Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.5.0
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Configuring reports

    Configuring reports

    The report generator enables you to configure report profiles that can be run on demand or automatically according to a schedule you specify. The report generator is typically used to generate reports that can be distributed to subscribers or similar stakeholders who do not have administrative access to the FortiDDoS system. You can configure profiles that include system event data, DDoS attack data, or both.

    Top attack categories are ranked by drop count (highest to lowest).

    Reports display the top 10 items in each table that are fewer than the top 20 shown in Dashboard > Top Attacks > SPP.

    Combining SPPs in one report will show the top 10 for the combined group.

    To show more information, create separate reports for mission-critical or low-rate SPPs like DNS servers.

    The following attack categories are available within any Report:

    • Top Attacks - Drop count by DDoS attack event type.
    • Top ACL Attacks - Drop count by ACL rules and Global ACL rules.
    • Top Attackers - Drop count by Source IP address.
    • Top Attacked Subnets - Drop count by Protected Subnet.
    • Top ACL Subnets - Drop count by ACLs associated with Protected Subnets.
    • Top Attacked Protocols - Drop count by Protocol.
    • Top Attacked TCP Ports - Drop count by TCP port.
    • Top Attacked UDP Ports - Drop count by UDP port.
    • Top Attacked ICMP Type Codes - Drop count by ICMP Type / Code.
    • Top Attacked HTTP URLs - Drop count by HTTP URL (hash index).
    • Top Attacked HTTP Methods - Drop count by HTTP method.
    • Top Attacked HTTP Hosts - Drop count by Host header (hash index).
    • Top Attacked HTTP Referers - Drop count by Referer header (hash index).
    • Top Attacked HTTP Cookies - Drop count by Cookie header (hash index).
    • Top Attacked HTTP User Agents - Drop count by User-Agent header (hash index).
    • Top Attacked HTTP Servers - Drop count by HTTP server IP address.
    • Top Attacked Destinations - Drop count by Destination IP address.
    • Top Attacked SPPs - Drop count by SPPs.
    • Top Attacked ACL SPPs - Drop count by ACL SPPs.
    • Top Attacked DNS Servers - Drop count by DNS server IP address (destination Port 53).
    • Top Attacked DNS Anomalies - Drop count due to anomalies by DNS server IP address (destination port 53).

    Top Event Reports:

    • Top Successful Logins
    • Top Failed Logins

    Before you begin:

    • You must have Read-Write permission for Log & Report settings.
    • You must have enabled local logging for system events if you want to generate system event reports.
    • If you intend to email reports, you must have configured Log & Report > Alert Email Settings.
    To configure Reports:
    1. Go to Log & Report > Report Configuration and click Create New.
    2. Configure the Report according to the table below.

    Setting

    Description
    Name Required. Characters a-Z and "-" or "_" only.
    Report Title Optional.
    Report Type

    Global or SPP.

    Global = all SPPs. Note: There is an extra Report option when Global is selected to include the Global ACL table.

    SPP = Selected (any/all) SPPs

    SPP Report Settings

    SPP

    Select an or all of the SPPs displayed in the right-hand menu to include in the report.

    Global and Common Report Settings
    DDos Event Subtype Select at least one.
    Event Subtype Optional.
    Format

    Format of the report:

    • HTML – Report saved as a web page
    • PDF - Report saved in PDF format
    • Word - Report saved in RTF format
    Direction Inbound (default) or outbound.

    Period

    Last:

    • Hour
    • 12 Hours
    • 24 Hours
    • 7 Days
    • 14 Days
    • 30 Days
    • 30 Days
    • Month
    • Year

    On Schedule

    Enable if you want to make it a regular report.

    Schedule types:

    • Daily — Select the hour each day when you want the report to run
    • Weekdays — Select the day(s) of the week when you want the report to run
    • Dates — Select the day(s) of the month when you want the report to run
    • Hourly — Report will run every hour 7x24

    On Threshold Violation

    When enabled and the aggregate drop count entered in the field for the selected SPP(s) or Global is exceeded, the Report will be generated for the last 5-minutes only. The intent of this Report is to alert users of differing sized attacks. While FortiDDoS is mitigating autonomously, users may want to know if they are seeing small, medium or large attacks. Set the drop Threshold in 3 different reports at perhaps 100,000, 1,000,000 and 10,000,000, for example.

    Email settings

    If you want to email the reports, complete the email fields:

    • Email subject
    • Email body (optional)
    • Email attachment name (optional)
    • Recipient 1, 2, 3 - you will need to use aliases to send to more than 3 recipients.

    To configure with CLI:

    config log report

    edit DailyLastMonth

    set title "FortiDDoS Report"

    set ddos-event-subtype top_attacks top_acl_attacks top_attackers

    top_attacked_http_methods top_attacked_tcp_ports top_attacked_udp_

    ports top_attacked_icmp_type_codes

    set event-subtype top_successful_logins top_failed_logins

    set direction

    set period-relative

    set email-subject "Report_111"

    set email-body "This is a report generated by FortiDDoS"

    set email-attachname FDD_111_report

    set recipient1 admin@abc.com

    next

    end
    Previous
    Next

    Configuring reports

    Configuring reports

    The report generator enables you to configure report profiles that can be run on demand or automatically according to a schedule you specify. The report generator is typically used to generate reports that can be distributed to subscribers or similar stakeholders who do not have administrative access to the FortiDDoS system. You can configure profiles that include system event data, DDoS attack data, or both.

