FortiDDoS
What is Discovered and Monitored
| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| Syslog | Host Name, Access IP, Vendor/Model | Over 150 event types, including Protocol Anomaly, Traffic Volume Anomaly and DoS Attacks | Security Monitoring |
Event Types
In ADMIN > Device Support > Event, search for "FortiDDoS" to see the event types associated with this device.
Rules
There are many IPS correlation rules for this device under Rules > Security > Exploits.
Reports
There are many reports for this device under Reports > Function > Security.
Configuration
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
| Setting | Value |
|---|---|
| Name | <set name> |
| Device Type | Fortinet FortiDDoS |
| Access Protocol | See Access Credentials |
| Port | See Access Credentials |
| Password config | See Password Configuration |
Syslog
FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the device's product documentation.
Example Syslog

Older firmware (upper-case field names such as SPP, sIP, dIP, dropCount):

```
Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312
```

Newer firmware (lower-case field names, plus tz, description, subnet_name, facility and level):

```
devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice
```
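The two messages above use the same key=value layout but differ in field-name case (SPP/sIP/dropCount versus spp/sip/dropcount) and in whether a quoted, space-containing description is present. The following Python is an added example, not FortiSIEM's own parser, showing how a collector can fold both spellings into one schema and then flag attack events by drop count; the sample messages are constructed from the examples on this page, and the `min_drops` threshold is an assumed tuning knob.

```python
import re
from typing import Dict

# Constructed sample messages, modelled on the two FortiDDoS syslog examples above.
SAMPLE_OLD = ('Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 '
              'time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 '
              'sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312')
SAMPLE_NEW = ('devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack '
              'spp=0 evecode=2 evesubcode=61 '
              'description="Excessive Concurrent Connections Per Source flood" dir=1 '
              'sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 '
              'facility=Local0 level=Notice')

# One key=value pair: the value is either double-quoted (may contain spaces) or bare.
# The syslog header (timestamp, relay IP) contains no '=' and is skipped naturally.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortiddos(line: str) -> Dict[str, str]:
    """Parse a FortiDDoS key=value syslog message into a dict with lower-cased keys.

    Lower-casing folds the older SPP/sIP/dIP/dropCount spelling and the newer
    spp/sip/dip/dropcount spelling into one field set, so a rule can reference
    a single name (e.g. 'sip') regardless of the firmware that produced the event.
    """
    fields: Dict[str, str] = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1).lower()
        # group(3) is the unquoted content when the value was quoted, else None.
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def is_attack_drop(fields: Dict[str, str], min_drops: int = 1) -> bool:
    """True when the event is a type=attack event that dropped at least min_drops packets.

    min_drops is an assumed threshold for suppressing low-volume noise; a missing or
    malformed dropcount is treated as zero rather than raising.
    """
    if fields.get("type") != "attack":
        return False
    try:
        return int(fields.get("dropcount", "0")) >= min_drops
    except ValueError:
        return False
```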