Anomaly; Anomaly List - Fortinet FortiGate FortiGate-3000 Administration Manual


Anomaly

Caution: Restoring the custom signature list overwrites the existing file.
The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP, and ICMP protocols.

Flooding: If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a threshold, the source is scanning.
Source session limit: If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.

You can enable or disable logging for each anomaly, and you can control the IPS action in response to detecting an anomaly. In many cases you can also configure the thresholds that the anomaly uses to detect traffic patterns that could represent an attack.

Note: It is important to know the normal and expected traffic on your network before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could miss some attacks.

You can also use the command line interface (CLI) to configure session control based on source and destination network address. See "Anomaly CLI configuration" on page 309.

The anomaly detection list can be updated only when the FortiGate firmware image is upgraded.

Anomaly list

Figure 148: The Anomaly list

Name: The anomaly names.
Enable: The status of the anomaly. A white check mark in a green circle indicates the anomaly is enabled. A white X in a grey circle indicates the anomaly is disabled.
Logging: The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly.
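The four statistical checks described above, modelled over a constructed session list. This is an added example, not Fortinet's code and not the FortiGate implementation; the Session and Thresholds types, the threshold values, the addresses and the session records are assumptions chosen so that each detector fires exactly once, and the runs with very low and very high thresholds illustrate the note about false positives and missed attacks.

```python
"""Model of the four FortiGate IPS statistical anomalies (added example,
not Fortinet code). Sessions, addresses and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    start: float  # seconds since the start of the (constructed) capture
    end: float
    src: str
    dst: str


@dataclass(frozen=True)
class Thresholds:
    flooding: int           # new sessions to one destination per second
    scan: int               # new sessions from one source per second
    source_limit: int       # concurrent sessions from one source
    destination_limit: int  # concurrent sessions to one destination


Alert = Tuple[str, str, int]  # (anomaly name, address, observed count)


def new_sessions_per_second(sessions: List[Session],
                            key: Callable[[Session], str]) -> Dict[Tuple[str, int], int]:
    """Count session starts per (address, one-second bucket)."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for s in sessions:
        counts[(key(s), int(s.start))] += 1
    return counts


def peak_concurrent(sessions: List[Session],
                    key: Callable[[Session], str]) -> Dict[str, int]:
    """Sweep line: +1 when a session opens, -1 when it closes; the maximum of
    the running sum is the largest number of sessions open at once per address."""
    events: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for s in sessions:
        events[key(s)].append((s.start, +1))
        events[key(s)].append((s.end, -1))
    peaks: Dict[str, int] = {}
    for addr, ev in events.items():
        current = best = 0
        # At equal timestamps -1 sorts before +1, so a session closing exactly
        # when another opens is not counted as two concurrent sessions.
        for _, delta in sorted(ev):
            current += delta
            best = max(best, current)
        peaks[addr] = best
    return peaks


def detect_anomalies(sessions: List[Session], th: Thresholds) -> List[Alert]:
    """Apply the four checks; a check fires when its count exceeds the threshold."""
    alerts = set()
    for (dst, _sec), n in new_sessions_per_second(sessions, lambda s: s.dst).items():
        if n > th.flooding:
            alerts.add(("flooding", dst, n))
    for (src, _sec), n in new_sessions_per_second(sessions, lambda s: s.src).items():
        if n > th.scan:
            alerts.add(("scan", src, n))
    for src, n in peak_concurrent(sessions, lambda s: s.src).items():
        if n > th.source_limit:
            alerts.add(("source session limit", src, n))
    for dst, n in peak_concurrent(sessions, lambda s: s.dst).items():
        if n > th.destination_limit:
            alerts.add(("destination session limit", dst, n))
    return sorted(alerts)


def build_sample_sessions() -> List[Session]:
    """Constructed traffic with one scenario per anomaly type."""
    s: List[Session] = []
    # Scan: 10.0.0.5 opens 30 short sessions to 30 different hosts in second 1.
    for i in range(30):
        t = 1.0 + i * 0.01
        s.append(Session(t, t + 0.005, "10.0.0.5", f"192.0.2.{100 + i}"))
    # Flooding: 40 sources each open one short session to 192.0.2.10 in second 2.
    for i in range(40):
        t = 2.0 + i * 0.02
        s.append(Session(t, t + 0.01, f"198.51.100.{i}", "192.0.2.10"))
    # Source session limit: 10.0.0.7 keeps 20 sessions open at the same time
    # (only two new sessions per second, so this is not a scan).
    for i in range(20):
        s.append(Session(5.0 + i * 0.5, 30.0, "10.0.0.7", f"192.0.2.{50 + i}"))
    # Destination session limit: 18 sources hold sessions open to 192.0.2.30.
    for i in range(18):
        s.append(Session(40.0 + i, 100.0, f"203.0.113.{i}", "192.0.2.30"))
    return s


# Assumed threshold values; on a real unit they come from the anomaly list.
SAMPLE_THRESHOLDS = Thresholds(flooding=25, scan=25, source_limit=15, destination_limit=15)


if __name__ == "__main__":
    sample = build_sample_sessions()
    for alert in detect_anomalies(sample, SAMPLE_THRESHOLDS):
        print(alert)
    # Thresholds of 1 flag 10.0.0.7's two new sessions per second as a scan
    # (a false positive); thresholds of 100 report nothing at all.
    print(len(detect_anomalies(sample, Thresholds(1, 1, 1, 1))), "alerts at threshold 1")
    print(len(detect_anomalies(sample, Thresholds(100, 100, 100, 100))), "alerts at threshold 100")
```

Flooding and scan are rate checks on session starts within a one-second bucket, while the two session limits are checks on how many sessions are open at once, which is why the long-lived sessions from 10.0.0.7 trip the source session limit but, at the assumed thresholds, not the scan check.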
IPS    01-28006-0010-20041105    Fortinet Inc.
