Using the Layer 7 graphs
Example Layer 7 graph
Before you begin:
• You must have Read permission for the Monitor menu.
• Refer to Reading Monitor graphs to understand the graphs in detail.
To display the graphs:
• Go to Monitor / Traffic Monitor / > Layer 3/4/7 > Layer 7 > [SPP] [HTTP / DNS / NTP] [Y-Axis view] [Direction] [Reporting Period]. Some Graphs may have additional parameter selection such as [Method].
Statistic |
Description |
---|---|
HTTP Tab |
|
Methods |
Displays HTTP Method Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. The following Methods are monitored: [GET | HEAD | OPTIONS | TRACE | POST | PUT | DELETE | CONNECT] Subgraphs for:
Note:
|
Method per Source |
Displays HTTP Method per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information:
|
URLs |
Displays HTTP URL Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. URL can be over 4000 characters long, resulting in almost unlimited numbers of URLs. FortiDDoS tracks the top 32,000 URLs but uses a single Threshold learned from Traffic Statistics to rate-limit any URL. URLs are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe URL Drops in the Attack Logs to obtain the hash index under attack.
Note: Specific URLs may be ACLed via the HTTP Profile assigned to an SPP. |
Hosts |
Displays HTTP Host Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Hosts but uses a single Threshold learned from Traffic Statistics to rate-limit any Host. Hosts are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe Host Drops in the Attack Logs to obtain the hash index under attack.
Note: Specific Hosts may be ACLed via the HTTP Profile assigned to an SPP. |
Referers |
Displays HTTP Referer Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Referers but uses a single Threshold learned from Traffic Statistics to rate-limit any Referer. Hosts are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe Referer Drops in the Attack Logs to obtain the hash index under attack.
Note: Specific Referer may be ACLed via the HTTP Profile assigned to an SPP. |
Cookies |
Displays HTTP Cookie Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 Cookies but uses a single Threshold learned from Traffic Statistics to rate-limit any Cookie. Cookies are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe Cookie Drops in the Attack Logs to obtain the hash index under attack.
Note: Specific Cookies may be ACLed via the HTTP Profile assigned to an SPP. |
User Agents |
Displays HTTP User Agent Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. FortiDDoS tracks the top 512 User Agents but uses a single Threshold learned from Traffic Statistics to rate-limit any Cookie. Cookies are one-way hashed and the hash index is shown on the graph. In order to use this graph, observe User Agent Drops in the Attack Logs to obtain the hash index under attack.
Note: Specific User Agents may be ACLed via the HTTP Profile assigned to an SPP. |
DNS Tab |
|
DNS Query |
Displays DNS Query Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. Subgraphs for:
Note:
|
Query Per Source |
Displays DNS UDP/TCP Query per Source Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.
Note: If Block Identified Source is disabled in a DNS Profile assigned to an SPP, the Query per Source Threshold will not be tracked nor displayed on the graph. |
Suspicious Sources |
Displays DNS Packet-Track per Source (Suspicious Sources) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. Packet-Track per Source (Suspicious Sources) is based on a machine-learned, heuristics-based score that counts fragmented packets, Response not found in DQRM and/or queries that generate responses with RCODE other than 0, for any Source.
Note: If Block Identified Source in a DNS Profile assigned to an SPP is disabled, the DNS Packet-Track per Source (Suspicious Sources) Threshold will not be tracked nor displayed on the graph. |
Question Count |
Displays the sum of all Question Count fields in all DNS UDP/TCP Query Packets, Threshold, Estimated Threshold and per-5-minute Drop information.
Note:
|
Fragment |
Displays the DNS UDP/TCP Query Fragment Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. Note: Only the first fragment in a series of fragments provides Layer 4 information to identify the packet as a DNS Fragment. These fragments will be displayed on this graph. Subsequent fragments have only Layer 3 information and will be displayed on Monitor > / Traffic Monitor / > Layer 3 /4/7 > Layer 3 > Other > Fragmented Packet graph
|
QType MX |
Displays the DNS UDP/TCP Query Type MX (email) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.
Note:
|
QType All |
Displays the DNS UDP/TCP Query Type ALL (ANY/*) Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.
Note:
|
QType Zone Transfer |
Displays the DNS TCP Query Type Zone Transfer Traffic, Threshold, Estimated Threshold and per-5-minute Drop information.
Note: Zone Transfer requests must be TCP. If attackers use UDP, the UDP Query Thresholds and mitigations will apply. |
DNS Response Code |
Displays the DNS Response Code Traffic, Threshold, Estimated Threshold and per-5-minute Drop information. DNS Responses contain a Response Code indicating information about the Response. The field allows 15 different Response Codes but many are unassigned, not implemented or rarely used. The most-used Response Codes are 0=Good Response | 1=Query Format Error | 2=Server Failure | 3=NxDomain | 5=Refused | The DNS Response Code graph contains an additional selection field to enter the Response Code of interest from 0-15.
|
DNSSEC |
Note: This graph will only display when the system is in Asymmetric Mode Displays the various DNS DNSSEC Traffic parameters, Threshold, Estimated Threshold and per-5-minute Drop information.
|
NTP Tab |
|
Request |
Displays NTP Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:
|
Response |
Displays NTP Response Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:
|
Broadcast |
Displays NTP Broadcast Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:
|
Response Per Destination |
Displays NTP Response per Destination Traffic, Threshold, Estimated Threshold and per-5-minute Drop information for:
|
DTLS Tab |
|
DTLS |
Displays DTLS Traffic, Threshold and per-5-minute Drop information for:
Note: Drops will not appear unless Thresholds for the following are manually set in Service Protection Policy > Thresholds > Scalars:
Use these traffic graphs to determine peak inbound egress traffic over time, and multiply by 2x to create the manual threshold. |
QUIC Tab |
|
QUIC |
Displays QUIC Traffic, Estimated Threshold and per-5-minute Drop information for:
|