecting TCP “service” ports. Traditionally “service” ports have been the well-known ports below port 1024. As applications expanded, many ports over 1024 are used for well-known services such as MSSQL (1433) or RDP (3389). FortiDDoS treats all TCP ports under 10,000 as “service” ports. When a client connects to a service port all the inbound traffic to that port and outbound traffic from that port is associated with the port and the ephemeral client port is ignored. If you see high ports (>10239) in logs, that means high ports are “talking” to other high ports. This may happen with gaming and FTP, for example. The FTP control port is 21 but the server opens a high port and the client uses a new high port to connect to the server “data” port while the control session stays open. You can also define 128 HTTP Service Ports and 128 SSL Service Ports for any port from 1-65535. More information is available in the Service Protection section.
    • FortiDDoS F-series appliances set ranges and thresholds for ports 0-10239 and a single range and threshold for all ports above 10240. Logs will report on all ports from 0-65535. FortiDDoS F-Series VMs set ranges and thresholds for ports 0-1023 and a single range and threshold for all ports over 1024. Logs will report on all ports from 0-1023 but only report port 1024 for higher ports.

    UDP

    Displays UDP Port Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • UDP <Port> Ingress Max Packet Rate (packets/sec) - Trend in observed ingress maximum packet rate to the specified port.
    • UDP <Port> Egress Max Packet Rate - Packets/sec - Trend in observed egress maximum packet rate to the specified port.
    • UDP <Port> Packets Dropped - Packets/ Packets/5-Minute Period - Trend in packets dropped due to the rate-limiting Threshold.

    Note: FortiDDoS is primarily interested in protecting TCP “service” ports. Traditionally “service” ports have been the well-known ports below port 1024. As applications expanded, many ports over 1024 are used for well-known services such as MSSQL (1433) or RDP (3389). FortiDDoS treats all TCP ports under 10,000 as “service” ports. When a client connects to a service port all the inbound traffic to that port and outbound traffic from that port is associated with the port and the ephemeral client port is ignored.

    Other Tab

    Concurrent Connections per Source

    Displays Concurrent Connections per Source count, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • Maximum Concurrent Connections per Source (count) - Trend in observed count of concurrent connections for the busiest source each second.
    • Estimated Threshold for Concurrent Connections per Source (count) - Trend in the Concurrent Connections per Source Estimated Threshold rate as described above.
    • Concurrent Connections per Source dropped (count per 5-minutes) - Trend in Connections dropped due to the rate-limiting Threshold.

    New Connections

    Displays New Connections count, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • Max New Connections Establishment (Connections/sec) – Trend in new connection rate.
    • Estimated Threshold for New Connections Establishment (Connections/sec) - Trend in the New Connections Estimated Threshold rate as described above.
    • New Connections dropped (count per 5-minutes) - Trend in Connections dropped due to the rate-limiting Threshold.

    Non-Spoofed IPs

    Displays the number of entries in the global Legitimate IP (LIP) Table. The Legitimate IP table displays the count of Source IP addresses that have been successfully validated by one of the 2 SYN Validation parameters (SYN or SYN per Destination). This table will only be populated during SYN Floods and thus if the graph is showing non-zero numbers there has been a SYN or SYN per Destination Flood in one or more of the SPPs.

    The legitimate IP address table is maintained and reported as a global count. The graph is identical for all SPPs, when a SYN flood occurs in any SPP.

    TCP Sessions

    TCP Sessions is an information-only graph that displays counts of the following parameters:

    • Established Connections (count) - Trend in count of entries in the TCP state table that are in the established state (completed three-way handshake).
    • Number of Entries in TCP State Table (count) - rend in count of all entries in the TCP state table, including half-open connections. If the values for the number of entries in the TCP state table are significantly higher than those for Established Connections, it shows a possible SYN flood attack.

    Note: The TCP Sessions graph is a global count. It will show identical counts for all SPPs. If this graph looks abnormal, check the three SYN graphs for each SPP.

    ICMP

    Displays traffic and drops information for ICMP Types and Codes. Because there are 255 x 255 (65,536) possible Types and Codes there are 2 additional fields on this graph for Type (0-255) and Code (0-255). When a Type/Code is entered, the system converts this to an index number, which appears in the label of each subgraph. For example Type 8 / Code 0 (ping) is index 2048.

    Look in Dashboard > Top Attacks: Top Attacked ICMP Type/Codes to see if any Types/Codes are displayed. Enter those in this graph to see the activity.

