Managing baseline traffic statistics

This section includes the following information:

• Baseline traffic statistics overview
• Generating baseline traffic statistics
• Displaying baseline traffic statistics

Baseline traffic statistics overview

The baseline traffic statistics are the maximum value (rate or count) measured by the counter during the observation period. The system saves data points every five minutes. During a 1-hour period, for example, there are 12, 5-minute observation periods. FortiDDoS saves a data point for each 5-minute interval. If you choose a 1-hour period, the system generates the maximum value across these 12 periods of 5-minute intervals.

The baseline statistics are used to establish the configured minimum threshold and ultimately the absolute maximum rate limit. Figure  40 illustrates the relationship between the baseline statistics, threshold settings, and monitor graphs.

In Figure  40:

1. The generated baseline statistic for the most-active-source threshold is 9774 packets/second.
2. The generated baseline statistic is multiplied by the Layer 3 percentage adjustment on the System Recommendation page. The default is 300%.
3. The product of the baseline and the percentage adjustment determines the configured minimum threshold. 9774x 300% = 29322 packets/second.
4. The configured minimum threshold is displayed on its monitor graph.
5. On the monitor graph, the estimated threshold is the top line. The estimated threshold can go no higher than the product of the configured minimum threshold and the adaptive limit. 29322 * 150% = 43983 packets/second.

Figure  40:  Relationship baseline traffic statistics-thresholds

Generating baseline traffic statistics

You can generate baseline traffic statistics based on the following observation periods:

• Past 1 hour
• Past 8 hours
• Past 1 day
• Past 1 week
• Past 1 month
• Past 1 year

Use a time period that is representative of typical traffic volume and has had no attacks.

Before you begin:

• You must have Read-Write permission for Protection Profile settings.
• Note that the FortiDDoS hardware is accessed when you generate traffic statistics or set system recommended thresholds. Do not perform multiple operations simultaneously.

To generate baseline traffic statistics:

1. Go to Protection Profiles > Traffic Statistics> Generate.
2. Select the SPP you want to configure from the drop-down list.
3. Select the time period from the drop-down list.
4. Select Generate.
5. Save the configuration.
6. It takes about ten minutes for the process to complete. Click Refresh to track the status. The process is complete when the status shows "Available" and a timestamp.

To configure with the CLI, use a command sequence similar to the following: config spp edit <spp_name> config ddos spp threshold-report set generate {enable | disable} set report-period {last-hour | last-8-hours | last-24-hours | last-week | last-month | last-year} end

Displaying baseline traffic statistics

You can review the statistics that are the basis of the system recommended thresholds.

Before you begin:

• You must have generated the report. See Generating baseline traffic statistics.
• You must have Read-Write permission for Protection Profile settings.

To display baseline traffic statistics

1. Go to Protection Profiles > Traffic Statistics > Details.
2. Select the SPP of interest from the drop-down list.
3. Select the type of statistics from the drop-down list.
4. Select the time period from the drop-down list.

Note: By default, the system does not display parameters with counts lower than the following.

Clear the Do not show values below low threshold option if you want to see these low counts.