config security waf threshold-based-detection
Use this command to configure Threshold Based Detection policies. FortiADC uses Threshold Based Detection policies to determine whether requests are generated by robots rather than by a human, by detecting suspicious behavior patterns that exceed the normal threshold defined in the policy. Threshold Based Detection rules are defined by the number of times a type of behavior is allowed to occur within a specified amount of time. Once the number of occurrences exceeds the defined threshold value, an action is triggered in response to the suspicious behavior.
FortiADC supports the following three types of Threshold Based Detection:
- Crawler Detection — Detects web crawlers that are usually used to map out your application structure by monitoring the frequency of HTTP response codes. If the occurrence of a specified HTTP response code exceeds the allowable threshold in the specified time frame, FortiADC will execute the relevant action for the traffic.
- Content Detection — Detects malicious tools that try to download large amounts of content such as text/HTML and application/XML from your website by monitoring the frequency of download activities. If the occurrence of the download activity exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.
- Attack Detection — Detects suspicious attack behavior patterns indicative of a bot attack by monitoring the frequency of attacks detected in specific WAF Attack modules. If the occurrence of specific attacks exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.
FortiADC offers Predefined Threshold Based Detection policy configurations you can use to get started.
Predefined Threshold Based Detection policy configurations
| Name | Comments | Predefined settings |
|---|---|---|
| Bot_Detect | Detect suspicious bot with CAPTCHA action | Crawler Status — Enabled; Response Code — 403,404; Crawler Action — captcha; Crawler Severity — Medium; Crawler Occurrence Limit — 100; Crawler Occurrence Within — 60 (seconds); Content Scraping Status — Enabled; Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON; Content Action — captcha; Content Severity — Medium; Content Occurrence Limit — 100; Content Occurrence Within — 60 (seconds); Attack Detection Status — Enabled; Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense; Attack Action — captcha; Attack Severity — Medium; Attack Occurrence Limit — 100; Attack Occurrence Within — 60 (seconds) |
| Content_Scraping_Detect | Monitor the frequency of illegal content scraping with ALERT action | Crawler Status — Disabled; Content Scraping Status — Enabled; Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON; Content Action — alert; Content Severity — Low; Content Occurrence Limit — 100; Content Occurrence Within — 60 (seconds); Attack Detection Status — Disabled |
| Crawler_Detect | Monitor the frequency of 403 and 404 response codes with ALERT action | Crawler Status — Enabled; Response Code — 403,404; Crawler Action — alert; Crawler Severity — Low; Crawler Occurrence Limit — 100; Crawler Occurrence Within — 60 (seconds); Content Scraping Status — Disabled; Attack Detection Status — Disabled |
| High-Level-Security | Block all suspicious threshold violations | Crawler Status — Enabled; Response Code — 403,404; Crawler Action — deny; Crawler Severity — High; Crawler Occurrence Limit — 100; Crawler Occurrence Within — 60 (seconds); Content Scraping Status — Enabled; Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON; Content Action — deny; Content Severity — High; Content Occurrence Limit — 100; Content Occurrence Within — 60 (seconds); Attack Detection Status — Enabled; Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense; Attack Action — deny; Attack Severity — High; Attack Occurrence Limit — 100; Attack Occurrence Within — 60 (seconds) |
| Illegal_User_Detect | Detect illegal user with CAPTCHA action | Crawler Status — Disabled; Content Scraping Status — Disabled; Attack Detection Status — Enabled; Attack Modules — Brute Force Attack Detection, Credential Stuffing Defense; Attack Action — captcha; Attack Severity — Medium; Attack Occurrence Limit — 100; Attack Occurrence Within — 60 (seconds) |
| Vulnerability_Scan | Monitor the frequency of web attack signature violations with CAPTCHA action | Crawler Status — Disabled; Content Scraping Status — Disabled; Attack Detection Status — Enabled; Attack Modules — Web Attack Signature; Attack Action — captcha; Attack Severity — Medium; Attack Occurrence Limit — 100; Attack Occurrence Within — 60 (seconds) |
After you have configured Threshold Based Detection policies, you can select them in WAF profiles.
Before you begin:
- You must have read-write permission for security settings.
Syntax
config security waf threshold-based-detection
edit <name>
set crawler-status {enable|disable}
set response-code <integer>
set crawler-action <datasource>
set crawler-severity {high|medium|low}
set crawler-occurrence-limit <integer>
set crawler-occurrence-within <integer>
set content-scraping-status {enable|disable}
set content-type [text/html|text/plain|text/xml|application/xml|application/soap+xml|application/json]
set content-action <datasource>
set content-severity {high|medium|low}
set content-occurrence-limit <integer>
set content-occurrence-within <integer>
set attack-detection-status {enable|disable}
set attack-modules [web-attack-signature|http-protocol-constraint|sql-xss-injection-detection|url-protection|xml-validation|json-validation|openapi-validation|cookie-security|csrf-protection|brute-force-login|data-leak-prevention|input-validation|credential-stuffing-defense|http-header-security|api-gateway|cors-protection]
set attack-action <datasource>
set attack-severity {high|medium|low}
set attack-occurrence-limit <integer>
set attack-occurrence-within <integer>
set comment <string>
next
end
| Parameter | Description |
|---|---|
| crawler-status | Enable/disable Crawler Detection. This is disabled by default. |
| response-code | The response-code option is available if crawler-status is enabled. Specify the 3-digit HTTP response code(s) to check. Enter a single code (e.g. 403), multiple codes (e.g. 403,404), or a range (e.g. 500-503). Range: 100-599. |
| crawler-action | The crawler-action option is available if crawler-status is enabled. Select the action profile to apply when a web crawler bot is detected. See config security waf action. The default action is alert. |
| crawler-severity | The crawler-severity option is available if crawler-status is enabled. Select the event severity to log when a web crawler bot is detected: high, medium, or low. The default is low. |
| crawler-occurrence-limit | The crawler-occurrence-limit option is available if crawler-status is enabled. Specify the maximum number of responses with the specified response-code that may be received within the time frame (set in crawler-occurrence-within). If the limit is exceeded, the specified crawler-action is triggered. Default: 100, Range: 1-100000. |
| crawler-occurrence-within | The crawler-occurrence-within option is available if crawler-status is enabled. Specify the time span during which to count how many responses with the specified response-code are received. Default: 60 seconds, Range: 1-600 seconds. |
| content-scraping-status | Enable/disable Content Detection. This is disabled by default. |
| content-type | The content-type option is available if content-scraping-status is enabled. Select one or more content types to monitor for content scraping: text/html, text/plain, text/xml, application/xml, application/soap+xml, application/json. |
| content-action | The content-action option is available if content-scraping-status is enabled. Select the action profile to apply when a content scraping bot is detected. See config security waf action. The default action is alert. |
| content-severity | The content-severity option is available if content-scraping-status is enabled. Select the event severity to log when a content scraping bot is detected: high, medium, or low. The default is low. |
| content-occurrence-limit | The content-occurrence-limit option is available if content-scraping-status is enabled. Specify the maximum number of responses of the specified content-type that may be received within the time frame (set in content-occurrence-within). If the limit is exceeded, the specified content-action is triggered. Default: 100, Range: 1-100000. |
| content-occurrence-within | The content-occurrence-within option is available if content-scraping-status is enabled. Specify the time span during which to count how many responses of the specified content-type are received. Default: 60 seconds, Range: 1-600 seconds. |
| attack-detection-status | Enable/disable Attack Detection. This is disabled by default. |
| attack-modules | The attack-modules option is available if attack-detection-status is enabled. Select one or more attack modules to monitor for bot attacks: web-attack-signature, http-protocol-constraint, sql-xss-injection-detection, url-protection, xml-validation, json-validation, openapi-validation, cookie-security, csrf-protection, brute-force-login, data-leak-prevention, input-validation, credential-stuffing-defense, http-header-security, api-gateway, cors-protection. |
| attack-action | The attack-action option is available if attack-detection-status is enabled. Select the action profile to apply when a bot attack is detected. See config security waf action. The default action is alert. |
| attack-severity | The attack-severity option is available if attack-detection-status is enabled. Select the event severity to log when a bot attack is detected: high, medium, or low. The default is low. |
| attack-occurrence-limit | The attack-occurrence-limit option is available if attack-detection-status is enabled. Specify the maximum number of attacks the specified attack-modules may detect within the time frame (set in attack-occurrence-within). If the limit is exceeded, the specified attack-action is triggered. Default: 100, Range: 1-100000. |
| attack-occurrence-within | The attack-occurrence-within option is available if attack-detection-status is enabled. Specify the time span during which to count how many attacks the specified attack-modules detect. Default: 60 seconds, Range: 1-600 seconds. |
| comment | Optionally, enter comments about the Threshold Based Detection policy. |
Example
config security waf threshold-based-detection
edit "attack_1"
set crawler-status enable
set response-code 404
set crawler-action alert
set crawler-severity low
set crawler-occurrence-limit 1
set crawler-occurrence-within 60
set content-scraping-status enable
set content-type text/html
set content-action alert
set content-severity low
set content-occurrence-limit 1
set content-occurrence-within 60
set attack-detection-status enable
set attack-modules url-protection
set attack-action alert
set attack-severity low
set attack-occurrence-limit 2
set attack-occurrence-within 60
next
end
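To make the counting rule concrete, the following is a constructed Python model (added here, not FortiADC code) of the sliding-window threshold semantics this page describes: one per-client counter for each of the three detectors, plus a parser for the single, comma-separated and range forms that response-code accepts. It replays the attack_1 example policy above against a few constructed log rows; the client IPs, timestamps, and the ThresholdDetector and run_policy names are this example's own assumptions.

```python
# Constructed model (not FortiADC code) of the threshold semantics this page describes:
# per client, count matching events in a sliding window and act once the count exceeds the limit.
from collections import defaultdict, deque

def parse_response_codes(spec):
    """Expand '403', '403,404' or '500-503' into a set of ints, enforcing the 100-599 range."""
    codes = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        codes.update(range(int(lo), int(hi or lo) + 1))
    if not codes or not all(100 <= c <= 599 for c in codes):
        raise ValueError("response codes must lie in 100-599")
    return codes

class ThresholdDetector:  # one match set, occurrence limit, window (seconds) and action profile
    def __init__(self, matches, limit, within, action):
        self.matches, self.limit, self.within, self.action = matches, limit, within, action
        self.events = defaultdict(deque)  # client -> timestamps of matching events

    def observe(self, client, key, ts):
        """Return the action once `client` has more than `limit` matches within `within` s, else None."""
        if key not in self.matches:
            return None
        window = self.events[client]
        window.append(ts)
        while ts - window[0] > self.within:  # drop events that have aged out of the window
            window.popleft()
        return self.action if len(window) > self.limit else None

def run_policy(log):
    """Apply the page's 'attack_1' example policy to (ts, client, status, content_type, module) rows."""
    crawler = ThresholdDetector(parse_response_codes("404"), 1, 60, "alert")
    content = ThresholdDetector({"text/html"}, 1, 60, "alert")
    attack = ThresholdDetector({"url-protection"}, 2, 60, "alert")
    hits = []
    for ts, client, status, ctype, module in log:
        for name, det, key in (("crawler", crawler, status), ("content", content, ctype), ("attack", attack, module)):
            if action := det.observe(client, key, ts):
                hits.append((ts, client, name, action))
    return hits

SAMPLE_LOG = [  # constructed rows: (seconds, client IP, HTTP status, content type, WAF module that fired)
    (0, "10.0.0.5", 404, "text/html", None),
    (10, "10.0.0.5", 404, "text/html", None),  # 2nd 404 and 2nd text/html in 60 s: limit 1 exceeded twice
    (20, "10.0.0.9", 200, "application/json", "url-protection"),
    (30, "10.0.0.9", 200, "application/json", "url-protection"),
    (50, "10.0.0.9", 200, "application/json", "url-protection"),  # 3rd hit in 60 s: limit 2 exceeded
    (100, "10.0.0.5", 404, "text/plain", None),  # the earlier 404s have aged out: no alert
]
```

Note that the last row produces nothing: the two 404s at 0 s and 10 s are older than crawler-occurrence-within by then, so only one 404 remains in the window and the limit is not exceeded.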