Attack defense log settings
This help contains the following topics:
· Introduction
    · Log aggregation for single-packet attack events
    · Blacklist logging
    · Log buffer and log file
Introduction
Log aggregation for single-packet attack events
When you enable logging for single-packet attacks, the device generates a log each time it detects a single-packet attack. If single-packet attacks occur frequently, generating and outputting these logs consumes more system resources. To save system resources, you can enable log aggregation for single-packet attacks. This feature aggregates the logs generated during a period of time and sends them as one log. Logs are aggregated only if they have all of the following attributes in common:
· Attacks are detected on the same interface or security zone or are destined for the device.
· Attack type.
· Attack defense action.
· Source and destination IP addresses.
· VRF to which the victim IP address belongs.
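The aggregation rule described above, as an added illustration that is not H3C code: events are binned into fixed periods, and within a period only events that match on every one of the five attributes collapse into one log. The event fields, the period length and the sample events are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class AttackEvent:
    ts: int          # detection time in seconds (constructed values)
    location: str    # interface or security zone; "device" if destined for the device
    attack_type: str
    action: str      # attack defense action taken
    src_ip: str
    dst_ip: str
    vrf: str         # VRF to which the victim (destination) IP address belongs

def aggregation_key(e: AttackEvent) -> tuple:
    """Attributes that must all match for two events to share one aggregated log."""
    return (e.location, e.attack_type, e.action, e.src_ip, e.dst_ip, e.vrf)

def aggregate(events, period: int):
    """Emit one log per aggregation key per fixed period window.

    Events are binned by ts // period; within a bin, events with the same
    key collapse into a single record carrying a hit count and time span.
    """
    buckets = defaultdict(lambda: {"count": 0, "first_ts": None, "last_ts": None})
    for e in sorted(events, key=lambda ev: ev.ts):
        b = buckets[(e.ts // period,) + aggregation_key(e)]
        if b["count"] == 0:
            b["first_ts"] = e.ts
        b["count"] += 1
        b["last_ts"] = e.ts
    logs = []
    for (window, loc, atype, action, src, dst, vrf), b in sorted(buckets.items()):
        logs.append({"window": window, "location": loc, "attack_type": atype,
                     "action": action, "src_ip": src, "dst_ip": dst, "vrf": vrf, **b})
    return logs

# Constructed sample events: three Smurf hits in one window share every
# attribute; the Land event, the vpn2 event and the ts=1006 event each
# differ in one attribute (type, VRF, window) and so get their own log.
SAMPLE_EVENTS = [
    AttackEvent(1000, "Untrust", "Smurf", "drop", "198.51.100.7", "192.0.2.1", "vpn1"),
    AttackEvent(1001, "Untrust", "Smurf", "drop", "198.51.100.7", "192.0.2.1", "vpn1"),
    AttackEvent(1002, "Untrust", "Smurf", "drop", "198.51.100.7", "192.0.2.1", "vpn1"),
    AttackEvent(1003, "Untrust", "Land", "drop", "198.51.100.7", "192.0.2.1", "vpn1"),
    AttackEvent(1004, "Untrust", "Smurf", "drop", "198.51.100.7", "192.0.2.1", "vpn2"),
    AttackEvent(1006, "Untrust", "Smurf", "drop", "198.51.100.7", "192.0.2.1", "vpn1"),
]

if __name__ == "__main__":
    for log in aggregate(SAMPLE_EVENTS, period=5):
        print(log)
```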
Blacklist logging
With logging enabled for the blacklist feature, the system outputs logs in the following situations:
· A blacklist entry is manually added.
· A blacklist entry is dynamically added by the scanning attack detection feature.
· A blacklist entry is manually deleted.
· A blacklist entry ages out.
A blacklist log records the following information:
· Source IP address of the blacklist entry.
· Remote IP address of the DS-Lite tunnel.
· VRF name.
· Reason for adding or deleting the blacklist entry.
· Aging time for the blacklist entry.
Log buffer and log file
The device provides separate log buffers and log files for the blacklist module and the attack defense module. To output the logs of these service modules to their log buffers and log files, select the Output to log buffer option on the basic settings page for the syslog.
Logs are held in the log file buffer before they are written to the log file. After the system writes the logs to the log file, it clears the log file buffer.
When the log file reaches its maximum capacity, the system overwrites the oldest logs with new logs.