robdog
New Member
June 29, 2018
Question

Email alert on high upload

  • June 29, 2018
  • 1 reply
  • 7779 views

Hi All,

Is there any way to configure FortiAnalyzer so that it can report on high user uploads? For example, 1 GB+.

Cheers,

    1 reply

    chall_FTNT
    Staff
    June 29, 2018

    Depends on how you define "upload".

    FortiGates are unaware of direction and do not record a direction when creating and sending logs to the FortiAnalyzer.

    However, if you understand "upload" as a POST method issued over HTTP/HTTPS, then theoretically it should be possible to design a dataset that measures bandwidth per user associated with POSTs. But usually logs don't indicate the HTTP method used. I've heard of a case where DLP was used with a custom signature to identify POSTs.
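    As an added illustration of the per-user bandwidth idea (this is not code from the thread or from Fortinet), the script below parses FortiGate-style key=value traffic log lines, sums the `sentbyte` field per authenticated user (falling back to `srcip` when no user is recorded, which is the per-IP view a DoS sensor would give), and flags identities whose total crosses a 1 GiB threshold. The field names `type`, `srcip`, `user` and `sentbyte` are standard FortiGate traffic-log keys; the log lines are constructed sample data. Whether `sentbyte` is a good proxy for "upload" is the point made above: it counts bytes from the session initiator toward the responder, not HTTP method, so this is an egress-volume check rather than a true POST counter.

```python
import re
from collections import defaultdict

# Constructed sample traffic-log lines in FortiGate key=value syntax (not real logs).
SAMPLE_LOGS = [
    'date=2018-06-29 time=10:01:05 type="traffic" subtype="forward" srcip=10.0.1.25 '
    'user="alice" dstip=203.0.113.10 service="HTTPS" sentbyte=734003200 rcvbyte=1048576',
    'date=2018-06-29 time=10:03:41 type="traffic" subtype="forward" srcip=10.0.1.30 '
    'user="bob" dstip=203.0.113.20 service="HTTPS" sentbyte=52428800 rcvbyte=4096',
    'date=2018-06-29 time=10:07:12 type="traffic" subtype="forward" srcip=10.0.1.25 '
    'user="alice" dstip=203.0.113.10 service="HTTPS" sentbyte=402653184 rcvbyte=2048',
    # No authenticated user on this session: identity falls back to the source IP.
    'date=2018-06-29 time=10:09:55 type="traffic" subtype="forward" srcip=10.0.1.77 '
    'user="" dstip=198.51.100.5 service="HTTPS" sentbyte=1200000000 rcvbyte=8192',
    # An event log has no byte counters and must be skipped.
    'date=2018-06-29 time=10:10:00 type="event" subtype="system" logdesc="Admin login" user="admin"',
    'date=2018-06-29 time=10:12:30 type="traffic" subtype="forward" srcip=10.0.1.40 '
    'user="carol" dstip=203.0.113.30 service="HTTPS" sentbyte=10485760 rcvbyte=1024',
]

# key=value where value is either "quoted text" or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quotes around values are stripped."""
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(2)
        fields[key] = value
    return fields


def aggregate_sent_bytes(lines):
    """Sum sentbyte per identity over traffic logs only.

    Identity is the user field when present, otherwise the source IP, so
    unauthenticated sessions still get counted instead of being lost.
    """
    totals = defaultdict(int)
    for line in lines:
        f = parse_line(line)
        if f.get("type") != "traffic":
            continue
        identity = f.get("user") or f.get("srcip", "unknown")
        try:
            totals[identity] += int(f.get("sentbyte", 0))
        except ValueError:
            # Malformed counter: ignore the record rather than abort the whole run.
            continue
    return dict(totals)


def find_high_uploaders(lines, threshold_bytes=1 << 30):
    """Return (identity, total_bytes) pairs at or above the threshold (default 1 GiB)."""
    totals = aggregate_sent_bytes(lines)
    return sorted((ident, total) for ident, total in totals.items()
                  if total >= threshold_bytes)


if __name__ == "__main__":
    for ident, total in find_high_uploaders(SAMPLE_LOGS):
        print(f"ALERT: {ident} sent {total / (1 << 30):.2f} GiB in the sample window")
```

    The same aggregation expressed as a FortiAnalyzer dataset is a SQL query over the traffic log table grouping by user and summing the sent-byte counter, with the report's time range as the window; the alert then fires on rows whose sum exceeds the threshold. Running this offline first lets you check what the threshold would have flagged on a day's worth of exported logs before committing to an email alert.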

    robdog (Author)
    New Member
    July 3, 2018

    Hi Chall,

    Thank you for your response. Basically, I want to alert on any anomaly in egress traffic out of the business.

    For example, if a rogue employee decides to upload a production database to a 3rd-party file sharing website.

    Do you think it would be possible to design a dataset or use DLP to achieve this?

    chall_FTNT
    Staff
    July 3, 2018

    You can certainly create a DLP filter which matches file size exceeding a certain value. And you could alert on logs which match that condition. I'm not sure if that meets your requirements.

    Otherwise, you could use a DoS sensor to track high traffic volume from specific IPs.