I don't want to keep spamming this forum, but at the moment I can't find the documentation to help me. Is there a sensible course I could do to learn how to see what our Fortis are doing?
Regardless. I'm using the Built-in Threat Report to see if anything had happened and, clearly, yes it has. However, it's not clear what it has happened to. Specifically Intrusion 2, udp_flood, how do I match it up to the Victim IP and the Intrusion Source IP?
Is this the right report to be using, and how can I tune it to get better or more meaningful results? I feel I'm asking silly questions that I could easily RTFM the answer.
Cheers,
Simon.
As per my experience UDP flood is just due to DNS traffic (false positive).
You can confirm by directly viewing your FG Anomaly logs.
Hi @Si600 ,
If you have configured DoS policies, have you tried checking your Anomaly logs? That should give some information where the udp_flood attacks are coming from.
Regards,
I'll be honest, I haven't configured anything on this at all, it's been done by my predecessor. DoS policies don't seem to be configured, or at least, the section the manual says they go in is empty.
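The replies above point to the Anomaly logs as the place to tie udp_flood to a source and a victim address. As an added example (not part of the thread and not Fortinet code), this Python script groups anomaly entries for one attack name by source IP, destination IP and service. The log lines are constructed, and the key=value field names (subtype, attack, srcip, dstip, service, count) are assumed to match the log you export.

```python
import re
from collections import Counter

# Constructed sample lines in key=value log style (not taken from the thread).
SAMPLE_LOG = "\n".join([
    'date=2025-01-10 time=09:14:02 type="utm" subtype="anomaly" srcip=192.0.2.10 '
    'dstip=198.51.100.53 proto=17 service="DNS" count=120 attack="udp_flood" '
    'msg="anomaly: udp_flood, 2001 > threshold 2000"',
    'date=2025-01-10 time=09:14:32 type="utm" subtype="anomaly" srcip=192.0.2.10 '
    'dstip=198.51.100.53 proto=17 service="DNS" count=80 attack="udp_flood" '
    'msg="anomaly: udp_flood, 2001 > threshold 2000, repeats 80 times"',
    'date=2025-01-10 time=09:20:11 type="utm" subtype="anomaly" srcip=203.0.113.7 '
    'dstip=198.51.100.20 proto=17 service="udp/5060" count=15 attack="udp_flood" '
    'msg="anomaly: udp_flood, 2003 > threshold 2000"',
    'date=2025-01-10 time=09:21:40 type="utm" subtype="anomaly" srcip=203.0.113.7 '
    'dstip=198.51.100.20 proto=1 service="PING" count=9 attack="icmp_flood" '
    'msg="anomaly: icmp_flood, 51 > threshold 50"',
    'date=2025-01-10 time=09:22:05 type="traffic" subtype="forward" srcip=192.0.2.10 '
    'dstip=198.51.100.53 proto=17 service="DNS"',
])

# key=value or key="quoted value"; quoted values may contain spaces and '='.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in PAIR.findall(line)}

def summarize(log_text, attack="udp_flood"):
    """Return [((srcip, dstip, service), events), ...], busiest pair first."""
    pairs = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "anomaly" or rec.get("attack") != attack:
            continue  # skip traffic logs and other anomaly types
        try:
            events = int(rec.get("count", "1"))  # assumed: count = repeat count
        except ValueError:
            events = 1
        key = (rec.get("srcip", "?"), rec.get("dstip", "?"), rec.get("service", "?"))
        pairs[key] += events
    return pairs.most_common()

if __name__ == "__main__":
    for (src, dst, svc), events in summarize(SAMPLE_LOG):
        print(f"{src:>15} -> {dst:<15} {svc:<10} {events}")
```

A source and destination pair dominated by the DNS service is the pattern the first reply describes as a likely false positive.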