Configuring a Threshold Based Detection policy
Using Threshold Based Detection policies, FortiADC can determine whether requests are generated by bots rather than by a human by detecting suspicious behavior patterns that exceed the normal threshold defined in the policy. A Threshold Based Detection rule is defined by the number of times a type of behavior is allowed to occur within a specified amount of time. Once the number of occurrences exceeds the defined threshold value, the configured action is triggered in response to the suspicious behavior.
FortiADC supports the following three types of Threshold Based Detection:
- Crawler Detection — Detects web crawlers that are usually used to map out your application structure by monitoring the frequency of HTTP response codes. If the occurrence of a specified HTTP response code exceeds the allowable threshold in the specified time frame, FortiADC will execute the relevant action for the traffic.
- Content Detection — Detects malicious tools that try to download large amounts of content such as text/HTML and application/XML from your website by monitoring the frequency of download activities. If the occurrence of the download activity exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.
- Attack Detection — Detects suspicious attack behavior patterns indicative of a bot attack by monitoring the frequency of attacks detected in specific WAF Attack modules. If the occurrence of specific attacks exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.
FortiADC offers Predefined Threshold Based Detection policy configurations that can be applied as is or used as a template for customization.
After you have configured Threshold Based Detection policies, you can select them in WAF profiles.
Before you begin:
- You must have Read-Write permission for Security settings.
To configure a Threshold Based Detection policy:
- Go to Web Application Firewall > Threshold Based Detection.
- In the Threshold Based Detection tab, click Create New to display the configuration editor.
- Configure the following Threshold Based Detection settings:
Setting
Description
Name
Specify a name for the Threshold Based Detection rule. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The configuration name cannot be edited once it has been saved.
Comments
Optionally, enter comments about the Threshold Based Detection policy.
Crawler Detection
Crawler Status
Enable/disable Crawler Detection. This is disabled by default.
Response Code
Specify the 3-digit HTTP response code(s) to check. Enter a single code (e.g. 403), multiple codes (e.g. 403,404), or a range (e.g. 500-503). Range: 100-599.
Crawler Action
Select the action profile to apply when a web crawler bot is detected. See Configuring WAF Action objects.
The default action is alert.
Crawler Severity
Select the event severity to log when a web crawler bot is detected:
- High — Log as high severity events.
- Medium — Log as medium severity events.
- Low — Log as low severity events.
The default is Low.
Crawler Occurrence Limit
Specify the maximum number of responses with the specified Response Code that can be received within the time frame (set in Crawler Occurrence Within). If the limit is exceeded, the specified Crawler Action is triggered. Default: 100, Range: 1-100000.
Crawler Occurrence Within
Specify the time span during which responses with the specified Response Code are counted. Default: 60 seconds, Range: 1-600 seconds.
Content Detection
Content Scraping Status
Enable/disable Content Detection. This is disabled by default.
Content Type
Select one or more content types to monitor for content scraping:
- Text/HTML
- Text/Plain
- Text/XML
- Application/XML
- Application/Soap+XML
- Application/JSON
Content Action
Select the action profile to apply when a content scraping bot is detected. See Configuring WAF Action objects.
The default action is alert.
Content Severity
Select the event severity to log when a content scraping bot is detected:
- High — Log as high severity events.
- Medium — Log as medium severity events.
- Low — Log as low severity events.
The default is Low.
Content Occurrence Limit
Specify the maximum number of responses of the specified Content Type that can be received within the time frame (set in Content Occurrence Within). If the limit is exceeded, the specified Content Action is triggered. Default: 100, Range: 1-100000.
Content Occurrence Within
Specify the time span during which responses of the specified Content Type are counted. Default: 60 seconds, Range: 1-600 seconds.
Attack Detection
Attack Detection Status
Enable/disable Attack Detection. This is disabled by default.
Attack Modules
Select one or more attack modules to monitor for bot attacks:
- Web Attack Signature
- Input Validation
- Brute Force Attack Detection
- URL Protection
- HTTP Protocol Constraint
- Credential Stuffing Defense
Click Advanced to expand the selection list:
- Data Leak Prevention
- SQL/XSS Injection Detection
- Cookie Security
- CSRF Protection
- CORS Protection
- JSON Validation
- OpenAPI Validation
- XML Protection
- API Gateway
Attack Action
Select the action profile to apply when a bot attack is detected. See Configuring WAF Action objects.
The default action is alert.
Attack Severity
Select the event severity to log when a bot attack is detected:
- High — Log as high severity events.
- Medium — Log as medium severity events.
- Low — Log as low severity events.
The default is Low.
Attack Occurrence Limit
Specify the maximum number of attacks that the selected Attack Modules may detect within the time frame (set in Attack Occurrence Within). If the limit is exceeded, the specified Attack Action is triggered. Default: 100, Range: 1-100000.
Attack Occurrence Within
Specify the time span during which attacks detected by the selected Attack Modules are counted. Default: 60 seconds, Range: 1-600 seconds.
- Click Save.
The newly configured Threshold Based Detection policy is added to the Threshold Based Detection page.
Predefined Threshold Based Detection policy configurations
You can apply any of the predefined Threshold Based Detection policies in WAF profiles or you can clone a predefined configuration to use as a template to define your own policy.
| Name | Comments | Predefined settings |
|---|---|---|
| Bot_Detect | Detect suspicious bot with CAPTCHA action | Crawler Status — Enabled; Response Code — 403,404; Crawler Action — captcha; Crawler Severity — Medium; Crawler Occurrence Limit — 100; Crawler Occurrence Within — 60 (seconds); Content Scraping Status — Enabled; Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON; Content Action — captcha; Content Severity — Medium; Content Occurrence Limit — 100; Content Occurrence Within — 60 (seconds); Attack Detection Status — Enabled; Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense; Attack Action — captcha; Attack Severity — Medium; Attack Occurrence Limit — 100; Attack Occurrence Within — 60 (seconds) |
| Content_Scraping_Detect | Monitor the frequency of illegal content scraping with ALERT action | Crawler Status — Disabled; Content Scraping Status — Enabled; Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON; Content Action — alert; Content Severity — Low; Content Occurrence Limit — 100; Content Occurrence Within — 60 (seconds); Attack Detection Status — Disabled |
| Crawler_Detect | Monitor the frequency of 403 and 404 response codes with ALERT action | Crawler Status — Enabled; Response Code — 403,404; Crawler Action — alert; Crawler Severity — Low; Crawler Occurrence Limit — 100; Crawler Occurrence Within — 60 (seconds); Content Scraping Status — Disabled; Attack Detection Status — Disabled |
| High-Level-Security | Block all suspicious threshold violations | Crawler Status — Enabled; Response Code — 403,404; Crawler Action — deny; Crawler Severity — High; Crawler Occurrence Limit — 100; Crawler Occurrence Within — 60 (seconds); Content Scraping Status — Enabled; Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON; Content Action — deny; Content Severity — High; Content Occurrence Limit — 100; Content Occurrence Within — 60 (seconds); Attack Detection Status — Enabled; Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense; Attack Action — deny; Attack Severity — High; Attack Occurrence Limit — 100; Attack Occurrence Within — 60 (seconds) |
| Illegal_User_Detect | Detect illegal user with CAPTCHA action | Crawler Status — Disabled; Content Scraping Status — Disabled; Attack Detection Status — Enabled; Attack Modules — Brute Force Attack Detection, Credential Stuffing Defense; Attack Action — captcha; Attack Severity — Medium; Attack Occurrence Limit — 100; Attack Occurrence Within — 60 (seconds) |
| Vulnerability_Scan | Monitor the frequency of web attack signature violations with CAPTCHA action | Crawler Status — Disabled; Content Scraping Status — Disabled; Attack Detection Status — Enabled; Attack Modules — Web Attack Signature; Attack Action — captcha; Attack Severity — Medium; Attack Occurrence Limit — 100; Attack Occurrence Within — 60 (seconds) |
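All three detection types share one mechanism: count matching events in a rolling Occurrence Within window and trigger the configured action once the Occurrence Limit is exceeded. The following Python model, added here as an illustration and not FortiADC's own code, implements that window over constructed log records, mirrors the predefined Bot_Detect policy from the table above, and parses the Response Code field formats the page lists (single code, list, range). Counting per client address, the record fields (ts, client, status, content_type, attack_module), the window boundary rule, and the sample records are assumptions of this example; the page does not state what FortiADC counts occurrences against.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ThresholdRule:
    """One detection type of a Threshold Based Detection policy."""
    name: str         # "crawler", "content" or "attack"
    action: str       # WAF Action object: "alert", "captcha" or "deny"
    severity: str     # "Low", "Medium" or "High"
    limit: int = 100  # Occurrence Limit (page range 1-100000, default 100)
    within: int = 60  # Occurrence Within in seconds (page range 1-600, default 60)

    def __post_init__(self):
        if not 1 <= self.limit <= 100000:
            raise ValueError("Occurrence Limit must be 1-100000")
        if not 1 <= self.within <= 600:
            raise ValueError("Occurrence Within must be 1-600 seconds")


def parse_response_codes(spec: str) -> set[int]:
    """Parse the Response Code field: '403', '403,404' or '500-503' (100-599)."""
    codes: set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (100 <= lo_i <= hi_i <= 599):
            raise ValueError(f"bad response code spec: {part!r}")
        codes.update(range(lo_i, hi_i + 1))
    return codes


class ThresholdDetector:
    """Counts matching events per (rule, client) inside a sliding time window.

    Keying on the client address is an assumption of this example.
    """
    def __init__(self, rules: list[tuple[ThresholdRule, Callable[[dict], bool]]]):
        self.rules = rules
        self._events: dict[tuple[str, str], deque] = defaultdict(deque)

    def observe(self, rec: dict) -> list[dict]:
        """Feed one log record; return the actions it triggers (usually none)."""
        hits = []
        for rule, matches in self.rules:
            if not matches(rec):
                continue
            window = self._events[(rule.name, rec["client"])]
            window.append(rec["ts"])
            # Drop timestamps that fell out of the Occurrence Within window
            # (assumed half-open: an event exactly `within` seconds old is gone).
            while window and rec["ts"] - window[0] >= rule.within:
                window.popleft()
            # The page triggers when the limit is *exceeded*: strictly greater.
            if len(window) > rule.limit:
                hits.append({"rule": rule.name, "client": rec["client"],
                             "action": rule.action, "severity": rule.severity,
                             "count": len(window), "ts": rec["ts"]})
        return hits


def bot_detect_policy() -> ThresholdDetector:
    """Build a detector mirroring the predefined Bot_Detect policy (captcha, Medium, 100 in 60 s)."""
    codes = parse_response_codes("403,404")
    content_types = {"text/html", "text/plain", "text/xml", "application/xml",
                     "application/soap+xml", "application/json"}
    modules = {"Web Attack Signature", "Input Validation", "Brute Force Attack Detection",
               "URL Protection", "HTTP Protocol Constraint", "Credential Stuffing Defense"}
    return ThresholdDetector([
        (ThresholdRule("crawler", "captcha", "Medium"), lambda r: r["status"] in codes),
        (ThresholdRule("content", "captcha", "Medium"),
         lambda r: r.get("content_type", "").lower() in content_types),
        (ThresholdRule("attack", "captcha", "Medium"),
         lambda r: r.get("attack_module") in modules),
    ])


def run_sample() -> list[dict]:
    """Replay constructed log records (not real traffic) and return every triggered action."""
    det = bot_detect_policy()
    records = []
    # Client A: 101 x 404 in 50 s -> more than 100 inside one 60 s window (crawler hit).
    records += [{"ts": i * 0.5, "client": "203.0.113.7", "status": 404} for i in range(101)]
    # Client B: 101 x 404 spread over 120 s -> never more than 50 in any 60 s window, no hit.
    records += [{"ts": i * 1.2, "client": "198.51.100.9", "status": 404} for i in range(101)]
    # Client C: 101 JSON downloads in 30 s -> content scraping hit.
    records += [{"ts": i * 0.3, "client": "192.0.2.44", "status": 200,
                 "content_type": "application/json"} for i in range(101)]
    records.sort(key=lambda r: r["ts"])
    hits = []
    for rec in records:
        hits.extend(det.observe(rec))
    return hits


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Client B illustrates why the window length matters as much as the limit: the same 101 error responses spread over two minutes never exceed the threshold, so a policy tuned only by Occurrence Limit will miss slow crawlers unless Occurrence Within is raised accordingly.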