Configuring reports
The report generator enables you to configure report profiles that can be run on demand or automatically according to a schedule you specify. The report generator is typically used to generate reports that can be distributed to subscribers or similar stakeholders who do not have administrative access to the FortiDDoS system. You can configure profiles that include system event data, DDoS attack data, or both.
Top attack reports are ranked by drop count (highest to lowest).
The following attack reports are available:
Top Attacks—Drop count by DDoS attack type.
Top ACL Attacks—Drop count by ACL rules.
Top Attackers—Drop count by Source IP address.
Top Attacked Destinations—Drop count by Destination IP address.
Top Attacked HTTP Servers—Drop count by HTTP server IP address.
Top Attacked Subnets—Drop count by subnet.
Top Attacked Protocols—Drop count by protocol.
Top Attacked TCP Ports—Drop count by TCP port.
Top Attacked UDP Ports—Drop count by UDP port.
Top Attacked ICMP Type Codes—Drop count by ICMP type code.
Top Attacked HTTP Methods—Drop count by HTTP method.
Top Attacked HTTP URLs—Drop count by HTTP URL (hash index).
Top Attacked HTTP Hosts—Drop count by Host header (hash index).
Top Attacked HTTP Referers—Drop count by Referer header (hash index).
Top Attacked HTTP Cookies—Drop count by Cookie header (hash index).
Top Attacked HTTP User Agents—Drop count by User-Agent header (hash index).
Before you begin:
You must have enabled local logging for system events if you want to generate system event reports.
You must have Read-Write permission for Log & Report settings.
To configure report profiles:
1. Go to Log & Report > Report Configuration > Report Configuration.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 65.
4. Save the configuration.
After you save the configuration, the profile is added to the report profile list. You can edit and delete profiles, and you can select them to generate on-demand reports.
Figure 102: Report configuration page
 
Figure 103: Report profile list
 
Table 65: Report configuration guidelines
Settings: Guidelines

Report Config
Name: Name for the configuration. Spaces are not valid.
Type:
  On Schedule—Run the report according to the schedule settings (below).
  On Demand—Run the report upon saving the configuration.
Title: Title displayed at the top of the report.
Description: Description for the configuration.

Properties
Company Name: Company name displayed in the report.
Header Comment: Page header to appear on reports with page format, like PDF or MS Word.
Footer Comment: Page footer to appear on reports with page format:
  Report Title—Use the report title in the footer.
  Custom—Use the specified string in the footer.
Title Page Logo: Logo to appear on the title page of the report:
  No Logo
  Custom—Upload a logo file.
  Note: The report generator supports GIF, JPG, and PNG files. The Windows output format also supports WMF files.
Header Logo: Logo to appear in the page header on reports with page format:
  No Logo
  Custom—Upload a logo file.

Report Scope
Time Period: Select a time period. Not Used means all available data is included in the report, regardless of time period. Absolute means you specify precise dates and hours. The other options are self-explanatory.
Direction:
  Inbound
  Outbound
  Note: Shift-click to select both inbound and outbound.

Report Type
Report Type: Select Event Activity and DDoS Attack Activity queries to include in the report.
  System Event Activity queries are based on the system event log. DDoS Attack Activity queries are based on the DDoS attack log.
  For DDoS Attack Activity queries, you can specify whether to include all SPPs, one or more specified SPPs, one or more SPP policies, or the default subnet. Shift-click to select multiple SPPs or SPP policies.

Report Format
Top values in ranked reports (first variable): In ranked reports (“top x” report types, such as Top Attack Type), you can specify how many items from the top rank are included in the report. For example, you can set the Top Attack URLs report to include up to 30 of the top x denied URLs. The remaining results are combined under “Others.”
  Note: Reports that do not include “Top” in their name display all results. Changing the ranked reports values does not affect these reports.
Top values in ranked reports (second variable): Some ranked reports rank two aspects. For example, the Top Sources By Top Destination report ranks top source IP addresses for each of the top destination IP addresses. For these double-ranked reports, you can also configure the rank threshold of the second aspect.
Include Summary Information: Select to include a report summary page.
Include Table of Contents: Select to include a table of contents.

Schedule
Schedule: If configuring a scheduled report, use the controls to specify when to run the report.

Output
File Output, Email Output:
  HTML
  Text
  PDF
  MS Word
  MHT (MIME HTML)
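
The ranked-report behaviour described under Report Format (rank by drop count, keep the top x, combine the remainder under "Others", and apply a second threshold in double-ranked reports), worked through in Python as an added example that is not FortiDDoS code. The record layout, field names and sample values are constructed assumptions, as is treating the destination as the first variable and the source as the second.

```python
from collections import defaultdict

# Constructed sample records, not real FortiDDoS log output; the field names
# (src, dst, drops) are assumptions made for this example.
SAMPLE_DROPS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "drops": 900},
    {"src": "198.51.100.7", "dst": "203.0.113.20", "drops": 100},
    {"src": "198.51.100.9", "dst": "203.0.113.10", "drops": 400},
    {"src": "192.0.2.44", "dst": "203.0.113.10", "drops": 250},
    {"src": "192.0.2.45", "dst": "203.0.113.20", "drops": 50},
    {"src": "198.51.100.9", "dst": "203.0.113.30", "drops": 30},
]

def rank_by_drops(records, key):
    """Sum drop counts per value of `key`, ordered highest to lowest."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key]] += rec["drops"]
    # Tie-break on the value itself so equal counts rank deterministically.
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def top_ranked(records, key, top_x):
    """Keep the top_x rows and combine the remainder into one 'Others' row."""
    ranked = rank_by_drops(records, key)
    head, tail = ranked[:top_x], ranked[top_x:]
    if tail:
        head.append(("Others", sum(count for _, count in tail)))
    return head

def double_ranked(records, first_key, second_key, top_x, top_y):
    """For each of the top_x first_key values, rank its top_y second_key values."""
    report = []
    for value, total in rank_by_drops(records, first_key)[:top_x]:
        subset = [rec for rec in records if rec[first_key] == value]
        report.append((value, total, top_ranked(subset, second_key, top_y)))
    return report

if __name__ == "__main__":
    for row in top_ranked(SAMPLE_DROPS, "src", 2):
        print(row)
    for dst, total, sources in double_ranked(SAMPLE_DROPS, "dst", "src", 1, 2):
        print(dst, total, sources)
```

In this example the tail is summed rather than discarded, so the rows of each ranked list still add up to the total drop count for the records in scope.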