
Configuring reports

The report generator enables you to configure report profiles that can be run on demand or automatically according to a schedule you specify. The report generator is typically used to generate reports that can be distributed to subscribers or similar stakeholders who do not have administrative access to the FortiDDoS system. You can configure profiles that include system event data, DDoS attack data, or both.

Top attack categories are ranked by drop count (highest to lowest).

Reports display the top 10 items in each table, fewer than the top 20 shown in Dashboard > Top Attacks > SPP.

Combining SPPs in one report will show the top 10 for the combined group.

To show more information, create separate reports for mission-critical or low-rate SPPs like DNS servers.
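As an added illustration, not taken from the FortiDDoS handbook, the Python below builds the top-10 Top Attackers and Top Attacked SPPs tables from a constructed set of per-SPP drop counts, ranked highest to lowest as the report generator does, and shows how a combined report leaves a low-rate DNS SPP with no attackers in the table while a separate report for that SPP lists them. The SPP names, addresses and drop counts are made up.

```python
from collections import Counter

TOP_N = 10  # a report table lists the top 10 entries; the Dashboard shows the top 20

# Constructed sample of one period's drop counts as (spp, source_ip, drops);
# not FortiDDoS output. A busy web SPP with 15 attackers and a low-rate DNS SPP
# with 5 attackers whose totals are far below any single web attacker.
SAMPLE_DROPS = (
    [("SPP-WEB", f"198.51.100.{i}", 500_000 - i * 1_000) for i in range(1, 16)]
    + [("SPP-DNS", f"203.0.113.{i}", 20_000 - i * 500) for i in range(1, 6)]
)


def report_tables(records, spps, n=TOP_N):
    """Build the Top Attackers and Top Attacked SPPs tables for a report that
    covers the given SPPs: sum drops per key, rank highest to lowest, and keep
    only the top n entries, as the report generator does."""
    by_source, by_spp = Counter(), Counter()
    for spp, src, drops in records:
        if spp not in spps:
            continue
        by_source[src] += drops
        by_spp[spp] += drops
    return {
        "Top Attackers": by_source.most_common(n),
        "Top Attacked SPPs": by_spp.most_common(n),
    }


def hidden_spps(records, spps, n=TOP_N):
    """SPPs that received drops but have none of their sources in the
    Top Attackers table of a report covering all of `spps`."""
    shown = {src for src, _ in report_tables(records, spps, n)["Top Attackers"]}
    active = {spp for spp, _, _ in records if spp in spps}
    visible = {spp for spp, src, _ in records if spp in spps and src in shown}
    return sorted(active - visible)


if __name__ == "__main__":
    both = {"SPP-WEB", "SPP-DNS"}
    print("combined report shows no attackers for:", hidden_spps(SAMPLE_DROPS, both))
    print("separate DNS report, Top Attackers:")
    for src, drops in report_tables(SAMPLE_DROPS, {"SPP-DNS"})["Top Attackers"]:
        print(f"  {src:16} {drops:>8}")
```

Note that the Top Attacked SPPs table of the combined report still lists SPP-DNS, because it ranks only two SPPs; it is the per-attacker detail that the combined top 10 loses.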

The following attack categories are available within any Report:

  • Top Attacks - Drop count by DDoS attack event type.
  • Top ACL Attacks - Drop count by ACL rules and Global ACL rules.
  • Top Attackers - Drop count by Source IP address.
  • Top Attacked Subnets - Drop count by Protected Subnet.
  • Top ACL Subnets - Drop count by ACLs associated with Protected Subnets.
  • Top Attacked Protocols - Drop count by Protocol.
  • Top Attacked TCP Ports - Drop count by TCP port.
  • Top Attacked UDP Ports - Drop count by UDP port.
  • Top Attacked ICMP Type Codes - Drop count by ICMP Type / Code.
  • Top Attacked HTTP URLs - Drop count by HTTP URL (hash index).
  • Top Attacked HTTP Methods - Drop count by HTTP method.
  • Top Attacked HTTP Hosts - Drop count by Host header (hash index).
  • Top Attacked HTTP Referers - Drop count by Referer header (hash index).
  • Top Attacked HTTP Cookies - Drop count by Cookie header (hash index).
  • Top Attacked HTTP User Agents - Drop count by User-Agent header (hash index).
  • Top Attacked HTTP Servers - Drop count by HTTP server IP address.
  • Top Attacked Destinations - Drop count by Destination IP address.
  • Top Attacked SPPs - Drop count by SPPs.
  • Top Attacked ACL SPPs - Drop count by ACL SPPs.
  • Top Attacked DNS Servers - Drop count by DNS server IP address (destination port 53).
  • Top Attacked DNS Anomalies - Drop count due to anomalies by DNS server IP address (destination port 53).

Top Event Reports:

  • Top Successful Logins
  • Top Failed Logins

Before you begin:

  • You must have Read-Write permission for Log & Report settings.
  • You must have enabled local logging for system events if you want to generate system event reports.
  • If you intend to email reports, you must have configured Log & Report > Alert Email Settings.

To configure Reports:
  1. Go to Log & Report > Report Configuration and do one of the following:
    • Click Create New.
    • Select an existing Report from the list and click Clone. Cloning an existing report will make it easier to create new reports that include many attack categories.

  2. Configure or reconfigure the Report according to the table below.

Name: Required. Characters a-Z and "-" or "_" only.

Report Title: Optional.

Report Type: Global or SPP.
  • Global = all SPPs. Note: There is an extra Report option when Global is selected to include the Global ACL table.
  • SPP = Selected (any/all) SPPs.

SPP Report Settings

SPP: Select any or all of the SPPs displayed in the right-hand menu to include in the report.

Global and Common Report Settings

DDoS Event Subtype: Select at least one.

Event Subtype: Optional.

Format: Format of the report:
  • HTML - Report saved as a web page
  • PDF - Report saved in PDF format
  • Word - Report saved in RTF format

Direction: Inbound (default) or outbound.

Period: Last:
  • Hour
  • 12 Hours
  • 24 Hours
  • 7 Days
  • 14 Days
  • 30 Days
  • Month
  • Year

On Schedule: Enable if you want to make it a regular report. Schedule types:
  • Daily - Select the hour each day when you want the report to run
  • Weekdays - Select the day(s) of the week when you want the report to run
  • Dates - Select the day(s) of the month when you want the report to run
  • Hourly - Report will run every hour, 7x24

On Threshold Violation: When enabled and the aggregate drop count entered in the field for the selected SPP(s) or Global is exceeded, the Report is generated for the last 5 minutes only. The intent of this Report is to alert users to attacks of differing sizes. While FortiDDoS is mitigating autonomously, users may want to know whether they are seeing small, medium or large attacks. For example, set the drop Threshold in 3 different reports at 100,000, 1,000,000 and 10,000,000.

Email settings: If you want to email the reports, complete the email fields:
  • Email subject
  • Email body (optional)
  • Email attachment name (optional)
  • Recipient 1, 2, 3 - you will need to use aliases to send to more than 3 recipients.

To configure with CLI:

config log report
  edit DailyLastMonth
    set title "FortiDDoS Report"
    set ddos-event-subtype top_attacks top_acl_attacks top_attackers top_attacked_http_methods top_attacked_tcp_ports top_attacked_udp_ports top_attacked_icmp_type_codes
    set event-subtype top_successful_logins top_failed_logins
    set direction
    set period-relative
    set email-subject "Report_111"
    set email-body "This is a report generated by FortiDDoS"
    set email-attachname FDD_111_report
    set recipient1 admin@abc.com
  next
end