    • Ingress Max Packet Rate (pps) – Trend in ingress traffic for this Type/Code
    • Egress Max Packet Rate (pps) – Trend in egress traffic for this Type/Code
    • Packets Dropped (drops per 5-minutes) - Packets dropped due to the Type/Code rate-limiting Threshold.
    • Packets Blocked (drops per 5-minutes) – Packets blocked due to an ICMP Type/Code ACL contained in the ICMP Profile assigned to this SPP.

    Note:

    • ICMP Type/Code graphs are displayed differently for different FortiDDoS F-Series Models
      • Thresholds and Ranges – Appliance and VM Thresholds are set for every Type/Code and ranges are set for:
        • Types/Code indexes from 0-10239
        • A single range is set for index 10240-65536
      • Graphs:
        • Appliances display traffic/drops/blocked for all Type Codes to index 65536
        • VMs display traffic/drops/blocked for Type Codes to index 10239. The peak data rate and drops for any indexes from 10240-65535 are all displayed on the 10240 index graph. The actual Type/Code (133/0, for example, not the index) is displayed in any Attack Log.
    • You may need to review the ICMP Profile, Dashboard > Top Attacks > Top ACL Attacks and/or the Attack Logs to identify which Type/Code graph to show the ACL drops.
    • ICMPv4 uses Layer 3 Protocol 1 while ICMPv6 used Layer 3 Protocol 58. Some ICMP Types/Codes are used on both Protocols and some are unique to one Protocol. The Traffic and Drops graphs show all Type/Codes for any Protocol. The ICMP Profile ACL can select ICMPv4, ICMPv6 or both.
    • As of 2021/03 there are only 113 ICMP Types/Code pairs ratified by IETF and IANA out total the total 65,536 available pairs. Attackers may randomize Types/Codes in an attempt to avoid detection. The ICMP Type Code Anomaly option is available in any ICMP Profile, which automatically drops any Type/Code outside the ratified Types/Codes, without using the rate-limiting Threshold.
    Previous
    Next

    Using the Layer 4 graphs

    Using the Layer 4 graphs

    Example Layer 4 graph

    Before you begin:

    • You must have Read permission for the Monitor menu.

    • Refer to Reading Monitor graphs to understand the graphs in detail.

    To display the graphs:
    • Go to Monitor / Traffic Monitor / > Layer 3/4/7 > Layer 4 > [SPP] [Sources / Destinations / Protocols / Other] [Y-Axis view] [Direction] [Reporting Period].

    The follow table summarizes the statistics displayed in each graph.

    Layer 4 graphs

    Statistic

    Description

    SYN Tab

    SYN

    Displays SYN Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • SYN Ingress Max Packet Rate (SYNs/sec) - Trend in observed ingress SYN rate for all SYNs into the SPP.
    • SYN Egress Max Packet Rate (SYNs/sec) - Trend in observed egress SYN rate for all SYNs into the SPP.
    • SYN packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN Estimated Threshold rate as described above.
    • SYN packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN Validation triggered by the SYN Threshold /Estimated Threshold.

    Note: SYN Validation option in the TCP Profile assigned to this SPP must be enabled for any SYN mitigation. If source IPs are successfully validated, SYNs may be allowed to exceed the threshold.

    SYN Per Source

    Displays SYN per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • Ingress SYN per Source Max Packet Rate (SYNs/sec) - Trend in observed ingress maximum rate of SYN packets from a single source IP.
    • Egress SYN per Source Max Packet Rate (SYNs/sec) - Trend in observed egress maximum rate of SYN packets from a single source IP.
    • SYN per Source packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN per Source Estimated Threshold rate as described above.
    • SYN per Source packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN per Source rate-limiting Threshold.

    Note: SYN Validation is not performed on identified Sources that exceed the SYN per Source rate – Sources are rate-limited to the SYN per Source threshold.

    SYN Per Destination

    Displays SYN per Destination Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • SYN per Destination Ingress Max Packet Rate (SYNs/sec) - Trend in observed ingress SYN rate for SYNs to protected Destination IPs.
    • SYN per Destination Egress Max Packet Rate (SYNs/sec) - Trend in observed egress SYN rate for all SYNs into the SPP.
    • SYN per Destination packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN per Destination Estimated Threshold rate as described above.
    • SYN per Destination packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN Validation triggered by the SYN Threshold /Estimated Threshold.

    Note: SYN Validation option in the TCP Profile assigned to this SPP must be enabled for any SYN per Destination mitigation. If source IPs are successfully validated, SYN per Destination may be allowed to exceed the threshold.