    Top attack categories are ranked by drop count (highest to lowest).

    Reports display the top 10 items in each table that are fewer than the top 20 shown in Dashboard > Top Attacks > SPP.

    Combining SPPs in one report will show the top 10 for the combined group.

    To show more information, create separate reports for mission-critical or low-rate SPPs like DNS servers.

    The following attack categories are available within any Report:

    • Top Attacks - Drop count by DDoS attack event type.
    • Top ACL Attacks - Drop count by ACL rules and Global ACL rules.
    • Top Attackers - Drop count by Source IP address.
    • Top Attacked Subnets - Drop count by Protected Subnet.
    • Top ACL Subnets - Drop count by ACLs associated with Protected Subnets.
    • Top Attacked Protocols - Drop count by Protocol.
    • Top Attacked TCP Ports - Drop count by TCP port.
    • Top Attacked UDP Ports - Drop count by UDP port.
    • Top Attacked ICMP Type Codes - Drop count by ICMP Type / Code.
    • Top Attacked HTTP URLs - Drop count by HTTP URL (hash index).
    • Top Attacked HTTP Methods - Drop count by HTTP method.
    • Top Attacked HTTP Hosts - Drop count by Host header (hash index).
    • Top Attacked HTTP Referers - Drop count by Referer header (hash index).
    • Top Attacked HTTP Cookies - Drop count by Cookie header (hash index).
    • Top Attacked HTTP User Agents - Drop count by User-Agent header (hash index).
    • Top Attacked HTTP Servers - Drop count by HTTP server IP address.
    • Top Attacked Destinations - Drop count by Destination IP address.
    • Top Attacked SPPs - Drop count by SPPs.
    • Top Attacked ACL SPPs - Drop count by ACL SPPs.
    • Top Attacked DNS Servers - Drop count by DNS server IP address (destination Port 53).
    • Top Attacked DNS Anomalies - Drop count due to anomalies by DNS server IP address (destination port 53).

    Top Event Reports:

    • Top Successful Logins
    • Top Failed Logins

    Before you begin:

    • You must have Read-Write permission for Log & Report settings.
    • You must have enabled local logging for system events if you want to generate system event reports.
    • If you intend to email reports, you must have configured Log & Report > Alert Email Settings.
    To configure Reports:
    1. Go to Log & Report > Report Configuration and click Create New.
    2. Configure the Report according to the table below.

    Setting

    Description
    Name Required. Characters a-Z and "-" or "_" only.
    Report Title Optional.
    Report Type

    Global or SPP.

    Global = all SPPs. Note: There is an extra Report option when Global is selected to include the Global ACL table.

    SPP = Selected (any/all) SPPs

    SPP Report Settings

    SPP

    Select an or all of the SPPs displayed in the right-hand menu to include in the report.

    Global and Common Report Settings
    DDos Event Subtype Select at least one.
    Event Subtype Optional.
    Format

    Format of the report:

    • HTML – Report saved as a web page
    • PDF - Report saved in PDF format
    • Word - Report saved in RTF format
    Direction Inbound (default) or outbound.

    Period

    Last:

    • Hour
    • 12 Hours
    • 24 Hours
    • 7 Days
    • 14 Days
    • 30 Days
    • 30 Days
    • Month
    • Year

    On Schedule

    Enable if you want to make it a regular report.

    Schedule types:

    • Daily — Select the hour each day when you want the report to run
    • Weekdays — Select the day(s) of the week when you want the report to run
    • Dates — Select the day(s) of the month when you want the report to run
    • Hourly — Report will run every hour 7x24

    On Threshold Violation

    When enabled and the aggregate drop count entered in the field for the selected SPP(s) or Global is exceeded, the Report will be generated for the last 5-minutes only. The intent of this Report is to alert users of differing sized attacks. While FortiDDoS is mitigating autonomously, users may want to know if they are seeing small, medium or large attacks. Set the drop Threshold in 3 different reports at perhaps 100,000, 1,000,000 and 10,000,000, for example.

    Email settings

    If you want to email the reports, complete the email fields:

    • Email subject
    • Email body (optional)
    • Email attachment name (optional)
    • Recipient 1, 2, 3 - you will need to use aliases to send to more than 3 recipients.

    To configure with CLI:

    config log report

    edit DailyLastMonth

    set title "FortiDDoS Report"

    set ddos-event-subtype top_attacks top_acl_attacks top_attackers

    top_attacked_http_methods top_attacked_tcp_ports top_attacked_udp_

    ports top_attacked_icmp_type_codes

    set event-subtype top_successful_logins top_failed_logins

    set direction

    set period-relative

    set email-subject "Report_111"

    set email-body "This is a report generated by FortiDDoS"

    set email-attachname FDD_111_report

    set recipient1 admin@abc.com

    next

    end
    Previous
    Next