Email alert on high upload
Hi All,
Is there any way to configure FortiAnalyzer so that it can report on high user uploads? For example, 1 GB+.
Cheers,
Depends on how you define "upload".
FortiGates are unaware of direction & do not record a direction when creating and sending logs to the FortiAnalyzer.
However, if you understand "upload" as a POST method issued over HTTP/HTTPS, then theoretically it should be possible to design a dataset that measures bandwidth per user associated with POSTs. But usually logs don't indicate the HTTP method used. I've heard of a case where DLP was used and a custom signature to identify POSTs.
Fortinet Technical Support
Hi Chall,
Thank you for your response. Basically, I want to alert on any anomaly in egress traffic out of the business.
For example, if a rogue employee decides to upload a production database to a 3rd-party file sharing website.
Do you think it would be possible to design a data set or use DLP to achieve this?
You can certainly create a DLP filter which matches filesize exceeding a certain value. And you could alert on logs which match that condition. I'm not sure if that meets your requirements.
Otherwise, you could use a DoS sensor to track high traffic volume from specific IPs.
Fortinet Technical Support
> You can certainly create a DLP filter which matches filesize exceeding a certain value. And you could alert on logs which match that condition. I'm not sure if that meets your requirements.

This would suffice, to be perfectly honest. Can you advise any documentation on how to do this, please?
See Creating/editing a DLP sensor
Fortinet Technical Support
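
Added example, not part of the thread and not Fortinet code: one way to produce the per-user "1 GB+" report asked about above from exported FortiGate traffic logs, outside FortiAnalyzer. It assumes key=value log lines and that the `sentbyte` field counts bytes sent by the session's source host; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in FortiGate key=value traffic-log style (not real logs).
SAMPLE_LOGS = '''\
date=2024-05-01 time=09:00:01 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 user="alice" sentbyte=700000000 rcvdbyte=120000
date=2024-05-01 time=09:30:12 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 user="alice" sentbyte=500000000 rcvdbyte=90000
date=2024-05-01 time=10:02:44 type="traffic" subtype="forward" srcip=10.0.0.9 dstip=198.51.100.7 user="bob smith" sentbyte=4200 rcvdbyte=900000000
date=2024-05-01 time=11:15:00 type="traffic" subtype="forward" srcip=10.0.0.77 dstip=198.51.100.7 sentbyte=2000000000 rcvdbyte=1000
date=2024-05-02 time=08:00:00 type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 user="alice" sentbyte=100 rcvdbyte=100
date=2024-05-01 time=12:00:00 type="utm" subtype="dlp" srcip=10.0.0.5 user="alice"
'''

# Matches key=value and key="quoted value with spaces".
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

ONE_GB = 10**9  # decimal gigabyte; use 2**30 if the policy is written in GiB


def parse_line(line):
    """Turn one key=value log line into a dict of field name to string value."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def upload_totals(text):
    """Sum sentbyte per (date, user); fall back to srcip when no user is logged."""
    totals = defaultdict(int)
    for line in text.splitlines():
        fields = parse_line(line)
        # Only traffic logs carry byte counters; skip UTM/event lines and bad values.
        if fields.get("type") != "traffic" or not fields.get("sentbyte", "").isdigit():
            continue
        who = fields.get("user") or fields.get("srcip", "unknown")
        totals[(fields.get("date", "?"), who)] += int(fields["sentbyte"])
    return dict(totals)


def high_uploaders(text, threshold=ONE_GB):
    """Return sorted (date, user_or_ip, bytes) rows at or above the daily threshold."""
    return sorted((day, who, sent)
                  for (day, who), sent in upload_totals(text).items()
                  if sent >= threshold)


if __name__ == "__main__":
    for day, who, sent in high_uploaders(SAMPLE_LOGS):
        print(f"{day} {who} sent {sent / ONE_GB:.2f} GB")
```

Totals are per calendar day, so many small sessions that together cross the threshold are flagged as well as a single large transfer.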