    SYN/ACK

    Displays SYN/ACK Traffic, Threshold, and per-5-minute Drop information for:

    • SYN/ACK Ingress Max Packet Rate (SYN/ACKs/sec) - Trend in observed ingress SYN/ACK rate for all SYN/ACKs into the SPP.
    • SYN/ACK Egress Max Packet Rate (SYN/ACKs/sec) - Trend in observed egress SYN/ACK rate for all SYN/ACKs into the SPP.
    • SYN/ACK packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN/ACK in Asym Mode Threshold

    Note:

    • This graph shows inbound traffic only.
    • This graph is only available if:
      • FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
      • SYN/ACK in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars
    • Drop graphs are available only if SYN/ACK in Asym Mode Threshold is manually set. Use this traffic graph to determine peak inbound egress SYN/ACK traffic over time, and multiply by 2x to create the manual threshold. The Threshold is for inbound traffic only.

    SYN/ACK Per Destination

    Displays SYN/ACK per Destination Traffic, Threshold, and per-5-minute Drop information for:

    • SYN/ACK per Destination Ingress Max Packet Rate (SYN/ACKs/Destination/sec) - Trend in observed maximum ingress SYN/ACK per Destination rate for any Protected IP in the SPP..
    • SYN/ACK per Destination Egress Max Packet Rate (SYN/ACKs/Destination/sec) - Trend in observed egress SYN/ACK per Destination rate for any Protected IP in the SPP..
    • SYN/ACK per Destination packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN/ACK per Destination in Asym Mode Threshold

    Note:

    • This graph shows inbound traffic only.
    • This graph is only available if:
      • FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
      • SYN/ACK per Destination in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars
    • Drop graphs are available only if SYN/ACK per Destination in Asym Mode Threshold is manually set. Use this traffic graph to determine peak inbound egress SYN/ACK per Destination traffic over time, and multiply by 2x to create the manual threshold. The Threshold is for inbound traffic only.

    Ports Tab

    TCP

    Displays TCP Port Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • TCP <Port> Ingress Max Packet Rate (packets/sec) - Trend in observed ingress maximum packet rate to the specified port. A spike in this graph shows a possible port flood.
    • TCP <Port> Egress Max Packet Rate - Packets/sec - Trend in observed egress maximum packet rate to the specified port.
    • TCP <Port> Packets Dropped - Packets/ Packets/5-Minute Period - Trend in packets dropped due to the rate-limiting Threshold.

    Note:

    • FortiDDoS is primarily interested in protecting TCP “service” ports. Traditionally “service” ports have been the well-known ports below port 1024. As applications expanded, many ports over 1024 are used for well-known services such as MSSQL (1433) or RDP (3389). FortiDDoS treats all TCP ports under 10,000 as “service” ports. When a client connects to a service port all the inbound traffic to that port and outbound traffic from that port is associated with the port and the ephemeral client port is ignored. If you see high ports (>10239) in logs, that means high ports are “talking” to other high ports. This may happen with gaming and FTP, for example. The FTP control port is 21 but the server opens a high port and the client uses a new high port to connect to the server “data” port while the control session stays open. You can also define 128 HTTP Service Ports and 128 SSL Service Ports for any port from 1-65535. More information is available in the Service Protection section.
    • FortiDDoS F-series appliances set ranges and thresholds for ports 0-10239 and a single range and threshold for all ports above 10240. Logs will report on all ports from 0-65535. FortiDDoS F-Series VMs set ranges and thresholds for ports 0-1023 and a single range and threshold for all ports over 1024. Logs will report on all ports from 0-1023 but only report port 1024 for higher ports.

    UDP

    Displays UDP Port Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • UDP <Port> Ingress Max Packet Rate (packets/sec) - Trend in observed ingress maximum packet rate to the specified port.
    • UDP <Port> Egress Max Packet Rate - Packets/sec - Trend in observed egress maximum packet rate to the specified port.
    • UDP <Port> Packets Dropped - Packets/ Packets/5-Minute Period - Trend in packets dropped due to the rate-limiting Threshold.

    Note: FortiDDoS is primarily interested in protecting TCP “service” ports. Traditionally “service” ports have been the well-known ports below port 1024. As applications expanded, many ports over 1024 are used for well-known services such as MSSQL (1433) or RDP (3389). FortiDDoS treats all TCP ports under 10,000 as “service” ports. When a client connects to a service port all the inbound traffic to that port and outbound traffic from that port is associated with the port and the ephemeral client port is ignored.

