Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.6.3
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Using the DDoS attack log table

    Using the DDoS attack log table

    The DDoS Attack Log table displays the attack event records for the selected SPP or All SPPs. The DDoS Attack Log table is updated every 1-5 minutes. It contains a maximum of 1 million events (default) to 2 million events depending on Log & Report > LOG CONFIGURATION: Log Purge Settings. If the number of events reaches the maximum allowed, the system deletes the 200,000 oldest events.

    Before you begin:

    • You must have an administrator account with the System Admin option enabled.
    To view and filter the log:
    1. Go to Log & Report > Log Access > Logs> DDoS Attack Log tab
    2. Use the check boxes to select the types of attack events to view. If all boxes are unchecked, logs from all events display.
    3. Select the directionality of the logs to display from the drop-down menu: All logs, Inbound or Outbound logs.
    4. Select the SPP log to display from the drop-down menu: All SPPs or any of the SPPs listed.
    5. Click Add Filter to display additional filter tools for Date and Time, Source IP, Protected IP, Layer 3 Protocol, ICMP Type Code, and SPP Operating Mode. Each filter will open additional fields to define the filter.
      1. Click OK to apply the additional filters.
        You can apply multiple filters. Each filter will display in the filter area. You can clear any filter by clicking "x" in the filter description or all filters by clicking Clear All Filters.

    Note: These filters are not persistent. If you leave the DDoS Attack Log page, they will be cleared.

    Downloading Attack Logs

    The Download button will download up to 20,000 filtered or unfiltered Attack Logs in CSV format. To download more than 20,000 logs, use System > Debug. The Customer and Debug files created there provide 100,000 unfiltered Attack Logs.


    DDoS Attack Log Fields

    Column Example Description
    Event ID 462380959

    Log ID
    Timestamp 2015-05-05 16:31:00

    Log timestamp
    SPP ID 0

    SPP ID
    Source IP 28.0.0.40

    Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see Source tracking table).
    Protected IP 74.255.0.253

    Protected IP address.

    • For outbound traffic, Protected IP is the Source IP.
    • For inbound traffic, Protected IP is the Destination IP.
    Direction Inbound

    Direction: Inbound, Outbound.

    • For TCP, this is the direction of the session/connection.
    • For UDP, this is the direction of the packet.
    Protocol 6/tcp

    Protocol number/name if assigned.
    The Protocol field may display a blank value if there is traffic from multiple protocols since FPGA does not report a specific protocol in this scenario.
    ICMP type/code 0/8

    ICMP type/code number
    Event Type SYN flood

    Event type
    Associated port 69 Associated port number.
    • For TCP, this is the Associated Port of the session or connection (not the traffic direction). If the session originates or terminates on a 'service port' (<10000), all the traffic in any direction will be associated with that Port.
    • For UDP, this is the destination port in the direction of the traffic UNLESS the traffic originates or terminates on a 'service port' (<10000 or a defined UDP Service Port in Global Settings > Settings > UDP Service Ports). In this case, 'Associated Port' will show the service port, regardless of the traffic direction.
    Drop Count 14

    Packets dropped per this event.
    Operating Mode Prevention

    Prevention or Detection Mode depending on the SPP Setting when the log was generated.

    Note: Since this indicator was not available prior to 5.2.0, any logs from dates prior to 5.2.0 installation will display “Prevention” no matter what the actual Mode was at that time.

    Event Detail '500'

    Reason string. This will be the hash index for HTTP.
    Subnet ID 0

    Subnet ID

    Note: In the DDoS attack log, a table cell displays ”-” (hyphen or a blank) if data is not collected or invalid or multiple values for the same field occur in the same event.

    The table displays most recent records first and the columns Event ID, Timestamp, SPP ID, Direction, Event Type and Drop Count. By default, the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (Default 1M, max 2M). To view the details of an Event, click the Preview icon at the right end of any line.

    See Appendix A: DDoS Attack Log Reference for details on log categories and event types.

