Fortinet black logo

Handbook

Home FortiDDoS-F 6.3.3 Handbook

Using the DDoS attack log table

6.3.3
7.0.0
6.6.3
6.6.3
6.6.1
6.6.0
6.5.1
6.5.0
6.4.1
6.4.0
6.3.3
6.3.2
6.3.1
6.2.3
6.2.2
6.2.1
6.2.0
6.1.1
Copy Link
Copy Doc ID 369dfb00-033f-11ed-bb32-fa163e15d75b:105908
Download PDF

Using the DDoS attack log table

The DDoS Attack Log table displays the attack event records for the selected SPP or All SPPs. The DDoS Attack Log table is updated every few seconds. It contains a maximum of 1 million events. If the number of events exceeds 1 million, the system deletes the 200,000 oldest events.

Before you begin:

  • You must have an administrator account with the System Admin option enabled.
To view and filter the log:
  1. Go to Log & Report > Log Access > Logs> DDoS Attack Log tab
  2. Use the check boxes to select the types of attack events to view.
  3. Click Filter Settings to display additional filter tools for Date (and Time), Direction, Source IP, Protected IP, Associated Port, Protocol, ICMP Type Code and SPP Policy.
  4. Click OK to apply the filter.

    5. You can apply multiple filters. They will each display in the filter area. You can clear any filter by clicking “X” in the filter description or all filters using the Clear All Filters button.

    Note: These filters are not persistent. If you leave the DDoS Attack Log page, they will be cleared.

Sample DDoS Attack Log table
[placholder screenshot]


DDoS Attack Log Fields

Column Example Description
Event ID 462380959

Log ID
Timestamp 2015-05-05 16:31:00

Log timestamp
SPP ID 0

SPP ID
Source IP 28.0.0.40

Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see Source tracking table).
Protected IP 74.255.0.253

Protected IP address.

  • For outbound traffic, Protected IP is the Source IP.
  • For inbound traffic, Protected IP is the Destination IP.
Direction Inbound

Direction: Inbound, Outbound.

  • For TCP, this is the direction of the session/connection.
  • For UDP, this is the direction of the packet.
Protocol 6/tcp

Protocol number/name if assigned.
The Protocol field may display a blank value if there is traffic from multiple protocols since FPGA does not report a specific protocol in this scenario.
ICMP type/code 0/8

ICMP type/code number
Event Type SYN flood

Event type
Associated port 69 Associated port number.
  • For TCP, this is the Associated Port of the session or connection (not the traffic direction). If the session originates or terminates on a 'service port' (<10000), all the traffic in any direction will be associated with that Port.
  • For UDP, this is the destination port in the direction of the traffic UNLESS the traffic originates or terminates on a 'service port' (<10000 or a defined UDP Service Port in Global Settings > Settings > UDP Service Ports). In this case, 'Associated Port' will show the service port, regardless of the traffic direction.
Drop Count 14

Packets dropped per this event.
Operating Mode Prevention

Prevention or Detection Mode depending on the SPP Setting when the log was generated.

Note: Since this indicator was not available prior to 5.2.0, any logs from dates prior to 5.2.0 installation will display “Prevention” no matter what the actual Mode was at that time.

Event Detail '500'

Reason string. This will be the hash index for HTTP.
Subnet ID 0

Subnet ID

Note: In the DDoS attack log, a table cell displays ”-” (hyphen or a blank) if data is not collected or invalid or multiple values for the same field occur in the same event.

The table displays most recent records first and the columns Event ID, Timestamp, SPP ID, Direction, Event Type and Drop Count. By default, the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (Default 1M, max 2M). To view the details of an Event, click the Preview icon at the right end of any line.

See Appendix A: DDoS Attack Log Reference for details on log categories and event types.

Previous
Next

Using the DDoS attack log table

The DDoS Attack Log table displays the attack event records for the selected SPP or All SPPs. The DDoS Attack Log table is updated every few seconds. It contains a maximum of 1 million events. If the number of events exceeds 1 million, the system deletes the 200,000 oldest events.

Before you begin:

  • You must have an administrator account with the System Admin option enabled.
To view and filter the log:
  1. Go to Log & Report > Log Access > Logs> DDoS Attack Log tab
  2. Use the check boxes to select the types of attack events to view.
  3. Click Filter Settings to display additional filter tools for Date (and Time), Direction, Source IP, Protected IP, Associated Port, Protocol, ICMP Type Code and SPP Policy.
  4. Click OK to apply the filter.

    5. You can apply multiple filters. They will each display in the filter area. You can clear any filter by clicking “X” in the filter description or all filters using the Clear All Filters button.

    Note: These filters are not persistent. If you leave the DDoS Attack Log page, they will be cleared.

Sample DDoS Attack Log table
[placholder screenshot]


DDoS Attack Log Fields

Column Example Description
Event ID 462380959

Log ID
Timestamp 2015-05-05 16:31:00

Log timestamp
SPP ID 0

SPP ID
Source IP 28.0.0.40

Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see Source tracking table).
Protected IP 74.255.0.253

Protected IP address.

  • For outbound traffic, Protected IP is the Source IP.
  • For inbound traffic, Protected IP is the Destination IP.
Direction Inbound

Direction: Inbound, Outbound.

  • For TCP, this is the direction of the session/connection.
  • For UDP, this is the direction of the packet.
Protocol 6/tcp

Protocol number/name if assigned.
The Protocol field may display a blank value if there is traffic from multiple protocols since FPGA does not report a specific protocol in this scenario.
ICMP type/code 0/8

ICMP type/code number
Event Type SYN flood

Event type
Associated port 69 Associated port number.
  • For TCP, this is the Associated Port of the session or connection (not the traffic direction). If the session originates or terminates on a 'service port' (<10000), all the traffic in any direction will be associated with that Port.
  • For UDP, this is the destination port in the direction of the traffic UNLESS the traffic originates or terminates on a 'service port' (<10000 or a defined UDP Service Port in Global Settings > Settings > UDP Service Ports). In this case, 'Associated Port' will show the service port, regardless of the traffic direction.
Drop Count 14

Packets dropped per this event.
Operating Mode Prevention

Prevention or Detection Mode depending on the SPP Setting when the log was generated.

Note: Since this indicator was not available prior to 5.2.0, any logs from dates prior to 5.2.0 installation will display “Prevention” no matter what the actual Mode was at that time.

Event Detail '500'

Reason string. This will be the hash index for HTTP.
Subnet ID 0

Subnet ID

Note: In the DDoS attack log, a table cell displays ”-” (hyphen or a blank) if data is not collected or invalid or multiple values for the same field occur in the same event.

The table displays most recent records first and the columns Event ID, Timestamp, SPP ID, Direction, Event Type and Drop Count. By default, the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (Default 1M, max 2M). To view the details of an Event, click the Preview icon at the right end of any line.

See Appendix A: DDoS Attack Log Reference for details on log categories and event types.

Previous
Next