Technical Tip: How to enable DoS logs in FortiGate
| Description | This article describes how to enable DoS logs in FortiGate. |
| Scope | FortiGate. |
| Solution | GUI: Navigate to Policy & Objects -> IPv4 DoS Policy, select the DoS policy, and enable logging for the anomalies (e.g. tcp_syn_flood, tcp_port_scan, icmp_flood).
CLI:
    config firewall DoS-policy
        edit 1
            set name "DOS"
            set interface "port2"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            config anomaly
                edit "tcp_syn_flood"
                    set status enable
                    set log enable
                    set action block
                    set threshold 2000
                next
                edit "tcp_port_scan"
                    set status enable
                    set log enable
                    set action block
                    set threshold 1000
                next
                edit "tcp_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 5000
                next
                edit "tcp_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 5000
                next
                edit "udp_flood"
                    set status enable
                    set log enable
                    set action block
                    set threshold 2000
                next
                edit "udp_scan"
                    set status enable
                    set log enable
                    set action block
                    set threshold 2000
                next
                edit "udp_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 5000
                next
                edit "udp_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 5000
                next
                edit "icmp_flood"
                    set status enable
                    set log enable
                    set action block
                    set threshold 50
                next
                edit "icmp_sweep"
                    set status enable
                    set log enable
                    set action block
                    set threshold 100
                next
                edit "icmp_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 300
                next
                edit "icmp_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 1000
                next
                edit "ip_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 5000
                next
                edit "ip_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 5000
                next
                edit "sctp_flood"
                    set status enable
                    set log enable
                    set action block
                    set threshold 2000
                next
                edit "sctp_scan"
                    set status enable
                    set log enable
                    set action block
                    set threshold 1000
                next
                edit "sctp_src_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 5000
                next
                edit "sctp_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set threshold 5000
                next
            end
        next
    end
To view the DoS log, navigate to Security Events -> Logs and select the subtype as Anomaly. |
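As an added example (not part of the original article and not Fortinet code), the Python check below reads a saved configuration backup and lists the DoS-policy anomalies that will not produce log entries. It assumes the multi-line backup layout and that `status` and `log` default to disable when the backup omits them; the function name and the sample configuration are constructed for illustration.

```python
# Constructed sample: fragment of a config backup, not taken from a real device.
SAMPLE_CONFIG = """
config firewall DoS-policy
    edit 1
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
            next
            edit "udp_flood"
                set status enable
                set action block
            next
            edit "icmp_flood"
                set threshold 50
            next
        end
    next
end
"""

def audit_dos_logging(config_text):
    """Return (policy_id, anomaly, problem) for each anomaly that will not log."""
    # Assumption: a setting missing from the backup is at its default (disable).
    findings, stack = [], []          # stack holds the open "config" blocks
    policy, anomaly, settings = None, None, {}
    for line in (raw.strip() for raw in config_text.splitlines()):
        top = stack[-1] if stack else None
        if line.startswith("config "):
            if top or line == "config firewall DoS-policy":
                stack.append(line[7:])
        elif line == "end" and stack:
            stack.pop()
        elif line.startswith("edit ") and top == "anomaly":
            anomaly, settings = line[5:].strip('"'), {}
        elif line.startswith("edit ") and top:
            policy = line[5:].strip('"')
        elif line.startswith("set ") and top == "anomaly":
            key, _, value = line[4:].partition(" ")
            settings[key] = value
        elif line == "next" and top == "anomaly":
            if settings.get("status") != "enable":
                findings.append((policy, anomaly, "status disabled"))
            elif settings.get("log") != "enable":
                findings.append((policy, anomaly, "log disabled"))
    return findings

if __name__ == "__main__":
    print(audit_dos_logging(SAMPLE_CONFIG))
```

An empty result means every anomaly in every IPv4 DoS policy in the backup has both `status` and `log` enabled.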

