Fortinet white logo
Fortinet white logo

Handbook

Using the Anomaly Drops graphs

Using the Anomaly Drops graphs

Use the Anomaly Drops graphs to monitor drops due to Layer 3, Layer 4, and Layer 7 anomalies.

Customize the graph with the following viewing parameters: SPP, Reporting Period (1-hr to 1-yr), Linear/Logarithmic Y-Axis.

Placing the cursor on the Monitor graph will display a tool-tip with additional information.

Before you begin:

  • You must have Read permission for the Monitor menu.
  • Refer to Reading Monitor graphs to understand the graphs in detail.
To display the graph:
  1. Go to Monitor > Drops Monitor > SPP > Anomaly Drops Tab > [SPP] [Aggregate/Layer 3/4/7] [Y-Axis View] [Reporting Period].

Statistic

Description

Aggregate

Aggregation of all anomaly drops for:

  • Layer 3
  • Layer 4
  • Layer 7

Layer 3

Drops due to (IP Profile Strict Anomalies option):

  • IP Header Checksum Error
  • Source and Destination Address Match - Source and Destination addresses are the same (LAND attack).

  • Source/Destination as LocalHost - Source or Destination address is the same as the localhost (loopback address spoofing).

  • Drops due to the other Layer 3 anomalies, including:
    • IP version other than 4 or 6
    • Header length less than 5 words
    • End of packet (EOP) before 20 bytes of IPV4 Data
    • Total length less than 20 bytes
    • EOP comes before the length specified by Total length
    • End of Header before the data offset (while parsing options)
    • Length field in LSRR/SSRR option is other than (3+(n*4)) where n takes value greater than or equal to 1
    • Pointer in LSRR/SSRR is other than (n*4) where n takes value greater than or equal to 1
    • For IP Options length less than 3
    • Reserved flag set
    • More fragments and Don't Fragment Flags both set

Layer 4

Aggregate

Aggregate graphs showing all anomaly drops due to Layer 4:

  • Header
  • State

Header

Anomaly drops due to (IP and TCP Profile Strict Anomalies options):

  • TCP checksum errors
  • UDP checksum errors
  • ICMP Checksum errors
  • TCP Invalid Flag Combination –Invalid TCP flag combinations such as SYN-PSH-RST
  • (other) Anomaly Detected, including:
    • Other header anomalies, such as incomplete packet
    • Urgent flag is set then the urgent pointer must be non-zero
    • SYN or FIN or RST is set for fragmented packets
    • Data offset is less than 5 for a TCP packet
    • End of packet is detected before the 20 bytes of TCP header
    • EOP before the data offset indicated data offset
    • Length field in Window scale option other than 3 in a TCP packet
    • Missing UDP payload
    • Missing ICMP payload
    • SYN with payload (TCP Profile option)
  • Invalid ICMPv4 Type/Code via Protocol 1 (ICMP Profile option) – Invalidates (makes anomalies) the >64,000 available ICMP Types/Codes that are not IETF/IANA ratified and in-use.
  • Invalid ICMPv6 Type/Code via Protocol 58 (ICMP Profile option) – Invalidates (makes anomalies) the >64,000 available ICMP Types/Codes that are not IETF/IANA ratified and in-use.

State

Anomaly drops due to (TCP Profile options):

  • Foreign Packets (Out-of-State) – (TCP Profile Foreign Packet Validation option)
  • Forward Transmission Not Within Window - Packets outside the receiver’s windows (TCP Profile Sequence Validation option)
  • Reverse Transmission Not Within Window - Packets outside the receiver’s windows (TCP Profile Sequence Validation option)
  • TCP State Transition - Packets that violate the TCP Protocol state transition rules or sequence numbers (TCP Profile State Transition Validation option)
  • Foreign Packets (Aggressive aging and Slow Connections) – Packets no longer in active sessions due to aggressive aging or slow connection blocking (TCP Profile option)
  • Aggressive Aging (Concurrent Connection per Source Flood) - Packets no longer in active sessions due to aggressive aging based on Concurrent Connections per Source Threshold and Aggressive Aging Feature Control > High Concurrent Connection per Source (TCP Profile option)

