Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    7.0.0
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Using the DDoS attack log table

    Using the DDoS attack log table

    The DDoS Attack Log table displays the attack event records for all SPPs and Global ACLs. The DDoS Attack Log table is updated every 1-5 minutes. Note while logs will be reported on the 0,5,10-minute, etc. interval, logs are aggregated which can take 2 minutes, so expect 0, 5, 10 to appear at 2, 7, 12-minutes, etc.

    The log table contains a maximum of 1 million events (default) to 2 million events depending on Log & Report > LOG CONFIGURATION: Log Purge Settings. If the number of events reaches the maximum allowed, the system deletes the 200,000 oldest events and/or the oldest, smallest events under control of the Log Purge Settings.

    Note: The GUI will display a maximum of 900,000 logs from most recent timestamp, backwards. If you filter (for inbound, for example), the filter searches the entire 1M-2M database and displays the latest up to 900k logs.

    Before you begin:

    • You must have a minimum of Read access.
    To view the logs:

    1. Go to Log & Report > Log Access > Logs > DDoS Attack Log

      Each row shows 1 Attack event:

    2. Further detail is shown by clicking the Detail icon at the right of each row as shown below:
    To filter the logs

    1. You can add multiple filters from any of the selections below

    2. Filters are not persistent and will clear when you leave the Attack Log page.

    1. Use the top checkboxes to filter by type of event. When all checkboxes are disabled (default) all logs are shown.

    2. Use the three pulldown menus marked “All” to filter by:

      • Direction (Inbound / Outbound)

      • SPP

      • Operating Mode (Detection / Prevention)

    3. Use the plus (+) icon to filter on the following parameters:

      Timestamp | SPP Name | Associated Port | ICMP Type Code | IP Source | Protected IP | Protocol

      Each parameter may provide additional options as shown below.

    4. Use the Search bar for free-form text searches of the Event Type:

    Downloading Attack Logs

    The Download button will download up to 100,000 filtered or unfiltered Attack Logs (from newest to oldest) in CSV format.

    DDoS Attack Log Fields

    ColumnExampleDescription
    Event ID462380959

    Log ID

    Timestamp2015-05-05 16:31:00

    Log timestamp

    SPP ID0

    SPP ID

    Source IP28.0.0.40

    Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see Source tracking table).

    Protected IP74.255.0.253

    Protected IP address.

    • For outbound traffic, Protected IP is the Source IP.
    • For inbound traffic, Protected IP is the Destination IP.
    DirectionInbound

    Direction: Inbound, Outbound.

    • For TCP, this is the direction of the session/connection.
    • For UDP, this is the direction of the packet.
    Protocol6/tcp

    Protocol number/name if assigned.
    The Protocol field may display a blank value if there is traffic from multiple protocols since FPGA does not report a specific protocol in this scenario.

    ICMP type/code0/8

    ICMP type/code number

    Event TypeSYN flood

    Event type

    Associated port69Associated port number.
    • For TCP, this is the Associated Port of the session or connection (not the traffic direction). If the session originates or terminates on a 'service port' (<10000), all the traffic in any direction will be associated with that Port.
    • For UDP, this is the destination port in the direction of the traffic UNLESS the traffic originates or terminates on a 'service port' (<10000 or a defined UDP Service Port in Global Settings > Settings > UDP Service Ports). In this case, 'Associated Port' will show the service port, regardless of the traffic direction.
    Drop Count14

    Packets dropped per this event.

    Operating ModePrevention

    Prevention or Detection Mode depending on the SPP Setting when the log was generated.

    Note: Since this indicator was not available prior to 5.2.0, any logs from dates prior to 5.2.0 installation will display “Prevention” no matter what the actual Mode was at that time.

    Event Detail'500'

    Reason string. This will be the hash index for HTTP.

    Subnet ID0

    Subnet ID

    Note: In the DDoS attack log, a table cell displays ”-” (hyphen or a blank) if data is not collected or invalid or multiple values for the same field occur in the same event.

    The table displays most recent records first and the columns Event ID, Timestamp, SPP ID, Direction, Event Type and Drop Count. By default, the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (Default 1M, max 2M). To view the details of an Event, click the Preview icon at the right end of any line.

    See Appendix A: DDoS Attack Log Reference for details on log categories and event types.

