Appendix A: DDoS Attack Log Reference
The following table provides the description of the fields in the Log Reference table.
Fields and description
| Field | Description |
|---|---|
| Event code | 1 - Layer 3, 2 - Layer 4, 4 - Layer 7 |
| Subcode | Internal reference only. |
|
Trap Attack Type |
Attack Event identifier included in Attack SNMP Traps sent (instead of Event Name). |
| Event Name | Event Type in the web UI Attack Logs and Graphs, description field in syslog. |
| Category | Filter category in web UI Attack Logs. |
| Period | Interrupt: Rate Flood means the first event is logged within two minutes after the start of an attack and reported every minute thereafter. Periodic: Events other than Rate Flood means events are logged every 5 minutes. |
| Note: Source IP address is reported only for drops due to per-source thresholds. | |
|
Event code |
Sub code |
SNMP Trap attack type |
Event name |
Category |
Period |
Description |
Parameter |
Graph |
|---|---|---|---|---|---|---|---|---|
| 1 | 0 | 1000 | Protocol Flood | Rate Flood | Interrupt | Effective rate limit for the protocol (0-255) has been reached. Protocols are rate-limited at the Threshold. Protocols 6 (TCP) and 17 (UDP) do not normally have Thresholds. | Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Protocols |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Protocols Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Protocols Tab |
| 1 | 1 | 1001 | Other Protocols Fragment Flood | Rate Flood | Interrupt | Effective rate limit for fragments in Protocols other than TCP, UDP and DNS has been reached. Fragments are rate-limited at the Threshold. | Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > OTH Fragment | Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Other Fragmented Packets |
|
1 |
7 |
1007 |
Source Table Out of Memory |
Anomaly |
Periodic |
If the system-wide Source IP Address table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops. |
Global Protection > Settings > Out of Memory Mode: Drop | Bypass |
None |
| 1 | 8 | 1008 | Source Flood | Rate Flood | Interrupt | Effective rate limit for the most-active-source threshold has been reached. Source IP address is reported. | Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > Most Active Source |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Source Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Sources Tab > Most Active Source |
| 1 | 9 | 1009 | Destination Flood | Rate Flood | Interrupt | Effective rate limit for the most-active-destination threshold has been reached. Note: This Threshold is not set by System Recommendations. You may manually add a Threshold if desired. | Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds > Scalars > Most Active Destination |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Destinnation Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Sources Tab > Most Active Destination |
|
1 |
11 |
1011 |
Destination Table Out of Memory |
Anomaly |
Periodic |
If the system-wide Destination IP Address table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops. |
Global Protection > Settings > Out of Memory Mode: Drop | Bypass |
None |
| 1 | 14 | 1014 | IP Header checksum error | Header anomaly | Periodic | Invalid IP header checksum. | Service Protection > IP Profile > IP Strict Anomalies. IP Profile must be assigned to an SPP. | Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > IP Header Checksum |
| 1 | 15 | 1015 | Source IP==dest IP | Header anomaly | Periodic | Identical source and protected IP addresses (LAND attack). | Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. | Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > Source and Destination Address Match |
| 1 | 16 | 1016 | Source/dest IP==localhost | Header anomaly | Periodic | Source/destination address is the local host (loopback address spoofing). | Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. | Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 > Source/ Destination as Localhost |
| 1 | 17 | 1017 | L3 anomalies | Header anomaly | Periodic |
Drops due to predefined Layer 3 rules: - IP version other than IPv4 or IPv6. - EOP (End of Packet) before 20 bytes of IPv4 data. - EOP comes before the length specified by Total Length. - Reserved Flag set. - More Frag and Don't Frag Flags set. - Added Anomaly for DSCP and ECN. |
Service Protection > IP Profile > IP Strict Anomalies IP Profile must be assigned to an SPP. | Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 3 |
| 1 | 23 | 1023 | TCP Fragment Flood | Rate Flood | Interrupt |
Effective rate limit for the TCP fragment has been reached. Note: Use with care. Miss-configured clients can result in TCP fragmentation. Unless you are sure there can be no TCP Fragmentation, it is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds >Scalars > TCP Fragment |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Fragmented Packets Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > TCP Fragmented Packets |
| 1 | 24 | 1024 | UDP Fragment Flood | Rate Flood | Interrupt |
Effective rate limit for the UDP fragment has been reached. Note: Use with care. Miss-configured clients can result in UDP fragmentation. Unless you are sure there can be no UDP Fragmentation, it is better to use the UDP Fragment Threshold than an ACL. |
Service Protection > Service Protection Policy (List)> Service Protection Policy > Thresholds >Scalars > UDP Fragment |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 3 > Fragmented Packets Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets: UDP Fragmented Packets |
| 1 | 54 | 1054 | Other Protocols Fragment denied | ACL | Periodic |
Fragments for Protocols other than TCP, UDP, DNS, denied by an SPP IP Profile Fragment Check setting. Note: Use with care. Miss-configured clients can result in fragmentation for Protocols like GRE (47) and IPSEC (50). Unless you are sure there can be no Other Protocol Fragmentation, it is better to use the Other Protocol Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check > Other Protocol Fragment IP Profile must be assigned to an SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets: Other Fragmented Packets blocked |
|
1 |
59 |
1059 |
Denied: Geo-location |
ACL |
Periodic |
Denied packets based on Global Geolocation ACLs |
System > Address and Service > Address IPv4: add geolocation country object. If desired, System > Address and Service > AddressIPv4 Group and add geolocations objects. Global Protection > Access Control List: add Service objects above to ACL. Service Protection > (Select SPP): ACL. Create and add Service objects/groups from above |
Monitor: DROPS MONITOR > Global: ACL Tab (for Global ACLs) |
| 1 | 60 | 1060 | Denied: IP address | ACL | Periodic | Denied by Global Blocklist | Global Protection > Blocklist > Blocklisted IPv4 | Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Address Denied: Denied Address Drops |
| 1 | 61 | 1061 | Denied: IP Reputation | ACL | Periodic | Denied by the IP Reputation ACL based on IP Profile per SPP. |
IP Reputation is an optional subscription which must be current for this ACL to work. System > FortiGuard. For IP Reputation settings, subscription confirmation. Service Protection > IP Profile > IP Reputation categories to enable when that IP Profile is assigned to an SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Address Denied: IP Reputation Denied Drops |
| 1 | 63 | 1063 | Denied: IP Multicast | ACL | Periodic | Denied by IP profile per SPP. | Service Protection > IP Profile > IP Multicast Check IP Profile must be assigned to an SPP. | Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > IP Multicast Denied Drops |