Layer 7

Aggregate

Aggregate of drops due to anomalies for:

  • HTTP
  • SSL
  • DNS
  • NTP
  • DTLS
  • QUIC
  • Video Conference

HTTP Header

HTTP Anomaly Drops (HTTP Profile options) for:

  • Known Method - Drops packets if the METHOD matches with any of the eight known OpCodes selected as not allowed in the HTTP Profile (GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
  • Unknown Method – Drops packets whose METHOD is outside the 8 known Methods (any Method that is not: GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
  • Invalid HTTP Version - packets with an invalid HTTP version
  • Range Present - packets with a header range request
  • Incomplete HTTP Request - HTTP requests that do not end in the correct end-of-packet information.

SSL

SSL/TLS Anomaly Drops (SSL/TLS Profile options) for:

  • SSL Renegotiation – packets dropped due to excessive numbers of renegotiation requests over time as configured in the SSL/TLS Profile
  • SSL Protocol errors
  • SSL Version errors
  • SSL Cipher suite errors
  • SSL Incomplete Request errors

DNS

DNS Anomaly Drops (DNS Profile Options) for:

  • Header
  • Query
  • Response
  • Buffer Overflow
  • Exploit
  • Info
  • Data

NTP

NTP Anomaly Drops (NTP Profile Options) for:

  • Header
  • State

DTLS

DTLS Anomaly Drops for:

  • State (DTLS Profile: Protocol option)

QUIC

QUIC Anomaly Drops for:

  • Strict (QUIC Profile: Strict Anomalies Check)

  • Initial Packet Size (QUIC Profile: Initial Packet Check)

  • Version (QUIC Profile: Version Check)

Video Conference

Video Conference Anomaly Drops:

  • Zoom UDP Strict (anomalies)

Using the Anomaly Drops graphs

Using the Anomaly Drops graphs

Use the Anomaly Drops graphs to monitor drops due to Layer 3, Layer 4, and Layer 7 anomalies.

Customize the graph with the following viewing parameters: SPP, Reporting Period (1-hr to 1-yr), Linear/Logarithmic Y-Axis.

Placing the cursor on the Monitor graph will display a tool-tip with additional information.

Before you begin:

  • You must have Read permission for the Monitor menu.
  • Refer to Reading Monitor graphs to understand the graphs in detail.
To display the graph:
  1. Go to Monitor > Drops Monitor > SPP > Anomaly Drops Tab > [SPP] [Aggregate/Layer 3/4/7] [Y-Axis View] [Reporting Period].

Statistic

Description

Aggregate

Aggregation of all anomaly drops for:

  • Layer 3
  • Layer 4
  • Layer 7

Layer 3

Drops due to (IP Profile Strict Anomalies option):

  • IP Header Checksum Error
  • Source and Destination Address Match - Source and Destination addresses are the same (LAND attack).

  • Source/Destination as LocalHost - Source or Destination address is the same as the localhost (loopback address spoofing).

  • Drops due to the other Layer 3 anomalies, including:
    • IP version other than 4 or 6
    • Header length less than 5 words
    • End of packet (EOP) before 20 bytes of IPV4 Data
    • Total length less than 20 bytes
    • EOP comes before the length specified by Total length
    • End of Header before the data offset (while parsing options)
    • Length field in LSRR/SSRR option is other than (3+(n*4)) where n takes value greater than or equal to 1
    • Pointer in LSRR/SSRR is other than (n*4) where n takes value greater than or equal to 1
    • For IP Options length less than 3
    • Reserved flag set
    • More fragments and Don't Fragment Flags both set

Layer 4

Aggregate

Aggregate graphs showing all anomaly drops due to Layer 4:

