Appendix A: DDoS Attack Log Reference


The following table provides the description of the fields in the Log Reference table.

Fields and description

| Field | Description |
| --- | --- |
| Event code | 1 - Layer 3, 2 - Layer 4, 4 - Layer 7 |
| Subcode | Internal reference only. |
| Trap Attack Type | Attack Event identifier included in Attack SNMP Traps sent (instead of Event Name). |
| Event Name | Event Type in the web UI Attack Logs and Graphs, description field in syslog. |
| Category | Filter category in web UI Attack Logs. |
| Period | Interrupt: for Rate Flood events, the first event is logged within two minutes after the start of an attack and reported every minute thereafter. Periodic: events other than Rate Flood are logged every 5 minutes. Note: Source IP address is reported only for drops due to per-source thresholds. |

Log reference

Event code | Sub code | SNMP Trap attack type | Event name | Category | Period | Description | Parameter | Graph

1 0 1000 Protocol Flood Rate Flood Interrupt Effective rate limit for the protocol (0-255) has been reached. Protocols are rate-limited at the Threshold. Protocols 6 (TCP) and 17 (UDP) do not normally have Thresholds. Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Protocols

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Protocols

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Protocols Tab

1 1 1001 Other Protocols Fragment Flood Rate Flood Interrupt Effective rate limit for fragments in Protocols other than TCP, UDP and DNS has been reached. Fragments are rate-limited at the Threshold. Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > OTH Fragment Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Other Fragmented Packets

1 7 1007 Source Table Out of Memory Anomaly Periodic If the system-wide Source IP Address table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops. Global Protection > Settings > Out of Memory Mode: Drop | Bypass

None
1 8 1008 Source Flood Rate Flood Interrupt Effective rate limit for the most-active-source threshold has been reached. Source IP address is reported. Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > Most Active Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Source Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Sources Tab > Most Active Source

1 9 1009 Destination Flood Rate Flood Interrupt Effective rate limit for the most-active-destination threshold has been reached. Note: This Threshold is not set by System Recommendations. You may manually add a Threshold if desired. Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > Most Active Destination

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Destination Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Sources Tab > Most Active Destination

1 11 1011 Destination Table Out of Memory Anomaly Periodic If the system-wide Destination IP Address table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops. Global Protection > Settings > Out of Memory Mode: Drop | Bypass

None
1 14 1014 IP Header checksum error Header anomaly Periodic Invalid IP header checksum. Service Protection > IP Profile > IP Strict Anomalies. IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > IP Header Checksum
1 15 1015 Source IP==dest IP Header anomaly Periodic Identical source and protected IP addresses (LAND attack). Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > Source and Destination Address Match
1 16 1016 Source/dest IP==localhost Header anomaly Periodic Source/destination address is the local host (loopback address spoofing). Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > Source/ Destination as Localhost
1 17 1017 L3 anomalies Header anomaly Periodic

Drops due to predefined Layer 3 rules:

- IP version other than IPv4 or IPv6.

- EOP (End of Packet) before 20 bytes of IPv4 data.

- EOP comes before the length specified by Total Length.

- Reserved Flag set.

- More Frag and Don't Frag Flags set.

- Added Anomaly for DSCP and ECN.

Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3
1 23 1023 TCP Fragment Flood Rate Flood Interrupt

Effective rate limit for the TCP fragment has been reached.

Note: Use with care. Misconfigured clients can result in TCP fragmentation. Unless you are sure there can be no TCP Fragmentation, it is better to use the TCP Fragment Threshold than an ACL.

Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds >Scalars > TCP Fragment

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Fragmented Packets

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > TCP Fragmented Packets

1 24 1024 UDP Fragment Flood Rate Flood Interrupt

Effective rate limit for the UDP fragment has been reached.

Note: Use with care. Misconfigured clients can result in UDP fragmentation. Unless you are sure there can be no UDP Fragmentation, it is better to use the UDP Fragment Threshold than an ACL.

Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds >Scalars > UDP Fragment

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Fragmented Packets

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets: UDP Fragmented Packets

1 54 1054 Other Protocols Fragment denied ACL Periodic

Fragments for Protocols other than TCP, UDP, DNS, denied by an SPP IP Profile Fragment Check setting.

Note: Use with care. Misconfigured clients can result in fragmentation for Protocols like GRE (47) and IPSEC (50). Unless you are sure there can be no Other Protocol Fragmentation, it is better to use the Other Protocol Fragment Threshold than an ACL.

Service Protection > IP Profile > IP Fragment Check > Other Protocol Fragment IP Profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets: Other Fragmented Packets blocked

1 59 1059 Denied: Geo-location ACL Periodic Denied packets based on Global Geolocation ACLs.

System > Address and Service > Address IPv4: add geolocation country object.

If desired, System > Address and Service > Address IPv4 Group and add geolocation objects.

Global Protection > Access Control List: add Service objects above to ACL.

Service Protection > (Select SPP): ACL. Create and add Service objects/groups from above.

Monitor: DROPS MONITOR > Global: ACL Tab (for Global ACLs)
1 60 1060 Denied: IP address ACL Periodic Denied by Global Blocklist Global Protection > Blocklist > Blocklisted IPv4 Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Address Denied: Denied Address Drops
1 61 1061 Denied: IP Reputation ACL Periodic Denied by the IP Reputation ACL based on IP Profile per SPP.

IP Reputation is an optional subscription which must be current for this ACL to work.

System > FortiGuard. For IP Reputation settings, subscription confirmation.

Service Protection > IP Profile > IP Reputation categories to enable when that IP Profile is assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Address Denied: IP Reputation Denied Drops
1 63 1063 Denied: IP Multicast ACL Periodic Denied by IP profile per SPP. Service Protection > IP Profile > IP Multicast Check IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > IP Multicast Denied Drops
1 64 1064 Denied: Private IP ACL Periodic Denied by IP profile per SPP. Service Protection > IP Profile > IP Private Check IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Private IP Denied Drops
1 71 1071 TCP Fragment denied ACL Periodic

TCP Fragments denied by an SPP IP Profile Fragment Check setting.

Note: Misconfigured clients can send TCP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL.

Service Protection > IP Profile > IP Fragment Check > TCP Fragment

IP Profile must be assigned to an SPP.

Monitor: DROPS MONITOR > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > TCP Fragmented Packets blocked

1 72 1072 UDP Fragment denied ACL Periodic

UDP Fragments denied by an SPP IP Profile Fragment Check setting.

Note: Misconfigured clients can send UDP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL.

Service Protection > IP Profile > IP Fragment Check > UDP Fragment

IP Profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > UDP Fragmented Packets blocked

2 0 2000 SYN Flood Rate Flood Interrupt

Effective rate limit for the SYN Threshold has been reached.

Note:

1. Crossing the SYN Threshold initiates SYN Validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking).

2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then allowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation.

Service Protection > Service Protection Policy > Thresholds > Scalars > SYN

Service Protection > TCP Profile > TCP Packets Validation > SYN Validation.

Note: If SYN Validation is not enabled no SYN validation nor rate limiting is done.

Monitor: DROPS MONITOR > SPP > Select SPP > Flood Drops Tab > Layer 3 > SYN

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN

2 2 2002 Global Rule Deny ACL Periodic Drops from any Global Protection > Access Control List entry.

System > Address and Service > Address IPv4: add IPv4, IPv6, Service or Group objects.

Global Protection > Access Control List: add objects above to ACL.

Monitor: DROPS MONITOR > Global: ACL Drops tab: ACL Rule Drops graph: ACL rule drop-down at top-right of graph
2 6 2006 State Anomalies: Foreign packet (Out of State) State anomaly Periodic A foreign packet is a TCP packet that does not belong to any known connections. Tracked when TCP Profile for an SPP has Foreign Packet Validation enabled.

Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation

TCP profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > Select SPP > Anomaly Drops Tab > Layer 4 > State
2 7 2007 State Anomalies: Outside window State anomaly Periodic Sequence number of a packet was outside the acceptable window. Tracked when TCP Profile for an SPP has Sequence Validation enabled.

Service Protection > TCP Profile > TCP Packets Validation > Sequence Validation.

TCP profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > Select SPP > Anomaly Drops Tab > Layer 4 > State

2 11 2011 Session Table Out of Memory Anomaly Periodic If the system-wide TCP Session table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops. Global Protection > Settings > Out of Memory Mode: Drop | Bypass

None
2 12 2012 State Anomalies: State transition error State anomaly Periodic State of the TCP packet received was not consistent with the expected state. Tracked when TCP Profile for an SPP has State Transition Validation enabled.

Service Protection > TCP Profile > TCP Packets Validation > State Transition Anomalies Validation

TCP profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > State
2 13 2013 SPP Rule Deny ACL Periodic

SPP-based IPv4, IPv6, Geolocation, Service ACL drops.

Service Protection > Service Protection Policy > Service Protection Policy Rule > ACL

Monitor: DROPS MONITOR > SPP > Select SPP > ACL Drops Tab

2 14 2014 Legitimate IP: Out of memory Anomaly Periodic If the system-wide Legitimate IP table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops.

Legitimate IP table should only be populated during SYN Floods when the source IP has been validated.

Global Protection > Settings > Out of Memory Mode: Drop | Bypass

None
2 16 2016 TCP zombie Flood Rate Flood Interrupt

Effective rate limit for the new-connections Threshold has been reached.

Note: this Threshold is set to maximum by System Recommendations to avoid rate-limiting new connections. You can add a manual Threshold if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > New Connections

Monitor: DROPS MONITOR > SPP > Select SPP > Flood Drops Tab > Layer 4 > Zombie Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Other Tab > New Connections graph

2 17 2017 TCP Port Flood Rate Flood Periodic

Effective rate limit for the port has been reached.

Note: Several TCP Ports like 80, 443 are set to system maximum (no thresholds) by System Recommendations. Other parameters (like the various SYN thresholds and Foreign Packet Validation) mitigate DDoS Floods to these Ports. You can add a Threshold for these ports if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > TCP Ports

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > TCP Ports

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Ports > TCP

2 18 2018 UDP Port Flood Rate Flood Periodic

Effective rate limit for the port has been reached.

Note: No Threshold is set for UDP 53 where DNS mitigations are expected to be used. You can add a Threshold if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > UDP Ports

Monitor: DROPS MONITOR > TRAFFIC MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > UDP Ports

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Ports > UDP

2 19 2019 ICMP Flood Rate Flood Periodic Effective rate limit for the ICMP Type/Code has been reached. Type/Codes will be rate-limited to the Threshold. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > ICMP Types and Codes

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: ICMP Types/Codes subgraph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Other Tab > ICMP

2 20 2020 Foreign Packets (Aggressive Aging and Slow Connections) State anomaly Periodic Foreign (out-of-state) Packets seen after Slow Connection Aggressive Aging (RST to server)

Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation

Service Protection > TCP Profile > TCP Session Settings > Aggressive Aging Feature Control > Slow TCP Connections

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab> Layer 4 > State graph
2 22 2022 Slow Connection: Source Flood Rate Flood Interrupt Slow connection attack detected and “Source blocking for slow connections” enabled. Source IP address is reported. Service Protection > TCP Profile > TCP Slow Connection Protection > Block Sources With Slow TCP Connections Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: Slow Connection subgraph
2 24 2024 TCP checksum error Header anomaly Periodic Invalid TCP checksum.

Service Protection > TCP Profile > Strict Anomalies

TCP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: TCP Checksum Error subgraph
2 26 2026 ICMP checksum error Header anomaly Periodic Invalid ICMP checksum.

Service Protection > ICMP Profile > ICMP Strict Anomalies

ICMP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: ICMP Checksum Error subgraph
2 27 2027 TCP invalid flag combination Header anomaly Periodic Invalid TCP flag combination. If the urgent flag is set, then the urgent pointer must be non-zero. SYN, FIN or RST is set for fragmented packets, no flags, all flags and others.

Service Protection > TCP Profile > Strict Anomalies

TCP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header : TCP Invalid Flag Combination subgraph
2 28 2028 L4 anomalies Header anomaly Periodic Drops due to predefined Layer 4 header rules: Data offset is less than 5 for a TCP packet; EOP (End of Packet) is detected before the 20 bytes of TCP header; EOP before the offset indicated by the data offset; Length field in TCP window scale option is a value other than 3; Missing UDP payload; Missing ICMP payload; TCP Option Anomaly based on Option Type; and others. SYN with Payload if SPP Option in TCP Profile is set.

Service Protection > TCP Profile > Strict Anomalies

Service Protection > TCP Profile > SYN with Payload

Service Protection > ICMP Profile > Strict Anomalies

ICMP and TCP Profiles must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: Anomaly Detected subgraph
2 54 2054 ICMP Type/Code denied ACL Periodic Denied by an ICMP Profile TypeCode ACL

Service Protection > ICMP Profile > ICMP Type Code ACL

ICMP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 4 > Aggregate: ICMP Type/Code Denied Drops subgraph

2 56 2056 SYN Flood from source Rate Flood Interrupt

Effective rate limit for the syn-per-src threshold from a single Source IP has been reached. Source IP address is reported.

Note: No SYN Validation is done on SYN per Source Floods. The Source is rate-limited to the Threshold

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN Per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: SYN Per Source subgraph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN per Source

2 61 2061 Excessive Concurrent Connections Per Source Flood Rate Flood Interrupt Effective rate limit for the concurrent-connections-per-source threshold has been reached. Source IP address is reported. Per-Source Connections are rate-limited to the Threshold. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > Concurrent-Connections-per-Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > Concurrent Connection per Source

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 >Other Tab > Concurrent Connections per Source

2 62 2062 SYN per Destination Flood Rate Flood Interrupt

Effective rate limit for the SYN per Destination threshold has been reached.

Note:

1. Crossing the SYN per Destination Threshold initiates SYN validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking).

2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then allowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN-per-Destination

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN per Destination

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN per Destination

2 63 2063 SYN/ACK flood in asymmetric mode Rate Flood Interrupt Drops caused by SYN-ACK over Threshold rate (in asymmetric mode only) Global Deployment > Deployment: Asymmetric Mode AND Asymmetric Mode Allow Inbound Synack SYN-ACK-per-Destination Threshold is set manually via Service Protection > Service Protection Policy (Select SPP) > Select Threshold tab: Select Scalars from drop-down: Create New or Select SYN-ACK-per-Destination.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN/ACK Flood

Monitor: TRAFFIC MONITOR > Layer3/4/7 > (Select SPP) > Layer 4 > SYN > SYN-ACK graph

2 64 2064 SYN/ACK Per Destination flood in asymmetric mode Rate Flood Interrupt Drops caused by SYN-ACK-per-Destination over Threshold rate (in asymmetric mode only) Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN/ACK Per Destination In Asymmetric Mode Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN/ACK per Destination Flood Monitor: TRAFFIC MONITOR > Layer3/4/7 > (Select SPP) > Layer 4 > SYN > scroll to SYN-ACK-per-Destination graph
2 82 2082 DNS Query Flood from Source Rate Flood Periodic

Effective rate limit for the DNS-Query-per-Source threshold has been reached.

Note:

1. No Source Validation (Anti-Spoofing) is attempted for DNS Query per Source. Queries from Sources are rate-limited to the Threshold.

2. DNS Query per Source Threshold is not set by System Recommendations. A manual Threshold can be added if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS-Query-per-Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Query per Source

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS > Query per Source

2 83 2083 DNS Packet Track Flood from Source Rate Flood Periodic

Effective rate limit for the DNS-Packet-Track-per-Source (Suspicious Sources) threshold has been reached.

Note:

1. No Source Validation (Anti-Spoofing) is attempted for DNS Packet Track per Source (Suspicious Sources). Queries from Sources are rate-limited to the Threshold.

2. DNS Packet Track per Source (Suspicious Sources) Threshold is not set by System Recommendations. A manual Threshold can be added if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS Packet Track per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Suspicious Sources

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS > DNS Packet Track per Source

2 86 2086 Invalid ICMP Type/Code Header Anomaly Periodic Invalid ICMP Type/Code.

Service Protection > ICMP Profile > ICMP Type Code Anomaly

ICMP Profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header > Invalid ICMPv4 Type/Code or Invalid ICMPv6 Type/Code
2 87 2087 HTTP Method Flood from source Rate Flood Interrupt Effective rate limit for the HTTP-Method-per-Source threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > HTTP Method Per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Method Per Source

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Method per Source

2 88 2088 GRE Header checksum error Header Anomaly Periodic Packet with GRE Header checksum error detected and dropped.

Global > GRE Tunnel Endpoints must be configured.

Service Protection > IP Profile > IP Strict Anomalies

Monitor: SPP (select SPP) > Anomaly Drops tab > Layer 3
4 0 4000 HTTP Method Flood Rate Flood Interrupt Effective rate limit for a particular HTTP method threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > HTTP Methods

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Method Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Methods (Select Method from drop-down)

4 1 4001 Known HTTP Method Anomaly Header anomaly Periodic HTTP Known Method anomaly as defined in an HTTP Profile.

Service Protection > HTTP Profile > Known Method Anomaly

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 >Anomaly Drops Tab > HTTP > Known Method
4 2 4002 Invalid HTTP Version Anomaly Header anomaly Periodic Packets dropped due to the HTTP Profile version anomaly option

Service Protection > HTTP Profile > Version Anomaly

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Invalid HTTP Version
4 3 4003 URL denied ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > URL Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > URL: Packets Blocked

4 4 4004 URL Flood Rate Flood Periodic Effective rate limit for a particular URL threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > URLs

Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Flood Drops Tab > HTTP > URL Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > URLs

4 5 4005 Unknown HTTP Method Anomaly Header Anomaly Periodic HTTP Profile Unknown HTTP Method.

Service Protection > HTTP Profile > Unknown Method Anomaly

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Unknown Method
4 6 4006 HTTP L7 Host Flood Rate Flood Interrupt Effective rate limit for a particular Host threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Hosts

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Host Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Hosts

4 7 4007 HTTP L7 Host Deny ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > Host Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Hosts: Packets Blocked

4 8 4008 HTTP L7 Referer Flood Rate Flood Interrupt Effective rate limit for a particular Referer header threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Referers

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Referer Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Referers

4 9 4009 HTTP L7 Referer Deny ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > HTTP > Layer 7 > Referer Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Referers: Packets Blocked

4 10 4010 HTTP L7 Cookie Flood Rate Flood Interrupt Effective rate limit for a particular Cookie header threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Cookies

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Cookie Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Cookies

4 11 4011 HTTP L7 Cookie Deny ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > Cookie Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Cookies: Packets Blocked

4 12 4012 HTTP L7 User Agent Flood Rate Flood Interrupt Effective rate limit for a particular User-Agent threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > User Agents

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > User Agent Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > User Agents

4 13 4013 HTTP L7 User Agent Deny ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > User Agent Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > User Agents: Packets Blocked

4 37 4037 DNS Fragment Deny ACL Periodic Denied by a DNS Profile DNS fragment option. Service Protection > DNS Profile > DNS Fragment Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > DNS > Frag Drops
4 41 4041 DNS Rcode Flood Rate Flood Interrupt Effective rate limit for the DNS Rcode threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > DNS Rcode

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Response Code Drop

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Response Code

4 42 4042 DNS Header Anomaly: Invalid Opcode DNS Anomaly Periodic Invalid value in the DNS OpCode field, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Op Code

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header
4 43 4043 DNS Header Anomaly: Illegal Flag Combination DNS Anomaly Periodic Invalid combination in the flags field, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Illegal Flag Combination

DNS Profile must be assigned to SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header
4 44 4044 DNS Header Anomaly: Same Source/Destination Port DNS Anomaly Periodic DNS Header where Source Port == Destination Port == 53, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > SP,DP Both 53

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header
4 45 4045 DNS Query Anomaly: Query Bit Set DNS Anomaly Periodic (QR) bit set to 1, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit Set

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query
4 46 4046 DNS Query Anomaly: RA Bit Set DNS Anomaly Periodic Recursion allowed (RA) bit set, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > RA Bit Set

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query
4 47 4047 DNS Query Anomaly: Null Query DNS Anomaly Periodic DNS query with count 0, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Null Query

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query
4 48 4048 DNS Query Anomaly: QD Count not One in query DNS Anomaly Periodic Question count not 1, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > DNS Query Anomaly: QD Count not One in query

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query
4 50 4050 DNS Reply Anomaly: Qclass in reply DNS Anomaly Periodic DNS response with QCLASS, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > QCLASS in Reply

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response
4 51 4051 DNS Reply Anomaly: Qtype in reply DNS Anomaly Periodic DNS response with a resource specifying a TYPE ID, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > QType in Reply

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response
4 52 4052 DNS Reply Anomaly: Query bit not set DNS Anomaly Periodic (QR) bit set to 0, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit not Set

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response
4 53 4053 DNS Reply Anomaly: QD count not 1 in response DNS Anomaly Periodic DNS Response where QD count is not 1, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > QDCOUNT not One in Response

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response
4 54 4054 DNS Buffer Overflow Anomaly: Message too long DNS Anomaly Periodic DNS Query or Response message that exceeds the maximum header length, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Message too Long/UDP Message too Long

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow
4 55 4055 DNS Buffer Overflow Anomaly: Name too long DNS Anomaly Periodic DNS name that exceeds 255 characters, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name too Long

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow
4 56 4056 DNS Buffer Overflow Anomaly: Label length too large DNS Anomaly Periodic Query or response with a label that exceeds the maximum length (63), selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Label Length too Large

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow
4 57 4057 DNS Exploit Anomaly: Pointer loop DNS Anomaly Periodic DNS message with a pointer that points beyond the end of data, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Pointer Loop

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 58 4058 DNS Exploit Anomaly: Zone Transfer DNS Anomaly Periodic An asynchronous Transfer Full Range (AXFR) request (QTYPE=252), selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Zone transfer

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Anomaly Drops Tab > DNS > Exploit
4 59 4059 DNS Exploit Anomaly: Class is not IN DNS Anomaly Periodic A query/response in which the question/resource address class is not IN, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Class not IN

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 60 4060 DNS Exploit Anomaly: Empty UDP message DNS Anomaly Periodic UDP DNS Query has no data, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Empty UDP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 61 4061 DNS Exploit Anomaly: Message ends prematurely DNS Anomaly Periodic DNS message ends before proper EOP info, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Message Ends Prematurely

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 62 4062 DNS Exploit Anomaly: TCP Buffer Underflow DNS Anomaly Periodic A query/response with less than two bytes of data specified in the two-byte prefix field, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Buffer Underflow

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 63 4063 DNS Info Anomaly: DNS type all used DNS Anomaly Periodic DNS request with request type set to ALL (QTYPE=255), selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Info Anomaly enable

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Info
4 64 4064 DNS Data Anomaly: Invalid type class DNS Anomaly Periodic A query/response with TYPE or CLASS reserved values, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Class Type

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data
4 65 4065 DNS Data Anomaly: Extraneous data DNS Anomaly Periodic A query/response with excess data, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Extraneous Data

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data
4 66 4066 DNS Data Anomaly: TTL too long DNS Anomaly Periodic

TTL value is greater than 7 days, selected in DNS Profile.

Note: Some services (Yahoo Mail for example) have TTLs longer than 7 days. This Anomaly should remain disabled.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > TTL too Long

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data
4 67 4067 DNS Data Anomaly: Name length too short DNS Anomaly Periodic A query/response with a null DNS name or lacking a TLD, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name Length too Short

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data
4 68 4068 DNS UDP Unsolicited Response Rate Flood Periodic UDP Drops due to a response with no matching query, selected in DNS Profile.

Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Unsolicited DNS Response Drops
4 69 4069 DNS TCP Unsolicited Response Rate Flood Periodic TCP Drops due to a response with no matching query, selected in DNS Profile.

Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Unsolicited DNS Response Drops
4 71 4071 DNS DQRM Out of Memory Internal Periodic An issue with DQRM table internal logic or memory. Contact Fortinet. None. Internal Table issue. Report to Fortinet. Monitor: DROPS MONITOR > SPP > (Select SPP) > Out of Memory Drops Tab > Layer 7 > DNS
4 72 4072 DNS UDP Response same direction Rate Flood Periodic Drops due to UDP DNS Response sent to port 53.

Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unsolicited DNS Response Drops
4 73 4073 DNS TCP Response same direction Rate Flood Periodic Drops due to TCP DNS Response sent to port 53.

Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unsolicited DNS Response Drops
4 74 4074 DNS LQ: UDP Query Flood Rate Flood Periodic Drops due to LQ check during UDP DNS Query Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops
4 75 4075 DNS LQ: UDP Question Flood Rate Flood Periodic Drops due to LQ check during UDP DNS Question Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS > Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops
4 76 4076 DNS LQ: UDP Qtype All Flood Rate Flood Periodic UDP drops due to LQ check during UDP Qtype All (ANY/*) Flood, selected in DNS Profile.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops
4 78 4078 DNS LQ: UDP Qtype MX Flood Rate Flood Periodic Drops due to LQ check during UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops
4 81 4081 DNS TTL: UDP Query Flood Rate Flood Periodic Drops due to TTL check during UDP DNS Query Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops
4 82 4082 DNS TTL: UDP Question Flood Rate Flood Periodic Drops due to TTL check during UDP DNS Question Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops
4 83 4083 DNS TTL: UDP Qtype All Flood Rate Flood Periodic Drops due to TTL check during UDP DNS Qtype ALL (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops
4 85 4085 DNS TTL: UDP Qtype MX Flood Rate Flood Periodic Drops due to TTL check during UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops
4 87 4087 DNS Spoofed IP: UDP Query Flood drop during TC=1 check Rate Flood Periodic Drops due to TC=1 antispoofing check during UDP DNS Query Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 88 4088 DNS Spoofed IP: UDP Question Flood drop during TC=1 check Rate Flood Periodic Drops due to TC=1 antispoofing check during UDP DNS Question Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 89 4089 DNS Spoofed IP: UDP Qtype All Flood drop during TC=1 check Rate Flood Periodic Drops due to TC=1 antispoofing check during UDP DNS Qtype All (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 91 4091 DNS Spoofed IP: UDP Qtype MX Flood drop during TC=1 check Rate Flood Periodic Drops due to TC=1 antispoofing check during UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 93 4093 DNS Spoofed IP: UDP Query Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP DNS Query Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 94 4094 DNS Spoofed IP: UDP Question Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP DNS Question Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 95 4095 DNS Spoofed IP: UDP Qtype All Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP DNS Qtype All (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 96 4096 DNS Spoofed IP: UDP Qtype Zone Transfer Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP DNS Qtype Zone Transfer Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 97 4097 DNS Spoofed IP: UDP Qtype MX Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 99 4099 DNS Cache: UDP Query Flood Drop Due To Response From Cache Rate Flood Periodic DNS Query drops because the response was served from the cache during a UDP DNS Query Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 100 4100 DNS Cache: UDP Question Flood Drop Due To Response From Cache Rate Flood Periodic DNS Query drops because the response was served from the cache during a UDP DNS Question Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 101 4101 DNS Cache: UDP Qtype All Flood Drop Due To Response From Cache Rate Flood Periodic DNS Query drops because the response was served from the cache during a UDP DNS Qtype All (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 103 4103 DNS Cache: UDP Qtype MX Flood Drop Due To Response From Cache Rate Flood Periodic DNS Query drops because the response was served from the cache during a UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 105 4105 DNS Cache: UDP Query Flood Drop Due To No Response From Cache Rate Flood Periodic DNS Query drops because the response was not served from the cache during a UDP DNS Query Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 106 4106 DNS Cache: UDP Question Flood Drop Due To No Response From Cache Rate Flood Periodic DNS Query drops because the response was not served from the cache during a UDP DNS Question Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 107 4107 DNS Cache: UDP Qtype All Flood Drop Due To No Response From Cache Rate Flood Periodic DNS Query drops because the response was not served from the cache during a UDP DNS Qtype All (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 109 4109 DNS Cache: UDP Qtype MX Flood Drop Due To No Response From Cache Rate Flood Periodic DNS Query drops because the response was not served from the cache during a UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 111 4111 DNS TCP Query Flood Rate Flood Interrupt Effective rate limit for the dns-query threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Query Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Query TCP Query

4 112 4112 DNS TCP Question Flood Rate Flood Interrupt Effective rate limit for the dns-question-count threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Question Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Question Count: TCP Question

4 113 4113 DNS TCP Fragment Flood Rate Flood Interrupt Effective rate limit for the dns-fragment threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Fragment TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Fragment Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > Fragment: TCP Fragment

4 114 4114 DNS TCP Zone Transfer Flood Rate Flood Interrupt Effective rate limit for the dns-zone-xfer threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Zone Transfer TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Zone Transfer Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > QType Zone Transfer: TCP Zone Transfer

4 115 4115 DNS TCP MX Flood Rate Flood Interrupt Effective rate limit for the dns-mx threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS MX Count TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP MX Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > QType MX: TCP MX

4 116 4116 DNS TCP All Flood Rate Flood Interrupt Effective rate limit for the dns-all threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS All TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP ALL Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > Qtype All: TCP All

4 117 4117 DNS UDP Unexpected Query before Response Rate Flood Periodic UDP Drops due to DQRM duplicate query check (more than 3 identical Queries (Source, XID) per second).

Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unexpected Query Drops
4 118 4118 DNS TCP Unexpected Query before Response Rate Flood Periodic TCP Drops due to DQRM duplicate query check.

Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unexpected Query Drops
4 121 4121 DNS Resource Record Type Deny ACL Periodic DNS Query ACL drops due to Resource Record ACL

Service Protection > DNS Profile > DNS Feature Controls > DNS Resource Record Type ACL

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > DNS > DNS Resource Record Type Drops
4 122 4122 DNS Query Anomaly: UDP Session Reuse Anomaly Periodic DNS UDP Query reuse session within one second Service Protection > DNS Profile Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Anomaly Drops Tab > DNS > Query
4 123 4123 DNS Query Blocked (Domain Reputation) ACL Periodic Drops from matching to FortiGuard Domain Reputation list

Service Protection > DNS Profile > Create new / Edit existing: DNS Feature Controls: Domain Reputation

System > FortiGuard: Domain Reputation Subscription and settings

Monitor: DROPS MONITOR > SPP > (Select SPP) > SPP (select SPP) > ACL Drops tab > Layer 7: DNS graph
4 201 4201 HTTP Header Range Present Anomaly Header anomaly Periodic Drops due to packets with a header range request.

Service Protection > HTTP Profile > Drop Range Header

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Range Present
4 203 4203 Incomplete HTTP Request Header anomaly Periodic Drops due to HTTP requests that do not end in the correct end-of-packet information.

Service Protection > HTTP Profile > Incomplete Request Action = Drop or Aggressive Aging

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Incomplete HTTP Request
4 204 4204 SSL Renegotiation Anomaly Periodic Drop due to SSL/TLS Renegotiation Check

Service Protection > SSL/TLS Profile > Renegotiation Check

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Renegotiation
4 205 4205 NTP Request Flood Rate Flood Interrupt Rate Threshold for NTP Requests has been exceeded. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Request Flood

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Request Flood Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Request

4 206 4206 NTP Response Flood Rate Flood Interrupt Rate Threshold for NTP Responses has been exceeded. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Flood

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Response Flood Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Response

4 207 4207 NTP Broadcast Flood Rate Flood Interrupt Rate Threshold for NTP Broadcasts has been exceeded. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Broadcast Flood

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Broadcast Flood Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Broadcast

4 208 4208 NTP Reflection ACL ACL Periodic Drops due to NTP Reflection Deny option. Blocks NTP Mode 6 (varlist) and Mode 7 (monlist) Queries or Responses.

Service Protection > NTP Profile > Reflection Deny

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > NTP > NTP Reflection ACL Drops
4 209 4209 NTP Version Anomaly NTP Header Anomaly Periodic NTP Version and Modes must match currently ratified versions (Version =1-4 and Mode >0 if Version =1).

Service Protection > NTP Profile > Version Anomaly Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header
4 210 4210 NTP Stratum Anomaly NTP Header Anomaly Periodic Stratum must be 1-16 (17-255 are invalid). If Stratum >2, Reference ID cannot be null/empty.

Service Protection > NTP Profile > Stratum Anomaly Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header
4 211 4211 NTP Data Length Anomaly NTP Header Anomaly Periodic Enforces minimum and maximum data lengths defined in NTP Versions 1-4.

Service Protection > NTP Profile > Data Length Anomaly Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header
4 212 4212 NTP Control Header Anomaly NTP Header Anomaly Periodic Examines Control Header for 10 different Anomalies and drops if seen.

Service Protection > NTP Profile > Control Header Anomalies Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header
4 213 4213 NTP Duplicate Request Before Response Anomaly Periodic Drops identical requests in a few seconds before a reply (mini-Flood).

Service Protection > NTP Profile > Retransmission Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State
4 214 4214 NTP Unsolicited Response Rate Flood treated like Anomaly Periodic Drops Responses where the Query was not recorded in NTP Response Matching (NRM) table. Use ONLY with symmetric traffic or asymmetric traffic where both links traverse FortiDDoS.

Service Protection > NTP Profile > Unsolicited Response Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State
4 215 4215 NTP State Anomalies: Sequence mismatch State Anomaly Periodic Drops Queries where the Sequence number is incorrect. Normally only used when hosting NTP Servers.

Service Protection > NTP Profile > Sequence Mismatch Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State
4 218 4218 NTP State Anomalies: Mode Mismatch State Anomaly Periodic Client Query/Server Response Modes do not match 1/2 or 3/4. If the NTP Reflection ACL is not enabled, also checks for Modes not matching 6/6 or 7/7. Anything other than the above mode pairs is dropped as mismatched.

Service Protection > NTP Profile > Mode Mismatch Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State
4 219 4219 NTP Response Per Destination Rate Flood Interrupt Rate Threshold for NTP Responses Per Destination has been exceeded. This indicates a reflected NTP Response Flood towards a single destination. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Per Destination

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Response Per Destination Flood Drop

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Response per Destination

4 224 4224 SSL/TLS Protocol Anomaly Anomaly Periodic Drop due to SSL/TLS profile's Protocol Anomaly check

Service Protection > SSL/TLS Profile > Protocol Anomaly

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Protocol
4 225 4225 SSL/TLS Version Anomaly Anomaly Periodic Drop due to SSL/TLS profile's Version Anomaly check

Service Protection > SSL/TLS Profile > Version Anomaly

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Version
4 226 4226 SSL/TLS Cipher Anomaly Anomaly Periodic Drop due to SSL/TLS Profile Cipher Anomaly check

Service Protection > SSL/TLS Profile > Cipher Anomaly

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Cipher
4 227 4227 SSL/TLS Incomplete Request Anomaly Anomaly Periodic Drop due to SSL/TLS profile's Block Incomplete Request check

Service Protection > SSL/TLS Profile > Block Incomplete Request

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Incomplete Request
4 228 4228 SSL/TLS Incomplete Request: Source Flood Rate Flood Interrupt Drop due to SSL/TLS profile's Block Source With Incomplete Request

Service Protection > SSL/TLS Profile > Block Source With Incomplete Request

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > SSL > SSL/TLS Incomplete Request Source Flood
4 232 4232 DTLS Client Hello Flood from Source Rate flood Interrupt Drops due to DTLS Client Hello per Source Scalar Threshold. Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DTLS Client Hello per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS

4 233 4233 DTLS Server Hello Per Source Flood Rate flood Interrupt Effective rate limit for the DTLS Server Hello Per Source threshold has been reached Service Protection > Service Protection Policy > Thresholds > Scalars: DTLS Server Hello Per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS

4 234 4234 DTLS Server Hello Flood per Destination Rate flood Interrupt Drops due to DTLS Server Hello per Destination Scalar Threshold. Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DTLS Server Hello per Destination

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS

4 235 4235 DTLS State Anomalies: DTLS negotiation without verification Anomaly Periodic Drops from DTLS Protocol Check - incorrect DTLS Client/Server handshake (no Client Verification message).

Service Protection > DTLS Profile > Protocol Check (use with symmetric traffic only)

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DTLS graph
4 236 4236 DTLS Reflection ACL ACL Periodic Drops from Server Hello messages when no Client Hello was sent.

Service Protection > DTLS Profile > Reflection Deny (use with symmetric traffic only)

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DTLS graph

4 240 4240 DNS UDP Query Blocked (Blocklisted Domains) ACL Periodic DNS UDP Query or Response ACL Drops due to Blocklisted Domains, FQDN File Blocklist/Allowlist and FQDN List.

Service Protection > DNS Profile: DNS Feature Controls:

  • FQDN Control List Type

  • FQDN Files and

  • FQDN List

Monitor: DROPS MONITOR > SPP > (Select SPP) > Layer 7> ACL Drops Tab: DNS graph

4 241 4241 DNS TCP Query Blocked (Blocklisted Domains) ACL Periodic DNS TCP Query or Response ACL Drops due to Blocklisted Domains, Domain Reputation, FQDN File Blocklist/Allowlist and FQDN List.

Service Protection > DNS Profile: DNS Feature Controls:

  • FQDN Control List Type

  • FQDN Files and

  • FQDN List

Monitor: DROPS MONITOR > SPP > (Select SPP) > Layer 7: ACL Drops Tab: DNS graph

4 242 4242 DNSSEC UDP Asymmetric Response Source Flood Rate Flood Interrupt Drops due to DNSSEC Response UDP Asymmetric Source Scalar Threshold.

Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Source Scalar Threshold

(DNSSEC Response per Source for asymmetric traffic)

Monitor: DROPS MONITOR: SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode)

4 243 4243 DNSSEC UDP Asymmetric Response Flood Rate Flood Interrupt Drops due to DNSSEC Response UDP Asymmetric Scalar Threshold.

Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Scalar Threshold

(DNSSEC aggregate Responses for asymmetric traffic)

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode)

4 244 4244 DNSSEC UDP Asymmetric Response Destination Flood Rate Flood Interrupt Drops due to DNSSEC Response UDP Destination Asymmetric Scalar Threshold.

Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Destination Scalar Threshold

(DNSSEC Response per Destination for asymmetric traffic)

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode)

4 245 4245 DNS UDP Header Anomaly: Missing Header Anomaly Periodic Drops due to packet to/from UDP Port 53 with no DNS header information.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: Header Anomaly: Incomplete DNS

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph

4 246 4246 DNS TCP Header Anomaly: Missing Header Anomaly Periodic Drops due to packet to/from TCP Port 53 with no DNS header information.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: Header Anomaly: Incomplete DNS

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph

4 247 4247 DNS UDP Data Anomaly - EDNS0 Multi Option Error Anomaly Periodic UDP Drops due to DNS Profile: Data Anomaly: Multiple OPT RR enabled.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: Data Anomaly: Multiple OPT RR

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph

4 248 4248 DNS TCP Data Anomaly - EDNS0 Multi Option Error Anomaly Periodic TCP Drops due to DNS Profile: Data Anomaly: Multiple OPT RR enabled.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: Data Anomaly: Multiple OPT RR

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph

4 251 4251 DNSSEC UDP Unsolicited Response Flood Interrupt UDP DNSSEC Drops due to a response with no matching query.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: DNSSEC Require Response After Query

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph

4 252 4252 DNSSEC Deny ACL Periodic Drops due to Forbid DNSSEC feature option.

Service Protection > DNS Profile: DNS Feature Controls: Forbid DNSSEC

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DNS graph

4 285 4253 DNS Fragment Deny ACL Periodic Drops due to DNS Fragment feature option.

Service Protection > DNS Profile: DNS Feature Controls: DNS Fragment

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DNS graph
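
The NTP state events 4213, 4214 and 4218 in the table above all depend on remembering outstanding queries. The following Python model is an added example, not Fortinet's implementation: the (client, server) key, the 3-second duplicate window, the packets and all class and function names are assumptions, and it assumes the NTP Reflection ACL is not enabled so that the 6/6 and 7/7 pairs apply. Its last case shows why the Unsolicited Response check is documented for symmetric traffic only.

```python
"""Toy model of the NTP state checks in rows 4213, 4214 and 4218.

Added illustration only; the table layout, key and window are assumptions.
"""

# Query mode -> response mode pairs listed for event 4218. Modes 6/6 and 7/7
# are included because this model assumes the NTP Reflection ACL is not enabled.
VALID_PAIRS = {1: 2, 3: 4, 6: 6, 7: 7}

DUPLICATE_WINDOW_S = 3.0  # assumption: the page only says "a few seconds"

EVENTS = {
    4213: "NTP Duplicate Request Before Response",
    4214: "NTP Unsolicited Response",
    4218: "NTP State Anomalies: Mode Mismatch",
}


def ntp_mode(packet: bytes) -> int:
    """Mode is the low 3 bits of the first NTP header byte."""
    if not packet:
        raise ValueError("empty NTP payload")
    return packet[0] & 0x07


class ResponseMatchingTable:
    """Remembers outstanding queries so responses can be matched to them."""

    def __init__(self):
        self.pending = {}  # (client, server) -> (query mode, time seen)

    def on_query(self, client, server, packet, now):
        """Return an event code for a dropped query, or None if it passes."""
        key, mode = (client, server), ntp_mode(packet)
        prev = self.pending.get(key)
        if prev and prev[0] == mode and now - prev[1] <= DUPLICATE_WINDOW_S:
            return 4213  # same request again before any reply
        self.pending[key] = (mode, now)
        return None

    def on_response(self, client, server, packet):
        """Return an event code for a dropped response, or None if it passes."""
        key = (client, server)
        entry = self.pending.get(key)
        if entry is None:
            return 4214  # no recorded query for this response
        if VALID_PAIRS.get(entry[0]) != ntp_mode(packet):
            return 4218  # entry is kept: the real reply may still arrive
        del self.pending[key]
        return None


def demo():
    # Constructed 48-byte packets: first byte = LI(2) | VN(3) | Mode(3).
    query = bytes([0x23]) + bytes(47)    # VN 4, mode 3 (client)
    reply = bytes([0x24]) + bytes(47)    # VN 4, mode 4 (server)
    passive = bytes([0x22]) + bytes(47)  # VN 4, mode 2 (symmetric passive)
    c, s = "192.0.2.10", "198.51.100.5"  # documentation addresses

    results = {}
    sym = ResponseMatchingTable()        # device sees both directions
    results["query"] = sym.on_query(c, s, query, now=0.0)
    results["duplicate"] = sym.on_query(c, s, query, now=1.0)
    results["mismatch"] = sym.on_response(c, s, passive)
    results["reply"] = sym.on_response(c, s, reply)
    results["second_reply"] = sym.on_response(c, s, reply)

    # Asymmetric path: the query left on a link this table never saw,
    # so even the legitimate reply has nothing to match against.
    asym = ResponseMatchingTable()
    results["asymmetric_reply"] = asym.on_response(c, s, reply)
    return results


if __name__ == "__main__":
    for step, code in demo().items():
        print(f"{step:17} {'pass' if code is None else f'{code} {EVENTS[code]}'}")
```
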

DDoS Attack log Directionality for TCP

Setup | Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP
SYN | Outbound | Inside | Outside | High | Low | Outbound | Inside
ACK | Inbound | Outside | Inside | Low | High | Outbound | Inside
SYN | Inbound | Outside | Inside | High | Low | Inbound | Inside
ACK | Outbound | Inside | Outside | Low | High | Inbound | Inside
SYN | Outbound | Inside | Outside | High | High | Outbound | Inside
ACK | Inbound | Outside | Inside | High | High | Outbound | Inside
SYN | Inbound | Outside | Inside | High | High | Inbound | Inside
ACK | Outbound | Inside | Outside | High | High | Inbound | Inside
SYN | Outbound | Inside | Outside | Low | Low | Outbound | Inside
ACK | Inbound | Outside | Inside | Low | Low | Outbound | Inside
SYN | Inbound | Outside | Inside | Low | Low | Inbound | Inside
ACK | Outbound | Inside | Outside | Low | Low | Inbound | Inside

DDoS Attack log Directionality for UDP

Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP
Outbound | Inside | Outside | High | Low | Outbound | Inside
Inbound | Outside | Inside | Low | High | Inbound | Inside
Inbound | Outside | Inside | High | Low | Inbound | Inside
Outbound | Inside | Outside | Low | High | Outbound | Inside
Outbound | Inside | Outside | High | High | Outbound | Inside
Inbound | Outside | Inside | High | High | Inbound | Inside

Appendix A: DDoS Attack Log Reference

The following table provides the description of the fields in the Log Reference table.

Fields and description

Field Description
Event code 1 - Layer 3, 2 - Layer 4, 4 - Layer 7
Subcode Internal reference only.

Trap Attack Type

Attack Event identifier included in Attack SNMP Traps sent (instead of Event Name).

Event Name Event Type in the web UI Attack Logs and Graphs, description field in syslog.
Category Filter category in web UI Attack Logs.
Period Interrupt: Rate Flood means the first event is logged within two minutes after the start of an attack and reported every minute thereafter.
Periodic: Events other than Rate Flood means events are logged every 5 minutes.
Note: Source IP address is reported only for drops due to per-source thresholds.

Log reference

Event code

Sub code

SNMP Trap attack type

Event name

Category

Period

Description

Parameter

Graph
1 0 1000 Protocol Flood Rate Flood Interrupt Effective rate limit for the protocol (0-255) has been reached. Protocols are rate-limited at the Threshold. Protocols 6 (TCP) and 17 (UDP) do not normally have Thresholds. Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Protocols

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Protocols

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Protocols Tab

1 1 1001 Other Protocols Fragment Flood Rate Flood Interrupt Effective rate limit for fragments in Protocols other than TCP, UDP and DNS has been reached. Fragments are rate-limited at the Threshold. Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > OTH Fragment Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Other Fragmented Packets

1

7

1007

Source Table Out of Memory

Anomaly

Periodic

If the system-wide Source IP Address table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops.

Global Protection > Settings > Out of Memory Mode: Drop | Bypass

None
1 8 1008 Source Flood Rate Flood Interrupt Effective rate limit for the most-active-source threshold has been reached. Source IP address is reported. Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > Most Active Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Source Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Sources Tab > Most Active Source

1 9 1009 Destination Flood Rate Flood Interrupt Effective rate limit for the most-active-destination threshold has been reached. Note: This Threshold is not set by System Recommendations. You may manually add a Threshold if desired. Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > Most Active Destination

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Destinnation Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Sources Tab > Most Active Destination

1

11

1011

Destination Table Out of Memory

Anomaly

Periodic

If the system-wide Destination IP Address table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops.

Global Protection > Settings > Out of Memory Mode: Drop | Bypass

None
1 14 1014 IP Header checksum error Header anomaly Periodic Invalid IP header checksum. Service Protection > IP Profile > IP Strict Anomalies. IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > IP Header Checksum
1 15 1015 Source IP==dest IP Header anomaly Periodic Identical source and protected IP addresses (LAND attack). Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > Source and Destination Address Match
1 16 1016 Source/dest IP==localhost Header anomaly Periodic Source/destination address is the local host (loopback address spoofing). Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > Source/ Destination as Localhost
1 17 1017 L3 anomalies Header anomaly Periodic

Drops due to predefined Layer 3 rules:

- IP version other than IPv4 or IPv6.

- EOP (End of Packet) before 20 bytes of IPv4 data.

- EOP comes before the length specified by Total Length.

- Reserved Flag set.

- More Frag and Don't Frag Flags set.

- Added Anomaly for DSCP and ECN.

Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3
1 23 1023 TCP Fragment Flood Rate Flood Interrupt

Effective rate limit for the TCP fragment has been reached.

Note: Use with care. Miss-configured clients can result in TCP fragmentation. Unless you are sure there can be no TCP Fragmentation, it is better to use the TCP Fragment Threshold than an ACL.

Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds >Scalars > TCP Fragment

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Fragmented Packets

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > TCP Fragmented Packets

1 24 1024 UDP Fragment Flood Rate Flood Interrupt

Effective rate limit for the UDP fragment has been reached.

Note: Use with care. Miss-configured clients can result in UDP fragmentation. Unless you are sure there can be no UDP Fragmentation, it is better to use the UDP Fragment Threshold than an ACL.

Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds >Scalars > UDP Fragment

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Fragmented Packets

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets: UDP Fragmented Packets

1 54 1054 Other Protocols Fragment denied ACL Periodic

Fragments for Protocols other than TCP, UDP, DNS, denied by an SPP IP Profile Fragment Check setting.

Note: Use with care. Miss-configured clients can result in fragmentation for Protocols like GRE (47) and IPSEC (50). Unless you are sure there can be no Other Protocol Fragmentation, it is better to use the Other Protocol Fragment Threshold than an ACL.

Service Protection > IP Profile > IP Fragment Check > Other Protocol Fragment IP Profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets: Other Fragmented Packets blocked

1

59

1059

Denied: Geo-location

ACL

Periodic

Denied packets based on Global Geolocation ACLs

System > Address and Service > Address IPv4: add geolocation country object.

If desired, System > Address and Service > AddressIPv4 Group and add geolocations objects.

Global Protection > Access Control List: add Service objects above to ACL.

Service Protection > (Select SPP): ACL. Create and add Service objects/groups from above

Monitor: DROPS MONITOR > Global: ACL Tab (for Global ACLs)
1 60 1060 Denied: IP address ACL Periodic Denied by Global Blocklist Global Protection > Blocklist > Blocklisted IPv4 Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Address Denied: Denied Address Drops
1 61 1061 Denied: IP Reputation ACL Periodic Denied by the IP Reputation ACL based on IP Profile per SPP.

IP Reputation is an optional subscription which must be current for this ACL to work.

System > FortiGuard. For IP Reputation settings, subscription confirmation.

Service Protection > IP Profile > IP Reputation categories to enable when that IP Profile is assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Address Denied: IP Reputation Denied Drops
1 63 1063 Denied: IP Multicast ACL Periodic Denied by IP profile per SPP. Service Protection > IP Profile > IP Multicast Check IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > IP Multicast Denied Drops
1 64 1064 Denied: Private IP ACL Periodic Denied by IP profile per SPP. Service Protection > IP Profile > IP Private Check IP Profile must be assigned to an SPP. Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Private IP Denied Drops
1 71 1071 TCP Fragment denied ACL Periodic

TCP Fragments denied by an SPP IP Profile Fragment Check setting.

Note: Miss-configured clients can send TCP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL.

Service Protection > IP Profile > IP Fragment Check >TCP Fragment IP

Profile must be assigned to an SPP.

Monitor: DROPS MONITOR > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > TCP Fragmented Packets blocked

1 72 1072 UDP Fragment denied ACL Periodic

UDP Fragments denied by an SPP IP Profile Fragment Check setting.

Note: Miss-configured clients can send UDP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL.

Service Protection > IP Profile > IP Fragment Check > UDP Fragment IP

Profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > UDP Fragmented Packets blocked

2 0 2000 SYN Flood Rate Flood Interrupt

Effective rate limit for the SYN Threshold has been reached.

Note:

1. Crossing the SYN Threshold initiates SYN Validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking).

2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then allowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation.

Service Protection > Service Protection Policy > Thresholds > Scalars >: SYN Service Protection > TCP Profile >TCP Packets Validation > SYN Validation.

Note: If SYN Validation is not enabled no SYN validation nor rate limiting is done.

Monitor: DROPS MONITOR > SPP > Select SPP > Flood Drops Tab > Layer 3 > SYN

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN

2

2

2002

Global Rule Deny

ACL

Periodic

Drops from any Global Protection > Access Control List entry

System > Address and Service > Address IPv4: add IPv4, IPv6, Service or Group objects.

Global Protection > Access Control List: add objects above to ACL.

Monitor: DROPS MONITOR > Global: ACL Drops tab: ACL Rule Drops graph: ACL rule drop-down at top-right of graph
2 6 2006 State Anomalies: Foreign packet (Out of State) State anomaly Periodic A foreign packet is a TCP packet that does not belong to any known connections. Tracked when TCP Profile for an SPP has Foreign Packet Validation enabled.

Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation

TCP profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > Select SPP Anomaly Drops Tab > Layer 4 > State
2 7 2007 State Anomalies: Outside window State anomaly Periodic Sequence number of a packet was outside the acceptable window. Tracked when TCP Profile for an SPP has Sequence Validation enabled.

Service Protection > TCP Profile > TCP Packets Validation > Sequence Validation.

TCP profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > Select SPP Anomaly Drops Tab > Layer 4 > State

2

11

2011

Session Table Out of Memory

Anomaly

Periodic

If the system-wide TCP Session table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops.

Global Protection > Settings > Out of Memory Mode: Drop | Bypass

None
2 12 2012 State Anomalies: State transition error State anomaly Periodic State of the TCP packet received was not consistent with the expected state. Tracked when TCP Profile for an SPP has State Transition Validation enabled.

Service Protection > TCP Profile > TCP Packets Validation > State Transition Anomalies Validation

TCP profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > State
2 13 2013 SPP Rule Deny ACL Periodic

SPP-based IPv4, IPv6, Geolocation, Service ACL drops.

Service Protection > Service Protection Policy > Service Protection Policy Rule > ACL

Monitor: DROPS MONITOR > SPP > Select SPP > ACL Drops Tab

2

14

2014

Legitimate IP: Out of memory

Anomaly

Periodic

If the system-wide Legitimate IP table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops.

Legitimate IP table should only be populated during SYN Floods when the source IP has been validated.

Global Protection > Settings > Out of Memory Mode: Drop | Bypass

None
2 16 2016 TCP zombie Flood Rate Flood Interrupt

Effective rate limit for the new-connections Threshold has been reached.

Note: this Threshold is set to maximum by System Recommendations to avoid rate-limiting new connections. You can add a manual Threshold if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > New Connections

Monitor: DROPS MONITOR > SPP > Select SPP > Flood Drops Tab > Layer 4 > Zombie Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Other Tab > New Connections graph

2 17 2017 TCP Port Flood Rate Flood Periodic

Effective rate limit for the port has been reached.

Note: Several TCP Ports like 80, 443 are set to system maximum (no thresholds) by System Recommendations. Other parameters (like the various SYN thresholds and Foreign Packet Validation) mitigate DDoS Floods to these Ports. You can add a Threshold for these ports if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > TCP Ports

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > TCP Ports

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Ports > TCP

2 18 2018 UDP Port Flood Rate Flood Periodic

Effective rate limit for the port has been reached.

Note: No Threshold is set for UDP 53 where DNS mitigations are expected to be used. You can add a Threshold if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > UDP Ports

Monitor: DROPS MONITOR > TRAFFIC MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > UDP Ports

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Ports > UDP

2 19 2019 ICMP Flood Rate Flood Periodic Effective rate limit for the ICMP Type/Code has been reached. Type/Codes will be rate-limited to the Threshold. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > ICMP Types and Codes

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: ICMP Types/Codes subgraph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Other Tab > ICMP

2 20 2020 Foreign Packets (Aggressive Aging and Slow Connections) State anomaly Periodic Foreign (out-of-state) Packets seen after Slow Connection Aggressive Aging (RST to server)

Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation

Service Protection > TCP Profile > TCP Session Settings > Aggressive Aging Feature Control > Slow TCP Connections

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab> Layer 4 > State graph
2 22 2022 Slow Connection: Source Flood Rate Flood Interrupt Slow connection attack detected and “Source blocking for slow connections” enabled. Source IP address is reported. Service Protection > TCP Profile > TCP Slow Connection Protection > Block Sources With Slow TCP Connections Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: Slow Connection subgraph
2 24 2024 TCP checksum error Header anomaly Periodic Invalid TCP checksum.

Service Protection > TCP Profile > Strict Anomalies TCP

Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: TCP Checksum Error subgraph
2 26 2026 ICMP checksum error Header anomaly Periodic Invalid ICMP checksum.

Service Protection > ICMP Profile > ICMP Strict Anomalies

ICMP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: ICMP Checksum Error subgraph
2 27 2027 TCP invalid flag combination Header anomaly Periodic Invalid TCP flag combination. If the urgent flag is set, then the urgent pointer must be non-zero. SYN, FIN or RST is set for fragmented packets, no flags, all flags and others.

Service Protection > TCP Profile > Strict Anomalies

TCP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header : TCP Invalid Flag Combination subgraph
2 28 2028 L4 anomalies Header anomaly Periodic Drops due to predefined Layer 4 header rules: Data offset is less than 5 for a TCP packet; EOP (End of packet) is detected before the 20 bytes of TCP header; EOP before the data offset indicated data offset; Length field in TCP window scale option is a value other than 3; Length field in TCP window scale option is a value other than 3: Missing UDP payload; Missing ICMP payload,TCP Option Anomaly based on Option Type; and others. SYN with Payload if SPP Option in TCP Profile is set.

Service Protection > TCP Profile >Strict Anomalies

Service Protection > TCP Profile > SYN with Payload Service Protection > ICMP Profile > Strict Anomalies

ICMP and TCP Profiles must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: Anomaly Detected subgraph
2 54 2054 ICMP Type/Code denied ACL Periodic Denied by an ICMP Profile TypeCode ACL

Service Protection > ICMP Profile > ICMP Type Code ACL ICMP

ICMP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 4 > Aggregate: ICMP Type/Code Denied Drops subgraph

2 56 2056 SYN Flood from source Rate Flood Interrupt

Effective rate limit for the syn-per-src threshold from a single Source IP has been reached. Source IP address is reported.

Note: No SYN Validation is done on SYN per Source Floods. The Source is rate-limited to the Threshold

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN Per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: SYN Per Source subgraph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN per Source

2 61 2061 Excessive Concurrent Connections Per Source Flood Rate Flood Interrupt Effective rate limit for the concurrent-connections-per-source threshold has been reached. Source IP address is reported. Per-Source Connections are rate-limited to the Threshold. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > Concurrent-Connections-per-Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > Concurrent Connection per Source

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 >Other Tab > Concurrent Connections per Source

2 62 2062 SYN per Destination Flood Rate Flood Interrupt

Effective rate limit for the SYN per Destination threshold has been reached.

Note:

1. Crossing the SYN per Destination Threshold initiates SYN validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking).

2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then alllowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN-per-Destination

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN per Destination

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN per Destination

2 63 2063 SYN/ACK flood in asymmetric mode Rate Flood Interrupt Drops caused by SYN-ACK over Threshold rate (in asymmetric mode only).

Global Deployment > Deployment: Asymmetric Mode AND Asymmetric Mode Allow Inbound Synack

SYN-ACK-per-Destination Threshold is set manually via Service Protection > Service Protection Policy (Select SPP) > Select Threshold tab: Select Scalars from drop-down: Create New or Select SYN-ACK-per-Destination.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN/ACK Flood

Monitor: TRAFFIC MONITOR > Layer3/4/7 > (Select SPP) > Layer 4 > SYN > SYN-ACK graph

2 64 2064 SYN/ACK Per Destination flood in asymmetric mode Rate Flood Interrupt Drops caused by SYN-ACK-per-Destination over Threshold rate (in asymmetric mode only). Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN/ACK Per Destination In Asymmetric Mode

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN/ACK per Destination Flood

Monitor: TRAFFIC MONITOR > Layer3/4/7 > (Select SPP) > Layer 4 > SYN > scroll to SYN-ACK-per-Destination graph

2 82 2082 DNS Query Flood from Source Rate Flood Periodic

Effective rate limit for the DNS-Query-per-Source threshold has been reached.

Note:

1. No Source Validation (Anti-Spoofing) is attempted for DNS Query per Source. Queries from Sources are rate-limited to the Threshold.

2. DNS Query per Source Threshold is not set by System Recommendations. A manual Threshold can be added if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS-Query-per-Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Query per Source

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS > Query per Source

2 83 2083 DNS Packet Track Flood from Source Rate Flood Periodic

Effective rate limit for the DNS-Packet-Track-per-Source (Suspicious Sources) threshold has been reached.

Note:

1. No Source Validation (Anti-Spoofing) is attempted for DNS Packet Track per Source (Suspicious Sources). Queries from Sources are rate-limited to the Threshold.

2. DNS Packet Track per Source (Suspicious Sources) Threshold is not set by System Recommendations. A manual Threshold can be added if desired.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Packet Track per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Suspicious Sources

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS > DNS Packet Track per Source

2 86 2086 Invalid ICMP Type/Code Header Anomaly Periodic Invalid ICMP Type/Code.

Service Protection > ICMP Profile > ICMP Type Code Anomaly

ICMP Profile must be assigned to an SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header > Invalid ICMPv4 Type/Code or Invalid ICMPv6 Type/Code
2 87 2087 HTTP Method Flood from source Rate Flood Interrupt Effective rate limit for the HTTP-Method-per-Source threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > HTTP Method Per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Method Per Source

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Method per Source

2 88 2088 GRE Header checksum error Header Anomaly Periodic Packet with GRE Header checksum error detected and dropped

Global > GRE Tunnel Endpoints must be configured.

Service Protection > IP Profile > IP Strict Anomalies

Monitor: SPP (select SPP) > Anomaly Drops tab > Layer 3
4 0 4000 HTTP Method Flood Rate Flood Interrupt Effective rate limit for a particular HTTP method threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > HTTP Methods

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Method Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Methods (Select Method from drop-down)

4 1 4001 Known HTTP Method Anomaly Header anomaly Periodic HTTP Known Method anomaly as defined in an HTTP Profile.

Service Protection > HTTP Profile > Known Method Anomaly

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Anomaly Drops Tab > HTTP > Known Method
4 2 4002 Invalid HTTP Version Anomaly Header anomaly Periodic Packets dropped due to the HTTP Profile version anomaly option

Service Protection > HTTP Profile > Version Anomaly

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Invalid HTTP Version
4 3 4003 URL denied ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > URL Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > URL: Packets Blocked

4 4 4004 URL Flood Rate Flood Periodic Effective rate limit for a particular URL threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > URLs

Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Flood Drops Tab > HTTP > URL Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > URLs

4 5 4005 Unknown HTTP Method Anomaly Header Anomaly Periodic HTTP Profile Unknown HTTP Method.

Service Protection > HTTP Profile > Unknown Method Anomaly

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Unknown Method
4 6 4006 HTTP L7 Host Flood Rate Flood Interrupt Effective rate limit for a particular Host threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Hosts

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Host Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Hosts

4 7 4007 HTTP L7 Host Deny ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > Host Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Hosts: Packets Blocked

4 8 4008 HTTP L7 Referer Flood Rate Flood Interrupt Effective rate limit for a particular Referer header threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Referers

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Referer Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Referers

4 9 4009 HTTP L7 Referer Deny ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > HTTP > Layer 7 > Referer Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Referers: Packets Blocked

4 10 4010 HTTP L7 Cookie Flood Rate Flood Interrupt Effective rate limit for a particular Cookie header threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Cookies

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Cookie Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Cookies

4 11 4011 HTTP L7 Cookie Deny ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > Cookie Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Cookies: Packets Blocked

4 12 4012 HTTP L7 User Agent Flood Rate Flood Interrupt Effective rate limit for a particular User-Agent threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > User Agents

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > User Agent Flood

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > User Agents

4 13 4013 HTTP L7 User Agent Deny ACL Periodic Denied by an HTTP Profile ACL rule.

Service Protection > HTTP Profile > HTTP Param ACL

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > User Agent Denied Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > User Agents: Packets Blocked

4 37 4037 DNS Fragment Deny ACL Periodic Denied by a DNS Profile DNS fragment option.

Service Protection > DNS Profile > DNS Fragment

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > DNS > Frag Drops
4 41 4041 DNS Rcode Flood Rate Flood Interrupt Effective rate limit for the DNS Rcode threshold has been reached. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > DNS Rcode

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Response Code Drop

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Response Code

4 42 4042 DNS Header Anomaly: Invalid Opcode DNS Anomaly Periodic Invalid value in the DNS OpCode field, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Op Code

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header
4 43 4043 DNS Header Anomaly: Illegal Flag Combination DNS Anomaly Periodic Invalid combination in the flags field, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Illegal Flag Combination

DNS Profile must be assigned to SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header
4 44 4044 DNS Header Anomaly: Same Source/ Destination Port DNS Anomaly Periodic DNS Header where Source Port == Destination Port == 53, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > SP,DP Both 53

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header
4 45 4045 DNS Query Anomaly: Query Bit Set DNS Anomaly Periodic (QR) bit set to 1, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit Set

DNS Profile must be assigned to SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query
4 46 4046 DNS Query Anomaly: RA Bit Set DNS Anomaly Periodic Recursion allowed (RA) bit set, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > RA Bit Set

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query
4 47 4047 DNS Query Anomaly: Null Query DNS Anomaly Periodic DNS query with count 0, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Null Query

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query
4 48 4048 DNS Query Anomaly: QD Count not One in query DNS Anomaly Periodic Question count not 1, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > DNS Query Anomaly: QD Count not One in query

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query
4 50 4050 DNS Reply Anomaly: Qclass in reply DNS Anomaly Periodic DNS response with QCLASS, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > QCLASS in Reply

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response
4 51 4051 DNS Reply Anomaly: Qtype in reply DNS Anomaly Periodic DNS response with a resource specifying a TYPE ID, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > QType in Reply

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response
4 52 4052 DNS Reply Anomaly: Query bit not set DNS Anomaly Periodic (QR) bit set to 0, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit not Set

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response
4 53 4053 DNS Reply Anomaly: QD count not 1 in response DNS Anomaly Periodic DNS Response where QD count is not 1, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > QDCOUNT not One in Response

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response
4 54 4054 DNS Buffer Overflow Anomaly: Message too long DNS Anomaly Periodic DNS Query or Response message that exceeds the maximum header length, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Message too Long/UDP Message too Long

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow
4 55 4055 DNS Buffer Overflow Anomaly: Name too long DNS Anomaly Periodic DNS name that exceeds 255 characters, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name too Long

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow
4 56 4056 DNS Buffer Overflow Anomaly: Label length too large DNS Anomaly Periodic Query or response with a label that exceeds the maximum length (63), selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Label Length too Large

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow
4 57 4057 DNS Exploit Anomaly: Pointer loop DNS Anomaly Periodic DNS message with a pointer that points beyond the end of data, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Pointer Loop

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 58 4058 DNS Exploit Anomaly: Zone Transfer DNS Anomaly Periodic An asynchronous Transfer Full Range (AXFR) request (QTYPE=252), selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Zone transfer

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Anomaly Drops Tab > DNS > Exploit
4 59 4059 DNS Exploit Anomaly: Class is not IN DNS Anomaly Periodic A query/response in which the question/resource address class is not IN, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Class not IN

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 60 4060 DNS Exploit Anomaly: Empty UDP message DNS Anomaly Periodic UDP DNS Query has no data, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Empty UDP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 61 4061 DNS Exploit Anomaly: Message ends prematurely DNS Anomaly Periodic DNS message ends before proper EOP info, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Message Ends Prematurely

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 62 4062 DNS Exploit Anomaly: TCP Buffer Underflow DNS Anomaly Periodic A query/response with less than two bytes of data specified in the two-byte prefix field, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Buffer Underflow

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit
4 63 4063 DNS Info Anomaly: DNS type all used DNS Anomaly Periodic DNS request with request type set to ALL (QTYPE=255), selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Info Anomaly enable

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Info
4 64 4064 DNS Data Anomaly: Invalid type class DNS Anomaly Periodic A query/response with TYPE or CLASS reserved values, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Class Type

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data
4 65 4065 DNS Data Anomaly: Extraneous data DNS Anomaly Periodic A query/response with excess data, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Extraneous Data

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data
4 66 4066 DNS Data Anomaly: TTL too long DNS Anomaly Periodic

TTL value is greater than 7 days, selected in DNS Profile.

Note: Some services (Yahoo Mail for example) have TTLs longer than 7 days. This Anomaly should remain disabled.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > TTL too Long

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data
4 67 4067 DNS Data Anomaly: Name length too short DNS Anomaly Periodic A query/response with a null DNS name or lacking a TLD, selected in DNS Profile.

Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name Length too Short

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data
4 68 4068 DNS UDP Unsolicited Response Rate Flood Periodic UDP Drops due to a response with no matching query, selected in DNS Profile.

Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Unsolicited DNS Response Drops
4 69 4069 DNS TCP Unsolicited Response Rate Flood Periodic TCP Drops due to a response with no matching query, selected in DNS Profile.

Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Unsolicited DNS Response Drops
4 71 4071 DNS DQRM Out of Memory Internal Periodic An issue with DQRM table internal logic or memory. Contact Fortinet.

None. Internal Table issue. Report to Fortinet.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Out of Memory Drops Tab > Layer 7 > DNS
4 72 4072 DNS UDP Response same direction Rate Flood Periodic Drops due to UDP DNS Response sent to port 53.

Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unsolicited DNS Response Drops
4 73 4073 DNS TCP Response same direction Rate Flood Periodic Drops due to TCP DNS Response sent to port 53

Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unsolicited DNS Response Drops
4 74 4074 DNS LQ: UDP Query Flood Rate Flood Periodic Drops due to LQ check during UDP DNS Query Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops
4 75 4075 DNS LQ: UDP Question Flood Rate Flood Periodic Drops due to LQ check during UDP DNS Question Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS > Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops
4 76 4076 DNS LQ: UDP Qtype All Flood Rate Flood Periodic UDP drops due to LQ check during UDP Qtype All (ANY/*) Flood, selected in DNS Profile.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)

DNS Profile must be assigned to SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops
4 78 4078 DNS LQ: UDP Qtype MX Flood Rate Flood Periodic Drops due to LQ check during UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ)

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops
4 81 4081 DNS TTL: UDP Query Flood Rate Flood Periodic Drops due to TTL check during UDP DNS Query Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops
4 82 4082 DNS TTL: UDP Question Flood Rate Flood Periodic Drops due to TTL check during UDP DNS Question Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops
4 83 4083 DNS TTL: UDP Qtype All Flood Rate Flood Periodic Drops due to TTL check during UDP DNS Qtype ALL (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops
4 85 4085 DNS TTL: UDP Qtype MX Flood Rate Flood Periodic Drops due to TTL check during UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops
4 87 4087 DNS Spoofed IP: UDP Query Flood drop during TC=1 check Rate Flood Periodic Drops due to TC=1 antispoofing check during UDP DNS Query Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 88 4088 DNS Spoofed IP: UDP Question Flood drop during TC=1 check Rate Flood Periodic Drops due to TC=1 antispoofing check during UDP DNS Question Flood

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 89 4089 DNS Spoofed IP: UDP Qtype All Flood drop during TC=1 check Rate Flood Periodic Drops due to TC=1 antispoofing check during UDP DNS Qtype All (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 91 4091 DNS Spoofed IP: UDP Qtype MX Flood drop during TC=1 check Rate Flood Periodic Drops due to TC=1 antispoofing check during UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 93 4093 DNS Spoofed IP: UDP Query Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP DNS Query Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 94 4094 DNS Spoofed IP: UDP Question Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP DNS Question Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 95 4095 DNS Spoofed IP: UDP Qtype All Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP DNS Qtype All (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 96 4096 DNS Spoofed IP: UDP Qtype Zone Transfer Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP DNS Qtype Zone Transfer Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 97 4097 DNS Spoofed IP: UDP Qtype MX Flood Drop during Retransmission Check Rate Flood Periodic Drops due to Retransmission antispoofing check during UDP Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops
4 99 4099 DNS Cache: UDP Query Flood Drop Due To Response From Cache Rate Flood Periodic DNS Query drops because the response was served from the cache during a UDP DNS Query Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 100 4100 DNS Cache: UDP Question Flood Drop Due To Response From Cache Rate Flood Periodic DNS Query drops because the response was served from the cache during a UDP DNS Question Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 101 4101 DNS Cache: UDP Qtype All Flood Drop Due To Response From Cache Rate Flood Periodic DNS Query drops because the response was served from the cache during a UDP DNS Qtype All (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 103 4103 DNS Cache: UDP Qtype MX Flood Drop Due To Response From Cache Rate Flood Periodic DNS Query drops because the response was served from the cache during a UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 105 4105 DNS Cache: UDP Query Flood Drop Due To No Response From Cache Rate Flood Periodic DNS Query drops because the response was not served from the cache during a UDP DNS Query Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 106 4106 DNS Cache: UDP Question Flood Drop Due To No Response From Cache Rate Flood Periodic DNS Query drops because the response was not served from the cache during a UDP DNS Question Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 107 4107 DNS Cache: UDP Qtype All Flood Drop Due To No Response From Cache Rate Flood Periodic DNS Query drops because the response was not served from the cache during a UDP DNS Qtype All (ANY/*) Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 109 4109 DNS Cache: UDP Qtype MX Flood Drop Due To No Response From Cache Rate Flood Periodic DNS Query drops because the response was not served from the cache during a UDP DNS Qtype MX Flood.

Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP

and

Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops
4 111 4111 DNS TCP Query Flood Rate Flood Interrupt Effective rate limit for the dns-query threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Query Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Query TCP Query

4 112 4112 DNS TCP Question Flood Rate Flood Interrupt Effective rate limit for the dns-question-count threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Question Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Question Count: TCP Question

4 113 4113 DNS TCP Fragment Flood Rate Flood Interrupt Effective rate limit for the dns-fragment threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Fragment TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Fragment Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > Fragment: TCP Fragment

4 114 4114 DNS TCP Zone Transfer Flood Rate Flood Interrupt Effective rate limit for the dns-zone-xfer threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Zone Transfer TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Zone Transfer Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > QType Zone Transfer: TCP Zone Transfer

4 115 4115 DNS TCP MX Flood Rate Flood Interrupt Effective rate limit for the dns-mx threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS MX Count TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP MX Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > QType MX: TCP MX

4 116 4116 DNS TCP All Flood Rate Flood Interrupt Effective rate limit for the dns-all threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS All TCP

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP ALL Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > Qtype All: TCP All

4 117 4117 DNS UDP Unexpected Query before Response Rate Flood Periodic UDP Drops due to DQRM duplicate query check (more than 3 identical Queries (Source, XID) per second).

Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unexpected Query Drops
4 118 4118 DNS TCP Unexpected Query before Response Rate Flood Periodic TCP Drops due to DQRM duplicate query check.

Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unexpected Query Drops
4 121 4121 DNS Resource Record Type Deny ACL Periodic DNS Query ACL drops due to Resource Record ACL

Service Protection > DNS Profile > DNS Feature Controls > DNS Resource Record Type ACL

DNS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > DNS > DNS Resource Record Type Drops
4 122 4122 DNS Query Anomaly: UDP Session Reuse Anomaly Periodic DNS UDP Query reuse session within one second

Service Protection > DNS Profile

Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Anomaly Drops Tab > DNS > Query
4 123 4123 DNS Query Blocked (Domain Reputation) ACL Periodic Drops from matching to FortiGuard Domain Reputation list

Service Protection > DNS Profile > Create new / Edit existing: DNS Feature Controls: Domain Reputation

System > FortiGuard: Domain Reputation Subscription and settings

Monitor: DROPS MONITOR > SPP > (Select SPP) > SPP (select SPP) > ACL Drops tab > Layer 7: DNS graph
4 201 4201 HTTP Header Range Present Anomaly Header anomaly Periodic Drops due to packets with a header range request.

Service Protection > HTTP Profile > Drop Range Header

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Range Present
4 203 4203 Incomplete HTTP Request Header anomaly Periodic Drops due to HTTP requests that do not end in the correct end-of-packet information.

Service Protection > HTTP Profile > Incomplete Request Action = Drop or Aggressive Aging

HTTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Incomplete HTTP Request
4 204 4204 SSL Renegotiation Anomaly Periodic Drop due to SSL/TLS Renegotiation Check

Service Protection > SSL/TLS Profile > Renegotiation Check

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Renegotiation
4 205 4205 NTP Request Flood Rate Flood Interrupt Rate Threshold for NTP Requests has been exceeded. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Request Flood

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Request Flood Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Request

4 206 4206 NTP Response Flood Rate Flood Interrupt Rate Threshold for NTP Responses has been exceeded. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Flood

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Response Flood Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Response

4 207 4207 NTP Broadcast Flood Rate Flood Interrupt Rate Threshold for NTP Broadcasts has been exceeded. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Broadcast Flood

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Broadcast Flood Drops

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Broadcast

4 208 4208 NTP Reflection ACL ACL Periodic Drops due to NTP Reflection Deny option. Blocks NTP Mode 6 (varlist) and Mode 7 (monlist) Queries or Responses.

Service Protection > NTP Profile > Reflection Deny

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > NTP > NTP Reflection ACL Drops
4 209 4209 NTP Version Anomaly NTP Header Anomaly Periodic NTP Version and Modes must match currently ratified versions (Version =1-4 and Mode >0 if Version =1).

Service Protection > NTP Profile > Version Anomaly Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header
4 210 4210 NTP Stratum Anomaly NTP Header Anomaly Periodic Stratum must be 1-16 (17-255 are invalid). If Stratum >2, Reference ID cannot be null/empty.

Service Protection > NTP Profile > Stratum Anomaly Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header
4 211 4211 NTP Data Length Anomaly NTP Header Anomaly Periodic Enforces minimum and maximum data lengths defined in NTP Versions 1-4.

Service Protection > NTP Profile > Data Length Anomaly Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header
4 212 4212 NTP Control Header Anomaly NTP Header Anomaly Periodic Examines Control Header for 10 different Anomalies and drops if seen.

Service Protection > NTP Profile > Control Header Anomalies Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header
4 213 4213 NTP Duplicate Request Before Response Anomaly Periodic Drops identical requests in a few seconds before a reply (mini-Flood).

Service Protection > NTP Profile > Retransmission Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State
4 214 4214 NTP Unsolicited Response Rate Flood treated like Anomaly Periodic Drops Responses where the Query was not recorded in NTP Response Matching (NRM) table. Use ONLY with symmetric traffic or asymmetric traffic where both links traverse FortiDDoS.

Service Protection > NTP Profile > Unsolicited Response Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State
4 215 4215 NTP State Anomalies: Sequence mismatch State Anomaly Periodic Drops Queries where Sequence number is incorrect. Normally only used when hosting NTP Servers

Service Protection > NTP Profile > Sequence Mismatch Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State
4 218 4218 NTP State Anomalies: Mode Mismatch State Anomaly Periodic Client Query/Server Response Modes do not match 1/2 or 3/4. If NTP Reflection ACL is not enabled, then also checks for Modes not matching 6/6 or 7/7. Anything other than the above mode pairs is dropped as mismatched.

Service Protection > NTP Profile > Mode Mismatch Check

NTP Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State
4 219 4219 NTP Response Per Destination Rate Flood Interrupt Rate Threshold for NTP Responses Per Destination has been exceeded. This indicates a reflected NTP Response Flood towards a single destination. Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Per Destination

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Response Per Destination Flood Drop

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Response per Destination

4 224 4224 SSL/TLS Protocol Anomaly Anomaly Periodic Drop due to SSL/TLS profile's Protocol Anomaly check

Service Protection > SSL/TLS Profile > Protocol Anomaly

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Protocol
4 225 4225 SSL/TLS Version Anomaly Anomaly Periodic Drop due to SSL/TLS profile's Version Anomaly check

Service Protection > SSL/TLS Profile > Version Anomaly

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Version
4 226 4226 SSL/TLS Cipher Anomaly Anomaly Periodic Drop due to SSL/TLS Profile Cipher Anomaly check

Service Protection > SSL/TLS Profile > Cipher Anomaly

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Cipher
4 227 4227 SSL/TLS Incomplete Request Anomaly Anomaly Periodic Drop due to SSL/TLS profile's Block Incomplete Request check

Service Protection > SSL/TLS Profile > Block Incomplete Request

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Incomplete Request
4 228 4228 SSL/TLS Incomplete Request: Source Flood Rate Flood Interrupt Drop due to SSL/TLS profile's Block Source With Incomplete Request

Service Protection > SSL/TLS Profile > Block Source With Incomplete Request

SSL/TLS Profile must be assigned to the SPP.

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > SSL > SSL/TLS Incomplete Request Source Flood
4 232 4232 DTLS Client Hello Flood from Source Rate flood Interrupt Drops due to DTLS Client Hello per Source Scalar Threshold Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars, Edit or Create new DTLS Client Hello per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS

4 233 4233 DTLS Server Hello Per Source Flood Rate flood Interrupt Effective rate limit for the DTLS Server Hello Per Source threshold has been reached Service Protection > Service Protection Policy > Thresholds > Scalars: DTLS Server Hello Per Source

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS

4 234 4234 DTLS Server Hello Flood per Destination Rate flood Interrupt Drops due to DTLS Server Hello per Destination Scalar Threshold Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DTLS Server Hello per Destination

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS

4 235 4235 DTLS State Anomalies: DTLS negotiation without verification Anomaly Periodic Drops from DTLS Protocol Check - incorrect DTLS Client/Server handshake (no Client Verification message).

Service Protection > DTLS Profile > Protocol Check (use with symmetric traffic only)

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DTLS graph
4 236 4236 DTLS Reflection ACL ACL Periodic Drops from Server Hello messages when no Client Hello was sent.

Service Protection > DTLS Profile > Reflection Deny (use with symmetric traffic only)

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DTLS graph

4 240 4240 DNS UDP Query Blocked (Blocklisted Domains) ACL Periodic DNS UDP Query or Response ACL Drops due to Blocklisted Domains, FQDN File Blocklist/Allowlist and FQDN List.

Service Protection > DNS Profile: DNS Feature Controls:

  • FQDN Control List Type

  • FQDN Files and

  • FQDN List

Monitor: DROPS MONITOR > SPP > (Select SPP) > Layer 7 > ACL Drops Tab: DNS graph

4 241 4241 DNS TCP Query Blocked (Blocklisted Domains) ACL Periodic DNS TCP Query or Response ACL Drops due to Blocklisted Domains, Domain Reputation, FQDN File Blocklist/Allowlist and FQDN List.

Service Protection > DNS Profile: DNS Feature Controls:

  • FQDN Control List Type

  • FQDN Files and

  • FQDN List

Monitor: DROPS MONITOR > SPP > (Select SPP) > Layer 7: ACL Drops Tab: DNS graph

4 242 4242 DNSSEC UDP Asymmetric Response Source Flood Rate Flood Interrupt Drops due to DNSSEC Response UDP Asymmetric Source Scalar Threshold.

Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Source Scalar Threshold

(DNSSEC Response per Source for asymmetric traffic)

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode)

4 243 4243 DNSSEC UDP Asymmetric Response Flood Rate Flood Interrupt Drops due to DNSSEC Response UDP Asymmetric Scalar Threshold.

Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Scalar Threshold

(DNSSEC aggregate Responses for asymmetric traffic)

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode)

4 244 4244 DNSSEC UDP Asymmetric Response Destination Flood Rate Flood Interrupt Drops due to DNSSEC Response UDP Destination Asymmetric Scalar Threshold.

Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Destination Scalar Threshold

(DNSSEC Response per Destination for asymmetric traffic)

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph

Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode)

4 245 4245 DNS UDP Header Anomaly: Missing Header Anomaly Periodic Drops due to packet to/from UDP Port 53 with no DNS header information.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: Header Anomaly: Incomplete DNS

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph

4 246 4246 DNS TCP Header Anomaly: Missing Header Anomaly Periodic Drops due to packet to/from TCP Port 53 with no DNS header information.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: Header Anomaly: Incomplete DNS

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph

4 247 4247 DNS UDP Data Anomaly - EDNS0 Multi Option Error Anomaly Periodic UDP Drops due to DNS Profile: Data Anomaly: Multiple OPT RR enabled.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: Data Anomaly: Multiple OPT RR

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph

4 248 4248 DNS TCP Data Anomaly - EDNS0 Multi Option Error Anomaly Periodic TCP Drops due to DNS Profile: Data Anomaly: Multiple OPT RR enabled.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: Data Anomaly: Multiple OPT RR

Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph

4 251 4251 DNSSEC UDP Unsolicited Response Flood Interrupt UDP DNSSEC Drops due to a response with no matching query.

Service Protection > DNS Profile: DNS Anomaly Feature Controls: DNSSEC Require Response After Query

Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph

4 252 4252 DNSSEC Deny ACL Periodic Drops due to Forbid DNSSEC feature option.

Service Protection > DNS Profile: DNS Feature Controls: Forbid DNSSEC

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DNS graph

4 285 4253 DNS Fragment Deny ACL Periodic Drops due to DNS Fragment feature option.

Service Protection > DNS Profile: DNS Feature Controls: DNS Fragment

Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DNS graph

DDoS Attack log Directionality for TCP

| Setup | Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP |
|---|---|---|---|---|---|---|---|
| SYN | Outbound | Inside | Outside | High | Low | Outbound | Inside |
| ACK | Inbound | Outside | Inside | Low | High | Outbound | Inside |
| SYN | Inbound | Outside | Inside | High | Low | Inbound | Inside |
| ACK | Outbound | Inside | Outside | Low | High | Inbound | Inside |
| SYN | Outbound | Inside | Outside | High | High | Outbound | Inside |
| ACK | Inbound | Outside | Inside | High | High | Outbound | Inside |
| SYN | Inbound | Outside | Inside | High | High | Inbound | Inside |
| ACK | Outbound | Inside | Outside | High | High | Inbound | Inside |
| SYN | Outbound | Inside | Outside | Low | Low | Outbound | Inside |
| ACK | Inbound | Outside | Inside | Low | Low | Outbound | Inside |
| SYN | Inbound | Outside | Inside | Low | Low | Inbound | Inside |
| ACK | Outbound | Inside | Outside | Low | Low | Inbound | Inside |

DDoS Attack log Directionality for UDP

| Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP |
|---|---|---|---|---|---|---|
| Outbound | Inside | Outside | High | Low | Outbound | Inside |
| Inbound | Outside | Inside | Low | High | Inbound | Inside |
| Inbound | Outside | Inside | High | Low | Inbound | Inside |
| Outbound | Inside | Outside | Low | High | Outbound | Inside |
| Outbound | Inside | Outside | High | High | Outbound | Inside |
| Inbound | Outside | Inside | High | High | Inbound | Inside |