Fortinet white logo
Fortinet white logo

Handbook

Generate Traffic Statistics

Generate Traffic Statistics

Traffic statistics overview

The traffic statistics are the maximum value (rate or count) measured by the counter for each parameter, in each direction in each Service Protection Policy during the observation period. The system saves data points every five minutes. During a 1-hour period, for example, there are 12, 5-minute observation periods. FortiDDoS saves a data point for each 5-minute interval. If you choose a 1-hour period, the system generates the maximum value across these 12 periods of 5-minute intervals.

The statistics are used to establish the configured minimum threshold and ultimately the absolute maximum rate limit.

Generating traffic statistics

You can generate traffic statistics based on the following observation periods:

  • Past 1 hour
  • Past 8 hours
  • Past 1 day
  • Past 1 week – recommended for enterprise customers
  • Past 1 month – recommended for ISP/Hosting customers
  • Past 1 year
  • Past 10 minutes – CLI only, normally used for PoC or training

Use a time period that is representative of typical traffic volume and has had no attacks.

Before you begin:

• You must have Read-Write permission for Protection Profile settings.

• Note that the FortiDDoS is accessed when you generate traffic statistics or set system recommended thresholds. Do not perform multiple operations simultaneously.

To generate traffic statistics:
  1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Threshold Settings > System Recommendation, and click Generate Statistics
  2. Select the time period from the drop-down list.
  3. Select Generate Statistics.
  4. It takes several minutes for the process to complete. Click Refresh to track the status. The process is complete when the status shows "Available" and a timestamp.

Note: VM platform maintains a single resource to store traffic data for each of TCP Ports (1024-65535), URL(1024-65535), UDP ports (10240-65535) & ICMP type Code (40:0-255:255). So, it is possible to see one single entry in Traffic statistics data for these ports in VM platforms only.

To configure using the CLI:

execute generate-traffic-stats spp <rule_name> <report_period> 1h|8h|1d|1w|1m|1y|600s

Displaying traffic statistics

You can review the statistics that are the basis of the system recommended thresholds.

Before you begin:

• You must have generated traffic statistics as described above.

• You must have Read-Write permission for Protection Profile settings.

To display traffic statistics
  1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Threshold Settings > System Recommendation.
  2. Select the type of statistics from the drop-down list.
  3. Select the time period from the drop-down list.

Note: By default, the system does not display parameters with counts lower than the default low threshold value (i.e. 500). Disable the Do not show values below low threshold option if you want to see these low counts

Merging traffic statistics

Expert use

Merging traffic statistics applies to a specific network configuration where:

  • One FortiDDoS is installed on each of 2 or more ISP links

  • There are multiple subnets that are /24 or larger

  • Traffic is "load-balanced" across ISPs using BGP or any other means of distributing subnets across links

  • FortiDDoS systems are installed in HA mode (recommended) or standalone mode

Because each FortiDDoS will see different traffic, thresholds for each system may be substantially different. If one link fails, the combined traffic will be processed through one FortiDDoS. As a result, we may have false-positive drops because the thresholds no longer match the actual traffic.

This procedure merges (sums) the traffic statistics from both systems on the primary HA system which then synchronizes them to the secondary system. Combining traffic statistics has little impact on DDoS mitigation since attacks for any single parameter are always many times larger than the eventual threshold set from the traffic statistics.

Note: Synchronizing the merged traffic statistics on two standalone (non-HA) systems requires additional steps and is not recommended. If required, please contact Fortinet Customer Service & Support.

Prerequisites:

  • Read/write access

  • Service Protection Profiles and SPP Policies (subnets) have been configured

  • System has been learning traffic for at least one week

  • FortiDDoS are in HA pair (preferred and used in the following steps)

Procedure from the Primary FortiDDoS:

  1. Generate traffic statistics for each Service Protection Profile as detailed above. When the Primary system generates traffic statistics, the secondary system will also generate traffic statistics.
  2. Log in to the secondary FortiDDoS and confirm that traffic statistics exist for each SPP
  3. On the secondary FortiDDoS, go to the System>Maintenance>Traffic Statistics Management tab
  4. Select:
    1. The Backup radio button
    2. The correct period you used to create traffic statistics
    3. Slide SPP Only to off (black) unless you are an expert user
  5. Click Backup to save this file on your PC
  6. Log on to the primary FortiDDoS and go to System>Maintenance>Traffic Statistics Management
  7. Select:
    1. The Merge radio button
    2. The correct Period to match the backup file you have
    3. Slide SPP Only to off (black) unless you are an expert user
  8. Select Choose File and select the Backup file you saved from the secondary system
  9. The primary system will confirm the upload. If the file fails to load, check if the SPP and the Traffic Statistics Periods match between Primary and Secondary FortiDDoS systems.
  10. Proceed with displaying traffic statistics and managing thresholds on the primary FortiDDoS as seen above. Once the system-recommended thresholds are complete on the Primary FortiDDoS, they will be automatically applied to the Secondary FortiDDoS.

