GGMACHAIN
Staff
September 13, 2024

Technical Tip: How to view logs that exceed the threshold limits stipulated in DoS policy settings

Description: This article describes how to view the logs generated when traffic exceeds the threshold limits stipulated in the DoS policy configuration.
Scope: FortiGate.
Solution

Fortinet pre-defines different types of L3 and L4 DoS anomalies, each with a threshold value.

These values should be studied for each environment, but it is always recommended to keep them at their defaults and in monitor mode for the first configuration, and then adjust them based on the logs generated in the 'anomaly' menu. Follow these steps to view the logs:

 

From v7.2.x, the Anomaly log is visible under Log & Report -> Security Events -> Summary/ Log.

 

To view the log, choose Logs at the top to be redirected to the logs page:

 

[Image: DoS anomalies logs generated]

The same can be collected via the CLI, utilizing the commands below:


execute log filter category 7
execute log display

4 logs found.
4 logs returned.

 

Available categories:

0: traffic
1: event
2: utm-virus
3: utm-webfilter
4: utm-ips
5: utm-emailfilter
7: utm-anomaly
8: utm-voip
9: utm-dlp
10: utm-app-ctrl
12: utm-waf
15: utm-dns
16: utm-ssh
17: utm-ssl
19: utm-file-filter
20: utm-icap
22: utm-sctp-filter
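
As an added example (not part of the original article and not Fortinet tooling), the Python script below summarizes anomaly log lines saved from the CLI output, reporting for each anomaly how far the observed rate peaked above its threshold, which is the figure needed when adjusting thresholds after a period in monitor mode. The sample lines are constructed, and the key=value field names (subtype, attack, srcip, msg) and the "N > threshold M" message layout are assumptions about the log format.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the article); field layout is assumed.
SAMPLE_LOG = '''\
date=2024-09-13 time=10:01:02 type="utm" subtype="anomaly" srcip=192.0.2.10 dstip=198.51.100.5 attack="icmp_flood" action="detected" msg="anomaly: icmp_flood, 260 > threshold 250, repeats 12 times"
date=2024-09-13 time=10:01:32 type="utm" subtype="anomaly" srcip=192.0.2.11 dstip=198.51.100.5 attack="icmp_flood" action="detected" msg="anomaly: icmp_flood, 900 > threshold 250, repeats 40 times"
date=2024-09-13 time=10:02:10 type="utm" subtype="anomaly" srcip=203.0.113.7 dstip=198.51.100.5 attack="tcp_syn_flood" action="detected" msg="anomaly: tcp_syn_flood, 2001 > threshold 2000, repeats 3 times"
date=2024-09-13 time=10:02:11 type="traffic" subtype="forward" srcip=192.0.2.10 dstip=198.51.100.5 action="accept"
'''

# key=value pairs; a value is either a quoted string or a run of non-spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Observed rate and configured threshold inside the msg field.
MSG_RE = re.compile(r'(\d+)\s*>\s*threshold\s+(\d+)')

def parse_line(line):
    """Return the line's fields as a dict, with surrounding quotes removed."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def summarize(text):
    """Group anomaly lines by anomaly name and track peak rate and sources."""
    stats = defaultdict(lambda: {"events": 0, "threshold": 0, "peak": 0,
                                 "sources": set()})
    for line in text.splitlines():
        fields = parse_line(line)
        match = MSG_RE.search(fields.get("msg", ""))
        if fields.get("subtype") != "anomaly" or not match:
            continue  # not an anomaly line, or msg has no rate/threshold pair
        observed, threshold = map(int, match.groups())
        entry = stats[fields.get("attack", "unknown")]
        entry["events"] += 1
        entry["threshold"] = threshold  # last value seen, in case it was tuned
        entry["peak"] = max(entry["peak"], observed)
        entry["sources"].add(fields.get("srcip", "?"))
    return dict(stats)

def report(stats):
    """Rows of (anomaly, events, threshold, peak, peak/threshold, sources)."""
    rows = []
    for name, s in sorted(stats.items()):
        ratio = s["peak"] / s["threshold"] if s["threshold"] else float("inf")
        rows.append((name, s["events"], s["threshold"], s["peak"],
                     round(ratio, 2), len(s["sources"])))
    return rows

if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG)):
        print("%-14s events=%d threshold=%d peak=%d ratio=%.2f sources=%d" % row)
```

A ratio close to 1 from many distinct sources suggests the threshold sits near normal traffic levels for that environment, while a large ratio from a few sources points to traffic worth investigating before moving the policy out of monitor mode.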


Related articles:

Technical Tip: Denial of Service (DoS) anomalies explained

Technical Tip: DoS attack log according to action set on DoS policy

Technical Tip: How to view security log in firmware 7.2.x