Fortinet black logo

Handbook

7.0.0
7.0.0
6.6.3
6.6.3
6.6.1
6.6.0
6.5.1
6.5.0
6.4.1
6.4.0
6.3.3
6.3.2
6.3.1
6.2.3
6.2.2
6.2.1
6.2.0
6.1.1

Using the DDoS attack log table

Using the DDoS attack log table

The DDoS Attack Log table displays the attack event records for all SPPs and Global ACLs. The DDoS Attack Log table is updated every 1-5 minutes. Note while logs will be reported on the 0,5,10-minute, etc. interval, logs are aggregated which can take 2 minutes, so expect 0, 5, 10 to appear at 2, 7, 12-minutes, etc.

The log table contains a maximum of 1 million events (default) to 2 million events depending on Log & Report > LOG CONFIGURATION: Log Purge Settings. If the number of events reaches the maximum allowed, the system deletes the 200,000 oldest events and/or the oldest, smallest events under control of the Log Purge Settings.

Note: The GUI will display a maximum of 900,000 logs from most recent timestamp, backwards. If you filter (for inbound, for example), the filter searches the entire 1M-2M database and displays the latest up to 900k logs.

Before you begin:

  • You must have a minimum of Read access.
To view the logs:

  1. Go to Log & Report > Log Access > Logs > DDoS Attack Log

    Each row shows 1 Attack event:

  2. Further detail is shown by clicking the Detail icon at the right of each row as shown below:
To filter the logs

  1. You can add multiple filters from any of the selections below

  2. Filters are not persistent and will clear when you leave the Attack Log page.

  1. Use the top checkboxes to filter by type of event. When all checkboxes are disabled (default) all logs are shown.

  2. Use the three pulldown menus marked “All” to filter by:

    • Direction (Inbound / Outbound)

    • SPP

    • Operating Mode (Detection / Prevention)

  3. Use the plus (+) icon to filter on the following parameters:

    Timestamp | SPP Name | Associated Port | ICMP Type Code | IP Source | Protected IP | Protocol

    Each parameter may provide additional options as shown below.

  4. Use the Search bar for free-form text searches of the Event Type:

Downloading Attack Logs

The Download button will download up to 100,000 filtered or unfiltered Attack Logs (from newest to oldest) in CSV format.

DDoS Attack Log Fields

ColumnExampleDescription
Event ID462380959

Log ID

Timestamp2015-05-05 16:31:00

Log timestamp

SPP ID0

SPP ID

Source IP28.0.0.40

Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see Source tracking table).

Protected IP74.255.0.253

Protected IP address.

  • For outbound traffic, Protected IP is the Source IP.
  • For inbound traffic, Protected IP is the Destination IP.
DirectionInbound

Direction: Inbound, Outbound.

  • For TCP, this is the direction of the session/connection.
  • For UDP, this is the direction of the packet.
Protocol6/tcp

Protocol number/name if assigned.
The Protocol field may display a blank value if there is traffic from multiple protocols since FPGA does not report a specific protocol in this scenario.

ICMP type/code0/8

ICMP type/code number

Event TypeSYN flood

Event type

Associated port69Associated port number.
  • For TCP, this is the Associated Port of the session or connection (not the traffic direction). If the session originates or terminates on a 'service port' (<10000), all the traffic in any direction will be associated with that Port.
  • For UDP, this is the destination port in the direction of the traffic UNLESS the traffic originates or terminates on a 'service port' (<10000 or a defined UDP Service Port in Global Settings > Settings > UDP Service Ports). In this case, 'Associated Port' will show the service port, regardless of the traffic direction.
Drop Count14

Packets dropped per this event.

Operating ModePrevention

Prevention or Detection Mode depending on the SPP Setting when the log was generated.

Note: Since this indicator was not available prior to 5.2.0, any logs from dates prior to 5.2.0 installation will display “Prevention” no matter what the actual Mode was at that time.

Event Detail'500'

Reason string. This will be the hash index for HTTP.

Subnet ID0

Subnet ID

Note: In the DDoS attack log, a table cell displays ”-” (hyphen or a blank) if data is not collected or invalid or multiple values for the same field occur in the same event.

The table displays most recent records first and the columns Event ID, Timestamp, SPP ID, Direction, Event Type and Drop Count. By default, the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (Default 1M, max 2M). To view the details of an Event, click the Preview icon at the right end of any line.