    Other Tab

    Concurrent Connections per Source

    Displays Concurrent Connections per Source count, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • Maximum Concurrent Connections per Source (count) - Trend in observed count of concurrent connections for the busiest source each second.
    • Estimated Threshold for Concurrent Connections per Source (count) - Trend in the Concurrent Connections per Source Estimated Threshold rate as described above.
    • Concurrent Connections per Source dropped (count per 5-minutes) - Trend in Connections dropped due to the rate-limiting Threshold.

    New Connections

    Displays New Connections count, Threshold, Estimated Threshold and per-5-minute Drop information for:

    • Max New Connections Establishment (Connections/sec) – Trend in new connection rate.
    • Estimated Threshold for New Connections Establishment (Connections/sec) - Trend in the New Connections Estimated Threshold rate as described above.
    • New Connections dropped (count per 5-minutes) - Trend in Connections dropped due to the rate-limiting Threshold.

    Non-Spoofed IPs

    Displays the number of entries in the global Legitimate IP (LIP) Table. The Legitimate IP table displays the count of Source IP addresses that have been successfully validated by one of the 2 SYN Validation parameters (SYN or SYN per Destination). This table will only be populated during SYN Floods and thus if the graph is showing non-zero numbers there has been a SYN or SYN per Destination Flood in one or more of the SPPs.

    The legitimate IP address table is maintained and reported as a global count. The graph is identical for all SPPs, when a SYN flood occurs in any SPP.

    TCP Sessions

    TCP Sessions is an information-only graph that displays counts of the following parameters:

    • Established Connections (count) - Trend in count of entries in the TCP state table that are in the established state (completed three-way handshake).
    • Number of Entries in TCP State Table (count) - rend in count of all entries in the TCP state table, including half-open connections. If the values for the number of entries in the TCP state table are significantly higher than those for Established Connections, it shows a possible SYN flood attack.

    Note: The TCP Sessions graph is a global count. It will show identical counts for all SPPs. If this graph looks abnormal, check the three SYN graphs for each SPP.

    ICMP

    Displays traffic and drops information for ICMP Types and Codes. Because there are 255 x 255 (65,536) possible Types and Codes there are 2 additional fields on this graph for Type (0-255) and Code (0-255). When a Type/Code is entered, the system converts this to an index number, which appears in the label of each subgraph. For example Type 8 / Code 0 (ping) is index 2048.

    Look in Dashboard > Top Attacks: Top Attacked ICMP Type/Codes to see if any Types/Codes are displayed. Enter those in this graph to see the activity.

    • Ingress Max Packet Rate (pps) – Trend in ingress traffic for this Type/Code
    • Egress Max Packet Rate (pps) – Trend in egress traffic for this Type/Code
    • Packets Dropped (drops per 5-minutes) - Packets dropped due to the Type/Code rate-limiting Threshold.
    • Packets Blocked (drops per 5-minutes) – Packets blocked due to an ICMP Type/Code ACL contained in the ICMP Profile assigned to this SPP.

    Note:

    • ICMP Type/Code graphs are displayed differently for different FortiDDoS F-Series Models
      • Thresholds and Ranges – Appliance and VM Thresholds are set for every Type/Code and ranges are set for:
        • Types/Code indexes from 0-10239
        • A single range is set for index 10240-65536
      • Graphs:
        • Appliances display traffic/drops/blocked for all Type Codes to index 65536
        • VMs display traffic/drops/blocked for Type Codes to index 10239. The peak data rate and drops for any indexes from 10240-65535 are all displayed on the 10240 index graph. The actual Type/Code (133/0, for example, not the index) is displayed in any Attack Log.
    • You may need to review the ICMP Profile, Dashboard > Top Attacks > Top ACL Attacks and/or the Attack Logs to identify which Type/Code graph to show the ACL drops.
    • ICMPv4 uses Layer 3 Protocol 1 while ICMPv6 used Layer 3 Protocol 58. Some ICMP Types/Codes are used on both Protocols and some are unique to one Protocol. The Traffic and Drops graphs show all Type/Codes for any Protocol. The ICMP Profile ACL can select ICMPv4, ICMPv6 or both.
    • As of 2021/03 there are only 113 ICMP Types/Code pairs ratified by IETF and IANA out total the total 65,536 available pairs. Attackers may randomize Types/Codes in an attempt to avoid detection. The ICMP Type Code Anomaly option is available in any ICMP Profile, which automatically drops any Type/Code outside the ratified Types/Codes, without using the rate-limiting Threshold.
    Previous
    Next