Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    7.0.1
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Configuring remote log server settings for DDoS attack log

    Configuring remote log server settings for DDoS attack log

    The DDoS attack log remote server configuration applies to security event data. You configure individual remote log server configurations for each SPP.

    You can set up two remote DDoS Attack Log Remote syslog servers per SPP.

    Before you begin:

    • You must have Read-Write permission for Log & Report settings.

    See also: Configuring remote log server settings for event logs.

    To configure remote log settings for the Attack Log Remote:
    1. Go to Log & Report > Log Configuration > Attack Log Remote.
    2. Click Add.
    3. Complete the configuration as described in the table below.
    4. Save the configuration.

    Attack Log remote logging configuration page

    Attack Log remote logging configuration guidelines

    Settings Guidelines
    Name Configuration name.
    Status Select to enable sending DDoS attack logs to a remote server.

    Global ACL

    Select to send Global ACL attack logs to the remote server. If this option is enabled, the SPP field is hidden.

    Configure up to 2 remote servers.
    SPP

    Select an SPP whose logs are sent to the remote server.

    Configure up to 2 remote servers.
    Address IP address of the FortiManager / FortiAnalyzer / syslog server.
    Port Listening port number of the FortiManager / FortiAnalyzer/syslog server. Usually this is UDP port 514.

    Attack syslog formats

    The following example shows a DDoS attack syslog message:

    Oct 10 10:56:00 170.30.100.162 devid=FI-1KB3913000….

    DDoS attack syslog fields

    The following example shows a DDoS attack syslog message:

    Oct 10 10:56:00 170.30.100.162 devid=FI-1KB3913000012 date=2018-10-10 time=10:56:00 tz=PDT type=attack spp=2 evecode=2 evesubcode=87 description="HTTP Method flood from source" dir=1 protocol=6 sip=41.1.61.9 dip=41.20.0.20 dport=80 dropcount=72 subnet_id=7 facility=Local0 level=Notice direction=inbound spp_name="2Two" subnet_name="Seven"

    Field Example
    (from the sample message above)    		 Details
    Syslog send timestamp Oct 10 10:56:00 Local FortiDDoS time
    Syslog client IP address 170.30.100.162 FortiDDoS Source Management Port
    FortiDDoS device ID devid=FI-1KB3913000012 Serial Number of the FortiDDoS
    Log datestamp date=2018-10-10 FortiDDoS local date
    Log timestamp time=10:56:00 FortiDDoS local time
    Log time zone tz=PDT FortiDDoS local time zone
    Log type type=attack Attack or Event Log
    SPP ID spp=2 Name of the FortiDDoS Service Protection Profile
    Event code evecode=2 See the Appendix – DDoS Attack Log Reference
    Event subcode evesubcode=87 See the Appendix – DDoS Attack Log Reference
    Event type description="HTTP Method flood from source" Event name - see the Appendix – DDoS Attack Log Reference
    Direction ID (1=inbound, 0=outbound) dir=1 Direction of attack traffic - see 'Direction' below for textual direction.
    Protocol protocol=6 Layer 3 Protocol
    Source IP address sip=41.1.61.9 Only included if non-spoofed Source IP address
    Protected IP address dip=41.20.0.20 Protected IP address included in the FortiDDoS SPP Policies
    Associated port dport=80 TCP or UDP Port under attack if applicable
    Drop count dropcount=72 Number of dropped packets over 1-minute (Interrupt) or 5-minutes (Periodic) - see the Appendix – DDoS Attack Log Reference.
    Subnet ID subnet_id=7 Index number of the SPP Policy where the Protected IP is contained - see 'Subnet name' below.
    Facility facility=Local0 Defined by the customer in SNMP configuration
    Level level=Notice Default severity level
    Direction direction=inbound Textual direction of the attack traffic
    SPP name spp_name="2Two" Service Protection Profile name that contains the SPP Policy/subnet that further contains the Protected IP address under attack
    Subnet name subnet_name="Seven" Configured name of the SPP Policy/subnet

    To configure with the CLI:

    config log setting ddos-attack-log-remote

    To configure with the CLI:

    #config log setting ddos-attack-log-remote

    (ddos-attack-lo~-)#edit <name> Name of log server e.g. FAZ-GL

    (FAZ-GL)# set status {enable | disable }

    (FAZ-GL)# set ip-address <172.30.153.105>

    (FAZ-GL)# set port <514>

    (FAZ-GL)# set global <enable | disable > Set to send Global ACL logs to the remote server. NOTE this setting is mutually exclusive with the next setting. If Global is set, create a new configuration of other SPPs

    (FAZ-GL)# set spp < SPP Name >

    For FortiAnalyzer:

    (FAZ-GL)# set fortianalyzer {enable | disable}

    (FAZ-GL)# set encrypt-traffic-to-fortianalyzer {enable | disable} FortiAnalyzer OFTP

    For other Syslog Servers

    (FAZ-GL)# set proto {udp | tcp }

    For UDP – no additional setting results in RFC3164-compliant syslogs

    (FAZ-GL)# set rfc-5424 {enable | disable} results in RFC5424-compliant syslogs

    For TCP

    (FAZ-GL)# set tcp_framing {transparent | octet_counted } Set to server requirements

    end
    Previous
    Next

    Configuring remote log server settings for DDoS attack log

    Configuring remote log server settings for DDoS attack log

    The DDoS attack log remote server configuration applies to security event data. You configure individual remote log server configurations for each SPP.