See Appendix A: DDoS Attack Log Reference for details on log categories and event types.

Previous
Next

Using the DDoS attack log table

The DDoS Attack Log table displays the attack event records for all SPPs and Global ACLs. The DDoS Attack Log table is updated every 1-5 minutes. Note while logs will be reported on the 0,5,10-minute, etc. interval, logs are aggregated which can take 2 minutes, so expect 0, 5, 10 to appear at 2, 7, 12-minutes, etc.

The log table contains a maximum of 1 million events (default) to 2 million events depending on Log & Report > LOG CONFIGURATION: Log Purge Settings. If the number of events reaches the maximum allowed, the system deletes the 200,000 oldest events and/or the oldest, smallest events under control of the Log Purge Settings.

Note: The GUI will display a maximum of 900,000 logs from most recent timestamp, backwards. If you filter (for inbound, for example), the filter searches the entire 1M-2M database and displays the latest up to 900k logs.

Before you begin:

  • You must have a minimum of Read access.
To view the logs:

  1. Go to Log & Report > Log Access > Logs > DDoS Attack Log

    Each row shows 1 Attack event:

  2. Further detail is shown by clicking the Detail icon at the right of each row as shown below:
To filter the logs

  1. You can add multiple filters from any of the selections below

  2. Filters are not persistent and will clear when you leave the Attack Log page.

  1. Use the top checkboxes to filter by type of event. When all checkboxes are disabled (default) all logs are shown.

  2. Use the three pulldown menus marked “All” to filter by:

    • Direction (Inbound / Outbound)

    • SPP

    • Operating Mode (Detection / Prevention)

  3. Use the plus (+) icon to filter on the following parameters:

    Timestamp | SPP Name | Associated Port | ICMP Type Code | IP Source | Protected IP | Protocol

    Each parameter may provide additional options as shown below.

  4. Use the Search bar for free-form text searches of the Event Type:

Downloading Attack Logs

The Download button will download up to 100,000 filtered or unfiltered Attack Logs (from newest to oldest) in CSV format.

DDoS Attack Log Fields

ColumnExampleDescription
Event ID462380959

Log ID

Timestamp2015-05-05 16:31:00

Log timestamp

SPP ID0

SPP ID

Source IP28.0.0.40

Source IP address. Reported only for drops where a single source can be identified as non-spoofed (see Source tracking table).

Protected IP74.255.0.253

Protected IP address.

  • For outbound traffic, Protected IP is the Source IP.
  • For inbound traffic, Protected IP is the Destination IP.
DirectionInbound

Direction: Inbound, Outbound.

  • For TCP, this is the direction of the session/connection.
  • For UDP, this is the direction of the packet.
Protocol6/tcp

Protocol number/name if assigned.
The Protocol field may display a blank value if there is traffic from multiple protocols since FPGA does not report a specific protocol in this scenario.

ICMP type/code0/8

ICMP type/code number

Event TypeSYN flood

Event type

Associated port69Associated port number.
  • For TCP, this is the Associated Port of the session or connection (not the traffic direction). If the session originates or terminates on a 'service port' (<10000), all the traffic in any direction will be associated with that Port.
  • For UDP, this is the destination port in the direction of the traffic UNLESS the traffic originates or terminates on a 'service port' (<10000 or a defined UDP Service Port in Global Settings > Settings > UDP Service Ports). In this case, 'Associated Port' will show the service port, regardless of the traffic direction.
Drop Count14

Packets dropped per this event.

Operating ModePrevention

Prevention or Detection Mode depending on the SPP Setting when the log was generated.

Note: Since this indicator was not available prior to 5.2.0, any logs from dates prior to 5.2.0 installation will display “Prevention” no matter what the actual Mode was at that time.

Event Detail'500'

Reason string. This will be the hash index for HTTP.

Subnet ID0

Subnet ID

Note: In the DDoS attack log, a table cell displays ”-” (hyphen or a blank) if data is not collected or invalid or multiple values for the same field occur in the same event.

The table displays most recent records first and the columns Event ID, Timestamp, SPP ID, Direction, Event Type and Drop Count. By default, the DDoS Attack Log table displays 10 years of events or the maximum allowed under Log Purge Settings (Default 1M, max 2M). To view the details of an Event, click the Preview icon at the right end of any line.

See Appendix A: DDoS Attack Log Reference for details on log categories and event types.

Previous
Next