    Previous
    Next

    Using the DDoS attack log table

    Using the DDoS attack log table

    The DDoS Attack Log table displays the attack event records for the selected SPP or All SPPs. The DDoS Attack Log table is updated every 1-5 minutes. It contains a maximum of 1 million events (default) to 2 million events depending on Log & Report > LOG CONFIGURATION: Log Purge Settings. If the number of events reaches the maximum allowed, the system deletes the 200,000 oldest events.

    Before you begin:

    • You must have an administrator account with the System Admin option enabled.
    To view and filter the log:
    1. Go to Log & Report > Log Access > Logs> DDoS Attack Log tab
    2. Use the check boxes to select the types of attack events to view. If all boxes are unchecked, logs from all events display.
    3. Select the directionality of the logs to display from the drop-down menu: All logs, Inbound or Outbound logs.
    4. Select the SPP log to display from the drop-down menu: All SPPs or any of the SPPs listed.
    5. Click Add Filter to display additional filter tools for Date and Time, Source IP, Protected IP, Layer 3 Protocol, ICMP Type Code, and SPP Operating Mode. Each filter will open additional fields to define the filter.
      1. Click OK to apply the additional filters.
        You can apply multiple filters. Each filter will display in the filter area. You can clear any filter by clicking "x" in the filter description or all filters by clicking Clear All Filters.

    Note: These filters are not persistent. If you leave the DDoS Attack Log page, they will be cleared.

    Downloading Attack Logs

    The Download button will download up to 20,000 filtered or unfiltered Attack Logs in CSV format. To download more than 20,000 logs, use System > Debug. The Customer and Debug files created there provide 100,000 unfiltered Attack Logs.


    DDoS Attack Log Fields

    Column Example Description
    Event ID 462380959

    Log ID
    Timestamp 2015-05-05 16:31:00

    Log timestamp
    SPP ID 0

    SPP ID
    Source IP 28.0.0.40

    Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see Source tracking table).
    Protected IP 74.255.0.253

    Protected IP address.

    • For outbound traffic, Protected IP is the Source IP.
    • For inbound traffic, Protected IP is the Destination IP.
    Direction Inbound

    Direction: Inbound, Outbound.

    • For TCP, this is the direction of the session/connection.
    • For UDP, this is the direction of the packet.
    Protocol 6/tcp

    Protocol number/name if assigned.
    The Protocol field may display a blank value if there is traffic from multiple protocols since FPGA does not report a specific protocol in this scenario.
    ICMP type/code 0/8

    ICMP type/code number
    Event Type SYN flood

    Event type
    Associated port 69 Associated port number.
    • For TCP, this is the Associated Port of the session or connection (not the traffic direction). If the session originates or terminates on a 'service port' (<10000), all the traffic in any direction will be associated with that Port.
    • For UDP, this is the destination port in the direction of the traffic UNLESS the traffic originates or terminates on a 'service port' (<10000 or a defined UDP Service Port in Global Settings > Settings > UDP Service Ports). In this case, 'Associated Port' will show the service port, regardless of the traffic direction.
    Drop Count 14

    Packets dropped per this event.
    Operating Mode Prevention

    Prevention or Detection Mode depending on the SPP Setting when the log was generated.

    Note: Since this indicator was not available prior to 5.2.0, any logs from dates prior to 5.2.0 installation will display “Prevention” no matter what the actual Mode was at that time.

    Event Detail '500'

    Reason string. This will be the hash index for HTTP.
    Subnet ID 0

    Subnet ID

    Note: In the DDoS attack log, a table cell displays ”-” (hyphen or a blank) if data is not collected or invalid or multiple values for the same field occur in the same event.

    The table displays most recent records first and the columns Event ID, Timestamp, SPP ID, Direction, Event Type and Drop Count. By default, the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (Default 1M, max 2M). To view the details of an Event, click the Preview icon at the right end of any line.

    See Appendix A: DDoS Attack Log Reference for details on log categories and event types.

    Previous
    Next