topic Log Forwarding for Flood event in General Topics

Log Forwarding for Flood event

abryantgca — Fri, 17 Nov 2017 17:35:10 GMT

I'm familiar with the process of setting up a log forwarding profile and attaching it to a security rule. But how would this work for alerting on a flood event? In a flood the attacker IP is 0.0.0.0 and the victim IP is 0.0.0.0. This won't match any of our rules.

Re: Log Forwarding for Flood event

BPry — Fri, 17 Nov 2017 20:23:09 GMT

@abryantgca,

Since you could be talking about two different things.

1) DoS Protection Profile Flood.

Since the flood is recorded as a threat with a Severity rating of critical it will fall under whatever your log-forwarding profile has for that, you just need to make sure that the log-forwarding profile is assigned to the DoS Protection Profile associated with the flood.

2) Zone Protection Profile

This setting is actually pulled from the Log Setting configured for the different Zones. Within your Zones configuration you'll have an option to set a Log Setting, this is your log forwarding profile.

Re: Log Forwarding for Flood event

abryantgca — Fri, 17 Nov 2017 20:28:34 GMT

Thanks for clarifying, it was the Zone Protection. That worked.