Handbook

Configuring brute force attack detection

Brute Force Attack Detection policies limit repeated login attempts. If an HTTP client tries to log in to a server through FortiADC and fails too many times in a row, a Brute Force Attack Detection policy can stop it.

Before you begin:

  • You must have Read-Write permission for Security settings.

After you have configured Brute Force Attack Detection policies, you can select them in WAF profiles.

To configure a Brute Force Attack Detection policy:

  1. Go to Web Application Firewall > Common Attacks Detection.
  2. Click the Brute Force Attack Detection tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration.

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    Status

    On | OFF. If On, the policy is active; otherwise it is inactive.

    Action

    Alert—Allow the traffic and log the event.

    Deny—Drop the traffic, send a 403 Forbidden to the client, and log the event.

    Block—Drop the traffic and, for a period of time, drop all further traffic from the same client IP.

    Silent-deny—Drop the traffic and send a 403 Forbidden to the client, but do not log the event.

    The default is alert.

    Severity

    High—Log as high severity events.

    Medium—Log as medium severity events.

    Low—Log as low severity events.

    The default is low.

    Exception

    Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

    Comments

    A string to describe the purpose of the configuration.

  5. Save the configuration.
  6. Edit the new saved configuration.
  7. Find “Match Condition” and click Create New.
  8. Complete the configuration.

    Host Status

    On | OFF.

    If On, the Host Pattern field is shown and is required.

    The default is OFF.

    Host Pattern

    Matching string for host name. Regular expressions are supported.

    URL Pattern

    Matching string. Regular expressions are supported. The input string must start with "/".

    Login Failed Code

    The HTTP response status code that identifies a failed login. 0 means the response code is not checked, so every request/response pair that matches the host and URL settings counts as a failure.

    The default is 0.

    IP Access Limit

    1-65535. The number of consecutive login failures from one client IP before the policy action is applied.

    Note: A request/response pair counts as a login failure when it matches all of the settings above: Host Pattern (only if Host Status is On), URL Pattern, and Login Failed Code (only if it is not 0).

  9. Save the configuration.

    Note

    You can add multiple match condition rules by repeating steps 6-9.

  10. Save the configuration.
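The match-condition logic described above, replayed over constructed traffic so you can see when a client trips the limit. This is an added example, not FortiADC code: the policy and request records are invented, and the counter reset on a non-failure to the same endpoint is an assumption drawn from the word "consecutive".

```python
import re

# Constructed policy using the handbook's fields (sample values are mine).
POLICY = {"action": "deny",  # alert | deny | block | silent-deny
          "match_conditions": [{"host_status": "On", "host_pattern": r"^login\.example\.com$",
                                "url_pattern": r"^/api/login$", "login_failed_code": 401,
                                "ip_access_limit": 3}]}

def endpoint_matches(cond, req):
    """Host Pattern (only when Host Status is On) and URL Pattern both match."""
    if cond["host_status"] == "On" and not re.search(cond["host_pattern"], req["host"]):
        return False
    return re.search(cond["url_pattern"], req["url"]) is not None

def is_login_failure(cond, req):
    """Endpoint matches and, when Login Failed Code is not 0, the response code equals it."""
    if not endpoint_matches(cond, req):
        return False
    return cond["login_failed_code"] == 0 or req["status"] == cond["login_failed_code"]

def evaluate(policy, requests):
    """Replay request/response pairs and return one verdict per pair. Failures are counted
    per (client IP, match condition); a non-failure to the same endpoint resets the run
    (assumption, from 'consecutive'); 'block' keeps dropping that IP afterwards."""
    counts, blocked, verdicts = {}, set(), []
    for req in requests:
        ip = req["ip"]
        if ip in blocked:
            verdicts.append("drop")  # Block action: all later traffic from the IP is dropped
            continue
        verdict = "pass"
        for i, cond in enumerate(policy["match_conditions"]):
            if is_login_failure(cond, req):
                counts[(ip, i)] = counts.get((ip, i), 0) + 1
                if counts[(ip, i)] >= cond["ip_access_limit"]:
                    verdict = policy["action"]
                    if verdict == "block":
                        blocked.add(ip)
            elif endpoint_matches(cond, req):
                counts[(ip, i)] = 0  # successful login ends the consecutive run
        verdicts.append(verdict)
    return verdicts

SAMPLE = [  # constructed traffic: 10.0.0.5 fails three times; 10.0.0.9 fails, succeeds, fails
    {"ip": "10.0.0.5", "host": "login.example.com", "url": "/api/login", "status": 401},
    {"ip": "10.0.0.9", "host": "login.example.com", "url": "/api/login", "status": 401},
    {"ip": "10.0.0.5", "host": "login.example.com", "url": "/api/login", "status": 401},
    {"ip": "10.0.0.9", "host": "login.example.com", "url": "/api/login", "status": 200},
    {"ip": "10.0.0.5", "host": "login.example.com", "url": "/api/login", "status": 401},
    {"ip": "10.0.0.9", "host": "login.example.com", "url": "/api/login", "status": 401},
]
```

Running `evaluate(POLICY, SAMPLE)` yields a verdict of `deny` only on the third consecutive 401 from 10.0.0.5; the successful login from 10.0.0.9 resets its count, so its later failure passes.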