| 1 | 64 | 1064 | Denied: Private IP | ACL | Periodic | Denied by IP profile per SPP. | Service Protection > IP Profile > IP Private Check IP Profile must be assigned to an SPP. | Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Private IP Denied Drops |
| 1 | 71 | 1071 | TCP Fragment denied | ACL | Periodic |
TCP Fragments denied by an SPP IP Profile Fragment Check setting. Note: Miss-configured clients can send TCP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check >TCP Fragment IP Profile must be assigned to an SPP. |
Monitor: DROPS MONITOR > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > TCP Fragmented Packets blocked |
| 1 | 72 | 1072 | UDP Fragment denied | ACL | Periodic |
UDP Fragments denied by an SPP IP Profile Fragment Check setting. Note: Miss-configured clients can send UDP Fragments. Use with care. It is better to use the TCP Fragment Threshold than an ACL. |
Service Protection > IP Profile > IP Fragment Check > UDP Fragment IP Profile must be assigned to an SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 3 > Fragmented Packet Denied Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 3 > Other Tab > Fragmented Packets > UDP Fragmented Packets blocked |
| 2 | 0 | 2000 | SYN Flood | Rate Flood | Interrupt |
Effective rate limit for the SYN Threshold has been reached. Note: 1. Crossing the SYN Threshold initiates SYN Validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking). 2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then allowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation. |
Service Protection > Service Protection Policy > Thresholds > Scalars >: SYN Service Protection > TCP Profile >TCP Packets Validation > SYN Validation. Note: If SYN Validation is not enabled no SYN validation nor rate limiting is done. |
Monitor: DROPS MONITOR > SPP > Select SPP > Flood Drops Tab > Layer 3 > SYN Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN |
|
2 |
2 |
2002 |
Global Rule Deny |
ACL |
Periodic |
Drops from any Global Protection > Access Control List entry |
System > Address and Service > Address IPv4: add IPv4, IPv6, Service or Group objects. Global Protection > Access Control List: add objects above to ACL. |
Monitor: DROPS MONITOR > Global: ACL Drops tab: ACL Rule Drops graph: ACL rule drop-down at top-right of graph |
| 2 | 6 | 2006 | State Anomalies: Foreign packet (Out of State) | State anomaly | Periodic | A foreign packet is a TCP packet that does not belong to any known connections. Tracked when TCP Profile for an SPP has Foreign Packet Validation enabled. |
Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation TCP profile must be assigned to an SPP. |
Monitor: DROPS MONITOR > SPP > Select SPP Anomaly Drops Tab > Layer 4 > State |
| 2 | 7 | 2007 | State Anomalies: Outside window | State anomaly | Periodic | Sequence number of a packet was outside the acceptable window. Tracked when TCP Profile for an SPP has Sequence Validation enabled. |
Service Protection > TCP Profile > TCP Packets Validation > Sequence Validation. TCP profile must be assigned to an SPP. |
Monitor: DROPS MONITOR > SPP > Select SPP Anomaly Drops Tab > Layer 4 > State |
|
2 |
11 |
2011 |
Session Table Out of Memory |
Anomaly |
Periodic |
If the system-wide TCP Session table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops. |
Global Protection > Settings > Out of Memory Mode: Drop | Bypass |
None |
| 2 | 12 | 2012 | State Anomalies: State transition error | State anomaly | Periodic | State of the TCP packet received was not consistent with the expected state. Tracked when TCP Profile for an SPP has State Transition Validation enabled. |
Service Protection > TCP Profile > TCP Packets Validation > State Transition Anomalies Validation TCP profile must be assigned to an SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > State |
| 2 | 13 | 2013 | SPP Rule Deny | ACL | Periodic |
SPP-based IPv4, IPv6, Geolocation, Service ACL drops. |
Service Protection > Service Protection Policy > Service Protection Policy Rule > ACL |
Monitor: DROPS MONITOR > SPP > Select SPP > ACL Drops Tab |
|
2 |
14 |
2014 |
Legitimate IP: Out of memory |
Anomaly |
Periodic |
If the system-wide Legitimate IP table overflows, packets bypass or are dropped by configuration option. Drops will be shown by this log. Correctly-sized and configured systems should not see these drops. Legitimate IP table should only be populated during SYN Floods when the source IP has been validated. |
Global Protection > Settings > Out of Memory Mode: Drop | Bypass |
None |
| 2 | 16 | 2016 | TCP zombie Flood | Rate Flood | Interrupt |
Effective rate limit for the new-connections Threshold has been reached. Note: this Threshold is set to maximum by System Recommendations to avoid rate-limiting new connections. You can add a manual Threshold if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > New Connections |
Monitor: DROPS MONITOR > SPP > Select SPP > Flood Drops Tab > Layer 4 > Zombie Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Other Tab > New Connections graph |
| 2 | 17 | 2017 | TCP Port Flood | Rate Flood | Periodic |
Effective rate limit for the port has been reached. Note: Several TCP Ports like 80, 443 are set to system maximum (no thresholds) by System Recommendations. Other parameters (like the various SYN thresholds and Foreign Packet Validation) mitigate DDoS Floods to these Ports. You can add a Threshold for these ports if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > TCP Ports |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > TCP Ports Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Ports > TCP |
| 2 | 18 | 2018 | UDP Port Flood | Rate Flood | Periodic |
Effective rate limit for the port has been reached. Note: No Threshold is set for UDP 53 where DNS mitigations are expected to be used. You can add a Threshold if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > UDP Ports |
Monitor: DROPS MONITOR > TRAFFIC MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > UDP Ports Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Ports > UDP |
| 2 | 19 | 2019 | ICMP Flood | Rate Flood | Periodic | Effective rate limit for the ICMP Type/Code has been reached. Type/Codes will be rate-limited to the Threshold. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > ICMP Types and Codes |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: ICMP Types/Codes subgraph Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Other Tab > ICMP |
| 2 | 20 | 2020 | Foreign Packets (Aggressive Aging and Slow Connections) | State anomaly | Periodic | Foreign (out-of-state) Packets seen after Slow Connection Aggressive Aging (RST to server) |
Service Protection > TCP Profile > TCP Packets Validation > Foreign Packet Validation Service Protection > TCP Profile > TCP Session Settings > Aggressive Aging Feature Control > Slow TCP Connections |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab> Layer 4 > State graph |
| 2 | 22 | 2022 | Slow Connection: Source Flood | Rate Flood | Interrupt | Slow connection attack detected and “Source blocking for slow connections” enabled. Source IP address is reported. | Service Protection > TCP Profile > TCP Slow Connection Protection > Block Sources With Slow TCP Connections | Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: Slow Connection subgraph |
|
2 |
23 |
2023 |
Possible UDP Reflection Flood |
Rate Flood |
Interrupt |
Possible UDP Flood FROM UDP Source Ports 1-9999 plus any added as UDP Service Ports in Service Protection Policies. |
Service Protection > Service Protection Policy (List)> Select SPP > Thresholds Tab > UDP Ports |
Monitor > TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > Ports Tab > UDP > Enter Port Number Monitor > DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > UDP Ports subgraph |
| 2 | 24 | 2024 | TCP checksum error | Header anomaly | Periodic | Invalid TCP checksum. |