    You can set up two remote DDoS Attack Log Remote syslog servers per SPP.

    Before you begin:

    • You must have Read-Write permission for Log & Report settings.

    See also: Configuring remote log server settings for event logs.

    To configure remote log settings for the Attack Log Remote:
    1. Go to Log & Report > Log Configuration > Attack Log Remote.
    2. Click Add.
    3. Complete the configuration as described in the table below.
    4. Save the configuration.

    Attack Log remote logging configuration page

    Attack Log remote logging configuration guidelines

    Settings Guidelines
    Name Configuration name.
    Status Select to enable sending DDoS attack logs to a remote server.

    Global ACL

    Select to send Global ACL attack logs to the remote server. If this option is enabled, the SPP field is hidden.

    Configure up to 2 remote servers.
    SPP

    Select an SPP whose logs are sent to the remote server.

    Configure up to 2 remote servers.
    Address IP address of the FortiManager / FortiAnalyzer / syslog server.
    Port Listening port number of the FortiManager / FortiAnalyzer/syslog server. Usually this is UDP port 514.

    Attack syslog formats

    The following example shows a DDoS attack syslog message:

    Oct 10 10:56:00 170.30.100.162 devid=FI-1KB3913000….

    DDoS attack syslog fields

    The following example shows a DDoS attack syslog message:

    Oct 10 10:56:00 170.30.100.162 devid=FI-1KB3913000012 date=2018-10-10 time=10:56:00 tz=PDT type=attack spp=2 evecode=2 evesubcode=87 description="HTTP Method flood from source" dir=1 protocol=6 sip=41.1.61.9 dip=41.20.0.20 dport=80 dropcount=72 subnet_id=7 facility=Local0 level=Notice direction=inbound spp_name="2Two" subnet_name="Seven"

    Field Example
    (from the sample message above)    		 Details
    Syslog send timestamp Oct 10 10:56:00 Local FortiDDoS time
    Syslog client IP address 170.30.100.162 FortiDDoS Source Management Port
    FortiDDoS device ID devid=FI-1KB3913000012 Serial Number of the FortiDDoS
    Log datestamp date=2018-10-10 FortiDDoS local date
    Log timestamp time=10:56:00 FortiDDoS local time
    Log time zone tz=PDT FortiDDoS local time zone
    Log type type=attack Attack or Event Log
    SPP ID spp=2 Name of the FortiDDoS Service Protection Profile
    Event code evecode=2 See the Appendix – DDoS Attack Log Reference
    Event subcode evesubcode=87 See the Appendix – DDoS Attack Log Reference
    Event type description="HTTP Method flood from source" Event name - see the Appendix – DDoS Attack Log Reference
    Direction ID (1=inbound, 0=outbound) dir=1 Direction of attack traffic - see 'Direction' below for textual direction.
    Protocol protocol=6 Layer 3 Protocol
    Source IP address sip=41.1.61.9 Only included if non-spoofed Source IP address
    Protected IP address dip=41.20.0.20 Protected IP address included in the FortiDDoS SPP Policies
    Associated port dport=80 TCP or UDP Port under attack if applicable
    Drop count dropcount=72 Number of dropped packets over 1-minute (Interrupt) or 5-minutes (Periodic) - see the Appendix – DDoS Attack Log Reference.
    Subnet ID subnet_id=7 Index number of the SPP Policy where the Protected IP is contained - see 'Subnet name' below.
    Facility facility=Local0 Defined by the customer in SNMP configuration
    Level level=Notice Default severity level
    Direction direction=inbound Textual direction of the attack traffic
    SPP name spp_name="2Two" Service Protection Profile name that contains the SPP Policy/subnet that further contains the Protected IP address under attack
    Subnet name subnet_name="Seven" Configured name of the SPP Policy/subnet

    To configure with the CLI:

    config log setting ddos-attack-log-remote

    To configure with the CLI:

    #config log setting ddos-attack-log-remote

    (ddos-attack-lo~-)#edit <name> Name of log server e.g. FAZ-GL

    (FAZ-GL)# set status {enable | disable }

    (FAZ-GL)# set ip-address <172.30.153.105>

    (FAZ-GL)# set port <514>

    (FAZ-GL)# set global <enable | disable > Set to send Global ACL logs to the remote server. NOTE this setting is mutually exclusive with the next setting. If Global is set, create a new configuration of other SPPs

    (FAZ-GL)# set spp < SPP Name >

    For FortiAnalyzer:

    (FAZ-GL)# set fortianalyzer {enable | disable}

    (FAZ-GL)# set encrypt-traffic-to-fortianalyzer {enable | disable} FortiAnalyzer OFTP

    For other Syslog Servers

    (FAZ-GL)# set proto {udp | tcp }

    For UDP – no additional setting results in RFC3164-compliant syslogs

    (FAZ-GL)# set rfc-5424 {enable | disable} results in RFC5424-compliant syslogs

    For TCP

    (FAZ-GL)# set tcp_framing {transparent | octet_counted } Set to server requirements

    end
    Previous
    Next