Using Traffic Monitor Layer 3/4/7 graphs

Use the Layer 3 graphs to monitor trends in Layer 3 traffic parameter rates and drops.

Customize the graph with the following viewing parameters: SPP, Linear/Logarithmic Y-Axis, Direction, Reporting Period (1-hr to 1-yr).

Most graphs in this group will show Inbound/Outbound and Ingress/Egress. Remember that Inbound Ingress is traffic from the Internet to FortiDDoS and Inbound Egress is traffic from FortiDDoS to your network. Any divergence of Ingress and Egress traffic on the graph indicates that the system is dropping packets (actually dropped in Prevention Mode, or virtually dropped in Detection Mode).

If Ingress and Egress traffic diverge, you will also see Drop Counts on this graph if the drop reason is directly related to this graph. You may see Ingress/Egress divergence on a graph but no drops. This indicates that the traffic on this graph was affected by drops accounted for on another graph. For example, a high rate of Layer 3 Anomalies may affect a Layer 3 Protocol graph, but the drops will be shown on the Anomalies graphs.

If you are uncertain about what is causing the drops, use the Dashboard > Top Attacks page to find the actual attack vector and then choose the appropriate graph.

Placing the cursor on the Monitor graph will display a tool-tip with additional information.

On graphs with many subgraphs, not all graph labels may be visible at once. If so, a scroll bar appears on the right side of the legend section to display the remaining graph labels.

On pages with multiple graphs, you can scroll to see all graphs or you can use the +/- icon at the top-left of each graph name to hide that graph. The pages always open with all graphs showing.

Estimated Thresholds

FortiDDoS sets Thresholds by learning traffic, creating Traffic Statistics Reports and from them creating System Recommended Thresholds shown on the top left of the graph (Threshold: 20,000, as shown in the graph below, for example).

For selected “Scalar” parameters, the system then calculates a continuously adaptive, machine-learned Estimated Threshold which automatically adjusts the System Recommended Threshold, based on historical traffic, traffic trend and “seasonality”. Action is taken by the system only when traffic exceeds the higher of the System Recommended Threshold or the Estimated Adaptive Threshold. Estimated Adaptive Thresholds are by default limited to 150% of the System Recommended Threshold to prevent excess traffic. The 150% limit is user-modifiable in System Recommendations.

Both the Adaptive and Estimated Thresholds can be seen on Scalar graphs. The Adaptive Threshold field information will change depending on the following:

If the Estimated Threshold is:

  • Below the System Recommended Threshold rate: Adaptive Threshold will show the same rate as the System Recommended Threshold.

  • Above the System Recommended Threshold but below max Adaptive Threshold: Adaptive Threshold will show the same rate as the Estimated Threshold.

  • At or above max Adaptive Threshold: Adaptive Threshold will show its maximum.

In all cases, you can assume that mitigation begins when traffic rates cross the Adaptive Threshold rate shown.

Note 1: The Estimated and/or Adaptive Threshold is recalculated every 5 minutes, so the Adaptive Threshold displayed is from the most recent 5-minute period. When looking at older periods, Adaptive Threshold may not match what you expect from the Estimated Threshold compared to Threshold and Max Adaptive Threshold. The tool-tip numbers below are illustrative only.

Note 2: There is no requirement to understand this in detail. The system is automatically adapting the Thresholds over time but not so much that any attacks will be missed.

Below, the Most Active Source Threshold is 20,000 and thus the Max Adaptive Threshold is 1.5x 20,000 = 30,000. The cursor tool-tip Estimated Threshold is 1,333, which is lower than the Threshold (20,000), so the Adaptive Threshold is shown as the same as the Threshold (20,000).

Below, the UDP Threshold is 3,942 and thus the Max Adaptive Threshold is 1.5x 3,942 = 5,913. The graph Estimated Threshold is 4,864, which is higher than the Threshold (3,942) but smaller than the Max Adaptive Threshold (5,913), so 4,864 is displayed as the Adaptive Threshold and used as the Threshold by the system.

Below, the SYN Threshold is 7,761, so the Max Adaptive Threshold is 1.5x 7,761 = 11,641 (rounded down). The graph Estimated Threshold is 12,460, which is higher than the Max Adaptive Threshold, so the Adaptive Threshold is limited to and shown as 11,641.
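The three cases above all follow the same rule from the "If the Estimated Threshold is:" list: the displayed Adaptive Threshold is the Estimated Threshold clamped between the System Recommended Threshold and the Max Adaptive Threshold (150% of the Recommended Threshold by default). The following Python is an added worked example, not FortiDDoS code; the function names, the `AdaptiveSource` labels and the 5-minute sample series are assumptions chosen to reproduce the three graph examples above, and the integer rounding (11,641 rather than 11,641.5) is inferred from the page's own figures.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class AdaptiveSource(Enum):
    """Which value the Adaptive Threshold field is showing (assumed labels)."""
    SYSTEM_RECOMMENDED = "System Recommended Threshold"
    ESTIMATED = "Estimated Threshold"
    MAX_ADAPTIVE = "Max Adaptive Threshold"


@dataclass(frozen=True)
class ThresholdView:
    recommended: int     # System Recommended Threshold (from the Traffic Statistics Report)
    estimated: int       # machine-learned Estimated Threshold for this 5-minute period
    max_adaptive: int    # limit_pct % of recommended (150% by default)
    adaptive: int        # value the graph shows and the system enforces
    source: AdaptiveSource


def max_adaptive_threshold(recommended: int, limit_pct: int = 150) -> int:
    """Max Adaptive Threshold = limit_pct % of the Recommended Threshold.
    Truncated to a whole rate, matching the page's 1.5 x 7,761 -> 11,641."""
    return recommended * limit_pct // 100


def resolve_adaptive(recommended: int, estimated: int, limit_pct: int = 150) -> ThresholdView:
    """Apply the three-way rule from the handbook list to one 5-minute sample."""
    cap = max_adaptive_threshold(recommended, limit_pct)
    if estimated < recommended:
        # Below the Recommended Threshold: graph shows the Recommended Threshold.
        adaptive, source = recommended, AdaptiveSource.SYSTEM_RECOMMENDED
    elif estimated < cap:
        # Above Recommended but below Max Adaptive: graph shows the Estimated Threshold.
        adaptive, source = estimated, AdaptiveSource.ESTIMATED
    else:
        # At or above Max Adaptive: graph shows the maximum.
        adaptive, source = cap, AdaptiveSource.MAX_ADAPTIVE
    return ThresholdView(recommended, estimated, cap, adaptive, source)


def mitigation_starts(rates: Sequence[int], recommended: int, estimated: int,
                      limit_pct: int = 150) -> Optional[int]:
    """Index of the first sample whose rate exceeds the Adaptive Threshold
    (the point where the handbook says mitigation begins), or None."""
    view = resolve_adaptive(recommended, estimated, limit_pct)
    for i, rate in enumerate(rates):
        if rate > view.adaptive:
            return i
    return None


# Constructed inputs taken from the three graph examples on the page.
PAGE_EXAMPLES = {
    "Most Active Source": (20_000, 1_333),
    "UDP": (3_942, 4_864),
    "SYN": (7_761, 12_460),
}

if __name__ == "__main__":
    for name, (rec, est) in PAGE_EXAMPLES.items():
        v = resolve_adaptive(rec, est)
        print(f"{name:18s} Threshold={v.recommended:>6} Estimated={v.estimated:>6} "
              f"MaxAdaptive={v.max_adaptive:>6} Adaptive={v.adaptive:>6} ({v.source.value})")
    # Constructed 5-minute UDP rate series: the last sample is the first to exceed 4,864.
    print("UDP mitigation starts at sample", mitigation_starts([3_000, 3_900, 4_864, 5_200], 3_942, 4_864))
```

The strict comparison in `mitigation_starts` reflects "exceeds": a rate equal to the Adaptive Threshold (4,864 in the UDP case) does not trigger mitigation, the next sample at 5,200 does. Changing `limit_pct` reproduces what happens when the 150% limit is edited in System Recommendations.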
