Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mattchow_FTNT
Staff
Staff

Created on ‎07-14-2020 02:46 AM Edited on ‎01-30-2024 03:06 AM By Community Manager

Article Id 198465

Technical Tip: DoS attack log according to action set on DoS policy

Description
This article shows examples of DoS attack log according to action set on DoS policy.

Solution
Below are the 2 examples of DoS attack on UDP flood and action taken by FortiGate according to actions configured.

1) If DoS Policy is enabled with threshold 2000(packets per second), make sure the logging is enabled.



 
 
The log’s action will be showing 'detected' as highlighted below since action set to monitor only.
date=2020-07-02 time=10:32:34 idseq=177346285139919301 itime="2020-07-02 10:31:38" euid=3 epid=101 dsteuid=0 dstepid=3116 logver=60 logid=0720018432 type="utm" subtype="anomaly" level="alert" sessionid=0 attackid=285212772 severity="critical" srcip=2.2.2.2 dstip=1.1.1.1 srcport=443 dstport=50216 srcintf="VLAN_114" action="detected" proto=17 service="udp/50216" ref="http://www.fortinet.com/ids/VID285212772" count=1345 msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 1234 times" attack="udp_flood" eventtype="anomaly" crscore=50 crlevel="critical" policyid=1 threat="udp_flood" threatlevel=4 threattype="ips" policytype="DoS-policy" srccountry="United States" srcintfrole="wan" eventtime=1593657154 devid="FG12345678901234" vd="root" dtime="2020-07-02 10:32:34" itime_t=1593657098 devname="FG12345678901234" cve=
2) If DoS Policy is enabled with threshold 2000(packets per second), make sure the logging is enabled.
 
 
 
 
The log ‘s action will be showing 'clear_session' as highlighted below since action set to 'Block'.
date=2020-07-02 time=10:32:34 idseq=177346285139919301 itime="2020-07-02 10:31:38" euid=3 epid=101 dsteuid=0 dstepid=3116 logver=60 logid=0720018432 type="utm" subtype="anomaly" level="alert" sessionid=0 attackid=285212772 severity="critical" srcip=2.2.2.2 dstip=1.1.1.1 srcport=443 dstport=50216 srcintf="VLAN_114" action="clear_session" proto=17 service="udp/50216" ref="http://www.fortinet.com/ids/VID285212772" count=1345 msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 1234 times" attack="udp_flood" eventtype="anomaly" crscore=50 crlevel="critical" policyid=1 threat="udp_flood" threatlevel=4 threattype="ips" policytype="DoS-policy" srccountry="United States" srcintfrole="wan" eventtime=1593657154 devid="FG12345678901234" vd="root" dtime="2020-07-02 10:32:34" itime_t=1593657098 devname="FG12345678901234" cve=

 

12714
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.