Configuring reports

The report generator enables you to configure report profiles that can be run on demand or automatically according to a schedule you specify. The report generator is typically used to generate reports that can be distributed to subscribers or similar stakeholders who do not have administrative access to the FortiDDoS system. You can configure profiles that include system event data, DDoS attack data, or both.

Top attack categories are ranked by drop count (highest to lowest).

The following attack categories are available within any Report:

  • Top Attacks - Drop count by DDoS attack event type.
  • Top ACL Attacks - Drop count by ACL rules and Global ACL rules.
  • Top Attackers - Drop count by Source IP address.
  • Top Attacked Subnets - Drop count by Protected Subnet.
  • Top ACL Subnets - Drop count by ACLs associated with Protected Subnets.
  • Top Attacked Protocols - Drop count by Protocol.
  • Top Attacked TCP Ports - Drop count by TCP port.
  • Top Attacked UDP Ports - Drop count by UDP port.
  • Top Attacked ICMP Type Codes - Drop count by ICMP Type / Code.
  • Top Attacked HTTP URLs - Drop count by HTTP URL (hash index).
  • Top Attacked HTTP Methods - Drop count by HTTP method.
  • Top Attacked HTTP Hosts - Drop count by Host header (hash index).
  • Top Attacked HTTP Referers - Drop count by Referer header (hash index).
  • Top Attacked HTTP Cookies - Drop count by Cookie header (hash index).
  • Top Attacked HTTP User Agents - Drop count by User-Agent header (hash index).
  • Top Attacked HTTP Servers - Drop count by HTTP server IP address.
  • Top Attacked Destinations - Drop count by Destination IP address.
  • Top Attacked SPPs - Drop count by SPPs.
  • Top Attacked ACL SPPs - Drop count by ACL SPPs.
  • Top Attacked DNS Servers - Drop count by DNS server IP address (destination Port 53).
  • Top Attacked DNS Anomalies - Drop count due to anomalies by DNS server IP address (destination port 53).

Top Event Reports:

  • Top Successful Logins
  • Top Failed Logins

Before you begin:

  • You must have Read-Write permission for Log & Report settings.
  • You must have enabled local logging for system events if you want to generate system event reports.
  • If you intend to email reports, you must have configured Log & Report > Alert Email Settings.

To configure Reports:

  1. Go to Log & Report > Report Configuration and click Create New.
  2. Configure the Report according to the table below.

| Setting | Description |
|---|---|
| Name | Required. No spaces. |
| Report Title | Optional |
| Report Type | Global report type |
| DDos Event Subtype | Select at least one |
| Event Subtype | Optional |
| Format | Format of the report: HTML (report saved as a web page), PDF (report saved in PDF format), Word (report saved in RTF format) |
| Direction | Inbound (default) or outbound |
| Period | Last 7 days, last month, or last year |
| On Schedule | Enable if you want to make it a regular report. Schedule types: Daily (select the hour each day when you want the report to run), Weekdays (select the day(s) of the week when you want the report to run), Dates (select the day(s) of the month when you want the report to run), Hourly (report will run every hour 7x24) |
| Email settings | If you want to email the reports, complete the email fields: Email subject; Email body (optional); Email attachment name (optional); Recipient 1, 2, 3 (you will need to use aliases to send to more than 3 recipients) |

To configure with CLI:

    config log report
      edit DailyLastMonth
        set title "FortiDDoS Report"
        set ddos-event-subtype top_attacks top_acl_attacks top_attackers top_attacked_http_methods top_attacked_tcp_ports top_attacked_udp_ports top_attacked_icmp_type_codes
        set event-subtype top_successful_logins top_failed_logins
        set direction
        set period-relative
        set email-subject "Report_111"
        set email-body "This is a report generated by FortiDDoS"
        set email-attachname FDD_111_report
        set recipient1 admin@abc.com
      next
    end
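
An added example, not part of the Fortinet handbook: a Python check that parses a `config log report` block and flags profiles that break the constraints in the settings table (a name containing spaces, no DDoS event subtype) or that contain a `set` line with no value. The sample text is constructed from the CLI example above plus a hypothetical second profile, and the function names are this example's own.

```python
import shlex

# Constructed sample: the page's CLI profile plus a hypothetical invalid one.
SAMPLE = '''\
config log report
  edit DailyLastMonth
    set title "FortiDDoS Report"
    set ddos-event-subtype top_attacks top_acl_attacks top_attackers
    set event-subtype top_successful_logins top_failed_logins
    set direction
    set period-relative
    set recipient1 admin@abc.com
  next
  edit "Weekly Report"
    set title "No subtype"
  next
end
'''

def parse_report_profiles(text):
    """Return {profile_name: {key: [values]}} from a 'config log report' block."""
    profiles, current, in_block = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # honours the double-quoted values
        if not tokens:
            continue
        if tokens[:3] == ["config", "log", "report"]:
            in_block = True
        elif not in_block:
            continue  # ignore anything outside the report section
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = profiles.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            in_block = False
    return profiles

def audit(profiles):
    """Check each profile against the constraints in the settings table."""
    findings = []
    for name, settings in profiles.items():
        if " " in name:
            findings.append((name, "name contains spaces"))
        if not settings.get("ddos-event-subtype"):
            findings.append((name, "no DDoS event subtype selected"))
        findings += [(name, f"'set {k}' has no value")
                     for k, v in settings.items() if not v]
    return findings
```
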
