vsahu
Staff
Article Id 261256
Description

This article describes how to set the threat weight and how it is calculated.

Scope

FortiGate v6.0.0 onwards.

Solution

Where to define threat score:

In the threat weight configuration, the levels and the score for each level can be defined as required, in the range 1-100. Below are the default levels and score values.

level:
    low             : 5
    medium          : 10
    high            : 30
    critical        : 50

The IPS signatures, web categories, malware, and applications are all assigned a severity that is associated with a threat weight (or score).


It is possible to view the configuration details by running the below commands:

show full-configuration log threat-weight
get log threat-weight

What are all the aspects taken into consideration for threat scores:

The threat score value that appears in FortiView is the final accumulated score, which is 'score_value_for_category * number_of_incidents'.

For example:

If a URL category has severity high, the 'high' level is set to 30 in the configuration, and the number of incidents is 200, then the score value is 30 and the incident count is 200, giving 30 * 200 = 6000. The threat score is calculated for both blocked and allowed traffic.

Specific threat-weight calculations can be disabled; below is one example. The same can be done for every parameter visible in 'show full-configuration log threat-weight'.

config log threat-weight
    set blocked-connection disable
end
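To make the accumulation rule and the effect of disabling a parameter concrete, here is an added Python example (not code from the article or from FortiOS) that reproduces the FortiView-style score from constructed log records using the default level values. The record field names, the category labels other than 'blocked-connection', and the severities assigned to 'blocked-connection' and 'malware' are assumptions made for illustration.

```python
from collections import Counter

# Default threat-weight levels, as shown by "get log threat-weight".
DEFAULT_LEVELS = {"low": 5, "medium": 10, "high": 30, "critical": 50}

# Constructed log records (not real FortiGate output). "category" stands for the
# threat-weight parameter an event counts against, "severity" for the level
# assigned to the matched signature, web category or application. The severities
# given to blocked-connection and malware here are assumptions for illustration.
SAMPLE_LOGS = (
    [{"category": "web", "severity": "high", "action": "blocked"}] * 120
    + [{"category": "web", "severity": "high", "action": "passthrough"}] * 80
    + [{"category": "blocked-connection", "severity": "low", "action": "deny"}] * 3
    + [{"category": "malware", "severity": "critical", "action": "blocked"}] * 2
)


def threat_score(logs, levels=DEFAULT_LEVELS, disabled=frozenset()):
    """Accumulate score_value_for_level * number_of_incidents per category.

    Returns (total, per_category). Both blocked and allowed events count,
    exactly as the article states. Categories listed in `disabled` model
    'set <parameter> disable' and are left out of the calculation entirely.
    """
    incidents = Counter()
    for rec in logs:
        if rec["category"] in disabled:
            continue
        incidents[(rec["category"], rec["severity"])] += 1

    per_category = {}
    for (category, severity), count in incidents.items():
        per_category[category] = per_category.get(category, 0) + levels[severity] * count
    return sum(per_category.values()), per_category


if __name__ == "__main__":
    total, breakdown = threat_score(SAMPLE_LOGS)
    print(total, breakdown)  # 6115, with 'web' contributing 30 * 200 = 6000
    # Modelling "set blocked-connection disable": those 3 incidents drop out.
    print(threat_score(SAMPLE_LOGS, disabled={"blocked-connection"})[0])  # 6100
```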

 

This command only enables or disables the threat-weight calculation within logs; it does not affect how the traffic itself is handled. Check the below links:

log threat-weight

Threat weight

For info on threat ID 13107:

Technical Tip: Threat 131072 is seen in logs when traffic is denied by a firewall policy

Here is an example of a failed connection with a threat score of 5:

[Screenshot: Failed conn.PNG]