Service Protection > TCP Profile > Strict Anomalies TCP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: TCP Checksum Error subgraph |
| 2 | 26 | 2026 | ICMP checksum error | Header anomaly | Periodic | Invalid ICMP checksum. |
Service Protection > ICMP Profile > ICMP Strict Anomalies ICMP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: ICMP Checksum Error subgraph |
| 2 | 27 | 2027 | TCP invalid flag combination | Header anomaly | Periodic | Invalid TCP flag combination. If the urgent flag is set, then the urgent pointer must be non-zero. SYN, FIN or RST is set for fragmented packets, no flags, all flags and others. |
Service Protection > TCP Profile > Strict Anomalies TCP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header : TCP Invalid Flag Combination subgraph |
| 2 | 28 | 2028 | L4 anomalies | Header anomaly | Periodic |
Drops due to predefined Layer 4 header rules: Data offset is less than 5 for a TCP packet; EOP (End of packet) is detected before the 20 bytes of TCP header; EOP before the data offset indicated data offset; Length field in TCP window scale option is a value other than 3; Length field in TCP window scale option is a value other than 3: Missing UDP payload; Missing ICMP payload; and TCP Option Anomaly based on Option Type. All the above are controlled by the SPP > Strict Anomalies checkbox. SYN with Payload, controlled by the SPP > SYN With Payload Direction checkboxes. |
Service Protection > TCP Profile >Strict Anomalies Service Protection > TCP Profile > SYN with Payload Service Protection > ICMP Profile > Strict Anomalies ICMP and TCP Profiles must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header: Anomaly Detected subgraph |
| 2 | 54 | 2054 | ICMP Type/Code denied | ACL | Periodic | Denied by an ICMP Profile TypeCode ACL |
Service Protection > ICMP Profile > ICMP Type Code ACL ICMP ICMP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 4 > Aggregate: ICMP Type/Code Denied Drops subgraph |
| 2 | 56 | 2056 | SYN Flood from source | Rate Flood | Interrupt |
Effective rate limit for the syn-per-src threshold from a single Source IP has been reached. Source IP address is reported. Note: No SYN Validation is done on SYN per Source Floods. The Source is rate-limited to the Threshold |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN Per Source |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4: SYN Per Source subgraph Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN per Source |
| 2 | 61 | 2061 | Excessive Concurrent Connections Per Source Flood | Rate Flood | Interrupt | Effective rate limit for the concurrent-connections-per-source threshold has been reached. Source IP address is reported. Per-Source Connections are rate-limited to the Threshold. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > Concurrent-Connections-per-Source |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > Concurrent Connection per Source Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 >Other Tab > Concurrent Connections per Source |
| 2 | 62 | 2062 | SYN per Destination Flood | Rate Flood | Interrupt |
Effective rate limit for the SYN per Destination threshold has been reached. Note: 1. Crossing the SYN per Destination Threshold initiates SYN validation of the Source IPs. If TCP Profile > SYN Validation is not enabled, no SYN Validation will be done over-threshold (no SYN or Source blocking). 2. SYN Validation reports SYNs initially dropped by the system while validating the Sources. Valid Sources are then alllowed to exceed the SYN per Destination Threshold. Check the SYN per Destination graph, and Established Connections graph to view how many SYNs and Connections are allowed after validation. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN-per-Destination |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN per Destination Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 4 > SYN per Destination |
| 2 | 63 | 2063 | SYN/ACK flood in asymmetric mode | Rate Flood | Interrupt | Drops caused by SYN-ACK over Threshold rate (in asymmetric mode only) | Global Deployment > Deployment: Asymmetric Mode AND Asymmetric Mode Allow Inbound Synack SYN-ACK-per-Destination Threshold is set manually via Service Protection > Service Protection Policy (Select SPP) > Select Threshold tab: Select Scalars from drop-down: Create New or Select SYN-ACK-per-Destination. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN/ACK Flood Monitor: TRAFFIC MONITOR > Layer3/4/7 > (Select SPP) > Layer 4 > SYN > SYN-ACK graph |
| 2 | 64 | 2064 | SYN/ACK Per Destination flood in asymmetric mode | Rate Flood | Interrupt | Drops caused by SYN-ACK-per-Destination over Threshold rate (in asymmetric mode only) | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > SYN/ACK Per Destination In Asymmetric Mode | Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 4 > SYN/ACK per Destination Flood Monitor: TRAFFIC MONITOR > Layer3/4/7 > (Select SPP) > Layer 4 > SYN > scroll to SYN-ACK-per-Destination graph |
| 2 | 82 | 2082 | DNS Query Flood from Source | Rate Flood | Periodic |
Effective rate limit for the DNS-Query-per-Source threshold has been reached. Note: 1. No Source Validation (Anti-Spoofing) is attempted for DNS Query per Source. Queries from Sources are rate-limited to the Threshold. 2. DNS Query per Source Threshold is not set by System Recommendations. A manual Threshold can be added if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS-Query-per-Source |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Query per Source Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS > Query per Source |
| 2 | 83 | 2083 | DNS Packet Track Flood from Source | Rate Flood | Periodic |
Effective rate limit for the DNS-Packet-Track-per-Source (Suspicious Sources) threshold has been reached. Note: 1. No Source Validation (Anti-Spoofing) is attempted for DNS Packet Track per Source (Suspicious Sources). Queries from Sources are rate-limited to the Threshold. 2. DNS Packet Track per Source (Suspicious Sources) Threshold is not set by System Recommendations. A manual Threshold can be added if desired. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS Packet Track per Source |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Suspicious Sources Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS > DNS Packet Track per Source |
| 2 | 86 | 2086 | Invalid ICMP Type/Code | Header Anomaly | Periodic | Invalid ICMP Type/Code. |
Service Protection > ICMP Profile > ICMP Type Code Anomaly ICMP Profile must be assigned to an SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 4 > Header > Invalid ICMPv4 Type/Code or Invalid ICMPv6 Type/Code |
| 2 | 87 | 2087 | HTTP Method Flood from source | Rate Flood | Interrupt | Effective rate limit for the HTTP-Method-per-Source threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > HTTP Method Per Source |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Method Per Source Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Method per Source |
|
2 |
88 |
2088 |
GRE Header checksum error |
Header Anomaly |
Periodic |
Packet with GRE Header checksum error detected and dropped |
Global > GRE Tunnel Endpoints must be configured. Service Protection > IP Profile> IP Strict Anomalies |
Monitor: SPP (select SPP) > Anomaly Drops tab > Layer 3 |
| 4 | 0 | 4000 | HTTP Method Flood | Rate Flood | Interrupt | Effective rate limit for a particular HTTP method threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > HTTP Methods |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Method Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Methods (Select Method from drop-down) |
| 4 | 1 | 4001 | Known HTTP Method Anomaly | Header anomaly | Periodic | HTTP Known Method anomaly as defined in an HTTP Profile. |