Generate Traffic Statistics

Generate Traffic Statistics

Traffic statistics overview

The traffic statistics are the maximum value (rate or count) measured by the counter for each parameter, in each direction in each Service Protection Policy during the observation period. The system saves data points every five minutes. During a 1-hour period, for example, there are 12, 5-minute observation periods. FortiDDoS saves a data point for each 5-minute interval. If you choose a 1-hour period, the system generates the maximum value across these 12 periods of 5-minute intervals.

The statistics are used to establish the configured minimum threshold and ultimately the absolute maximum rate limit.

Generating traffic statistics

You can generate traffic statistics based on the following observation periods:

  • Past 1 hour
  • Past 8 hours
  • Past 1 day
  • Past 1 week – recommended for enterprise customers
  • Past 1 month – recommended for ISP/Hosting customers
  • Past 1 year
  • Past 10 minutes – CLI only, normally used for PoC or training

Use a time period that is representative of typical traffic volume and has had no attacks.

Before you begin:

• You must have Read-Write permission for Protection Profile settings.

• Note that the FortiDDoS is accessed when you generate traffic statistics or set system recommended thresholds. Do not perform multiple operations simultaneously.

To generate traffic statistics:
  1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Threshold Settings > System Recommendation, and click Generate Statistics
  2. Select the time period from the drop-down list.
  3. Select Generate Statistics.
  4. It takes several minutes for the process to complete. Click Refresh to track the status. The process is complete when the status shows "Available" and a timestamp.

Note: VM platform maintains a single resource to store traffic data for each of TCP Ports (1024-65535), URL(1024-65535), UDP ports (10240-65535) & ICMP type Code (40:0-255:255). So, it is possible to see one single entry in Traffic statistics data for these ports in VM platforms only.

To configure using the CLI:

execute generate-traffic-stats spp <rule_name> <report_period> 1h|8h|1d|1w|1m|1y|600s

Displaying traffic statistics

You can review the statistics that are the basis of the system recommended thresholds.

Before you begin:

• You must have generated traffic statistics as described above.

• You must have Read-Write permission for Protection Profile settings.

To display traffic statistics
  1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Threshold Settings > System Recommendation.
  2. Select the type of statistics from the drop-down list.
  3. Select the time period from the drop-down list.

Note: By default, the system does not display parameters with counts lower than the default low threshold value (i.e. 500). Disable the Do not show values below low threshold option if you want to see these low counts

Merging traffic statistics

Expert use

Merging traffic statistics applies to a specific network configuration where:

  • One FortiDDoS is installed on each of 2 or more ISP links

  • There are multiple subnets that are /24 or larger

  • Traffic is "load-balanced" across ISPs using BGP or any other means of distributing subnets across links

  • FortiDDoS systems are installed in HA mode (recommended) or standalone mode

Because each FortiDDoS will see different traffic, thresholds for each system may be substantially different. If one link fails, the combined traffic will be processed through one FortiDDoS. As a result, we may have false-positive drops because the thresholds no longer match the actual traffic.

This procedure merges (sums) the traffic statistics from both systems on the primary HA system which then synchronizes them to the secondary system. Combining traffic statistics has little impact on DDoS mitigation since attacks for any single parameter are always many times larger than the eventual threshold set from the traffic statistics.

Note: Synchronizing the merged traffic statistics on two standalone (non-HA) systems requires additional steps and is not recommended. If required, please contact Fortinet Customer Service & Support.

Prerequisites:

  • Read/write access

  • Service Protection Profiles and SPP Policies (subnets) have been configured

  • System has been learning traffic for at least one week

  • FortiDDoS are in HA pair (preferred and used in the following steps)

Procedure from the Primary FortiDDoS:

  1. Generate traffic statistics for each Service Protection Profile as detailed above. When the Primary system generates traffic statistics, the secondary system will also generate traffic statistics.
  2. Log in to the secondary FortiDDoS and confirm that traffic statistics exist for each SPP
  3. On the secondary FortiDDoS, go to the System>Maintenance>Traffic Statistics Management tab
  4. Select:
    1. The Backup radio button
    2. The correct period you used to create traffic statistics
    3. Slide SPP Only to off (black) unless you are an expert user
  5. Click Backup to save this file on your PC
  6. Log on to the primary FortiDDoS and go to System>Maintenance>Traffic Statistics Management
  7. Select:
    1. The Merge radio button
    2. The correct Period to match the backup file you have
    3. Slide SPP Only to off (black) unless you are an expert user
  8. Select Choose File and select the Backup file you saved from the secondary system
  9. The primary system will confirm the upload. If the file fails to load, check if the SPP and the Traffic Statistics Periods match between Primary and Secondary FortiDDoS systems.
  10. Proceed with displaying traffic statistics and managing thresholds on the primary FortiDDoS as seen above. Once the system-recommended thresholds are complete on the Primary FortiDDoS, they will be automatically applied to the Secondary FortiDDoS.