Hi
I am working on a DDoS alert. I want to detect spikes of incoming traffic.
But I am not sure how to differentiate incoming from outgoing.
index=fortigate sourcetype=fgt_traffic host="FGT-200"
|search (dest_port=443 OR dest_port=80)
You could filter out the source IPs behind your firewall to get incoming traffic. The actual IPs to use will depend on your environment. Here is an example:
index=fortigate sourcetype=fgt_traffic host="FGT-200" (dest_port=443 OR dest_port=80) srcip!=203.0.113.0/24 srcip!=192.168.15.0/24
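To show the same filter as a small detection run over log lines, here is an added example (not from this thread, Splunk or FortiGate): it treats an event as incoming when its source is outside the two internal ranges in the search above and the destination port is 80 or 443, counts those events per minute the way a timechart would, and flags a minute that stands well above the median. The field names, sample events, internal ranges and thresholds are assumptions for illustration.

```python
import ipaddress
import statistics
from collections import Counter

# Internal ranges taken from the search above; change them for your own environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.168.15.0/24")]
WEB_PORTS = {80, 443}

# Constructed sample events in key=value form using the search's field names
# (srcip, dest_port); _time is epoch seconds. Not real firewall output.
SAMPLE_LOGS = [
    "_time=1700000005 srcip=192.168.15.10 dest_ip=198.51.100.9 dest_port=443",  # outbound
    "_time=1700000010 srcip=198.51.100.21 dest_ip=203.0.113.40 dest_port=443",
    "_time=1700000020 srcip=198.51.100.22 dest_ip=203.0.113.40 dest_port=80",
    "_time=1700000070 srcip=198.51.100.23 dest_ip=203.0.113.40 dest_port=443",
    "_time=1700000130 srcip=203.0.113.5 dest_ip=198.51.100.9 dest_port=80",    # outbound
] + [
    # burst of distinct external sources hitting a web port inside one minute
    f"_time={1700000180 + i} srcip=198.51.100.{100 + i} dest_ip=203.0.113.40 dest_port=443"
    for i in range(12)
]

def parse_event(line):
    """Split 'k=v k=v' into a dict, roughly what Splunk's field extraction yields."""
    return dict(pair.split("=", 1) for pair in line.split())

def is_incoming_web(event):
    """True for traffic to 80/443 whose source is NOT in one of our internal ranges."""
    src = ipaddress.ip_address(event["srcip"])
    on_web_port = int(event["dest_port"]) in WEB_PORTS
    return on_web_port and not any(src in net for net in INTERNAL_NETS)

def incoming_per_window(lines, span=60):
    """Count incoming web events per span-second bucket (like `timechart span=1m`)."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if is_incoming_web(ev):
            counts[int(ev["_time"]) // span * span] += 1
    return counts

def spike_windows(counts, min_events=10, ratio=3.0):
    """Flag buckets that exceed a floor AND are well above the median bucket."""
    if not counts:
        return []
    baseline = statistics.median(counts.values())
    return sorted(t for t, n in counts.items() if n >= min_events and n >= ratio * baseline)

if __name__ == "__main__":
    windows = incoming_per_window(SAMPLE_LOGS)
    for start in spike_windows(windows):
        print(f"possible DDoS: {windows[start]} incoming web events in minute starting {start}")
```

In Splunk the same idea is the filtered search above followed by a per-minute count and a comparison against a baseline; the thresholds here are placeholders to tune against your normal traffic.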