Service Protection > HTTP Profile > Known Method Anomaly HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 >Anomaly Drops Tab > HTTP > Known Method |
| 4 | 2 | 4002 | Invalid HTTP Version Anomaly | Header anomaly | Periodic | Packets dropped due to the HTTP Profile version anomaly option |
Service Protection > HTTP Profile > Version Anomaly HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Invalid HTTP Version |
| 4 | 3 | 4003 | URL denied | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > URL Denied Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > URL: Packets Blocked |
| 4 | 4 | 4004 | URL Flood | Rate Flood | Periodic | Effective rate limit for a particular URL threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > URLs |
Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Flood Drops Tab > HTTP > URL Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > URLs |
| 4 | 5 | 4005 | Unknown HTTP Method Anomaly | Header Anomaly | Periodic | HTTP Profile Unknown HTTP Method. |
Service Protection > HTTP Profile > Unknown Method Anomaly HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Unknown Method |
| 4 | 6 | 4006 | HTTP L7 Host Flood | Rate Flood | Interrupt | Effective rate limit for a particular Host threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Hosts |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Host Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Hosts |
| 4 | 7 | 4007 | HTTP L7 Host Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > Host Denied Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Hosts: Packets Blocked |
| 4 | 8 | 4008 | HTTP L7 Referer Flood | Rate Flood | Interrupt | Effective rate limit for a particular Referer header threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Referers |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Referer Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Referers |
| 4 | 9 | 4009 | HTTP L7 Referer Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > HTTP > Layer 7 > Referer Denied Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Referers: Packets Blocked |
| 4 | 10 | 4010 | HTTP L7 Cookie Flood | Rate Flood | Interrupt | Effective rate limit for a particular Cookie header threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Cookies |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > Cookie Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Cookies |
| 4 | 11 | 4011 | HTTP L7 Cookie Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > Cookie Denied Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > Cookies: Packets Blocked |
| 4 | 12 | 4012 | HTTP L7 User Agent Flood | Rate Flood | Interrupt | Effective rate limit for a particular User-Agent threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > User Agents |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > HTTP > User Agent Flood Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > User Agents |
| 4 | 13 | 4013 | HTTP L7 User Agent Deny | ACL | Periodic | Denied by an HTTP Profile ACL rule. |
Service Protection > HTTP Profile > HTTP Param ACL HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > HTTP > User Agent Denied Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > HTTP > User Agents: Packets Blocked |
| 4 | 37 | 4037 | DNS Fragment Deny | ACL | Periodic | Denied by an DNS Profile DNS fragment option | Service Protection > DNS Profile > DNS Fragment | Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > DNS > Frag Drops |
| 4 | 41 | 4041 | DNS Rcode Flood | Rate Flood | Interrupt | Effective rate limit for the DNS Rcode threshold has been reached. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > DNS Rcode |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Response Code Drop Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Response Code |
| 4 | 42 | 4042 | DNS Header Anomaly: Invalid Opcode | DNS Anomaly | Periodic | Invalid value in the DNS OpCode field., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Op Code DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header |
| 4 | 43 | 4043 | DNS Header Anomaly: Illegal Flag Combination | DNS Anomaly | Periodic | Invalid combination in the flags field., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Illegal Flag Combination
DNS Profile must be assigned to SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header |
| 4 | 44 | 4044 | DNS Header Anomaly: Same Source/ Destination Port | DNS Anomaly | Periodic | DNS Header where Source Port==Destination Port == 53., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > SP,DP Both 53 DNS Profile must be assigned tothe SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Header |
| 4 | 45 | 4045 | DNS Query Anomaly: Query Bit Set | DNS Anomaly | Periodic | (QR) bit set to 1., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit Set DNS Profile must be assigned to SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query |
| 4 | 46 | 4046 | DNS Query Anomaly: RA Bit Set | DNS Anomaly | Periodic | Recursion allowed (RA) bit set., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > RA Bit Set DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query |
| 4 | 47 | 4047 | DNS Query Anomaly: Null Query | DNS Anomaly | Periodic | DNS query with count 0., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Null Query DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query |
| 4 | 48 | 4048 | DNS Query Anomaly: QD Count not One in query | DNS Anomaly | Periodic | Question count not 1., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > DNS Query Anomaly: QD Count not One in query DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Query |
| 4 | 50 | 4050 | DNS Reply Anomaly: Qclass in reply | DNS Anomaly | Periodic | DNS response with QCLASS., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > QCLASS in Reply DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response |
| 4 | 51 | 4051 | DNS Reply Anomaly: Qtype in reply | DNS Anomaly | Periodic | DNS response with a resource specifying a TYPE ID., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > QType in Reply DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response |
| 4 | 52 | 4052 | DNS Reply Anomaly: Query bit not set | DNS Anomaly | Periodic | (QR) bit set to 0., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Query Bit not Set DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response |
| 4 | 53 | 4053 | DNS Reply Anomaly: QD count not 1 in response | DNS Anomaly | Periodic | DNS Response where QD count is not 1., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > QDCOUNT not One in Response DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Response |
| 4 | 54 | 4054 | DNS Buffer Overflow Anomaly: Message too long | DNS Anomaly | Periodic | DNS Query or Response message that exceeds the maximum header length., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Message too Long/UDP Message too Long DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow |
| 4 | 55 | 4055 | DNS Buffer Overflow Anomaly: Name too long | DNS Anomaly | Periodic | DNS name that exceeds 255 characters., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name too Long DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow |
| 4 | 56 | 4056 | DNS Buffer Overflow Anomaly: Label length too large | DNS Anomaly | Periodic | Query or response with a label that exceeds the maximum length (63)., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Label Length too Large DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Buffer Overflow |
| 4 | 57 | 4057 | DNS Exploit Anomaly: Pointer loop | DNS Anomaly | Periodic | DNS message with a pointer that points beyond the end of data., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Pointer Loop DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit |
| 4 | 58 | 4058 | DNS Exploit Anomaly: Zone Transfer | DNS Anomaly | Periodic | An asynchronous Transfer Full Range (AXFR) request (QTYPE=252)., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Zone transfer DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Anomaly Drops Tab > DNS > Exploit |
| 4 | 59 | 4059 | DNS Exploit Anomaly: Class is not IN | DNS Anomaly | Periodic | A query/response in which the question/resource address class is not IN., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Class not IN DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit |
| 4 | 60 | 4060 | DNS Exploit Anomaly: Empty UDP message | DNS Anomaly | Periodic | UDP DNS Query has no data., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Empty UDP DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit |
| 4 | 61 | 4061 | DNS Exploit Anomaly: Message ends prematurely | DNS Anomaly | Periodic | DNS message ends before proper EOP info., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Message Ends Prematurely DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit |
| 4 | 62 | 4062 | DNS Exploit Anomaly: TCP Buffer Underflow | DNS Anomaly | Periodic | A query/response with less than two bytes of data specified in the two-byte prefix field., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > TCP Buffer Underflow DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Exploit |
| 4 | 63 | 4063 | DNS Info Anomaly: DNS type all used | DNS Anomaly | Periodic | DNS request with request type set to ALL (QTYPE=255)., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Info Anomaly enable DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Info |
| 4 | 64 | 4064 | DNS Data Anomaly: Invalid type class | DNS Anomaly | Periodic | A query/response with TYPE or CLASS reserved values., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Invalid Class Type DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data |
| 4 | 65 | 4065 | DNS Data Anomaly: Extraneous data | DNS Anomaly | Periodic | A query/response with excess data., selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Extraneous Data DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data |
| 4 | 66 | 4066 | DNS Data Anomaly: TTL too long | DNS Anomaly | Periodic |
TTL value is greater than 7 days, selected in DNS Profile. Note: Some services (Yahoo Mail for example) have TTLs longer than 7 days. This Anomaly should remain disabled. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > TTL too Long DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data |
| 4 | 67 | 4067 | DNS Data Anomaly: Name length too short | DNS Anomaly | Periodic | A query/response with a null DNS name or lacking a TLD, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Anomaly Feature Controls > Name Length too Short DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > DNS > Data |
| 4 | 68 | 4068 | DNS UDP Unsolicited Response | Rate Flood | Periodic | UDP Drops due to a response with no matching query, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries (DQRM) DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Unsolicited DNS Response Drops |
| 4 | 69 | 4069 | DNS TCP Unsolicited Response | Rate Flood | Periodic | TCP Drops due to a response with no matching query, selected in DNS Profile. |
Service Protection > DNS Profile > DNS Feature Controls >Match Response With Queries (DQRM)
DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Unsolicited DNS Response Drops |
| 4 | 71 | 4071 | DNS DQRM Out of Memory | Internal | Periodic | An issue with DQRM table internal logic or memory. Contact Fortinet. | None. Internal Table issue. Report to Fortinet. | Monitor: DROPS MONITOR > SPP > (Select SPP) > Out of Memory Drops Tab > Layer 7 > DNS |
| 4 | 72 | 4072 | DNS UDP Response same direction | Rate Flood | Periodic | Drops due to UDP DNS Response sent to port 53. |
Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries(DQRM) DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unsolicited DNS Response Drops |
| 4 | 73 | 4073 | DNS TCP Response same direction | Rate Flood | Periodic | Drops due to TCP DNS Response sent to port 53 |
Service Protection > DNS Profile > DNS Feature Controls > Match Response With Queries(DQRM) DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unsolicited DNS Response Drops |
| 4 | 74 | 4074 | DNS LQ: UDP Query Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS QG88:G94uery Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood (LQ) DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops |
| 4 | 75 | 4075 | DNS LQ: UDP Question Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS Question Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS > Question Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood(LQ) DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops |
| 4 | 76 | 4076 | DNS LQ: UDP Qtype All Flood | Rate Flood | Periodic | UDP drops due to LQ check during UDP Qtype All (ANY/*) Flood, selected in DNS Profile. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood(LQ) DNS Profile must be assigned to SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops |
| 4 | 78 | 4078 | DNS LQ: UDP Qtype MX Flood | Rate Flood | Periodic | Drops due to LQ check during UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Allow Only Valid Queries Under Flood(LQ) DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: LQ Drops |
| 4 | 81 | 4081 | DNS TTL: UDP Query Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Query Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query UDP and Service Protection > DNS Profile > DNS Feature Controls >Validate TTL For Queries From The Same IP DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops |
| 4 | 82 | 4082 | DNS TTL: UDP Question Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Question Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP and Service Protection > DNS Profile > DNS Feature Controls >Validate TTL For Queries From The Same IP DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops |
| 4 | 83 | 4083 | DNS TTL: UDP Qtype All Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Qtype ALL (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP and Service Protection > DNS Profile > DNS Feature Controls >Validate TTL For Queries From The Same IP DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops |
| 4 | 85 | 4085 | DNS TTL: UDP Qtype MX Flood | Rate Flood | Periodic | Drops due to TTL check during UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNSMX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Validate TTL For Queries From The Same IP DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: TTL Drops |
| 4 | 87 | 4087 | DNS Spoofed IP: UDP Query Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Query Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 88 | 4088 | DNS Spoofed IP: UDP Question Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Question Flood |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP and Service Protection > DNS Profile > DNS Feature Controls >Flood Mitigation Mode: TC Equal One DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 89 | 4089 | DNS Spoofed IP: UDP Qtype All Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Qtype All (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP and Service Protection > DNS Profile > DNS Feature Controls >Flood Mitigation Mode: TC Equal One DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 91 | 4091 | DNS Spoofed IP: UDP Qtype MX Flood drop during TC=1 check | Rate Flood | Periodic | Drops due to TC=1 antispoofing check during UDP DNS Qtype MXFlood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: TC Equal One DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 93 | 4093 | DNS Spoofed IP: UDP Query Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Query Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls >Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 94 | 4094 | DNS Spoofed IP: UDP Question Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Question Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS Question Count UDP and Service Protection > DNS Profile > DNS Feature Controls >Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 95 | 4095 | DNS Spoofed IP: UDP Qtype All Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Qtype All (ANT/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS All UDP and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 96 | 4096 | DNS Spoofed IP: UDP Qtype Zone Transfer Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP DNS Qtype Zone Transfer Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >Scalars > DNS Query UDP and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 97 | 4097 | DNS Spoofed IP: UDP Qtype MX Flood Drop during Retransmission Check | Rate Flood | Periodic | Drops due to Retransmission antispoofing check during UDP Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Flood Mitigation Mode: Retransmission DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Spoofed IP Drops |
| 4 | 99 | 4099 | DNS Cache: UDP Query Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Query Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops |
| 4 | 100 | 4100 | DNS Cache: UDP Question Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNA Question Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP and Service Protection > DNS Profile > DNS Feature Controls >Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops |
| 4 | 101 | 4101 | DNS Cache: UDP Qtype All Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Qtype All (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops |
| 4 | 103 | 4103 | DNS Cache: UDP Qtype MX Flood Drop Due To Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was served from the cache during a UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops |
| 4 | 105 | 4105 | DNS Cache: UDP Query Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Query Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS UDP Query and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops |
| 4 | 106 | 4106 | DNS Cache: UDP Question Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Question Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Question Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops |
| 4 | 107 | 4107 | DNS Cache: UDP Qtype All Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query drops because the response was not served from the cache during a UDP DNS Qtype All (ANY/*) Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS All UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops |
| 4 | 109 | 4109 | DNS Cache: UDP Qtype MX Flood Drop Due To No Response From Cache | Rate Flood | Periodic | DNS Query dropss because the response was not served from the cache during a UDP DNS Qtype MX Flood. |
Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS MX Count UDP and Service Protection > DNS Profile > DNS Feature Controls > Generate Response From Cache Under Flood DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS: Cache Drops |
| 4 | 111 | 4111 | DNS TCP Query Flood | Rate Flood | Interrupt | Effective rate limit for the dns-query threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > DNS Query TCP |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Query Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Query TCP Query |
| 4 | 112 | 4112 | DNS TCP Question Flood | Rate Flood | Interrupt | Effective rate limit for the dns-question-count threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds >> Scalars > DNS Question Count TCP |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Question Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > DNS Question Count: TCP Question |
| 4 | 113 | 4113 | DNS TCP Fragment Flood | Rate Flood | Interrupt | Effective rate limit for the dns-fragment threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Fragment TCP |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Fragment Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > Fragment: TCP Fragment |
| 4 | 114 | 4114 | DNS TCP Zone Transfer Flood | Rate Flood | Interrupt | Effective rate limit for the dns-zone-xfer threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS Zone Transfer TCP |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP Zone Transfer Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > QType Zone Transfer: TCP Zone Transfer |
| 4 | 115 | 4115 | DNS TCP MX Flood | Rate Flood | Interrupt | Effective rate limit for the dns-mx threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS MX Count TCP |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP MX Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > QType MX: TCP MX |
| 4 | 116 | 4116 | DNS TCP All Flood | Rate Flood | Interrupt | Effective rate limit for the dns-all threshold has been reached. Queries are rate-limited with no Query validations. Source validation is done at Layer 4. | Service Protection > Service Protection Policy > Service Protection Policy Rule > Thresholds > Scalars > DNS All TCP |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > TCP ALL Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DNS > Qtype All: TCP All |
| 4 | 117 | 4117 | DNS UDP Unexpected Query before Response | Rate Flood | Periodic | UDP Drops due to DQRM duplicate query check (more then 3 identical Queries (Source, XID) per second |
Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unexpected Query Drops |
| 4 | 118 | 4118 | DNS TCP Unexpected Query before Response | Rate Flood | Periodic | TCP Drops due to DQRM duplicate query check. |
Service Protection > DNS Profile > DNS Feature Controls > Duplicate Query Check DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > DNS > Unexpected Query Drops |
| 4 | 121 | 4121 | DNS Resource Record Type Deny | ACL | Periodic | DNS Query ACL drops due to Resource Record ACL |
Service Protection > DNS Profile > DNS Feature Controls > DNS Resource Record Type ACL DNS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > DNS > DNS Resource Record Type Drops |
| 4 | 122 | 4122 | DNS Query Anomaly: UDP Session Reuse | Anomaly | Periodic | DNS UDP Query reuse session within one second | Service Protection > DNS Profile | Monitor: DROPS MONITOR > SPP > (Select SPP) > L7 > Anomaly Drops Tab > DNS > Query |
| 4 | 123 | 4123 | DNS Query Blocked (Domain Reputation) | ACL | Periodic | Drops from matching to FortiGuard Domain Reputation list |
Service Protection > DNS Profile > Create new / Edit existing: DNS Feature Controls: Domain Reputation System > FortiGuard: Domain Reputation Subscription and settings |
Monitor: DROPS MONITOR > SPP > (Select SPP) > SPP (select SPP) > ACL Drops tab > Layer 7: DNS graph |
| 4 | 201 | 4201 | HTTP Header Range Present Anomaly | Header anomaly | Periodic | Drops due to packets with a header range request. |
Service Protection > HTTP Profile > Drop Range Header HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Range Present |
| 4 | 203 | 4203 | Incomplete HTTP Request | Header anomaly | Periodic | Drops due to HTTP requests that do not end in the correct end-of-packet information. |
Service Protection > HTTP Profile > Incomplete Request Action = Drop or Aggressive Aging HTTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > HTTP > Incomplete HTTP Request |
| 4 | 204 | 4204 | SSL Renegotiation | Anomaly | Periodic | Drop due to SSL/TLS Renegotiation Check |
Service Protection > SSL/TLS Profile > Renegotiation Check SSL/TLS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Renegotiation |