    Previous
    Next

    Using the DDoS attack log table

    Using the DDoS attack log table

    The DDoS Attack Log table displays the attack event records for all SPPs and Global ACLs. The DDoS Attack Log table is updated every 1-5 minutes. Note while logs will be reported on the 0,5,10-minute, etc. interval, logs are aggregated which can take 2 minutes, so expect 0, 5, 10 to appear at 2, 7, 12-minutes, etc.

    The log table contains a maximum of 1 million events (default) to 2 million events depending on Log & Report > LOG CONFIGURATION: Log Purge Settings. If the number of events reaches the maximum allowed, the system deletes the 200,000 oldest events and/or the oldest, smallest events under control of the Log Purge Settings.

    Note: The GUI will display a maximum of 900,000 logs from most recent timestamp, backwards. If you filter (for inbound, for example), the filter searches the entire 1M-2M database and displays the latest up to 900k logs.

    Before you begin:

    • You must have a minimum of Read access.
    To view the logs:

    1. Go to Log & Report > Log Access > Logs > DDoS Attack Log

      Each row shows 1 Attack event:

    2. Further detail is shown by clicking the Detail icon at the right of each row as shown below:
    To filter the logs

    1. You can add multiple filters from any of the selections below

    2. Filters are not persistent and will clear when you leave the Attack Log page.

    1. Use the top checkboxes to filter by type of event. When all checkboxes are disabled (default) all logs are shown.

    2. Use the three pulldown menus marked “All” to filter by:

      • Direction (Inbound / Outbound)

      • SPP

      • Operating Mode (Detection / Prevention)

    3. Use the plus (+) icon to filter on the following parameters:

      Timestamp | SPP Name | Associated Port | ICMP Type Code | IP Source | Protected IP | Protocol

      Each parameter may provide additional options as shown below.

    4. Use the Search bar for free-form text searches of the Event Type:

    Downloading Attack Logs

    The Download button will download up to 100,000 filtered or unfiltered Attack Logs (from newest to oldest) in CSV format.

    DDoS Attack Log Fields

    ColumnExampleDescription
    Event ID462380959

    Log ID

    Timestamp2015-05-05 16:31:00

    Log timestamp

    SPP ID0

    SPP ID

    Source IP28.0.0.40

    Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see Source tracking table).

    Protected IP74.255.0.253

    Protected IP address.

    • For outbound traffic, Protected IP is the Source IP.
    • For inbound traffic, Protected IP is the Destination IP.
    DirectionInbound

    Direction: Inbound, Outbound.

    • For TCP, this is the direction of the session/connection.
    • For UDP, this is the direction of the packet.
    Protocol6/tcp

    Protocol number/name if assigned.
    The Protocol field may display a blank value if there is traffic from multiple protocols since FPGA does not report a specific protocol in this scenario.

    ICMP type/code0/8

    ICMP type/code number

    Event TypeSYN flood

    Event type

    Associated port69Associated port number.
    • For TCP, this is the Associated Port of the session or connection (not the traffic direction). If the session originates or terminates on a 'service port' (<10000), all the traffic in any direction will be associated with that Port.
    • For UDP, this is the destination port in the direction of the traffic UNLESS the traffic originates or terminates on a 'service port' (<10000 or a defined UDP Service Port in Global Settings > Settings > UDP Service Ports). In this case, 'Associated Port' will show the service port, regardless of the traffic direction.
    Drop Count14

    Packets dropped per this event.

    Operating ModePrevention

    Prevention or Detection Mode depending on the SPP Setting when the log was generated.

    Note: Since this indicator was not available prior to 5.2.0, any logs from dates prior to 5.2.0 installation will display “Prevention” no matter what the actual Mode was at that time.

    Event Detail'500'

    Reason string. This will be the hash index for HTTP.

    Subnet ID0

    Subnet ID

    Note: In the DDoS attack log, a table cell displays ”-” (hyphen or a blank) if data is not collected or invalid or multiple values for the same field occur in the same event.

    The table displays most recent records first and the columns Event ID, Timestamp, SPP ID, Direction, Event Type and Drop Count. By default, the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (Default 1M, max 2M). To view the details of an Event, click the Preview icon at the right end of any line.

    See Appendix A: DDoS Attack Log Reference for details on log categories and event types.

    Previous
    Next