Configuring reports
The report generator enables you to configure report profiles that can be run on demand or automatically according to a schedule you specify. The report generator is typically used to generate reports that can be distributed to subscribers or similar stakeholders who do not have administrative access to the FortiDDoS system. You can configure profiles that include system event data, DDoS attack data, or both.
Top attack categories are ranked by drop count (highest to lowest).
Reports display the top 10 items in each table, fewer than the top 20 shown in Dashboard > Top Attacks > SPP. Combining SPPs in one report shows the top 10 for the combined group only. To show more information, create separate reports for mission-critical or low-rate SPPs such as DNS servers.
The following attack categories are available within any Report:
- Top Attacks - Drop count by DDoS attack event type.
- Top ACL Attacks - Drop count by ACL rules and Global ACL rules.
- Top Attackers - Drop count by Source IP address.
- Top Attacked Subnets - Drop count by Protected Subnet.
- Top ACL Subnets - Drop count by ACLs associated with Protected Subnets.
- Top Attacked Protocols - Drop count by Protocol.
- Top Attacked TCP Ports - Drop count by TCP port.
- Top Attacked UDP Ports - Drop count by UDP port.
- Top Attacked ICMP Type Codes - Drop count by ICMP Type / Code.
- Top Attacked HTTP URLs - Drop count by HTTP URL (hash index).
- Top Attacked HTTP Methods - Drop count by HTTP method.
- Top Attacked HTTP Hosts - Drop count by Host header (hash index).
- Top Attacked HTTP Referers - Drop count by Referer header (hash index).
- Top Attacked HTTP Cookies - Drop count by Cookie header (hash index).
- Top Attacked HTTP User Agents - Drop count by User-Agent header (hash index).
- Top Attacked HTTP Servers - Drop count by HTTP server IP address.
- Top Attacked Destinations - Drop count by Destination IP address.
- Top Attacked SPPs - Drop count by SPPs.
- Top Attacked ACL SPPs - Drop count by ACL SPPs.
- Top Attacked DNS Servers - Drop count by DNS server IP address (destination Port 53).
- Top Attacked DNS Anomalies - Drop count due to anomalies by DNS server IP address (destination port 53).
Top Event Reports:
- Top Successful Logins
- Top Failed Logins
Before you begin:
- You must have Read-Write permission for Log & Report settings.
- You must have enabled local logging for system events if you want to generate system event reports.
- If you intend to email reports, you must have configured Log & Report > Alert Email Settings.
To configure Reports:
- Go to Log & Report > Report Configuration and do one of the following:
  - Click Create New.
  - Select an existing Report from the list and click Clone. Cloning an existing report makes it easier to create new reports that include many attack categories.
- Configure or reconfigure the Report according to the table below.
| Setting | Description |
|---|---|
| Name | Required. Letters a-Z and "-" or "_" only. |
| Report Title | Optional. |
| Report Type | Global or SPP. Global = all SPPs. Note: when Global is selected, an extra Report option is available to include the Global ACL table. SPP = selected (any/all) SPPs. |
| SPP Report Settings | |
| SPP | Select any or all of the SPPs displayed in the right-hand menu to include in the report. |
| Global and Common Report Settings | |
| DDoS Event Subtype | Select at least one. |
| Event Subtype | Optional. |
| Format | Format of the report: |
| Direction | Inbound (default) or outbound. |
| Period | Last: |
| On Schedule | Enable if you want to make it a regular report. Schedule types: |
| On Threshold Violation | When enabled and the aggregate drop count entered in this field is exceeded for the selected SPP(s) or Global, the Report is generated for the last 5 minutes only. The intent of this Report is to alert users to attacks of different sizes: while FortiDDoS is mitigating autonomously, users may want to know whether they are seeing small, medium or large attacks. For example, set the drop Threshold in three different reports at 100,000, 1,000,000 and 10,000,000. |
| Email settings | If you want to email the reports, complete the email fields: |
To configure with CLI:

```
config log report
  edit DailyLastMonth
    set title "FortiDDoS Report"
    set ddos-event-subtype top_attacks top_acl_attacks top_attackers top_attacked_http_methods top_attacked_tcp_ports top_attacked_udp_ports top_attacked_icmp_type_codes
    set event-subtype top_successful_logins top_failed_logins
    set direction
    set period-relative
    set email-subject "Report_111"
    set email-body "This is a report generated by FortiDDoS"
    set email-attachname FDD_111_report
    set recipient1 admin@abc.com
  next
end
```
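As an added illustration (not FortiDDoS code or data), the following Python models the two report behaviours described above: the top-N ranking by drop count, which shows why a combined Global report can crowd out a low-rate SPP such as DNS, and the On Threshold Violation check using the three example thresholds. The SPP names, IP addresses and drop counts are constructed.

```python
from collections import Counter

# Constructed 5-minute drop summary for illustration only (not FortiDDoS data):
# (spp, source_ip, protocol, destination_port, dropped_packets).
# IPs are taken from the RFC 5737 documentation ranges.
SAMPLE_WINDOW = [
    ("SPP-web", "198.51.100.7", "TCP", 443, 600_000),
    ("SPP-web", "198.51.100.8", "TCP", 443, 300_000),
    ("SPP-web", "198.51.100.9", "TCP", 80, 250_000),
    ("SPP-dns", "203.0.113.4", "UDP", 53, 40_000),
]

# Example threshold scheme from the table: three reports at increasing drop counts.
THRESHOLDS = (100_000, 1_000_000, 10_000_000)


def select(window, spps=None):
    """Rows for the chosen SPP set; spps=None means Global (all SPPs combined)."""
    return [row for row in window if spps is None or row[0] in spps]


def top_items(window, key, spps=None, n=10):
    """Rank drop counts by the grouping `key`, highest first, truncated to the
    top n like a report table. `key` returns None to exclude a row."""
    counts = Counter()
    for _spp, src, proto, port, drops in select(window, spps):
        k = key(src, proto, port)
        if k is not None:
            counts[k] += drops
    return counts.most_common(n)


def top_attackers(window, spps=None, n=10):
    """'Top Attackers': drop count by source IP address."""
    return top_items(window, lambda src, proto, port: src, spps, n)


def top_attacked_tcp_ports(window, spps=None, n=10):
    """'Top Attacked TCP Ports': drop count by TCP destination port."""
    return top_items(window, lambda s, proto, port: port if proto == "TCP" else None, spps, n)


def threshold_reports_fired(window, spps=None, thresholds=THRESHOLDS):
    """Thresholds exceeded by the window's aggregate drop count, i.e. which
    'On Threshold Violation' reports would be generated for this 5-minute window."""
    total = sum(row[4] for row in select(window, spps))
    return [t for t in thresholds if total > t]


if __name__ == "__main__":
    # A Global top-2 hides the DNS SPP's attacker; a separate SPP report shows it.
    print(top_attackers(SAMPLE_WINDOW, n=2), top_attackers(SAMPLE_WINDOW, spps={"SPP-dns"}))
    print(threshold_reports_fired(SAMPLE_WINDOW), threshold_reports_fired(SAMPLE_WINDOW, {"SPP-dns"}))
```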