
Using the DDoS attack log table

The DDoS Attack Log table displays the attack event records for all SPPs and Global ACLs. The table is updated every 1-5 minutes. Logs are reported on 5-minute boundaries (0, 5, 10 minutes past the hour, and so on), but aggregation can take up to 2 minutes, so expect the 0-, 5- and 10-minute logs to appear at about 2, 7 and 12 minutes past the hour.

The log table holds between 1 million events (default) and 2 million events, depending on Log & Report > LOG CONFIGURATION: Log Purge Settings. When the number of events reaches the configured maximum, the system deletes the 200,000 oldest events and/or the oldest, smallest events, as controlled by the Log Purge Settings.

Note: The GUI displays a maximum of 900,000 logs, from the most recent timestamp backwards. When you apply a filter (for Inbound, for example), the filter searches the entire 1M-2M event database and displays up to the latest 900,000 matching logs.

Before you begin:

  • You must have a minimum of Read access.

To view the logs:

  1. Go to Log & Report > Log Access > Logs > DDoS Attack Log. Each row shows one attack event.

  2. Click the Detail icon at the right of a row to see further detail for that event.
To filter the logs

  • You can combine multiple filters from any of the selections below.

  • Filters are not persistent; they clear when you leave the Attack Log page.

  1. Use the top checkboxes to filter by type of event. When all checkboxes are cleared (the default), all logs are shown.

  2. Use the three pulldown menus marked “All” to filter by:

    • Direction (Inbound / Outbound)

    • SPP

    • Operating Mode (Detection / Prevention)

  3. Place the cursor on the row you are interested in, in any of the following columns:

    Timestamp | SPP Name | Associated Port | ICMP Type/Code | Source IP | Protected IP | Protocol

    Right-click for filter options based on that cell's value.

    Note: Not all of the columns above are displayed by default. To add or remove columns, place the cursor on the left side of the far-left Event ID column header and right-click for column selection and for resetting the table to its default columns.

  4. Use the Search bar for free-form text searches of the Event Type.

  5. Right-click in the Event Type column to include only events of that type or to exclude them.

  6. Right-click in the Timestamp column to filter for events at or near that time.

Downloading Attack Logs

The Download button downloads up to 100,000 Attack Logs, filtered or unfiltered, from newest to oldest, in CSV format. If an export contains exactly 100,000 rows, assume that older matching events were cut off; narrow the filter (for example by SPP, Direction or time) and download again.

DDoS Attack Log Fields

Column | Description | Example
Event ID | Log ID. | 462380959
Timestamp | Log timestamp. | 2015-05-05 16:31:00
SPP Name | User-configured SPP name. | Web-Servers
Source IP | Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see the Source tracking table). | 28.0.0.40
Protected IP | Protected IP address. For inbound traffic this is the destination IP; for outbound traffic it is the source IP. | 74.255.0.253
Direction | Inbound or Outbound. For TCP this is the direction of the session/connection; for UDP it is the direction of the packet. | Inbound
Protocol | Protocol number/name, if assigned. The field may be blank if the event covers traffic from multiple protocols, because the FPGA does not report a specific protocol in that case. | 6/tcp
ICMP type/code | ICMP type/code number. | 0/8
Event Type | Event type. | SYN flood
Associated port | Associated port number. For TCP, this is the associated port of the session or connection, not of the traffic direction: if the session originates or terminates on a service port (<10000), all traffic in either direction is associated with that port. For UDP, this is the destination port in the direction of the traffic, unless the traffic originates or terminates on a service port (<10000, or a UDP Service Port defined in Global Settings > Settings > UDP Service Ports); in that case Associated port shows the service port regardless of the traffic direction. | 69
Drop Count | Packets dropped for this event. | 14
Operating Mode | Prevention or Detection, according to the SPP setting when the log was generated. Note: this indicator was not available before 5.2.0, so logs from before the 5.2.0 installation display “Prevention” regardless of the actual mode at that time. | Prevention
Event Detail | Reason string. For HTTP events this is the hash index. | '500'
Subnet ID | Subnet ID. | 0

Note: In the DDoS attack log, a table cell displays “-” (a hyphen) or is blank if the data was not collected, is invalid, or if multiple values for the same field occur in the same event.

The table displays the most recent records first and, by default, the columns Event ID, Timestamp, SPP Name, Direction, Event Type and Drop Count. By default the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (default 1M, maximum 2M), whichever is reached first. To view the details of an event, click the Detail icon at the right end of its row.
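
The script below is an added example written for this page, not Fortinet code. It processes a CSV file produced by the Download button and applies the field rules above: it flags an export that hit the 100,000-row cap, normalises “-” and blank cells to None so that a multi-protocol or spoofed-source event is not mistaken for a real value, mirrors the Direction / SPP / Operating Mode pulldowns and the Event Type filter, totals Drop Count per SPP and event type, and predicts the Associated port value for a given packet. The column names follow the field table; the sample rows, the UDP Service Port set and the tie-break used when both ends of a session are service ports are constructed assumptions.

```python
"""Process a FortiDDoS DDoS Attack Log CSV export (added example, not Fortinet code).

Assumptions: the CSV header uses the column names from the field table; the
sample rows, UDP_SERVICE_PORTS and the tie-break in associated_port() are
constructed for illustration.
"""
import csv
import io
from collections import Counter
from datetime import datetime

MISSING = "-"               # cell value when data is not collected, invalid or multi-valued
EXPORT_CAP = 100_000        # the Download button exports at most this many rows, newest first
SERVICE_PORT_LIMIT = 10000  # ports below this are treated as service ports
UDP_SERVICE_PORTS = {69, 123}  # hypothetical Global Settings > Settings > UDP Service Ports

# Constructed sample export: four events across two 5-minute intervals.
SAMPLE_CSV = """\
Event ID,Timestamp,SPP Name,Source IP,Protected IP,Direction,Protocol,ICMP type/code,Event Type,Associated port,Drop Count,Operating Mode,Event Detail,Subnet ID
462380962,2015-05-05 16:35:00,Web-Servers,-,74.255.0.253,Inbound,-,-,SYN flood,80,7,Detection,-,0
462380961,2015-05-05 16:35:00,DNS,-,74.255.0.9,Outbound,1/icmp,0/8,ICMP flood,-,3,Prevention,-,1
462380960,2015-05-05 16:30:00,Web-Servers,28.0.0.40,74.255.0.253,Inbound,17/udp,-,UDP flood,69,120,Prevention,-,0
462380959,2015-05-05 16:30:00,Web-Servers,-,74.255.0.253,Inbound,6/tcp,-,SYN flood,80,14,Prevention,-,0
"""


def parse_attack_log(text):
    """Return one dict per event. '-' and empty cells become None so that a
    multi-protocol or spoofed-source event is not mistaken for a real value."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = {k: (None if v in (MISSING, "") else v) for k, v in row.items()}
        rec["Drop Count"] = int(rec["Drop Count"] or 0)
        rec["Timestamp"] = datetime.strptime(rec["Timestamp"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events


def export_may_be_truncated(events):
    """True when the file hit the download cap, i.e. older matching events were cut off."""
    return len(events) >= EXPORT_CAP


def filter_events(events, direction=None, spp=None, mode=None, event_type=None):
    """Apply the same selections as the Direction, SPP and Operating Mode pulldowns
    and the Event Type right-click filter; None means 'All'."""
    return [e for e in events
            if (direction is None or e["Direction"] == direction)
            and (spp is None or e["SPP Name"] == spp)
            and (mode is None or e["Operating Mode"] == mode)
            and (event_type is None or e["Event Type"] == event_type)]


def drops_by_event_type(events):
    """Total Drop Count per (SPP Name, Direction, Event Type) across all intervals."""
    totals = Counter()
    for e in events:
        totals[(e["SPP Name"], e["Direction"], e["Event Type"])] += e["Drop Count"]
    return dict(totals)


def associated_port(protocol, src_port, dst_port, udp_service_ports=UDP_SERVICE_PORTS):
    """Predict the Associated port value for a packet seen as src_port -> dst_port.

    TCP: if either end of the session is a service port (<10000) that port is
    reported regardless of traffic direction.  UDP: the destination port in the
    packet's direction, unless either end is a service port (<10000 or in the
    configured UDP Service Ports), in which case the service port is reported.
    Assumption (not stated on the page): when both ends qualify the destination
    port wins, and a TCP session with no service port is reported by dst_port.
    """
    def is_service(port):
        return port < SERVICE_PORT_LIMIT or (protocol == "udp" and port in udp_service_ports)
    for port in (dst_port, src_port):
        if is_service(port):
            return port
    return dst_port


if __name__ == "__main__":
    events = parse_attack_log(SAMPLE_CSV)
    if export_may_be_truncated(events):
        print("export hit the %d-row cap; narrow the filter and download again" % EXPORT_CAP)
    for key, drops in sorted(drops_by_event_type(filter_events(events, mode="Prevention")).items()):
        print(key, drops)
    print("Associated port for UDP 40000 -> 69:", associated_port("udp", 40000, 69))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents; the truncation check is worth keeping in any reporting pipeline, because a capped export silently under-counts drops for the oldest part of the window.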

See Appendix A: DDoS Attack Log Reference for details on log categories and event types.
