Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nithincs
Staff
Staff

Created on ‎10-19-2020 11:40 PM

Article Id 196685

Technical Tip: Information about 'Count' field in anomaly log

Description
This articles describes the anomaly logs and count field in the logs.

Solution
In the below dos policy setting 'icmp_flood' DoS attack threshold is set to 2  ICMP packet for testing.
If FortiGate receives more then 2 ICMP packet on port1 interface IP per second ii is going to drop any packet after 2nd ICMP packet.
# config firewall DoS-policy
    edit 1
        set name "test"
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        # config anomaly
            edit "icmp_flood"
                set status enable
                set log enable   <-----
                set action block
                set threshold 2  <-----
            next
        end
    next
end
At 2020/10/20 05:21:23, there DoS policy blocked the traffic and count shows as 1, this means FortiGate has blocked the ICMP traffic from srcip=172.26.137.5 to dstip=10.5.20.125 once which is represented by count.
date=2020-10-20 time=05:21:23 eventtype="anomaly" level="alert" vd="root" srcip=172.26.137.5 dstip=10.5.20.125 srcintf="port1"
srcintfrole="undefined" sessionid=0 action="clear_session" proto=1 service="PING" count=1 attack="icmp_flood" policyid=1
policytype="DoS-policy" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 3 > threshold 2" crscore=50 craction=4096 crlevel="critical"
Since this is a continues attack on FortiGate IP, when next DoS-policy log is generated, @date=2020-10-20 time=05:21:57 total number of times FortiGate blocked the ICMP traffic from srcip=172.26.137.5 to dstip=10.5.20.125 is 16 times which is represented by count.
date=2020-10-20 time=05:21:57 eventtype="anomaly" level="alert" vd="root" srcip=172.26.137.5 dstip=10.5.20.125 srcintf="port1"
srcintfrole="undefined" sessionid=0 action="clear_session" proto=1 service="PING" count=16 attack="icmp_flood" policyid=1
policytype="DoS-policy" ref="http://www.fortinet.com/ids/VID16777316" msg="anomaly: icmp_flood, 3 > threshold 2, repeats 16 times" crscore=50





Related document.

Related Articles

Technical Tip: How to configure IPv4 DOS policy

4796
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.