robdog
New Contributor II

Email alert on high upload

Hi All,

 

Is there any way to configure FortiAnalyzer so that it can report on high user uploads? For example, 1 GB+.

Cheers,

chall_FTNT
Staff

Depends on how you define "upload".

FortiGates are unaware of direction and do not record a direction when creating and sending logs to the FortiAnalyzer.

However, if you understand "upload" as a POST method issued over HTTP/HTTPS, then theoretically it should be possible to design a dataset that measures bandwidth per user associated with POSTs.  But usually logs don't indicate the HTTP method used.  I've heard of a case where DLP was used and a custom signature to identify POSTs.

Chris Hall
Fortinet Technical Support
robdog
New Contributor II

Hi Chall,

 

Thank you for your response. Basically, I want to alert on any anomaly in egress traffic out of the business.

 

For example, if a rogue employee decides to upload a production database to a 3rd-party file sharing website.

Do you think it would be possible to design a data set or use DLP to achieve this? 

chall_FTNT

You can certainly create a DLP filter which matches filesize exceeding a certain value.  And you could alert on logs which match that condition.  I'm not sure if that meets your requirements.

 

Otherwise, you could use a DoS sensor to track high traffic volume from specific IPs.

Chris Hall
Fortinet Technical Support
robdog
New Contributor II

> You can certainly create a DLP filter which matches filesize exceeding a certain value.  And you could alert on logs which match that condition.  I'm not sure if that meets your requirements.

This would suffice, to be perfectly honest. Can you advise any documentation on how to do this, please?

chall_FTNT

See Creating/editing a DLP sensor

Chris Hall
Fortinet Technical Support
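
Added example, not part of any post in this thread and not Fortinet code: one way to get the per-user egress alert asked about above is to sum the `sentbyte` field of FortiGate traffic logs (bytes sent by the session's source) over an exported time window and flag totals of 1 GiB or more. The log lines are constructed samples; the function names and the fallback to `srcip` when no `user` is logged are assumptions of this example.

```python
import re
from collections import defaultdict

THRESHOLD_BYTES = 1 * 1024**3  # 1 GiB per user, the figure from the question

# Constructed sample lines in FortiGate key=value traffic-log style (one time window).
SAMPLE_LOGS = """\
date=2024-01-15 time=09:12:01 type="traffic" subtype="forward" srcip=10.0.0.21 user="alice" dstip=203.0.113.10 service="HTTPS" sentbyte=734003200 rcvdbyte=1048576
date=2024-01-15 time=09:40:44 type="traffic" subtype="forward" srcip=10.0.0.21 user="alice" dstip=203.0.113.10 service="HTTPS" sentbyte=524288000 rcvdbyte=2097152
date=2024-01-15 time=10:02:13 type="traffic" subtype="forward" srcip=10.0.0.35 user="bob" dstip=198.51.100.7 service="HTTPS" sentbyte=52428800 rcvdbyte=3221225472
date=2024-01-15 time=10:05:00 type="traffic" subtype="forward" srcip=10.0.0.40 dstip=198.51.100.9 service="HTTPS" sentbyte=1288490188 rcvdbyte=4096
date=2024-01-15 time=10:06:00 type="utm" subtype="webfilter" srcip=10.0.0.35 user="bob" sentbyte=9999999999
"""

# key=value pairs; values are either "quoted" or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV.findall(line)}


def sent_bytes_by_user(log_text):
    """Sum sentbyte per user (or per source IP when no user is logged)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "traffic":
            continue  # only traffic logs carry per-session byte counters
        try:
            sent = int(rec["sentbyte"])
        except (KeyError, ValueError):
            continue  # skip records with a missing or malformed counter
        who = rec.get("user") or rec.get("srcip", "unknown")
        totals[who] += sent
    return dict(totals)


def high_uploaders(log_text, threshold=THRESHOLD_BYTES):
    """Return (identity, bytes_sent) pairs at or above the threshold, largest first."""
    totals = sent_bytes_by_user(log_text)
    hits = [(who, sent) for who, sent in totals.items() if sent >= threshold]
    return sorted(hits, key=lambda item: -item[1])


if __name__ == "__main__":
    for who, sent in high_uploaders(SAMPLE_LOGS):
        print(f"ALERT {who} sent {sent / 1024**3:.2f} GiB")
```

Run over logs exported for a fixed window (for example one day) so the totals are comparable between runs; a large `rcvdbyte` alone, as in the constructed `bob` record, does not trigger the alert.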