  • Header
  • State

Header

Anomaly drops due to (IP and TCP Profile Strict Anomalies options):

  • TCP checksum errors
  • UDP checksum errors
  • ICMP Checksum errors
  • TCP Invalid Flag Combination –Invalid TCP flag combinations such as SYN-PSH-RST
  • (other) Anomaly Detected, including:
    • Other header anomalies, such as incomplete packet
    • Urgent flag is set then the urgent pointer must be non-zero
    • SYN or FIN or RST is set for fragmented packets
    • Data offset is less than 5 for a TCP packet
    • End of packet is detected before the 20 bytes of TCP header
    • EOP before the data offset indicated data offset
    • Length field in Window scale option other than 3 in a TCP packet
    • Missing UDP payload
    • Missing ICMP payload
    • SYN with payload (TCP Profile option)
  • Invalid ICMPv4 Type/Code via Protocol 1 (ICMP Profile option) – Invalidates (makes anomalies) the >64,000 available ICMP Types/Codes that are not IETF/IANA ratified and in-use.
  • Invalid ICMPv6 Type/Code via Protocol 58 (ICMP Profile option) – Invalidates (makes anomalies) the >64,000 available ICMP Types/Codes that are not IETF/IANA ratified and in-use.

State

Anomaly drops due to (TCP Profile options):

  • Foreign Packets (Out-of-State) – (TCP Profile Foreign Packet Validation option)
  • Forward Transmission Not Within Window - Packets outside the receiver’s windows (TCP Profile Sequence Validation option)
  • Reverse Transmission Not Within Window - Packets outside the receiver’s windows (TCP Profile Sequence Validation option)
  • TCP State Transition - Packets that violate the TCP Protocol state transition rules or sequence numbers (TCP Profile State Transition Validation option)
  • Foreign Packets (Aggressive aging and Slow Connections) – Packets no longer in active sessions due to aggressive aging or slow connection blocking (TCP Profile option)
  • Aggressive Aging (Concurrent Connection per Source Flood) - Packets no longer in active sessions due to aggressive aging based on Concurrent Connections per Source Threshold and Aggressive Aging Feature Control > High Concurrent Connection per Source (TCP Profile option)

Layer 7

Aggregate

Aggregate of drops due to anomalies for:

  • HTTP
  • SSL
  • DNS
  • NTP
  • DTLS
  • QUIC
  • Video Conference

HTTP Header

HTTP Anomaly Drops (HTTP Profile options) for:

  • Known Method - Drops packets if the METHOD matches with any of the eight known OpCodes selected as not allowed in the HTTP Profile (GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
  • Unknown Method – Drops packets whose METHOD is outside the 8 known Methods (any Method that is not: GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT)
  • Invalid HTTP Version - packets with an invalid HTTP version
  • Range Present - packets with a header range request
  • Incomplete HTTP Request - HTTP requests that do not end in the correct end-of-packet information.

SSL

SSL/TLS Anomaly Drops (SSL/TLS Profile options) for:

  • SSL Renegotiation – packets dropped due to excessive numbers of renegotiation requests over time as configured in the SSL/TLS Profile
  • SSL Protocol errors
  • SSL Version errors
  • SSL Cipher suite errors
  • SSL Incomplete Request errors

DNS

DNS Anomaly Drops (DNS Profile Options) for:

  • Header
  • Query
  • Response
  • Buffer Overflow
  • Exploit
  • Info
  • Data

NTP

NTP Anomaly Drops (NTP Profile Options) for:

  • Header
  • State

DTLS

DTLS Anomaly Drops for:

  • State (DTLS Profile: Protocol option)

QUIC

QUIC Anomaly Drops for:

  • Strict (QUIC Profile: Strict Anomalies Check)

  • Initial Packet Size (QUIC Profile: Initial Packet Check)

  • Version (QUIC Profile: Version Check)

Video Conference

Video Conference Anomaly Drops:

  • Zoom UDP Strict (anomalies)