Support Forum
randomcatperson
New Contributor

What does 'Count' mean in FortiAnalyzer Threat Log View?

Hi,

I'm trying to understand what is specifically meant by 'Count' in the table produced by a threat log view in FortiAnalyzer.


https://docs.fortinet.com/document/fortianalyzer/6.4.2/administration-guide/523678/managing-a-compro... says "Threat Count: The total number of logs with threats". For the attached example log view, does 'count' in this instance mean that we received 123,181 packets from 154.49.100.154 & 121,306 from 52.114.23.99 at this one time (DDoS style)?

Or were there this many packets received over the whole month (custom time range), total?

What is confusing is it has a 'Date/Time' and also has a specific service (UDP/64916 & UDP/10716) which makes me think this is all at once, rather than across the entire time frame.

Any assistance with clarifying exactly what is meant by 'Count' here would be greatly appreciated.


randomcatperson
New Contributor

/bump

randomcatperson

Fortinet customer service came back with:

"'Count' means the number of times the same threat was being detected and the date/time will be the latest one for the last count updated."


I've asked them to further clarify as follows:

"Can you please clarify the meaning a bit deeper? Say, with a udp_flood Threat, does that mean if the 'count' shows 20,000 & the DoS policy is set to the default threshold of 2000, that we would've received 40,000,000 packets (20,000 count x 2,000 pps)? Or is it that we received a total number of packets equal to 20,000 - which technically violated the threshold 10 times?"

randomcatperson

CrazyCatMan wrote:

I've asked them to further clarify as follows:

"Can you please clarify the meaning a bit deeper? Say, with a udp_flood Threat, does that mean if the 'count' shows 20,000 & the DoS policy is set to the default threshold of 2000, that we would've received 40,000,000 packets (20,000 count x 2,000 pps)? Or is it that we received a total number of packets equal to 20,000 - which technically violated the threshold 10 times?"

Fortinet's reply to the above:

"Is it that we received a total number of packets equal to 20,000 - which technically only violated the threshold 10 times?"

- This is correct, we have received the total number of packets equal to 20,000 and we have violated the thresholds only 10 times.
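To make the support answer concrete, here is an added example (not from the thread or from Fortinet) that aggregates constructed key=value anomaly-log records the way the threat log view does: 'Count' is the number of log records in each (source, destination, service, threat) group and the row's date/time is the latest record in that group. Field names and the sample values are assumptions for the example; the threshold-violation helper applies the arithmetic from the support reply above.

```python
import re
from collections import defaultdict

# Constructed sample anomaly-log records in key=value form, modelled on
# FortiGate anomaly logs. Field names and values are assumptions for this
# example; they are not taken from the thread or from any real device.
SAMPLE_LOGS = [
    'date=2021-03-01 time=10:00:01 type="anomaly" srcip=198.51.100.10 dstip=203.0.113.5 '
    'dstport=64916 proto=17 attack="udp_flood" action="clear_session"',
    'date=2021-03-01 time=10:00:03 type="anomaly" srcip=198.51.100.10 dstip=203.0.113.5 '
    'dstport=64916 proto=17 attack="udp_flood" action="clear_session"',
    'date=2021-03-02 time=08:15:00 type="anomaly" srcip=198.51.100.10 dstip=203.0.113.5 '
    'dstport=64916 proto=17 attack="udp_flood" action="clear_session"',
    'date=2021-03-02 time=09:00:00 type="anomaly" srcip=198.51.100.22 dstip=203.0.113.5 '
    'dstport=10716 proto=17 attack="udp_flood" action="clear_session"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROTO_NAMES = {"6": "TCP", "17": "UDP"}

def parse_record(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def aggregate_threats(lines):
    """Mimic the threat log view: one row per (src, dst, proto, port, attack).

    'count' is the number of log records in the group (the aggregation the
    support reply describes) and 'last_seen' is the latest date/time among
    them, which is the timestamp the view shows for the row.
    """
    rows = defaultdict(lambda: {"count": 0, "last_seen": ""})
    for line in lines:
        rec = parse_record(line)
        key = (rec["srcip"], rec["dstip"], rec["proto"], rec["dstport"], rec["attack"])
        row = rows[key]
        row["count"] += 1
        # ISO-style "YYYY-MM-DD HH:MM:SS" strings order correctly as text.
        row["last_seen"] = max(row["last_seen"], f'{rec["date"]} {rec["time"]}')
    return dict(rows)

def threshold_violations(count, threshold):
    """Whole threshold periods implied by a count, per the support reply
    (20,000 packets against a 2,000 pps threshold -> 10 violations)."""
    return count // threshold

if __name__ == "__main__":
    for (src, dst, proto, port, attack), row in aggregate_threats(SAMPLE_LOGS).items():
        service = f"{PROTO_NAMES.get(proto, proto)}/{port}"
        print(f'{row["last_seen"]}  {src:>15} -> {dst:<13} {service:<10} {attack}  count={row["count"]}')
    print("violations implied by count 20000 at threshold 2000:", threshold_violations(20000, 2000))
```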
