Single-packet attacks are also known as malformed packet attacks. An attacker typically launches single-packet attacks by using the following methods:
An attacker sends defective packets to a device, which causes the device to malfunction or crash.
An attacker sends normal packets to a device, which interrupts connections or probes network topologies.
An attacker sends a large number of forged packets to a target device, which consumes network bandwidth and causes denial of service (DoS).
To configure the device to output a log when it detects a packet with a specific signature, perform the following operations:
Enable logging for single-packet attack events when you configure an attack defense policy on the Objects > APP Security > Attack Defense Policies page.
Enable log collection for the Attack defense | Single-packet attack log service on the System > Log Settings > Storage Space Settings page.
By default, log aggregation for single-packet attack events is enabled. The device aggregates multiple logs generated during a period of time and outputs one log. Logs that are aggregated must have the following attributes in common:
Security zone where the attacks are detected.
Attack type.
Attack prevention action.
Source and destination IP addresses.
VPN instance (VRF) to which the victim IP address belongs.
You can disable log aggregation for single-packet attack events on the System > Log Settings > Advanced Settings page. As a best practice, do not disable log aggregation if single-packet attacks occur frequently, because the resulting large number of logs consumes display resources.
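The aggregation rule described above, as an added example that is not the device's own code: events are merged into one record only when every listed attribute matches within one interval. The field names, the interval length, and the sample records are constructed assumptions, because the page does not state the device's log schema or aggregation period.

```python
"""Added example: merge events that share the attributes the page lists."""

# Attributes aggregated logs must have in common (field names are hypothetical).
KEY_FIELDS = ("zone", "attack_type", "action", "src_ip", "dst_ip", "vrf")


def aggregate(events, window_seconds):
    """Collapse events with identical KEY_FIELDS inside one window into one record.

    Assumption: a window opens at the first event of a key and lasts
    window_seconds; the page only says "a period of time".
    """
    out = []
    open_records = {}  # key tuple -> record still accepting events
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(ev[f] for f in KEY_FIELDS)
        rec = open_records.get(key)
        if rec is None or ev["ts"] - rec["first_ts"] >= window_seconds:
            rec = dict(zip(KEY_FIELDS, key), first_ts=ev["ts"], last_ts=ev["ts"], count=0)
            open_records[key] = rec
            out.append(rec)
        rec["last_ts"] = ev["ts"]
        rec["count"] += 1
    return out


def _ev(ts, **overrides):
    """Build one constructed sample event (not real device output)."""
    base = dict(zone="Untrust", attack_type="land", action="drop",
                src_ip="192.0.2.10", dst_ip="198.51.100.5", vrf="public")
    return {**base, **overrides, "ts": ts}


# Constructed sample: four identical events, one with another destination,
# one in another VRF. Timestamps are seconds.
SAMPLE = [_ev(0), _ev(3), _ev(5, dst_ip="198.51.100.6"), _ev(9), _ev(12),
          _ev(4, vrf="vpn-a")]

if __name__ == "__main__":
    for rec in aggregate(SAMPLE, window_seconds=10):
        print(rec["count"], rec["first_ts"], rec["last_ts"],
              rec["src_ip"], "->", rec["dst_ip"], rec["vrf"])
```

An event that differs in any one attribute, such as the destination address or the VRF, stays in its own record, so the count on a single aggregated log covers only that exact combination.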
Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.
Only one log operation (import, export, or clear) is allowed at a time.
Only one user can perform a log operation at a time. When you import, export, or clear logs, make sure no one else is performing a log operation.
Click the Monitor tab.
In the navigation pane, select Security Logs > Single-Packet Attack Logs.
Click Import.
In the dialog box that opens, click OK.
Select a log file, and enter the password for the log file. The password was set when the file was exported.
Click the Monitor tab.
In the navigation pane, select Security Logs > Single-Packet Attack Logs.
Click on a column header, specify the search criteria to display the logs to be exported, and then click Apply.
Click Export.
On the page that opens, configure the log export settings.
Table-1 Log export configuration items
Item | Description |
Set password | Enter a password for encrypting the log files. This password is required when you view or import the exported log files. |
Logs per file | Set the maximum number of log entries in each log file. |
Click Export to export the log files to your local PC.