| 4 | 205 | 4205 | NTP Request Flood | Rate Flood | Interrupt | Rate Threshold for NTP Requests has been exceeded. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Request Flood |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Request Flood Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Request |
| 4 | 206 | 4206 | NTP Response Flood | Rate Flood | Interrupt | Rate Threshold for NTP Responses has been exceeded. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Flood |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Response Flood Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Response |
| 4 | 207 | 4207 | NTP Broadcast Flood | Rate Flood | Interrupt | Rate Threshold for NTP Broadcasts has been exceeded. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Broadcast Flood |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Broadcast Flood Drops Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Broadcast |
| 4 | 208 | 4208 | NTP Reflection ACL | ACL | Periodic | Drops due to NTP Reflection Deny option. Blocks NTP Mode 6 (varlist) and Mode 7 (monlist) Queries or Responses. |
Service Protection > NTP Profile > Reflection Deny NTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > NTP > NTP Reflection ACL Drops |
| 4 | 209 | 4209 | NTP Version Anomaly | NTP Header Anomaly | Periodic | NTP Version and Modes must match currently ratified versions (Version =1-4 and Mode >0 if Version =1). |
Service Protection > NTP Profile > Version Anomaly Check NTP Profile must be assigned to the SPP |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header |
| 4 | 210 | 4210 | NTP Stratum Anomaly | NTP Header Anomaly | Periodic | Stratum must be 1-16 (17-255 are invalid). If Stratum >2, Reference ID cannot be null/empty. |
Service Protection > NTP Profile > Stratum Anomaly Check NTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header |
| 4 | 211 | 4211 | NTP Data Length Anomaly | NTP Header Anomaly | Periodic | Enforces minimum and maximum data lengths defined in NTP Versions 1-4) |
Service Protection > NTP Profile > Data Length Anomaly Check NTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header |
| 4 | 212 | 4212 | NTP Control Header Anomaly | NTP Header Anomaly | Periodic | Examines Control Header for 10 different Anomalies and drops if seen. |
Service Protection > NTP Profile > Control Header Anomalies Check NTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > Header |
| 4 | 213 | 4213 | NTP Duplicate Request Before Response | Anomaly | Periodic | Drops identical requests in a few seconds before a reply (mini-Flood). |
Service Protection > NTP Profile > Retransmission Check NTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State |
| 4 | 214 | 4214 | NTP Unsolicited Response | Rate Flood treated like Anomaly | Periodic | Drops Responses where the Query was not recorded in NTP Response Matching (NRM) table. Use ONLY with symmetric traffic or asymmetric traffic where both links traverse FortiDDoS. |
Service Protection > NTP Profile > Unsolicited Response Check NTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State |
| 4 | 215 | 4215 | NTP State Anomalies: Sequence mismatch | State Anomaly | Periodic | Drops Queries where Sequence number is incorrect. Normally only used when hosting NTP Servers |
Service Protection > NTP Profile > Sequence Mismatch Check NTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State |
| 4 | 218 | 4218 | NTP State Anomalies: Mode Mismatch | State Anomaly | Periodic | Client Query/Server Response Modes do not match 1/2 or 3/4. If NTP Reflection ACL not enabled, then also checks or not matching Modes 6/6 or 7/7. Anything other than the above mode pairs is dropped as mismatched. |
Service Protection > NTP Profile > Mode Mismatch Check NTP Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > NTP > State |
| 4 | 219 | 4219 | NTP Response Per Destination | Rate Flood | Interrupt | Rate Threshold for NTP Responses Per Destination has been exceeded. This indicates a reflected NTP Response Flood towards a single destination. | Service Protection > Service Protection Policy (List) > Service Protection Policy > Thresholds > Scalars > NTP Response Per Destination |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > NTP > Response Per Destination Flood Drop Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > NTP > Response per Destination |
| 4 | 224 | 4224 | SSL/TLS Protocol Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Protocol Anomaly check |
Service Protection > SSL/TLS Profile > Protocol Anomaly SSL/TLS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Protocol |
| 4 | 225 | 4225 | SSL/TLS Version Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Version Anomaly check |
Service Protection > SSL/TLS Profile > Version Anomaly SSL/TLS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Version |
| 4 | 226 | 4226 | SSL/TLS Cipher Anomaly | Anomaly | Periodic | Drop due to SSL/TLS Profile Cipher Anomaly check |
Service Protection > SSL/TLS Profile > Cipher Anomaly SSL/TLS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Cipher |
| 4 | 227 | 4227 | SSL/TLS Incomplete Request Anomaly | Anomaly | Periodic | Drop due to SSL/TLS profile's Block Incomplete Request check |
Service Protection > SSL/TLS Profile > Block Incomplete Request SSL/TLS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > SSL > SSL Incomplete Request |
| 4 | 228 | 4228 | SSL/TLS Incomplete Request: Source Flood | Rate Flood | Interrupt | Drop due to SSL/TLS profile's Block Source With Incomplete Request |
Service Protection > SSL/TLS Profile > Block Source With Incomplete Request SSL/TLS Profile must be assigned to the SPP. |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > SSL > SSL/TLS Incomplete Request Source Flood |
| 4 | 232 | 4232 | DTLS Client Hello Flood from Source | Rate flood | Interrupt | Drops due to DTLS Client Hello per Source Scalar Threshold | Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars, Edit of Create new DTLS Client Hello per Source |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS |
| 4 | 233 | 4233 | DTLS Server Hello Per Source Flood | Rate flood | Interrupt | Effective rate limit for the DTLS Server Hello Per Source threshold has been reached | Service Protection > Service Protection Policy > Thresholds > Scalars: DTLS Server Hello Per Source |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS |
| 4 | 234 | 4234 | DTLS Server Hello Flood per Destination | Rate flood | Interrupt | Drops due to DTLS Server Hello per Destinationn Scalar Threshold | Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DTLS Server Hello per Destination |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DTLS graph Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > L7 > DTLS |
| 4 | 235 | 4235 | DTLS State Anomalies: DTLS negotiation without verification | Anomaly | Periodic | Drops from DTLS Protocol Check - incorrect DTLS Client/Server handshake (no Client Verification message). |
Service Protection > DTLS Profile > Protocol Check (use with symmetric traffic only) |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DTLS graph |
| 4 | 236 | 4236 | DTLS Reflection ACL | ACL | Periodic | Drops from Server Hello messages when no Client Hello was sent. |
Service Protection > DTLS Profile > Reflection Deny (use with symmetric traffic only) |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DTLS graph |
|
4 |
240 |
4240 |
DNS UDP Query Blocked (Blocklisted Domains) |
ACL |
Periodic |
DNS UDP Query or Response ACL Drops due to Blocklisted Domains, FQDN File Blocklist/Allowlist and FQDN List. |
Service Protection > DNS Profile: DNS Feature Controls:
|
Monitor: DROPS MONITOR > SPP > (Select SPP) > Layer 7> ACL Drops Tab: DNS graph |
|
4 |
241 |
4241 |
DNS TCP Query Blocked (Blocklisted Domains) |
ACL |
Periodic |
DNS TCP Query or Response ACL Drops due to Blocklisted Domains, Domain Reputation, FQDN File Blocklist/Allowlist and FQDN List. |
