FortiDDoS
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials
- Example Syslog
What is Discovered and Monitored
Protocol | Information Discovered | Metrics Collected | Used For |
---|---|---|---|
Syslog | Host Name, Access IP, Vendor/Model | Over 150 event types, including Protocol Anomaly, Traffic Volume Anomaly, and DoS Attacks | Security Monitoring |
Event Types
In ADMIN > Device Support > Event Types, search for "FortiDDoS" to see the event types associated with this device.
Rules
There are many IPS correlation rules for this device under RESOURCES > Rules > Security > Exploits.
Reports
There are many reports for this device under RESOURCES > Reports > Function > Security.
Configuration
Syslog
FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the device's product documentation by taking the following steps.
FortiDDoS documentation is available here: https://help.fortinet.com/fddos/4-7-0/index.htm#fortiddos/Configuring_remote_log_server_settings_for_event_l.htm
- Navigate to Log & Report > Event Log Remote.
- Click Add.
- Complete the configuration.
- Click Save.
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Fortinet FortiDDos |
Access Protocol | See Access Credentials |
Port | See Access Credentials |
Password config | See Password Configuration |
Example Syslog
Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312

devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice
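The two sample messages above show the shape of the FortiDDoS key=value format and two of its quirks: field names change case between firmware versions (sIP/dIP/dropCount versus sip/dip/dropcount), and the description value is double-quoted because it contains spaces. The following parser is an added example, not FortiSIEM's own parser or Fortinet code; it normalizes keys to lower case, handles quoted values, keeps any leading syslog header, and aggregates dropped-packet counts per device and event code so the two samples can be checked in a SOC tooling pipeline. The sample events are constructed from the messages on this page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events, modelled on the two FortiDDoS messages shown above.
SAMPLE_EVENTS = [
    'Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 '
    'type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 '
    'dropCount=312',
    'devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 '
    'evesubcode=61 description="Excessive Concurrent Connections Per Source flood" dir=1 '
    'sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 '
    'level=Notice',
]

# One key=value pair: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fortiddos_event(line: str) -> Dict[str, str]:
    """Parse one FortiDDoS syslog line into a dict with lower-cased keys.

    Keys are lower-cased because FortiDDoS releases differ in case (sIP vs sip,
    dropCount vs dropcount). Text before the first key=value pair (the syslog
    timestamp and relay IP, when present) is kept under 'syslog_header'.
    """
    fields: Dict[str, str] = {}
    first_kv = KV_RE.search(line)
    if first_kv is not None and first_kv.start() > 0:
        fields['syslog_header'] = line[:first_kv.start()].strip()
    for match in KV_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key.lower()] = quoted if quoted is not None else bare
    return fields


def summarize_drops(lines: List[str]) -> Dict[Tuple[str, str, str], int]:
    """Total dropped packets per (devid, evecode, evesubcode) for type=attack events.

    Non-attack events are skipped; a missing dropcount counts as zero.
    """
    totals: Dict[Tuple[str, str, str], int] = {}
    for line in lines:
        event = parse_fortiddos_event(line)
        if event.get('type') != 'attack':
            continue
        key = (event.get('devid', ''), event.get('evecode', ''), event.get('evesubcode', ''))
        totals[key] = totals.get(key, 0) + int(event.get('dropcount', '0') or 0)
    return totals


if __name__ == '__main__':
    for raw in SAMPLE_EVENTS:
        parsed = parse_fortiddos_event(raw)
        print(parsed.get('devid'), parsed.get('evesubcode'), parsed.get('description', '-'),
              parsed.get('sip'), '->', parsed.get('dip'), 'drops=' + parsed.get('dropcount', '0'))
    print(summarize_drops(SAMPLE_EVENTS))
```

Lower-casing the keys is what lets one rule match both firmware generations; when writing FortiSIEM custom parsers or downstream correlation logic against this feed, key on the normalized names rather than on either spelling.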