FortiGate
mattchow_FTNT
Article Id 198465

Description


This article shows examples of DoS attack logs and how the logged action changes according to the action set on the DoS policy.

 

Scope

 

FortiGate.


Solution


Below are two examples of UDP flood DoS attack logs and the action FortiGate takes in each case, according to the action configured for the udp_flood anomaly in the DoS policy.

 

  1. The DoS policy is enabled with a udp_flood threshold of 2000 (packets per second) and the action set to Monitor. Make sure logging is enabled for the anomaly, otherwise nothing is written.

 
The log shows action="detected" because the anomaly action is Monitor: the flood is logged, but the traffic is still forwarded to its destination.
 
date=2020-07-02 time=10:32:34 idseq=177346285139919301 itime="2020-07-02 10:31:38" euid=3 epid=101 dsteuid=0 dstepid=3116 logver=60 logid=0720018432 type="utm" subtype="anomaly" level="alert" sessionid=0 attackid=285212772 severity="critical" srcip=2.2.2.2 dstip=1.1.1.1 srcport=443 dstport=50216 srcintf="VLAN_114" action="detected" proto=17 service="udp/50216" ref="http://www.fortinet.com/ids/VID285212772" count=1345 msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 1234 times" attack="udp_flood" eventtype="anomaly" crscore=50 crlevel="critical" policyid=1 threat="udp_flood" threatlevel=4 threattype="ips" policytype="DoS-policy" srccountry="United States" srcintfrole="wan" eventtime=1593657154 devid="FG12345678901234" vd="root" dtime="2020-07-02 10:32:34" itime_t=1593657098 devname="FG12345678901234" cve=
 
  2. The DoS policy is enabled with the same udp_flood threshold of 2000 (packets per second), but the action is set to Block. Again, make sure logging is enabled for the anomaly.
 
The log shows action="clear_session" because the anomaly action is Block.
The action 'clear_session' in a DoS log indicates that FortiGate has terminated (cleared) the session associated with the detected anomaly. This limits the impact of the flood and prevents further consumption of network resources by that source. Note that the other fields (attack="udp_flood", the threshold and observed rate in msg, srcip/dstip) are identical to the Monitor example; only the action field tells whether the flood was mitigated or merely observed.
 
date=2020-07-02 time=10:32:34 idseq=177346285139919301 itime="2020-07-02 10:31:38" euid=3 epid=101 dsteuid=0 dstepid=3116 logver=60 logid=0720018432 type="utm" subtype="anomaly" level="alert" sessionid=0 attackid=285212772 severity="critical" srcip=2.2.2.2 dstip=1.1.1.1 srcport=443 dstport=50216 srcintf="VLAN_114" action="clear_session" proto=17 service="udp/50216" ref="http://www.fortinet.com/ids/VID285212772" count=1345 msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 1234 times" attack="udp_flood" eventtype="anomaly" crscore=50 crlevel="critical" policyid=1 threat="udp_flood" threatlevel=4 threattype="ips" policytype="DoS-policy" srccountry="United States" srcintfrole="wan" eventtime=1593657154 devid="FG12345678901234" vd="root" dtime="2020-07-02 10:32:34" itime_t=1593657098 devname="FG12345678901234" cve=
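The two log lines above differ only in the action field, which is what a SIEM rule or triage script has to key on. The following Python is an added example, not Fortinet's code: it parses the FortiGate key=value log format, pulls the attack name, observed rate and threshold out of the msg field, and maps the logged action back to the DoS policy action that produced it (detected = Monitor, clear_session = Block, as described in this article). The two sample lines are the ones shown above; the third, non-anomaly traffic line is constructed here to show that it is filtered out. The parsing regexes and the field names of the returned summary are my assumptions, not a Fortinet API.

```python
"""Parse FortiGate DoS-policy anomaly logs and map the logged action
back to the DoS policy action (Monitor or Block) that produced it.

Added example, not Fortinet code. The parsing rules are assumptions
derived from the key=value format of the sample lines in the article.
"""
import re

# key=value pairs: values are either double-quoted (may contain spaces)
# or bare (no spaces); an empty bare value such as cve= is allowed.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]*)')

# msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 1234 times"
_MSG_RE = re.compile(
    r'anomaly:\s*(?P<attack>\w+),\s*(?P<observed>\d+)\s*>\s*threshold\s*'
    r'(?P<threshold>\d+)(?:,\s*repeats\s*(?P<repeats>\d+)\s*times)?'
)

# Logged action -> DoS policy action, as documented in the article above.
ACTION_TO_POLICY = {
    "detected": "monitor",       # logged only, traffic still forwarded
    "clear_session": "block",    # session cleared, flood mitigated
}

# Sample lines copied from the article (constructed IPs 2.2.2.2 -> 1.1.1.1).
SAMPLE_MONITOR = (
    'date=2020-07-02 time=10:32:34 logid=0720018432 type="utm" subtype="anomaly" '
    'level="alert" attackid=285212772 severity="critical" srcip=2.2.2.2 dstip=1.1.1.1 '
    'srcport=443 dstport=50216 srcintf="VLAN_114" action="detected" proto=17 '
    'service="udp/50216" count=1345 '
    'msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 1234 times" '
    'attack="udp_flood" policyid=1 policytype="DoS-policy" vd="root" cve='
)
SAMPLE_BLOCK = SAMPLE_MONITOR.replace('action="detected"', 'action="clear_session"')
# Constructed ordinary traffic log line; it must be ignored by the summary.
SAMPLE_TRAFFIC = (
    'date=2020-07-02 time=10:32:35 logid=0000000013 type="traffic" subtype="forward" '
    'srcip=2.2.2.2 dstip=1.1.1.1 action="accept" proto=6 policyid=7'
)


def parse_log(line):
    """Split a FortiGate log line into a dict, stripping quotes from values."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def summarize_anomaly(line):
    """Return a summary dict for a DoS-policy anomaly log, or None otherwise."""
    f = parse_log(line)
    if f.get("subtype") != "anomaly" or f.get("policytype") != "DoS-policy":
        return None
    m = _MSG_RE.search(f.get("msg", ""))
    if not m:
        return None
    observed, threshold = int(m["observed"]), int(m["threshold"])
    action = f.get("action", "")
    return {
        "attack": m["attack"],
        "src": f.get("srcip"),
        "dst": f.get("dstip"),
        "proto": int(f.get("proto", 0)),
        "observed_pps": observed,
        "threshold_pps": threshold,
        "repeats": int(m["repeats"]) if m["repeats"] else 0,
        "action": action,
        "policy_action": ACTION_TO_POLICY.get(action, "unknown"),
        "mitigated": action == "clear_session",
        "over_threshold": observed > threshold,
    }


def unmitigated_floods(lines):
    """Anomalies that were only detected (Monitor) and not blocked.

    Useful as an alerting rule: a udp_flood that keeps being 'detected'
    means the policy is still in Monitor and the flood is still forwarded.
    """
    out = []
    for line in lines:
        s = summarize_anomaly(line)
        if s is not None and not s["mitigated"]:
            out.append(s)
    return out


if __name__ == "__main__":
    for line in (SAMPLE_MONITOR, SAMPLE_BLOCK, SAMPLE_TRAFFIC):
        print(summarize_anomaly(line))
    print("unmitigated:", len(unmitigated_floods([SAMPLE_MONITOR, SAMPLE_BLOCK, SAMPLE_TRAFFIC])))
```

Run it on an exported log file (one line per record) and feed unmitigated_floods the lines; anything it returns is a flood the firewall saw cross the threshold but did not clear, which usually means the anomaly is still in Monitor rather than Block.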
 
Related article: