Using the Layer 7 graphs

Example Layer 7 graph

Before you begin:

• You must have Read permission for the Monitor menu.

• Refer to Reading Monitor graphs to understand the graphs in detail.

To display the graphs:

• Go to Monitor > Traffic Monitor > Layer 3/4/7 > Layer 7 and select [SPP] [HTTP / DNS / NTP] [Y-Axis view] [Direction] [Reporting Period]. Some graphs have an additional parameter selection, such as [Method].

Layer 7 graphs

Statistic

Description

HTTP Tab

Methods

Displays HTTP Method Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. The following Methods are monitored: [GET | HEAD | OPTIONS | TRACE | POST | PUT | DELETE | CONNECT]

Subgraphs for:

  • [Method] Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for the selected HTTP method.
  • [Method] Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for the selected HTTP method.
  • [Method] Estimated Threshold (pps) - Trend in the HTTP Method Estimated Threshold rate as described above.
  • [Method] Packets Dropped (drops per 5-minutes) - Trend in [Method] packets dropped due to the rate-limiting Threshold and/or the GET/POST Flood Mitigation settings in the HTTP Profile assigned to an SPP.

Note:

  • Selected Methods can be ACLed per SPP via the HTTP Profile assigned to that SPP.
  • Source IP Validation for GET and POST Floods is available by setting GET and/or POST Flood Mitigation features in the HTTP Profile assigned to this SPP.

Method per Source

Displays HTTP Method per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information:

  • Method per Source Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for any single Source IP.
  • Method per Source Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for any single Source IP.
  • Method per Source Estimated Threshold (pps) - Trend in the HTTP Method Estimated Threshold rate as described above.
  • Method per Source Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Method per Source Threshold.

URLs

Displays HTTP URL Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. URLs can be over 4000 characters long, so the number of distinct URLs is almost unlimited. FortiDDoS tracks the top 32,000 URLs but uses a single Threshold learned from Traffic Statistics to rate-limit any URL. URLs are one-way hashed and the hash index is shown on the graph. To use this graph, observe URL Drops in the Attack Logs to obtain the hash index under attack.

  • URL <Index> Ingress Max Packet Rate (pps) - Trend in observed URL <Index> ingress maximum rate.
  • URL <Index> Egress Max Packet Rate (pps) - Trend in observed URL <Index> egress maximum rate.
  • URL <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting URL Threshold.
  • URL <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any URL ACLs created in an HTTP Profile assigned to an SPP.

Note: Specific URLs may be ACLed via the HTTP Profile assigned to an SPP.

Hosts

Displays HTTP Host Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Hosts but uses a single Threshold learned from Traffic Statistics to rate-limit any Host. Hosts are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe Host Drops in the Attack Logs to obtain the hash index under attack.

  • Host <Index> Ingress Max Packet Rate (pps) - Trend in observed Host <Index> ingress maximum rate.
  • Host <Index> Egress Max Packet Rate (pps) - Trend in observed Host <Index> egress maximum rate.
  • Host <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Host Threshold.
  • Host <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any Host ACLs created in an HTTP Profile assigned to an SPP.

Note: Specific Hosts may be ACLed via the HTTP Profile assigned to an SPP.

Referers

Displays HTTP Referer Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Referers but uses a single Threshold learned from Traffic Statistics to rate-limit any Referer. Referers are one-way hashed and the hash index is shown on the graph. To use this graph, observe Referer Drops in the Attack Logs to obtain the hash index under attack.

  • Referer <Index> Ingress Max Packet Rate (pps) - Trend in observed Referer <Index> ingress maximum rate.
  • Referer <Index> Egress Max Packet Rate (pps) - Trend in observed Referer <Index> egress maximum rate.
  • Referer <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Referer Threshold.
  • Referer <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any Referer ACLs created in an HTTP Profile assigned to an SPP.

Note: Specific Referers may be ACLed via the HTTP Profile assigned to an SPP.

Cookies

Displays HTTP Cookie Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Cookies but uses a single Threshold learned from Traffic Statistics to rate-limit any Cookie. Cookies are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe Cookie Drops in the Attack Logs to obtain the hash index under attack.

  • Cookie <Index> Ingress Max Packet Rate (pps) - Trend in observed Cookie <Index> ingress maximum rate.
  • Cookie <Index> Egress Max Packet Rate (pps) - Trend in observed Cookie <Index> egress maximum rate.
  • Cookie <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Cookie Threshold.
  • Cookie <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any Cookie ACLs created in an HTTP Profile assigned to an SPP.

Note: Specific Cookies may be ACLed via the HTTP Profile assigned to an SPP.

User Agents

Displays HTTP User Agent Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 User Agents but uses a single Threshold learned from Traffic Statistics to rate-limit any User Agent.

User Agents are one-way hashed and the hash index is shown on the graph. To use this graph, observe User Agent Drops in the Attack Logs to obtain the hash index under attack.

  • User Agent <Index> Ingress Max Packet Rate (pps) - Trend in observed User Agent <Index> ingress maximum rate.
  • User Agent <Index> Egress Max Packet Rate (pps) - Trend in observed User Agent <Index> egress maximum rate.
  • User Agent <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting User Agent Threshold.
  • User Agent <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any User Agent ACLs created in an HTTP Profile assigned to an SPP.

Note: Specific User Agents may be ACLed via the HTTP Profile assigned to an SPP.

DNS Tab

DNS Query

Displays DNS Query Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

Subgraphs for:

  • UDP Query Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for UDP Queries.
  • UDP Query Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for UDP Queries.
  • UDP Query Estimated Threshold (pps) - Trend in the UDP Query Estimated Threshold rate as described above.
  • TCP Query Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Queries.
  • TCP Query Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Queries.
  • TCP Query Estimated Threshold (pps) - Trend in the TCP Query Estimated Threshold rate as described above.
  • TCP Query Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Query Threshold.

Note:

  • When the DNS Query Threshold is crossed, the system begins DNS Source and Query (payload) validation. If DNS Anti-spoofing and Validations options are not enabled in a DNS Profile assigned to an SPP, no DNS Query mitigation will be done.
  • If over-threshold DNS Queries pass both Source and Query validation, they will be allowed and you may see Query rates on the graph higher than the Threshold.
  • Drops caused by UDP Query Validations are displayed in the Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS graph.
  • TCP Queries will be Source validated with Layer 4 SYN validations and will then be rate-limited (no Query validation) by the independent TCP Query Threshold.

Query Per Source

Displays DNS UDP/TCP Query per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

  • Query per Source Ingress Max Packet Rate (pps) - Trend in observed ingress maximum DNS Query rate for any single Source IP.
  • Query per Source Egress Max Packet Rate (pps) - Trend in observed egress maximum DNS Query rate for any single Source IP.
  • Query per Source Estimated Threshold (pps) - Trend in the DNS Query Estimated Threshold rate as described above.
  • Query per Source Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting DNS Query per Source Threshold.

Note: If Block Identified Source is disabled in a DNS Profile assigned to an SPP, the Query per Source Threshold will not be tracked nor displayed on the graph.

Suspicious Sources

Displays DNS Packet-Track per Source (Suspicious Sources) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

Packet-Track per Source (Suspicious Sources) is based on a machine-learned, heuristics-based score that counts fragmented packets, Response not found in DQRM and/or queries that generate responses with RCODE other than 0, for any Source.

  • Packet-Track per Source Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for any single Source IP.
  • Packet-Track per Source Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for any single Source IP.
  • Packet-Track per Source Estimated Threshold (pps) - Trend in the Estimated Threshold rate as described above.
  • Packet-Track per Source Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Packet-Track per Source Threshold.

Note: If Block Identified Source in a DNS Profile assigned to an SPP is disabled, the DNS Packet-Track per Source (Suspicious Sources) Threshold will not be tracked nor displayed on the graph.

Question Count

Displays the sum of all Question Count fields in all DNS UDP/TCP Query Packets, Threshold, Estimated Threshold and per-5-minute Drop information.

  • UDP Question Ingress Max Packet Rate (Sum of Question Count per second) - Trend in observed ingress maximum rate for UDP Questions.
  • UDP Question Egress Max Packet Rate (Sum of Question Count per second) - Trend in observed egress maximum rate for UDP Questions.
  • UDP Question Estimated Threshold (Sum of Question Count per second) - Trend in the UDP Question Count Estimated Threshold rate as described above.
  • TCP Question Ingress Max Packet Rate (Sum of Question Count per second) - Trend in observed ingress maximum rate for TCP Questions.
  • TCP Question Egress Max Packet Rate (Sum of Question Count per second) - Trend in observed egress maximum rate for TCP Questions.
  • TCP Question Estimated Threshold (Sum of Question Count per second) - Trend in the TCP Question Count Estimated Threshold rate as described above.
  • TCP Question Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Question Count Threshold.

Note:

  • The Qcount field in a DNS Query allows a maximum value of 255. This would mean, for example, that the Client is asking for A-Records for 255 FQDNs. However, a DNS Response only allows a single Response, so any Qcount greater than 1 is invalid and suspicious. The Question Count graphs should therefore match the DNS Query graphs.
  • When the DNS Question Count Threshold is crossed, the system begins DNS Source and Query (payload) validation. If DNS Anti-spoofing and Validations options are not enabled in a DNS Profile assigned to an SPP, no DNS Question Count mitigation will be done.
  • If over-threshold DNS Question Counts pass both Source and Query validation, they will be allowed and you may see Question Counts on the graph higher than the Threshold.
  • Drops caused by UDP Question Count Validations are displayed in the Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS graph.
  • TCP Question Counts will be Source validated with Layer 4 SYN validations and will then be rate-limited (no Query validation) by the independent TCP Question Count Threshold.

Fragment

Displays the DNS UDP/TCP Query Fragment Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

Note: Only the first fragment in a series of fragments carries the Layer 4 information needed to identify the packet as a DNS Fragment, and only these fragments are displayed on this graph. Subsequent fragments have only Layer 3 information and are displayed on the Monitor > Traffic Monitor > Layer 3/4/7 > Layer 3 > Other > Fragmented Packet graph.

  • UDP Fragment Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for UDP Fragments.
  • UDP Fragment Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for UDP Fragments.
  • UDP Fragment Estimated Threshold (pps) - Trend in the UDP Fragment Estimated Threshold rate as described above.
  • TCP Fragment Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Fragments.
  • TCP Fragment Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Fragments.
  • TCP Fragment Estimated Threshold (pps) - Trend in the TCP Fragment Estimated Threshold rate as described above.
  • TCP Fragment Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Fragment Threshold.

QType MX

Displays the DNS UDP/TCP Query Type MX (email) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

  • UDP Query Type MX Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for UDP Query Type MX.
  • UDP Query Type MX Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for UDP Query Type MX.
  • UDP Query Type MX Estimated Threshold (pps) - Trend in the UDP Query Type MX Estimated Threshold rate as described above.
  • TCP Query Type MX Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Query Type MX.
  • TCP Query Type MX Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Query Type MX.
  • TCP Query Type MX Estimated Threshold (pps) - Trend in the TCP Query Type MX Estimated Threshold rate as described above.
  • TCP Query Type MX Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Query Type MX Threshold.

Note:

  • When the DNS Query Type MX Threshold is crossed, the system begins DNS Source and Query (payload) validation. If DNS Anti-spoofing and Validations options are not enabled in a DNS Profile assigned to an SPP, no DNS Query mitigation will be done.
  • If over-threshold DNS Queries pass both Source and Query validation, they will be allowed and you may see Query Type MX rates on the graph higher than the Threshold.
  • Drops caused by UDP Query Validations are displayed in the Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS graph.
  • TCP Type MX Queries will be Source validated with Layer 4 SYN validations and will then be rate-limited (no Query validation) by the independent TCP Query Type MX Threshold.

QType All

Displays the DNS UDP/TCP Query Type ALL (ANY/*) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

  • UDP Query Type ALL Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for UDP Query Type ALL.
  • UDP Query Type ALL Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for UDP Query Type ALL.
  • UDP Query Type ALL Estimated Threshold (pps) - Trend in the UDP Query Type ALL Estimated Threshold rate as described above.
  • TCP Query Type ALL Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Query Type ALL.
  • TCP Query Type ALL Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Query Type ALL.
  • TCP Query Type ALL Estimated Threshold (pps) - Trend in the TCP Query Type ALL Estimated Threshold rate as described above.
  • TCP Query Type ALL Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Query Type ALL Threshold.

Note:

  • When the DNS Query Type ALL Threshold is crossed, the system begins DNS Source and Query (payload) validation. If DNS Anti-spoofing and Validations options are not enabled in a DNS Profile assigned to an SPP, no DNS Query mitigation will be done.
  • If over-threshold DNS Queries pass both Source and Query validation, they will be allowed and you may see Query Type ALL rates on the graph higher than the Threshold.
  • Drops caused by UDP Query Validations are displayed in the Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS graph.
  • TCP Type ALL Queries will be Source validated with Layer 4 SYN validations and will then be rate-limited (no Query validation) by the independent TCP Query Type ALL Threshold.

QType Zone Transfer

Displays the DNS TCP Query Type Zone Transfer Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

  • TCP Query Type Zone Transfer Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Query Type Zone Transfer.
  • TCP Query Type Zone Transfer Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Query Type Zone Transfer.
  • TCP Query Type Zone Transfer Estimated Threshold (pps) - Trend in the TCP Query Type Zone Transfer Estimated Threshold rate as described above.
  • TCP Query Type Zone Transfer Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Query Type Zone Transfer Threshold.

Note: Zone Transfer requests must be TCP. If attackers use UDP, the UDP Query Thresholds and mitigations will apply.

DNS Response Code

Displays the DNS Response Code Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. DNS Responses contain a Response Code (RCODE) that describes the outcome of the Response. The field allows 15 different Response Codes, but many are unassigned, not implemented or rarely used. The most-used Response Codes are 0 = Good Response, 1 = Query Format Error, 2 = Server Failure, 3 = NxDomain and 5 = Refused.

The DNS Response Code graph contains an additional selection field to enter the Response Code of interest from 0-15.

  • DNS Rcode [0-15] Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for DNS Rcode [0-15]
  • DNS Rcode [0-15] Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for DNS Rcode [0-15]
  • DNS Rcode [0-15] Ingress Drops (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting DNS Rcode [0-15] Threshold
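The Question Count, Suspicious Sources and DNS Response Code graphs above are all derived from fields in the 12-byte DNS header (QDCOUNT, the QR bit and the 4-bit RCODE). The Python below is an added example, not FortiDDoS code: it parses constructed DNS packets, sums QDCOUNT per Source for the Question Count metric, builds an RCODE histogram, and tallies per client the responses with RCODE other than 0 and the queries with QDCOUNT greater than 1 that the Suspicious Sources score counts. The addresses, packets and the Question Count threshold of 100 per second are constructed for illustration.

```python
import struct
from collections import defaultdict

# 12-byte DNS header (RFC 1035, network byte order): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")

# Names for the Response Codes the page calls out; the 4-bit RCODE field holds values 0-15
RCODE_NAMES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 5: "Refused"}

# Hypothetical learned Question Count threshold (sum of QDCOUNT per second), constructed for the demo
QUESTION_THRESHOLD = 100


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed DNS header; raise ValueError on a payload shorter than the header."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("DNS payload shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,      # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,         # low 4 bits: Response Code 0-15
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_dns(ident: int, *, response: bool = False, rcode: int = 0, qdcount: int = 1) -> bytes:
    """Construct a minimal DNS message: header plus QDCOUNT copies of an A question for example.com."""
    question = b"\x07example\x03com\x00" + b"\x00\x01" + b"\x00\x01"  # QNAME, QTYPE=A, QCLASS=IN
    flags = (0x8000 if response else 0) | (rcode & 0xF)
    return DNS_HEADER.pack(ident, flags, qdcount, 0, 0, 0) + question * qdcount


def summarize(packets):
    """Tally, per client Source IP, the counters behind the Question Count, Response Code and
    Suspicious Sources graphs. packets is an iterable of (src_ip, dst_ip, dns_payload)."""
    per_source = defaultdict(lambda: {"queries": 0, "question_sum": 0, "multi_q": 0, "bad_rcode": 0})
    rcode_hist = defaultdict(int)
    for src, dst, payload in packets:
        try:
            hdr = parse_dns_header(payload)
        except ValueError:
            continue  # runt packet: no usable header, nothing to count
        if hdr["qr"] == 0:
            s = per_source[src]
            s["queries"] += 1
            s["question_sum"] += hdr["qdcount"]   # what the Question Count graph sums
            if hdr["qdcount"] > 1:                # the page treats any Qcount > 1 as suspicious
                s["multi_q"] += 1
        else:
            rcode_hist[hdr["rcode"]] += 1          # feeds the DNS Rcode [0-15] graph
            if hdr["rcode"] != 0:
                per_source[dst]["bad_rcode"] += 1  # RCODE != 0 counts against the client that asked
    return dict(per_source), dict(rcode_hist)


def over_threshold(per_source, threshold=QUESTION_THRESHOLD, interval_s=1):
    """Sources whose Question Count rate exceeds the threshold (sorted for stable output)."""
    return sorted(src for src, s in per_source.items() if s["question_sum"] / interval_s > threshold)


def sample_packets():
    """Constructed traffic using RFC 5737 documentation addresses: one well-behaved client, one
    client sending 200-question queries that the resolver answers with NXDomain/Refused, and one
    runt packet."""
    client, abuser, resolver = "198.51.100.7", "203.0.113.9", "192.0.2.53"
    pkts = [(client, resolver, build_dns(i)) for i in range(3)]
    pkts += [(resolver, client, build_dns(i, response=True)) for i in range(3)]
    pkts += [(abuser, resolver, build_dns(10 + i, qdcount=200)) for i in range(2)]
    pkts += [(resolver, abuser, build_dns(10 + i, response=True, rcode=3)) for i in range(2)]
    pkts += [(resolver, abuser, build_dns(12, response=True, rcode=5))]
    pkts += [(abuser, resolver, b"\x00\x01")]  # runt: shorter than a DNS header
    return pkts


if __name__ == "__main__":
    stats, hist = summarize(sample_packets())
    for src, s in sorted(stats.items()):
        print(src, s)
    print("rcodes:", {RCODE_NAMES.get(k, k): v for k, v in sorted(hist.items())})
    print("over Question Count threshold:", over_threshold(stats))
```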

NTP Tab

Request

Displays NTP Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • NTP Request Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for NTP Requests
  • NTP Request Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for NTP Requests.
  • NTP Requests Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting NTP Request Threshold.

Response

Displays NTP Response Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • NTP Response Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for NTP Responses.
  • NTP Response Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for NTP Responses.
  • NTP Responses Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting NTP Response Threshold.

Broadcast

Displays NTP Broadcast Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • NTP Broadcast packet Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for NTP Broadcast packets.
  • NTP Broadcast packet Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for NTP Broadcast packets.
  • NTP Broadcast packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting NTP Broadcast packet Threshold.

Response Per Destination

Displays NTP Response per Destination Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • NTP Response per Destination Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for NTP Response per Destination packets to any single protected Destination IP address.
  • NTP Response per Destination Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for NTP Response per Destination packets to any single protected Destination IP address.
  • NTP Response per Destination packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting NTP Response per Destination Threshold.

DTLS Tab

DTLS

Displays DTLS Traffic, Threshold and per-5-minute Drop information for:

  • Client Hello per Source Ingress Max Packet Rate (pps) - Trend in maximum observed ingress Client Hello packets from any single Source IP address.
  • Client Hello per Source Egress Max Packet Rate (pps) - Trend in maximum observed egress Client Hello packets from any single Source IP address.
  • Client Hello per Source packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Client Hello per Source Threshold.
  • Server Hello per Source Ingress Max Packet Rate (pps) - Trend in maximum observed ingress Server Hello packets from any single Source IP address.
  • Server Hello per Source Egress Max Packet Rate (pps) - Trend in maximum observed egress Server Hello packets from any single Source IP address.
  • Server Hello per Source packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Server Hello per Source Threshold.
  • Server Hello per Destination Ingress Max Packet Rate (pps) - Trend in maximum observed ingress Server Hello packets to any single protected Destination IP address.
  • Server Hello per Destination Egress Max Packet Rate (pps) - Trend in maximum observed egress Server Hello packets to any single protected Destination IP address.
  • Server Hello per Destination packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Server Hello per Destination Threshold.

Note: Drops will not appear unless Thresholds for the following are manually set in Service Protection Policy > Thresholds > Scalars:

  • Client Hello per Source
  • Server Hello per Source
  • Server Hello per Destination

Use these traffic graphs to determine the peak inbound egress traffic over time, and multiply that peak by 2 to set the manual Threshold.

Using the Layer 7 graphs

Example Layer 7 graph

Before you begin:

• You must have Read permission for the Monitor menu.

• Refer to Reading Monitor graphs to understand the graphs in detail.

To display the graphs:

• Go to Monitor / Traffic Monitor / > Layer 3/4/7 > Layer 7 > [SPP] [HTTP / DNS / NTP] [Y-Axis view] [Direction] [Reporting Period]. Some Graphs may have additional parameter selection such as [Method].

Layer 7 graphs

Statistic

Description

HTTP Tab

Methods

Displays HTTP Method Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. The following Methods are monitored: [GET | HEAD | OPTIONS | TRACE | POST | PUT | DELETE | CONNECT]

Subgraphs for:

  • [Method] Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for the selected HTTP method.
  • [Method] Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for the selected HTTP method.
  • [Method] Estimated Threshold (pps) - Trend in the HTTP Method Estimated Threshold rate as described above.
  • [Method] Packets Dropped (drops per 5-minutes) - Trend in [Method] packets dropped due to the rate-limiting Threshold and/or GET/Post Flood Mitigation settings in the HTTP Profile assigned to an SPP.

Note:

  • Selected Methods can be ACLed per SPP via the HTTP Profile assigned to that SPP.
  • Source IP Validation for GET and POST Floods is available by setting GET and/or POST Flood Mitigation features in the HTTP Profile assigned to this SPP.

Method per Source

Displays HTTP Method per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information:

  • Method per Source Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for any single Source IP.
  • Method per Source Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for any single Source IP.
  • Method per Source Estimated Threshold (pps) - Trend in the HTTP Method Estimated Threshold rate as described above.
  • Method per Source Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Methods per Source Threshold

URLs

Displays HTTP URL Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. URL can be over 4000 characters long, resulting in almost unlimited numbers of URLs. FortiDDoS tracks the top 32,000 URLs but uses a single Threshold learned from Traffic Statistics to rate-limit any URL. URLs are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe URL Drops in the Attack Logs to obtain the hash index under attack.

  • URL <Index> Ingress Max Packet Rate (pps) - Trend in observed URL <Index> ingress maximum rate.
  • URL <Index> Egress Max Packet Rate (pps) - Trend in observed URL <Index> egress maximum rate.
  • URL <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting URL Threshold.
  • URL <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any URL ACLs created in an HTTP Profile assigned to an SPP.

Note: Specific URLs may be ACLed via the HTTP Profile assigned to an SPP.

Hosts

Displays HTTP Host Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Hosts but uses a single Threshold learned from Traffic Statistics to rate-limit any Host. Hosts are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe Host Drops in the Attack Logs to obtain the hash index under attack.

  • Host <Index> Ingress Max Packet Rate (pps) - Trend in observed Host <Index> ingress maximum rate.
  • Host <Index> Egress Max Packet Rate (pps) - Trend in observed Host <Index> egress maximum rate.
  • Host <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Host Threshold.
  • Host <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any Host ACLs created in an HTTP Profile assigned to an SPP.

Note: Specific Hosts may be ACLed via the HTTP Profile assigned to an SPP.

Referers

Displays HTTP Referer Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Referers but uses a single Threshold learned from Traffic Statistics to rate-limit any Referer. Hosts are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe Referer Drops in the Attack Logs to obtain the hash index under attack.

  • Referer <Index> Ingress Max Packet Rate (pps) - Trend in observed Referer <Index> ingress maximum rate.
  • Referer <Index> Egress Max Packet Rate (pps) - Trend in observed Referer <Index> egress maximum rate.
  • Referer <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Referer Threshold.
  • Referer <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any Referer ACLs created in an HTTP Profile assigned to an SPP.

Note: Specific Referer may be ACLed via the HTTP Profile assigned to an SPP.

Cookies

Displays HTTP Cookie Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Cookies but uses a single Threshold learned from Traffic Statistics to rate-limit any Cookie. Cookies are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe Cookie Drops in the Attack Logs to obtain the hash index under attack.

  • Cookie <Index> Ingress Max Packet Rate (pps) - Trend in observed Cookie <Index> ingress maximum rate.
  • Cookie <Index> Egress Max Packet Rate (pps) - Trend in observed Cookie <Index> egress maximum rate.
  • Cookie <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Cookie Threshold.
  • Cookie <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any Cookie ACLs created in an HTTP Profile assigned to an SPP

Note: Specific Cookies may be ACLed via the HTTP Profile assigned to an SPP.

User Agents

Displays HTTP User Agent Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 User Agents but uses a single Threshold learned from Traffic Statistics to rate-limit any Cookie.

Cookies are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe User Agent Drops in the Attack Logs to obtain the hash index under attack.

  • User Agent <Index> Ingress Max Packet Rate (pps) - Trend in observed User Agent <Index> ingress maximum rate.
  • User Agent <Index> Egress Max Packet Rate (pps) - Trend in observed User Agent <Index> egress maximum rate.
  • User Agent <Index> Packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting User Agent Threshold.
  • User Agent <Index> Packets Blocked (drops per 5-minutes) - Trend in packets dropped due to any User Agent ACLs created in an HTTP Profile assigned to an SPP

Note: Specific User Agents may be ACLed via the HTTP Profile assigned to an SPP.

DNS Tab

DNS Query

Displays DNS Query Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

Subgraphs for:

  • UDP Query Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for UDP Queries
  • UDP Query Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for UDP Queries.
  • UDP Query Estimated Threshold (pps) - Trend in the UDP Query Method Estimated Threshold rate as described above.
  • TCP Query Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Queries
  • TCP Query Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Queries.
  • TCP Query Estimated Threshold (pps) - Trend in the TCP Query Method Estimated Threshold rate as described above.
  • TCP Query Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Query Threshold

Note:

  • When the DNS Query Threshold is crossed, the system begins DNS Source and Query (payload) validation. If DNS Anti-spoofing and Validations options are not enabled in a DNS Profile assigned to an SPP, no DNS Query mitigation will be done.
  • If over-threshold DNS Queries pass both Source and Query validation, they will be allowed and you may see Query rates on the graph higher than the Threshold.
  • Drops caused by UDP Query Validations are displayed in Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS graph
  • TCP Queries will be Source validated with Layer 4 SYN validations and will then be rate-limited (no Query validation) by the independent TCP Query Threshold.

Query Per Source

Displays DNS UDP/TCP Query per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

  • Query per Source Ingress Max Packet Rate (pps) - Trend in observed ingress maximum DNS Query rate for any single Source IP.
  • Query per Source Egress Max Packet Rate (pps) - Trend in observed egress maximum DNS Query rate for any single Source IP.
  • Query per Source Estimated Threshold (pps) - Trend in the DNS Query Estimated Threshold rate as described above.
  • Query per Source Packets Dropped - Trend in packets dropped due to the rate-limiting DNS Query per Source Threshold

Note: If Block Identified Source is disabled in a DNS Profile assigned to an SPP, the Query per Source Threshold is neither tracked nor displayed on the graph.

Suspicious Sources

Displays DNS Packet-Track per Source (Suspicious Sources) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

Packet-Track per Source (Suspicious Sources) is based on a machine-learned, heuristics-based score that counts, for any single Source, fragmented packets, Responses with no matching Query in the DQRM (DNS Query Response Matching) table, and Queries that generate Responses with an RCODE other than 0.

  • Packet-Track per Source Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for any single Source IP.
  • Packet-Track per Source Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for any single Source IP.
  • Packet-Track per Source Estimated Threshold (pps) - Trend in the Estimated Threshold rate as described above.
  • Packet-Track per Source Packets Dropped - Trend in packets dropped due to the rate-limiting Packet-Track per Source Threshold

Note: If Block Identified Source is disabled in a DNS Profile assigned to an SPP, the DNS Packet-Track per Source (Suspicious Sources) Threshold is neither tracked nor displayed on the graph.

Question Count

Displays the sum of all Question Count fields in all DNS UDP/TCP Query Packets, Threshold, Estimated Threshold and per-5-minute Drop information.

  • UDP Question Ingress Max Packet Rate (Sum of Question Count per second) - Trend in observed ingress maximum count for UDP Questions.
  • UDP Question Egress Max Packet Rate (Sum of Question Count per second) - Trend in observed egress maximum count for UDP Questions.
  • UDP Question Estimated Threshold (Sum of Question Count per second) - Trend in the UDP Question Count Estimated Threshold rate as described above.
  • TCP Question Ingress Max Packet Rate (Sum of Question Count per second) - Trend in observed ingress maximum count for TCP Questions.
  • TCP Question Egress Max Packet Rate (Sum of Question Count per second) - Trend in observed egress maximum count for TCP Questions.
  • TCP Question Estimated Threshold (Sum of Question Count per second) - Trend in the TCP Question Count Estimated Threshold rate as described above.
  • TCP Question Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Question Count Threshold.

Note:

  • The Question Count (QDCOUNT) field in the DNS header is 16 bits wide, so a single Query can nominally claim up to 65,535 questions, for example A records for that many different FQDNs. A DNS Response, however, answers only a single question, so any Question Count greater than 1 is invalid and suspicious. In normal traffic the Question Count graphs should track the DNS Query graphs one-for-one.
  • When the DNS Question Count Threshold is crossed, the system begins DNS Source and Query (payload) validation. If DNS Anti-spoofing and Validations options are not enabled in a DNS Profile assigned to an SPP, no DNS Question Count mitigation will be done.
  • If over-threshold DNS Question Count pass both Source and Query validation, they will be allowed and you may see Question Counts on the graph higher than the Threshold.
  • Drops caused by UDP Question Count Validations are displayed in Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS graph
  • TCP Question Counts will be Source validated with Layer 4 SYN validations and will then be rate-limited (no Query validation) by the independent TCP Question Count Threshold.

Fragment

Displays the DNS UDP/TCP Query Fragment Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

Note: Only the first fragment in a series of fragments carries the Layer 4 header needed to identify the packet as a DNS Fragment, so only first fragments are displayed on this graph. Subsequent fragments carry Layer 3 information only and are displayed on the Monitor / Traffic Monitor / > Layer 3/4/7 > Layer 3 > Other > Fragmented Packet graph.

  • UDP Fragment Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for UDP Fragments.
  • UDP Fragment Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for UDP Fragments.
  • UDP Fragment Estimated Threshold (pps) - Trend in the UDP Fragment Estimated Threshold rate as described above.
  • TCP Fragment Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Fragments.
  • TCP Fragment Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Fragments.
  • TCP Fragment Estimated Threshold (pps) - Trend in the TCP Fragment Estimated Threshold rate as described above.
  • TCP Fragment Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Fragment Threshold.
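The Note above is easiest to see with the bits in hand: a fragment's position is given by the IPv4 fragment offset and the MF ("more fragments") flag, and only the fragment at offset 0 has a UDP or TCP header behind the IP header. The following Python is an added example written for this page, not FortiDDoS code. It builds constructed IPv4 fragments (the addresses, identification values and sizes are invented) and sorts each packet onto the graph where this page says it appears: the Layer 7 DNS Fragment graph for a first fragment with port 53, or the Layer 3 Fragmented Packet graph for any later fragment.

```python
import struct
import ipaddress

IPPROTO_TCP, IPPROTO_UDP, DNS_PORT = 6, 17, 53
MF_FLAG = 0x2000        # "more fragments" bit in the IPv4 flags/fragment-offset field
OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units

def build_ipv4(src, dst, proto, ident, more_fragments, frag_offset, payload):
    """Constructed minimal IPv4 header (IHL 5, no options, checksum left zero) in front of payload."""
    flags_frag = (MF_FLAG if more_fragments else 0) | (frag_offset & OFFSET_MASK)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def udp_header(sport, dport, datagram_payload_len):
    """UDP header whose length field covers the whole (unfragmented) datagram; checksum left zero."""
    return struct.pack("!HHHH", sport, dport, 8 + datagram_payload_len, 0)

def classify(pkt):
    """Which graph a packet lands on: Layer 7 DNS Fragment, Layer 3 Fragmented Packet, or neither."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & MF_FLAG)
    offset_bytes = (flags_frag & OFFSET_MASK) * 8
    if offset_bytes == 0 and not more:
        return "unfragmented"
    if offset_bytes > 0:
        # Non-first fragment: the transport header went with the first fragment, so only Layer 3 fields exist.
        return "layer3-fragment"
    # First fragment (offset 0, MF set): the transport header directly follows the IP header.
    l4 = pkt[ihl:]
    if proto in (IPPROTO_UDP, IPPROTO_TCP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        if DNS_PORT in (sport, dport):
            return "dns-udp-first-fragment" if proto == IPPROTO_UDP else "dns-tcp-first-fragment"
    return "other-first-fragment"

def sample_classifications():
    """Constructed 2,000-byte UDP DNS payload split at a 1500-byte MTU, plus one small unfragmented query."""
    q = b"\x00" * 2000   # stand-in for a large DNS payload; contents do not matter for fragment handling
    first = build_ipv4("192.0.2.10", "198.51.100.53", IPPROTO_UDP, 0x1234, True, 0,
                       udp_header(40000, DNS_PORT, len(q)) + q[:1472])          # 1480 L4 bytes, multiple of 8
    last = build_ipv4("192.0.2.10", "198.51.100.53", IPPROTO_UDP, 0x1234, False, 1480 // 8, q[1472:])
    whole = build_ipv4("192.0.2.11", "198.51.100.53", IPPROTO_UDP, 0x1235, False, 0,
                       udp_header(40001, DNS_PORT, 32) + b"\x00" * 32)
    return [classify(first), classify(last), classify(whole)]

if __name__ == "__main__":
    print(sample_classifications())
```

The second fragment is what the Layer 3 graph sees: same source, destination and identification as the first, but no port numbers, so nothing in it says "DNS". Reassembly-evasion tricks that push the transport header into a later fragment (a tiny first fragment) would likewise fall out of the Layer 7 count, which is why a rise on the Layer 3 Fragmented Packet graph is worth correlating with this one.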

QType MX

Displays the DNS UDP/TCP Query Type MX (email) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

  • UDP Query Type MX Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for UDP Query Type MX.
  • UDP Query Type MX Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for UDP Query Type MX.
  • UDP Query Type MX Estimated Threshold (pps) - Trend in the UDP Query Type MX Estimated Threshold rate as described above.
  • TCP Query Type MX Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Query Type MX.
  • TCP Query Type MX Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Query Type MX.
  • TCP Query Type MX Estimated Threshold (pps) - Trend in the TCP Query Type MX Estimated Threshold rate as described above.
  • TCP Query Type MX Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Query Type MX Threshold.

Note:

  • When the DNS Query Type MX Threshold is crossed, the system begins DNS Source and Query (payload) validation. If DNS Anti-spoofing and Validations options are not enabled in a DNS Profile assigned to an SPP, no DNS Query mitigation will be done.
  • If over-threshold DNS Queries pass both Source and Query validation, they will be allowed and you may see Query Type MX rates on the graph higher than the Threshold.
  • Drops caused by UDP Query Validations are displayed in Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS graph
  • TCP Type MX Queries will be Source validated with Layer 4 SYN validations and will then be rate-limited (no Query validation) by the independent TCP Query Type MX Threshold.

QType All

Displays the DNS UDP/TCP Query Type ALL (ANY/*) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

  • UDP Query Type ALL Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for UDP Query Type ALL.
  • UDP Query Type ALL Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for UDP Query Type ALL.
  • UDP Query Type ALL Estimated Threshold (pps) - Trend in the UDP Query Type ALL Estimated Threshold rate as described above.
  • TCP Query Type ALL Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Query Type ALL.
  • TCP Query Type ALL Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Query Type ALL.
  • TCP Query Type ALL Estimated Threshold (pps) - Trend in the TCP Query Type ALL Estimated Threshold rate as described above.
  • TCP Query Type ALL Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Query Type ALL Threshold.

Note:

  • When the DNS Query Type ALL Threshold is crossed, the system begins DNS Source and Query (payload) validation. If DNS Anti-spoofing and Validations options are not enabled in a DNS Profile assigned to an SPP, no DNS Query mitigation will be done.
  • If over-threshold DNS Queries pass both Source and Query validation, they will be allowed and you may see Query Type ALL rates on the graph higher than the Threshold.
  • Drops caused by UDP Query Validations are displayed in Monitor > Drops Monitor > Flood Drops > Layer 7 > DNS graph
  • TCP Type ALL Queries will be Source validated with Layer 4 SYN validations and will then be rate-limited (no Query validation) by the independent TCP Query Type ALL Threshold.

QType Zone Transfer

Displays the DNS TCP Query Type Zone Transfer Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.

  • TCP Query Type Zone Transfer Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for TCP Query Type Zone Transfer.
  • TCP Query Type Zone Transfer Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for TCP Query Type Zone Transfer.
  • TCP Query Type Zone Transfer Estimated Threshold (pps) - Trend in the TCP Query Type Zone Transfer Estimated Threshold rate as described above.
  • TCP Query Type Zone Transfer Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting TCP Query Type Zone Transfer Threshold.

Note: Zone Transfer requests are carried over TCP. If an attacker sends Zone Transfer query types over UDP, the UDP Query Thresholds and mitigations apply instead.

DNS Response Code

Displays the DNS Response Code Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. Every DNS Response carries a 4-bit Response Code (RCODE) describing the outcome of the Query. The field allows 16 values (0-15), but many are unassigned, not implemented or rarely used. The most-used Response Codes are 0=No Error (good Response), 1=Query Format Error, 2=Server Failure, 3=NXDomain and 5=Refused.

The DNS Response Code graph contains an additional selection field to enter the Response Code of interest from 0-15.

  • DNS Rcode [0-15] Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for DNS Rcode [0-15].
  • DNS Rcode [0-15] Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for DNS Rcode [0-15].
  • DNS Rcode [0-15] Ingress Drops (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting DNS Rcode [0-15] Threshold.
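The counters behind the Suspicious Sources, Question Count, QType and DNS Response Code graphs above are all derived from a handful of DNS header and question-section fields, and reproducing them offline is a useful way to sanity-check what a graph is showing. The following Python is an added example written for this page, not FortiDDoS code and not the device's scoring algorithm. It parses constructed DNS messages, sums QDCOUNT per source (flagging anything other than 1, as the Question Count note explains), counts MX, ANY and zone-transfer query types, keys non-zero RCODE responses back to the querying source, and lists sources that exceed assumed per-window limits. The sample packets, addresses, counter names and threshold values are invented for illustration; the device's Thresholds are per-second rates learned or set per SPP.

```python
import struct
from collections import defaultdict

QTYPE_MX, QTYPE_IXFR, QTYPE_AXFR, QTYPE_ANY = 15, 251, 252, 255

def build_dns(txid, is_response, rcode, questions):
    """Constructed DNS message: 12-byte header plus the given (name, qtype) questions, no RRs."""
    flags = (0x8000 if is_response else 0) | 0x0100 | (rcode & 0x0F)   # QR, RD, RCODE
    msg = bytearray(struct.pack("!HHHHHH", txid, flags, len(questions), 0, 0, 0))
    for name, qtype in questions:
        for label in name.rstrip(".").split("."):
            msg += bytes([len(label)]) + label.encode("ascii")
        msg += b"\x00" + struct.pack("!HH", qtype, 1)                    # root label, QTYPE, QCLASS IN
    return bytes(msg)

def parse_dns(msg):
    """Header fields plus the question list; ValueError if the header promises more than the packet carries."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, questions = 12, []
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(msg):
                raise ValueError("truncated question section")
            ln = msg[pos]
            pos += 1
            if ln == 0:
                break
            if ln & 0xC0:
                raise ValueError("compression pointer or bad label in question name")
            labels.append(msg[pos:pos + ln].decode("ascii", "replace"))
            pos += ln
        if pos + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
        pos += 4
        questions.append((".".join(labels), qtype))
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qdcount, "questions": questions}

def tally(packets):
    """packets: iterable of (src_ip, dst_ip, dns_bytes). Per-source counters named after the graphs above."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, dst, msg in packets:
        try:
            d = parse_dns(msg)
        except ValueError:
            per_src[src]["malformed"] += 1      # e.g. QDCOUNT claims 300 questions, packet carries one
            continue
        if d["qr"]:
            # Responses flow back to the querier, so a non-zero RCODE is scored against the destination.
            if d["rcode"] != 0:
                per_src[dst]["rcode_nonzero"] += 1
            continue
        c = per_src[src]
        c["query"] += 1
        c["question_sum"] += d["qdcount"]      # what the Question Count graph sums
        if d["qdcount"] != 1:
            c["qdcount_invalid"] += 1          # a Response can answer only one question
        for _name, qtype in d["questions"]:
            if qtype == QTYPE_MX:
                c["mx"] += 1
            elif qtype == QTYPE_ANY:
                c["any"] += 1
            elif qtype in (QTYPE_AXFR, QTYPE_IXFR):
                c["zone_transfer"] += 1
    return per_src

def suspicious_sources(per_src, thresholds):
    """Sources exceeding any assumed per-window threshold, with the counters that tripped."""
    hits = {}
    for src, c in per_src.items():
        tripped = sorted(k for k, limit in thresholds.items() if c.get(k, 0) > limit)
        if tripped:
            hits[src] = tripped
    return hits

# Constructed sample: one well-behaved client (192.0.2.10) and one abusive one (203.0.113.7).
SERVER = "198.51.100.53"
SAMPLE = [
    ("192.0.2.10", SERVER, build_dns(1, False, 0, [("www.example.com", 1)])),
    (SERVER, "192.0.2.10", build_dns(1, True, 0, [("www.example.com", 1)])),
    ("203.0.113.7", SERVER, build_dns(2, False, 0, [("example.com", QTYPE_ANY)])),
    ("203.0.113.7", SERVER, build_dns(3, False, 0, [("a.example", 1), ("b.example", 1), ("c.example", 1)])),
    ("203.0.113.7", SERVER, build_dns(4, False, 0, [("example.com", QTYPE_AXFR)])),
    (SERVER, "203.0.113.7", build_dns(2, True, 5, [])),
    (SERVER, "203.0.113.7", build_dns(3, True, 1, [])),
    (SERVER, "203.0.113.7", build_dns(4, True, 5, [])),
    ("203.0.113.7", SERVER, struct.pack("!HHHHHH", 5, 0x0100, 300, 0, 0, 0)
                            + b"\x07example\x03com\x00\x00\x01\x00\x01"),   # QDCOUNT lies
]
# Assumed per-window limits for the demo only.
THRESHOLDS = {"query": 2, "question_sum": 3, "qdcount_invalid": 0, "any": 0,
              "zone_transfer": 0, "rcode_nonzero": 1, "malformed": 0}

if __name__ == "__main__":
    for src, tripped in suspicious_sources(tally(SAMPLE), THRESHOLDS).items():
        print(src, "exceeded", ", ".join(tripped))
```

Two design points carry over to reading the real graphs. First, the response-side evidence (RCODE other than 0) is attributed to the address that asked, which is why the Suspicious Sources graph can climb for a source even when its own query rate looks modest. Second, a packet whose QDCOUNT does not match its question section is rejected outright by the parser rather than counted as 300 questions; when Query validation is enabled that is the kind of packet the DNS drops graph will show.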

NTP Tab

Request

Displays NTP Request Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • NTP Request Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for NTP Requests
  • NTP Request Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for NTP Requests.
  • NTP Requests Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting NTP Request Threshold

Response

Displays NTP Response Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • NTP Response Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for NTP Responses.
  • NTP Response Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for NTP Responses.
  • NTP Responses Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting NTP Response Threshold.

Broadcast

Displays NTP Broadcast Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • NTP Broadcast packet Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for NTP Broadcast packets.
  • NTP Broadcast packet Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for NTP Broadcast packets.
  • NTP Broadcast packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting NTP Broadcast packet Threshold

Response Per Destination

Displays NTP Response per Destination Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • NTP Response per Destination Ingress Max Packet Rate (pps) - Trend in observed ingress maximum rate for NTP Response per Destination packets to any single protected Destination IP address.
  • NTP Response per Destination Egress Max Packet Rate (pps) - Trend in observed egress maximum rate for NTP Response per Destination packets to any single protected Destination IP address.
  • NTP Response per Destination packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting NTP Response per Destination Threshold.

DTLS Tab

DTLS

Displays DTLS Traffic, Threshold and per-5-minute Drop information for:

  • Client Hello per Source Ingress Max Packet Rate (pps) - Trend in maximum observed ingress Client Hello packets from any single Source IP address.
  • Client Hello per Source Egress Max Packet Rate (pps) - Trend in maximum observed egress Client Hello packets from any single Source IP address.
  • Client Hello per Source packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Client Hello per Source Threshold
  • Server Hello per Source Ingress Max Packet Rate (pps) - Trend in maximum observed ingress Server Hello packets from any single Source IP address.
  • Server Hello per Source Egress Max Packet Rate (pps) - Trend in maximum observed egress Server Hello packets from any single Source IP address.
  • Server Hello per Source packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Server Hello per Source Threshold
  • Server Hello per Destination Ingress Max Packet Rate (pps) - Trend in maximum observed ingress Server Hello packets to any single protected destination IP address.
  • Server Hello per Destination Egress Max Packet Rate (pps) - Trend in maximum observed egress Server Hello packets to any single protected destination IP address.
  • Server Hello per Destination packets Dropped (drops per 5-minutes) - Trend in packets dropped due to the rate-limiting Server Hello per Destination Threshold

Note: Drops will not appear unless Thresholds for the following are manually set in Service Protection Policy > Thresholds > Scalars:

  • Client Hello per Source
  • Server Hello per Source
  • Server Hello per Destination

Use these traffic graphs to determine the peak rate of inbound traffic that egressed (was passed to the protected destination rather than dropped) over time, and set the manual Threshold at roughly 2x that peak.