SPP

SPP Overview

FortiView SPP displays a summary view of traffic and attacks based on FortiDDoS RRDs data, including source geolocations (when identifiable), attack types, and protocol types.

FortiView SPP provides a list view of all configured SPPs with the following columns:

  • Name: Configured SPP name. The “default” SPP is always present.
  • Inbound Operating Mode: Detection or Prevention.
  • Outbound Operating Mode: Detection or Prevention.
  • Passed Traffic: Total passed traffic in Packets or Bits over the selected time period, depending on the modifier settings below.
  • Blocked Traffic: Dropped Packets or Bits over the selected time period, depending on the modifier settings below.
  • Protection Subnets: Summary of all Protection Subnets configured in this SPP.
  • View icon: Icon to select the SPP View mode.

You can adjust the display using the following parameters:

  • Time period (1 hour, 1 day, 1 week, or 1 month)
  • Inbound or Outbound Traffic and Drops
  • Bits or Packets Traffic and Drops

Sample SPP list view

SPP Summary View

The SPP Summary View displays a top-level view of SPP information, the SPP traffic chart, and SPP Countries/Attacks/Protocols.

The SPP Summary View page has 2 global modifiers:

  • Time period (1 hour, 1 day, 1 week, or 1 month)
  • Inbound or Outbound Traffic and Drops

SPP Information

The SPP Information panel provides the same summary information as the SPP list view:

  • SPP configured Name
  • SPP Number (system-generated)
  • Inbound Mode (Detection | Prevention)
  • Outbound Mode (Detection | Prevention)
  • Passed Traffic (total for the time period) (Packets | Bits)
  • Blocked Traffic (total for the time period) (Packets | Bits)
  • Protection Subnets – Only 1 subnet appears. The More button displays all configured Protection Subnets.

SPP Information has a single modifier selection for Packets or Bits.

SPP Information

SPP Traffic Chart

The SPP Traffic Chart displays Ingress and Egress traffic based on the global modifiers for Time Period and Direction.

Note: FortiDDoS displays Ingress and Egress traffic differently than most networking products.

  • Inbound Ingress traffic is from the Internet to FortiDDoS. Inbound Egress traffic is from FortiDDoS to your local network.
  • Conversely, Outbound Ingress is from your local network to FortiDDoS and Outbound Egress traffic is from FortiDDoS to the Internet.

Because both lines are measured for the same SPP, the gap between Ingress and Egress is exactly what FortiDDoS dropped, which allows instant recognition of dropped packets as the traffic traverses FortiDDoS. In the screenshot below, it is obvious that the orange Egress traffic is lower than the green Ingress traffic. This shows that FortiDDoS dropped attack traffic as it passed through the system / SPP.

On the chart, you can:

  • Select Linear or Logarithmic Y-axis views. Logarithmic view allows you to see both Ingress and Egress graphs if there is a very large differential between them.
  • Select Packets (pps) or Bits (bps).
  • Roll the cursor over the graph to reveal a tool tip with precise Ingress/Egress traffic details.
  • Refresh the graph. Most FortiDDoS graphs do not auto-refresh.
  • Toggle either Ingress or Egress graphs off or on by selecting the graph icon beside the X-axis labels.
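The following is an added example, not FortiDDoS code, that reads a traffic series the way the chart above is meant to be read: Ingress is what enters the appliance, Egress is what leaves it, so Ingress minus Egress is what the SPP dropped, and the Passed/Blocked totals on the list view follow from that. The Interval record layout, the sample counters and the 10% drop threshold are all assumptions made for the example; real FortiDDoS RRD data is not in this format.

```python
"""Added example (not FortiDDoS code): interpreting SPP Ingress/Egress
counters under the direction convention described on the page."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Interval:
    """Constructed counters for one chart step (hypothetical record layout)."""
    ingress_packets: int
    ingress_bytes: int
    egress_packets: int
    egress_bytes: int


def endpoints(direction: str) -> Tuple[str, str]:
    """Map the page's convention to (Ingress path, Egress path)."""
    if direction == "inbound":
        return ("Internet -> FortiDDoS", "FortiDDoS -> local network")
    if direction == "outbound":
        return ("local network -> FortiDDoS", "FortiDDoS -> Internet")
    raise ValueError(f"unknown direction: {direction!r}")


def counts(iv: Interval, unit: str) -> Tuple[int, int]:
    """Ingress and Egress for one interval, in packets or bits."""
    if unit == "packets":
        return iv.ingress_packets, iv.egress_packets
    if unit == "bits":
        return iv.ingress_bytes * 8, iv.egress_bytes * 8
    raise ValueError(f"unit must be 'packets' or 'bits', got {unit!r}")


def summarize(intervals: List[Interval], unit: str = "packets") -> Dict[str, int]:
    """Passed (Egress) and Blocked (Ingress - Egress) totals for the period.

    Egress can never exceed Ingress for the same SPP, so a sample where it
    does is treated as corrupt data rather than silently producing a
    negative drop count."""
    passed = blocked = 0
    for n, iv in enumerate(intervals):
        ingress, egress = counts(iv, unit)
        if egress > ingress:
            raise ValueError(f"interval {n}: egress {egress} > ingress {ingress}")
        passed += egress
        blocked += ingress - egress
    return {"passed": passed, "blocked": blocked}


def attack_intervals(intervals: List[Interval], unit: str = "packets",
                     min_drop_fraction: float = 0.10) -> List[int]:
    """Indices where the Egress line visibly falls below Ingress, i.e. the
    SPP dropped at least min_drop_fraction of what entered (assumed cut-off)."""
    flagged = []
    for n, iv in enumerate(intervals):
        ingress, egress = counts(iv, unit)
        if ingress and (ingress - egress) / ingress >= min_drop_fraction:
            flagged.append(n)
    return flagged


# Constructed five-interval inbound series (not captured data): a SYN flood
# of 64-byte packets in intervals 2 and 3 that the SPP drops almost
# entirely. Being small packets, the flood stands out far more in the
# Packets view than in the Bits view.
SAMPLE = [
    Interval(10_000, 8_000_000, 10_000, 8_000_000),
    Interval(11_000, 8_800_000, 11_000, 8_800_000),
    Interval(510_000, 40_100_000, 12_000, 8_100_000),
    Interval(610_000, 46_500_000, 12_000, 8_100_000),
    Interval(12_000, 9_600_000, 12_000, 9_600_000),
]

if __name__ == "__main__":
    print("inbound:", endpoints("inbound"))
    for unit in ("packets", "bits"):
        print(unit, summarize(SAMPLE, unit), "attack intervals:",
              attack_intervals(SAMPLE, unit))
```

Run with the Bits unit as well as Packets: the same two intervals are flagged, but the blocked share is much smaller in bits, which is the same effect the Attacks and Protocols notes later on the page describe.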

Countries Graph

The Countries graph and table provide geolocation information for the top Source countries of passed (Egress) traffic based on the global page modifiers for Time Period and Direction.

The Countries graph includes the following modifiers:

  • Select Linear or Logarithmic Y-axis views. Logarithmic selection allows a better view if there is a very large differential between the various graph parameters.
  • Select Packets (pps) or Bits (bps)
  • Roll the cursor over the graph to reveal a tool tip with precise traffic details for any point on the graph.
  • Refresh the graph. Most FortiDDoS graphs do not auto-refresh.
  • Toggle the various Country sub-graphs off or on by selecting the graph icon beside the X-axis labels.

The Countries table provides a top Countries summary with Passed and Blocked packets (total) and rates (pps).

Caution

The Countries graph/table should not be used on its own for geolocation ACL decisions. FortiDDoS attempts to geolocate the Source IP of any passed packet, but UDP and ICMP packets (and any non-TCP protocol) cannot be source-validated, and packets that stay under threshold may still carry spoofed Source IPs. While the Countries graph is interesting to look at, it has little forensic value.

Attack Graph

The Attacks graph and table provide top Attack (drops) information based on the global page modifiers for Time Period and Direction.

The Attacks graph includes the following modifiers:

  • Select Linear or Logarithmic Y-axis views. Logarithmic selection allows a better view if there is a very large differential between the various graph parameters.
  • Select Packets (dropped) or Bits (dropped)
  • Roll the cursor over the graph to reveal a tool tip with precise drop details for any point on the graph.
  • Refresh the graph. Most FortiDDoS graphs do not auto-refresh.
  • Toggle the various Drop sub-graphs off or on by selecting the graph icon beside the X-axis labels.

The Attacks table shows the following information for the global time-period selected:

  • Total Blocked traffic (bits/packets)

Note: The attacks shown and listed may be different for Packets and Bits. SYN Floods use 64-byte packets while DNS Reflection Floods often use 1500-byte packets. Thus a DNS Reflection flood may be in the top “Bits” list while a SYN Flood may be in the top “Packets” list.

Protocols Graph

The Protocols graph and table provide top Protocols information based on the global page modifiers for Time Period and Direction. The Protocols graph shows “allowed” or Egress traffic only.

The Protocols graph includes the following modifiers:

  • Select Linear or Logarithmic Y-axis views. Logarithmic selection allows a better view of Egress graphs if there is a very large differential between the various graph parameters.
  • Select Packets or Bits
  • Roll the cursor over the graph to reveal a tool tip with precise Protocol egress traffic details.
  • Refresh the graph. Most FortiDDoS graphs do not auto-refresh.
  • Toggle the various Protocol sub-graphs off or on by selecting the graph icon beside the X-axis labels.

The Protocols table shows the following information for the global time-period selected:

  • Total passed traffic (bits/packets)
  • Peak pass rate (bps/pps)
  • Total blocked traffic (bits/packets)
  • Peak blocked rate (bps/pps)

Note: The Protocols shown and listed may be different for Packets and Bits depending on the packet sizes seen.
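The following is an added example, not FortiDDoS code, illustrating the point made in both the Attacks note and the Protocols note above: ranking the same drop records by Packets and by Bits produces different top lists, so an analyst who only checks one view can miss an attack that dominates the other. The drop counts and the 1200-byte and 84-byte sizes for the UDP fragment and ICMP entries are constructed for the example; the 64-byte and 1500-byte sizes come from the page.

```python
"""Added example (not FortiDDoS code): why the top Attacks and top
Protocols lists differ between the Packets and Bits views of one period."""

from typing import Dict, List, Tuple

# Constructed drop records for one SPP over one time period (not captured
# data): name -> (dropped packets, average packet size in bytes).
DROPS: Dict[str, Tuple[int, int]] = {
    "SYN flood": (40_000_000, 64),            # 64-byte packets, per the page
    "DNS reflection flood": (2_000_000, 1500),  # 1500-byte packets, per the page
    "UDP fragment flood": (3_000_000, 1200),  # size assumed for the example
    "ICMP flood": (5_000_000, 84),            # size assumed for the example
}


def dropped_bits(packets: int, avg_bytes: int) -> int:
    """Bits dropped for a record; the Bits view ranks by this number."""
    return packets * avg_bytes * 8


def top_n(drops: Dict[str, Tuple[int, int]], unit: str, n: int = 2) -> List[str]:
    """Names ranked by total drops in the chosen unit, highest first."""
    if unit == "packets":
        def score(rec: Tuple[int, int]) -> int:
            return rec[0]
    elif unit == "bits":
        def score(rec: Tuple[int, int]) -> int:
            return dropped_bits(*rec)
    else:
        raise ValueError(f"unit must be 'packets' or 'bits', got {unit!r}")
    ranked = sorted(drops.items(), key=lambda kv: score(kv[1]), reverse=True)
    return [name for name, _ in ranked[:n]]


def only_in_one_view(drops: Dict[str, Tuple[int, int]], n: int = 2) -> Dict[str, List[str]]:
    """Entries present in one top-n list but absent from the other: these
    are the attacks an analyst would miss by reading a single view."""
    by_packets = set(top_n(drops, "packets", n))
    by_bits = set(top_n(drops, "bits", n))
    return {
        "packets_only": sorted(by_packets - by_bits),
        "bits_only": sorted(by_bits - by_packets),
    }


if __name__ == "__main__":
    for unit in ("packets", "bits"):
        print(f"top by {unit}:", top_n(DROPS, unit))
    print(only_in_one_view(DROPS))
```

With these numbers the Packets view is led by the SYN and ICMP floods while the Bits view is led by the UDP fragment and DNS reflection floods, and the two top-2 lists share no entry at all. The same comparison applies to the Protocols table, where packet size again decides which protocols rise to the top in each unit.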