Service Protection > DNS Profile: DNS Feature Controls:
|
Monitor: DROPS MONITOR > SPP > (Select SPP) > Layer 7: ACL Drops Tab: DNS graph |
|
4 |
242 |
4242 |
DNSSEC UDP Asymmetric Response Source Flood |
Rate Flood |
Interrupt |
Drops due to DNSSEC Response UDP Asymmetric Source Scalar Threshold. |
Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Source Scalar Threshold (DNSSEC Response per Source for asymmetric traffic) |
Monitor: DROPS MONITOR: SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode) |
|
4 |
243 |
4243 |
DNSSEC UDP Asymmetric Response Flood |
Rate Flood |
Interrupt |
Drops due to DNSSEC Response UDP Asymmetric Scalar Threshold. |
Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Scalar Threshold (DNSSEC aggregate Responses for asymmetric traffic) |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode) |
|
4 |
244 |
4244 |
DNSSEC UDP Asymmetric Response Destination Flood |
Rate Flood |
Interrupt |
Drops due to DNSSEC Response UDP Destination Asymmetric Scalar Threshold. |
Service Protection > Service Protection Profile > Create/Edit SPP > Thresholds tab > Scalars: Edit or Create new DNSSEC Response UDP Asymmetric Destination Scalar Threshold (DNSSEC Response per Destination for asymmetric traffic) |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph Monitor: TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > DNS Tab > DNSSEC (only shown when system is in Asymmetric Mode) |
|
4 |
245 |
4245 |
DNS UDP Header Anomaly: Missing Header |
Anomaly |
Periodic |
Drops due to packet to/from UDP Port 53 with no DNS header information. |
Service Protection > DNS Profile: DNS Anomaly Feature Controls: Header Anomaly: Incomplete DNS |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph |
|
4 |
246 |
4246 |
DNS TCP Header Anomaly: Missing Header |
Anomaly |
Periodic |
Drops due to packet to/from TCP Port 53 with no DNS header information. |
Service Protection > DNS Profile: DNS Anomaly Feature Controls: Header Anomaly: Incomplete DNS |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph |
|
4 |
247 |
4247 |
DNS UDP Data Anomaly - EDNS0 Multi Option Error |
Anomaly |
Periodic |
UDP Drops due to DNS Profile: Data Anomaly: Multiple OPT RR enabled. |
Service Protection > DNS Profile: DNS Anomaly Feature Controls: Data Anomaly: Multiple OPT RR |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph |
|
4 |
248 |
4248 |
DNS TCP Data Anomaly - EDNS0 Multi Option Error |
Anomaly |
Periodic |
TCP Drops due to DNS Profile: Data Anomaly: Multiple OPT RR enabled. |
Service Protection > DNS Profile: DNS Anomaly Feature Controls: Data Anomaly: Multiple OPT RR |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7: DNS graph |
|
4 |
251 |
4251 |
DNSSEC UDP Unsolicited Response |
Flood |
Interrupt |
UDP DNSSEC Drops due to a response with no matching query. |
Service Protection > DNS Profile: DNS Anomaly Feature Controls: DNSSEC Require Response After Query |
Monitor: DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7: DNS graph |
|
4 |
252 |
4252 |
DNSSEC Deny |
ACL |
Periodic |
Drops due to Forbid DNSSEC feature option. |
Service Protection > DNS Profile: DNS Feature Controls: Forbid DNSSEC |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DNS graph |
|
4 |
253 |
4253 |
QUIC Server Reflection Deny |
ACL |
Periodic |
Drop any QUIC Server Initial packets if Client Initial packet was not seen first. |
Service Protection > QUIC Profile > Reflection Deny |
Monitor > DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > QUIC |
|
4 |
254 |
4254 |
QUIC Version Negotiation Deny |
ACL |
Periodic |
Drop any QUIC Version Negotiation requests. |
Service Protection > QUIC Profile > Version Negotiation Check |
Monitor > DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7 > QUIC |
|
4 |
255 |
4255 |
QUIC Strict Anomalies |
Anomaly |
Periodic |
Drop anomalous QUIC packets. |
Service Protection > QUIC Profile > Strict Anomalies Check |
Monitor > DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > QUIC |
|
4 |
256 |
4256 |
QUIC Initial Packet Size Anomaly |
Anomaly |
Periodic |
Drop too small QUIC Initial packets. |
Service Protection > QUIC Profile > Initial Packet Check |
Monitor > DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > QUIC |
|
4 |
257 |
4257 |
QUIC Version Anomaly |
Anomaly |
Periodic |
Drop invalid QUIC versions. |
Service Protection > QUIC Profile > Version Check |
Monitor > DROPS MONITOR > SPP > (Select SPP) > Anomaly Drops Tab > Layer 7 > QUIC |
|
4 |
258 |
4258 |
QUIC Session Out Of Memory |
Internal |
Periodic |
Drops caused by the number of QUIC sessions exceeding the table size. |
Internal - no settings |
Contact Fortinet Support. There is no graph for this parameter. |
|
4 |
259 |
4259 |
QUIC Response Initial Packet Per Destination Flood |
Rate Flood |
Interrupt |
Effective rate limit for the QUIC Response Initial Packet Per Destination Flood Threshold |
Service Protection > Service Protection Policy (List) > Select SPP > Thresholds Tab > Scalars |
Monitor > TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > QUIC Tab Monitor > DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > Scroll to QUIC |
|
4 |
260 |
4260 |
QUIC Request Initial Packet Per Source Flood |
Rate Flood |
Interrupt |
Effective rate limit for the QUIC Request Initial Packet Per Source Flood Threshold |
Service Protection > Service Protection Policy (List) > Select SPP > Thresholds Tab > Scalars |
Monitor > TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > QUIC Tab Monitor > DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > Scroll to QUIC |
|
4 |
261 |
4261 |
QUIC Request Initial Packet Flood |
Rate Flood |
Interrupt |
Effective rate limit for the QUIC Request Initial Packet Flood Threshold |
Service Protection > Service Protection Policy (List) > Select SPP > Thresholds Tab > Scalars |
Monitor > TRAFFIC MONITOR > Layer 3/4/7 > (Select SPP) > Layer 7 > QUIC Tab Monitor > DROPS MONITOR > SPP > (Select SPP) > Flood Drops Tab > Layer 7 > Scroll to QUIC |
|
4 |
285 |
4285 |
DNS Fragment Deny |
ACL |
Periodic |
Drops due to DNS Fragment feature option. |
Service Protection > DNS Profile: DNS Feature Controls: DNS Fragment |
Monitor: DROPS MONITOR > SPP > (Select SPP) > ACL Drops Tab > Layer 7: DNS graph |
DDoS Attack log Directionality for TCP
| Setup | Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP |
|---|---|---|---|---|---|---|---|
| SYN | Outbound | Inside | Outside | High | Low | Outbound | Inside |
| ACK | Inbound | Outside | Inside | Low | High | Outbound | Inside |
| SYN | Inbound | Outside | Inside | High | Low | Inbound | Inside |
| ACK | Outbound | Inside | Outside | Low | High | Inbound | Inside |
| SYN | Outbound | Inside | Outside | High | High | Outbound | Inside |
| ACK | Inbound | Outside | Inside | High | High | Outbound | Inside |
| SYN | Inbound | Outside | Inside | High | High | Inbound | Inside |
| ACK | Outbound | Inside | Outside | High | High | Inbound | Inside |
| SYN | Outbound | Inside | Outside | Low | Low | Outbound | Inside |
| ACK | Inbound | Outside | Inside | Low | Low | Outbound | Inside |
| SYN | Inbound | Outside | Inside | Low | Low | Inbound | Inside |
| ACK | Outbound | Inside | Outside | Low | Low | Inbound | Inside |
DDoS Attack log Directionality for UDP
| Traffic Direction | Source | Destination | Source Port | Destination Port | Attack Log Direction | Protected IP |
|---|---|---|---|---|---|---|
| Outbound | Inside | Outside | High | Low | Outbound | Inside |
| Inbound | Outside | Inside | Low | High | Inbound | Inside |
| Inbound | Outside | Inside | High | Low | Inbound | Inside |
| Outbound | Inside | Outside | Low | High | Outbound | Inside |
| Outbound | Inside | Outside | High | High | Outbound | Inside |
| Inbound | Outside | Inside | High | High | Inbound | Inside |