Fortinet Document Library

Configuring an Advanced Protection policy

The Advanced Protection policy includes the following rules:

  • Content Scraping—Checks HTTP response header. If the traffic matches the occurrence limit and is over the specified percentage match, it detects web scraping, then executes the relevant actions for the traffic.

  • HTTP Response Code—Checks HTTP response code. If the traffic matches the occurrence limit and is over the specified percentage match, it detects web scraping, then executes the relevant actions for the traffic.

To configure an Advanced Protection policy:
  1. Go to Web Application Firewall > Common Attacks Detection.
  2. Click the Advanced Protection tab.
  3. Click Create New to display the configuration editor.
  4. Complete the configuration as described in Advanced Protection configuration.

    Note

    If you want to drop a large number of packets when traffic matches the rules, set the action to "block" instead of "deny".

  5. Save the configuration.

Advanced Protection configuration

Settings Guidelines

Name

Enter a unique Advanced Protection policy name. Valid characters are A-Z, a-z, 0-9, _, and -. No space is allowed.

Note: Once saved, the name of an Advanced Protection policy cannot be changed.

Content Scraping

Content Type

Specify a Content Type for the Content Scraping rule:

  • text/html
  • text/plain
  • text/xml
  • application/xml
  • application/soap+xml
  • application/json

Occurrence Limit

Sets the limit on the number of responses of the specified type. If the number of responses of the specified type received within the time frame (set in Occurrence Within) is above this limit, this condition is fulfilled.

Occurrence Within

Sets the time span during which responses of the specified type are counted.

Percentage Match

Sets the percentage of all traffic, during the given time frame, that responses of the specified type must exceed. If responses of the specified type, compared to all traffic, are received above this Percentage Match, this condition is fulfilled.

The default is 0, which disables this condition.

Action

Select which action FortiADC takes when the conditions are fulfilled for Content Scraping.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

When FortiADC records violations of this rule in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiADC uses when using Advanced Protection:

  • Low
  • Medium
  • High

The default value is Low.

HTTP Response Code

Response Code

Specify a Response Code for the HTTP Response Code rule.

Occurrence Limit

Sets the limit on the number of responses of the specified type. If the number of responses of the specified type received within the time frame (set in Occurrence Within) is above this limit, this condition is fulfilled.

Occurrence Within

Sets the time span during which responses of the specified type are counted.

Percentage Match

Sets the percentage of all traffic, during the given time frame, that responses of the specified type must exceed. If responses of the specified type, compared to all traffic, are received above this Percentage Match, this condition is fulfilled.

The default is 0, which disables this condition.

Action

Select which action FortiADC takes when the conditions are fulfilled for HTTP Response Code.

  • Alert—Accept the request and generate an alert email, log message, or both.
  • Deny—Block the request (or reset the connection).
  • Block—Block subsequent requests from the client for a number of seconds. Also configure Block Period.
  • Silent-deny—Deny without log.

The default value is Alert.

Severity

  • High—Log as high severity events.
  • Medium—Log as medium severity events.
  • Low—Log as low severity events.

The default value is Low.
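To make the Occurrence Limit, Occurrence Within and Percentage Match conditions concrete for both the Content Scraping and HTTP Response Code rules, the following is an added example that evaluates them over constructed response records; it is not FortiADC code. Per-client tracking, a sliding time window and the sample client addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Response:
    ts: float          # seconds on a monotonic clock
    client: str        # requesting client (assumed per-client tracking)
    content_type: str  # Content-Type response header
    status: int        # HTTP response status code


def rule_triggers(responses, matches, occurrence_limit, occurrence_within, percentage_match=0):
    """Return the clients whose traffic fulfils the rule conditions.
    matches selects the rule's type; percentage_match=0 disables that condition."""
    by_client = defaultdict(list)
    for r in sorted(responses, key=lambda r: r.ts):
        by_client[r.client].append(r)
    flagged = set()
    for client, rs in by_client.items():
        window = []
        for r in rs:
            window.append(r)
            while r.ts - window[0].ts > occurrence_within:  # assumed sliding window
                window.pop(0)
            matching = sum(1 for w in window if matches(w))
            if matching <= occurrence_limit:          # "above this limit" means strictly greater
                continue
            if percentage_match and 100.0 * matching / len(window) <= percentage_match:
                continue
            flagged.add(client)
            break
    return flagged


def is_json(r): return r.content_type == "application/json"   # Content Scraping type
def is_404(r): return r.status == 404                          # HTTP Response Code type


# Constructed traffic: 10.0.0.5 bursts JSON, 10.0.0.9 browses a normal HTML/JSON mix,
# 10.0.0.7 receives a run of 404s.
SAMPLE = ([Response(t, "10.0.0.5", "application/json", 200) for t in range(12)]
          + [Response(t * 3.0, "10.0.0.9", "text/html" if t % 2 else "application/json", 200) for t in range(12)]
          + [Response(t, "10.0.0.7", "text/html", 404) for t in range(8)])


def demo():
    scrapers = rule_triggers(SAMPLE, is_json, 8, 10, percentage_match=80)  # >8 JSON in 10 s, >80 %
    probers = rule_triggers(SAMPLE, is_404, 5, 10)                          # >5 404s in 10 s, no % check
    return scrapers, probers
```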
