Handbook

Using the Layer 4 graphs

Example Layer 4 graph

Before you begin:

• You must have Read permission for the Monitor menu.

• Refer to Reading Monitor graphs to understand the graphs in detail.

To display the graphs:
  • Go to Monitor > Traffic Monitor > Layer 3/4/7 > Layer 4 > [SPP] [Sources / Destinations / Protocols / Other] [Y-Axis view] [Direction] [Reporting Period].

The following table summarizes the statistics displayed in each graph.

Layer 4 graphs

Statistic

Description

SYN Tab

SYN

Displays SYN Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • SYN Ingress Max Packet Rate (SYNs/sec) - Trend in observed ingress SYN rate for all SYNs into the SPP.
  • SYN Egress Max Packet Rate (SYNs/sec) - Trend in observed egress SYN rate for all SYNs into the SPP.
  • SYN packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN Estimated Threshold rate as described above.
  • SYN packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN Validation triggered by the SYN Threshold/Estimated Threshold.

Note: SYN Validation option in the TCP Profile assigned to this SPP must be enabled for any SYN mitigation. If source IPs are successfully validated, SYNs may be allowed to exceed the threshold.

SYN Per Source

Displays SYN per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • Ingress SYN per Source Max Packet Rate (SYNs/sec) - Trend in observed ingress maximum rate of SYN packets from a single source IP.
  • Egress SYN per Source Max Packet Rate (SYNs/sec) - Trend in observed egress maximum rate of SYN packets from a single source IP.
  • SYN per Source packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN per Source Estimated Threshold rate as described above.
  • SYN per Source packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN per Source rate-limiting Threshold.

Note: SYN Validation is not performed on identified Sources that exceed the SYN per Source rate – Sources are rate-limited to the SYN per Source threshold.

SYN Per Destination

Displays SYN per Destination Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • SYN per Destination Ingress Max Packet Rate (SYNs/sec) - Trend in observed ingress SYN rate for SYNs to protected Destination IPs.
  • SYN per Destination Egress Max Packet Rate (SYNs/sec) - Trend in observed egress SYN rate for all SYNs into the SPP.
  • SYN per Destination packet rate Estimated Threshold (SYNs/sec) - Trend in the SYN per Destination Estimated Threshold rate as described above.
  • SYN per Destination packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN Validation triggered by the SYN Threshold/Estimated Threshold.

Note: SYN Validation option in the TCP Profile assigned to this SPP must be enabled for any SYN per Destination mitigation. If source IPs are successfully validated, SYN per Destination may be allowed to exceed the threshold.

SYN/ACK

Displays SYN/ACK Traffic, Threshold, and per-5-minute Drop information for:

  • SYN/ACK Ingress Max Packet Rate (SYN/ACKs/sec) - Trend in observed ingress SYN/ACK rate for all SYN/ACKs into the SPP.
  • SYN/ACK Egress Max Packet Rate (SYN/ACKs/sec) - Trend in observed egress SYN/ACK rate for all SYN/ACKs into the SPP.
  • SYN/ACK packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN/ACK in Asym Mode Threshold.

Note:

  • This graph shows inbound traffic only.
  • This graph is only available if:
    • FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
    • SYN/ACK in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars
  • Drop graphs are available only if SYN/ACK in Asym Mode Threshold is manually set. Use this traffic graph to determine peak inbound egress SYN/ACK traffic over time, and multiply by 2x to create the manual threshold. The Threshold is for inbound traffic only.

SYN/ACK Per Destination

Displays SYN/ACK per Destination Traffic, Threshold, and per-5-minute Drop information for:

  • SYN/ACK per Destination Ingress Max Packet Rate (SYN/ACKs/Destination/sec) - Trend in observed maximum ingress SYN/ACK per Destination rate for any Protected IP in the SPP.
  • SYN/ACK per Destination Egress Max Packet Rate (SYN/ACKs/Destination/sec) - Trend in observed egress SYN/ACK per Destination rate for any Protected IP in the SPP.
  • SYN/ACK per Destination packets dropped (Packets/5-Minute Period) - Trend in drops due to the SYN/ACK per Destination in Asym Mode Threshold.

Note:

  • This graph shows inbound traffic only.
  • This graph is only available if:
    • FortiDDoS is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled (Global Protection > Deployment)
    • SYN/ACK per Destination in Asym Mode Threshold is manually set per Service Protection Policy > Thresholds > Scalars
  • Drop graphs are available only if SYN/ACK per Destination in Asym Mode Threshold is manually set. Use this traffic graph to determine peak inbound egress SYN/ACK per Destination traffic over time, and multiply by 2x to create the manual threshold. The Threshold is for inbound traffic only.

Ports Tab

TCP

Displays TCP Port Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • TCP <Port> Ingress Max Packet Rate (packets/sec) - Trend in observed ingress maximum packet rate to the specified port. A spike in this graph shows a possible port flood.
  • TCP <Port> Egress Max Packet Rate (packets/sec) - Trend in observed egress maximum packet rate to the specified port.
  • TCP <Port> Packets Dropped (Packets/5-Minute Period) - Trend in packets dropped due to the rate-limiting Threshold.

Note:

  • FortiDDoS is primarily interested in protecting TCP “service” ports. Traditionally “service” ports have been the well-known ports below port 1024. As applications expanded, many ports over 1024 are used for well-known services such as MSSQL (1433) or RDP (3389). FortiDDoS treats all TCP ports under 10,000 as “service” ports. When a client connects to a service port all the inbound traffic to that port and outbound traffic from that port is associated with the port and the ephemeral client port is ignored. If you see high ports (>10239) in logs, that means high ports are “talking” to other high ports. This may happen with gaming and FTP, for example. The FTP control port is 21 but the server opens a high port and the client uses a new high port to connect to the server “data” port while the control session stays open. You can also define 128 HTTP Service Ports and 128 SSL Service Ports for any port from 1-65535. More information is available in the Service Protection section.
  • FortiDDoS F-series appliances set ranges and thresholds for ports 0-10239 and a single range and threshold for all ports above 10240. Logs will report on all ports from 0-65535. FortiDDoS F-Series VMs set ranges and thresholds for ports 0-1023 and a single range and threshold for all ports over 1024. Logs will report on all ports from 0-1023 but only report port 1024 for higher ports.

UDP

Displays UDP Port Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • UDP <Port> Ingress Max Packet Rate (packets/sec) - Trend in observed ingress maximum packet rate to the specified port.
  • UDP <Port> Egress Max Packet Rate (packets/sec) - Trend in observed egress maximum packet rate to the specified port.
  • UDP <Port> Packets Dropped (Packets/5-Minute Period) - Trend in packets dropped due to the rate-limiting Threshold.

Note: FortiDDoS is primarily interested in protecting TCP “service” ports. Traditionally “service” ports have been the well-known ports below port 1024. As applications expanded, many ports over 1024 are used for well-known services such as MSSQL (1433) or RDP (3389). FortiDDoS treats all TCP ports under 10,000 as “service” ports. When a client connects to a service port all the inbound traffic to that port and outbound traffic from that port is associated with the port and the ephemeral client port is ignored.

Other Tab

Concurrent Connections per Source

Displays Concurrent Connections per Source count, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • Maximum Concurrent Connections per Source (count) - Trend in observed count of concurrent connections for the busiest source each second.
  • Estimated Threshold for Concurrent Connections per Source (count) - Trend in the Concurrent Connections per Source Estimated Threshold rate as described above.
  • Concurrent Connections per Source dropped (count per 5-minutes) - Trend in Connections dropped due to the rate-limiting Threshold.

New Connections

Displays New Connections count, Threshold, Estimated Threshold and per-5-minute Drop information for:

  • Max New Connections Establishment (Connections/sec) – Trend in new connection rate.
  • Estimated Threshold for New Connections Establishment (Connections/sec) - Trend in the New Connections Estimated Threshold rate as described above.
  • New Connections dropped (count per 5-minutes) - Trend in Connections dropped due to the rate-limiting Threshold.

Non-Spoofed IPs

Displays the number of entries in the global Legitimate IP (LIP) Table. The Legitimate IP table displays the count of Source IP addresses that have been successfully validated by one of the 2 SYN Validation parameters (SYN or SYN per Destination). This table will only be populated during SYN Floods and thus if the graph is showing non-zero numbers there has been a SYN or SYN per Destination Flood in one or more of the SPPs.

The legitimate IP address table is maintained and reported as a global count. The graph is identical for all SPPs, when a SYN flood occurs in any SPP.

TCP Sessions

TCP Sessions is an information-only graph that displays counts of the following parameters:

  • Established Connections (count) - Trend in count of entries in the TCP state table that are in the established state (completed three-way handshake).
  • Number of Entries in TCP State Table (count) - Trend in count of all entries in the TCP state table, including half-open connections. If the number of entries in the TCP state table is significantly higher than the number of Established Connections, it indicates a possible SYN flood attack.

Note: The TCP Sessions graph is a global count. It will show identical counts for all SPPs. If this graph looks abnormal, check the three SYN graphs for each SPP.
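The comparison described for the TCP Sessions graph can be scripted over exported samples. This is an added example, not Fortinet code: the `Sample` fields, the sample values, and the `ratio`, `min_run` and `min_entries` cut-offs are assumptions chosen for illustration, since the handbook only says "significantly higher".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    minute: int          # offset of the 5-minute reporting period
    established: int     # "Established Connections (count)"
    state_entries: int   # "Number of Entries in TCP State Table (count)"


def half_open(s):
    """Entries that have not completed the three-way handshake."""
    return max(s.state_entries - s.established, 0)


def is_suspicious(s, ratio, min_entries):
    # Ignore near-idle tables, then compare the table size to established flows.
    if s.state_entries < min_entries:
        return False
    return s.state_entries >= ratio * max(s.established, 1)


def flood_windows(samples, ratio=3.0, min_run=2, min_entries=1000):
    """Return (start_minute, end_minute, peak_half_open) for each run of at
    least `min_run` consecutive samples where the state table dwarfs the
    established count. All three thresholds are illustrative assumptions."""
    windows, run = [], []
    for s in list(samples) + [None]:          # None is a sentinel that flushes the last run
        if s is not None and is_suspicious(s, ratio, min_entries):
            run.append(s)
            continue
        if len(run) >= min_run:
            peak = max(half_open(x) for x in run)
            windows.append((run[0].minute, run[-1].minute, peak))
        run = []
    return windows


# Constructed samples, one per 5-minute period (not real appliance output).
SAMPLES = [
    Sample(0, 4000, 4300),
    Sample(5, 4100, 4500),
    Sample(10, 4050, 19000),
    Sample(15, 3900, 52000),
    Sample(20, 3950, 47000),
    Sample(25, 4000, 4600),
    Sample(30, 4100, 13000),   # single-period blip, dropped when min_run=2
    Sample(35, 4050, 4400),
]

if __name__ == "__main__":
    for start, end, peak in flood_windows(SAMPLES):
        print(f"minutes {start}-{end}: peak half-open entries {peak}")
```

Because the graph is a global count, a flagged window only says when to look; the per-SPP SYN graphs show where.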

ICMP

Displays traffic and drops information for ICMP Types and Codes. Because there are 255 x 255 (65,536) possible Types and Codes there are 2 additional fields on this graph for Type (0-255) and Code (0-255). When a Type/Code is entered, the system converts this to an index number, which appears in the label of each subgraph. For example Type 8 / Code 0 (ping) is index 2048.

Look in Dashboard > Top Attacks: Top Attacked ICMP Type/Codes to see if any Types/Codes are displayed. Enter those in this graph to see the activity.

  • Ingress Max Packet Rate (pps) – Trend in ingress traffic for this Type/Code
  • Egress Max Packet Rate (pps) – Trend in egress traffic for this Type/Code
  • Packets Dropped (drops per 5-minutes) - Packets dropped due to the Type/Code rate-limiting Threshold.
  • Packets Blocked (drops per 5-minutes) – Packets blocked due to an ICMP Type/Code ACL contained in the ICMP Profile assigned to this SPP.

Note:

  • ICMP Type/Code graphs are displayed differently for different FortiDDoS F-Series Models:
    • Thresholds and Ranges – Appliance and VM Thresholds are set for every Type/Code and ranges are set for:
      • Types/Code indexes from 0-10239
      • A single range is set for index 10240-65536
    • Graphs:
      • Appliances display traffic/drops/blocked for all Type Codes to index 65536
      • VMs display traffic/drops/blocked for Type Codes to index 10239. The peak data rate and drops for any indexes from 10240-65535 are all displayed on the 10240 index graph. The actual Type/Code (133/0, for example, not the index) is displayed in any Attack Log.
  • You may need to review the ICMP Profile, Dashboard > Top Attacks > Top ACL Attacks and/or the Attack Logs to identify which Type/Code graph to show the ACL drops.
  • ICMPv4 uses Layer 3 Protocol 1 while ICMPv6 uses Layer 3 Protocol 58. Some ICMP Types/Codes are used on both Protocols and some are unique to one Protocol. The Traffic and Drops graphs show all Type/Codes for any Protocol. The ICMP Profile ACL can select ICMPv4, ICMPv6 or both.
  • As of 2021/03 there are only 113 ICMP Type/Code pairs ratified by IETF and IANA out of the total 65,536 available pairs. Attackers may randomize Types/Codes in an attempt to avoid detection. The ICMP Type Code Anomaly option is available in any ICMP Profile, which automatically drops any Type/Code outside the ratified Types/Codes, without using the rate-limiting Threshold.
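When Attack Logs list Type/Code pairs, the helper below works out which index graph shows each one on an appliance versus a VM. It is an added example, not Fortinet code: the formula index = Type x 256 + Code is inferred from the handbook's Type 8 / Code 0 = 2048 example, and the function names and sample pairs are hypothetical.

```python
APPLIANCE = "appliance"
VM = "vm"
VM_SHARED_INDEX = 10240  # per the handbook, VMs show indexes 10240-65535 on this one graph


def icmp_index(icmp_type, icmp_code):
    """Convert a Type/Code pair to the graph index (inferred: type * 256 + code)."""
    for name, value in (("type", icmp_type), ("code", icmp_code)):
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 255:
            raise ValueError(f"ICMP {name} must be an integer 0-255, got {value!r}")
    return icmp_type * 256 + icmp_code


def index_to_type_code(index):
    """Reverse mapping, for reading a subgraph label back as (type, code)."""
    if isinstance(index, bool) or not isinstance(index, int) or not 0 <= index <= 65535:
        raise ValueError(f"index must be an integer 0-65535, got {index!r}")
    return divmod(index, 256)


def graph_index(icmp_type, icmp_code, model):
    """Index of the graph that displays this pair on the given model."""
    if model not in (APPLIANCE, VM):
        raise ValueError(f"unknown model {model!r}")
    index = icmp_index(icmp_type, icmp_code)
    if model == VM and index >= VM_SHARED_INDEX:
        return VM_SHARED_INDEX          # shared graph for every high index
    return index


def graphs_to_open(log_pairs, model):
    """Group the distinct Type/Code pairs from a log by the graph that shows them."""
    grouped = {}
    for pair in log_pairs:
        bucket = grouped.setdefault(graph_index(pair[0], pair[1], model), [])
        if pair not in bucket:
            bucket.append(pair)
    return dict(sorted(grouped.items()))


# Constructed (type, code) pairs as they might be read from an Attack Log.
SAMPLE_LOG_PAIRS = [(8, 0), (133, 0), (3, 3), (135, 0), (8, 0)]

if __name__ == "__main__":
    for model in (APPLIANCE, VM):
        print(model, graphs_to_open(SAMPLE_LOG_PAIRS, model))
```

On a VM, several unrelated high Types share the 10240 graph, so the Attack Log remains the only place to tell them apart.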
