Fortinet white logo
Fortinet white logo

Handbook

Configuring a Threshold Based Detection policy

Configuring a Threshold Based Detection policy

Using Threshold Based Detection policies, FortiADC can determine whether requests are generated by robots instead of a human by detecting suspicious behavior patterns that exceed the normal threshold defined in the policy. Threshold Based Detection rules are defined by the number of times a type of behavior is allowed to occur within a specified amount of time. Once the number of occurrence exceeds the defined threshold value, an action is triggered in response to detecting the suspicious behavior.

FortiADC supports the following three types of Threshold Based Detection:

  • Crawler Detection — Detects web crawlers that are usually used to map out your application structure by monitoring the frequency of HTTP response codes. If the occurrence of a specified HTTP response code exceeds the allowable threshold in the specified time frame, FortiADC will execute the relevant action for the traffic.
  • Content Detection — Detects malicious tools that try to download large amounts of content such as text/HTML and application/ XML from your website by monitoring the frequency of download activities. If the occurrence of the download activity exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.
  • Attack Detection — Detects suspicious attack behavior patterns indicative of a bot attack by monitoring the frequency of attacks detected in specific WAF Attack modules. If the occurrence of specific attacks exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.

FortiADC offers Predefined Threshold Based Detection policy configurations that can be applied as is or used as a template for customization.

After you have configured Threshold Based Detection policies, you can select them in WAF profiles.

Before you begin:
  • You must have Read-Write permission for Security settings.
To configure a Threshold Based Detection policy:
  1. Go to Web Application Firewall > Threshold Based Detection.
  2. In the Threshold Based Detection tab, click Create New to display the configuration editor.
  3. Configure the following Biometrics Based Detection settings:

    Setting

    Description

    Name

    Specify a name for the Threshold Based Detection rule. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    The configuration name cannot be edited once it has been saved.

    Comments

    Optionally, enter comments about the Threshold Based Detection policy.

    Crawler Detection
    Crawler StatusEnable/Disable Crawler Detection. This is disabled by default.
    Response CodeSpecify the 3 digit HTTP response code(s) to check. Enter as a single code (e.g. 403), multiple codes (e.g. 403,404), or as a range (e.g. 500-503). Range: 100-599.
    Crawler Action

    Select the action profile to apply when a web crawler bot is detected. See Configuring WAF Action objects.

    The default action is alert.

    Crawler Severity

    Select the event severity to log when a web crawler bot is detected:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is low.

    Crawler Occurrence Limit

    Specify the maximum number of responses that can be received from the specified Response Code within the time frame (set in Crawler Occurrence Within). If the limit is exceeded, the specified Crawler Action will be triggered. Default: 100, Range: 1-100000.

    Crawler Occurrence Within

    Specify the time span during which to count how many times a response is received from the specified Response Code. Default: 60 seconds, Range: 1-600 seconds.

    Content Detection

    Content Scraping Status

    Enable/disable Content Detection. This is disabled by default.

    Content Type

    Select one or more content type to monitor for content scraping:

    • Text/HTML
    • Text/Plain
    • Text/XML
    • Application/XML
    • Application/Soap+XML
    • Application/JSON

    Content Action

    Select the action profile to apply when a content scraping bot is detected. See Configuring WAF Action objects.

    The default action is alert.

    Content Severity

    Select the event severity to log when a content scraping bot is detected:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is low.

    Content Occurrence Limit

    Specify the maximum number of responses that can be received from the specified Content Type within the time frame (set in Content Occurrence Within). If the limit is exceeded, the specified Content Action will be triggered. Default: 100, Range: 1-100000.

    Content Occurrence Within

    Specify the time span during which to count how many times a response is received from the specified Content Type. Default: 60 seconds, Range: 1-600 seconds.

    Attack Detection

    Attack Detection Status

    Enable/disable Attack Detection. This is disabled by default.

    Attack Modules

    Select one or more attack modules to monitor for bot attacks:

    • Web Attack Signature
    • Input Validation
    • Brute Force Attack Detection
    • URL Protection
    • HTTP Protocol Constraint
    • Credential Stuffing Defense

    Click Advanced to expand the selection list:

    • Data Leak Prevention
    • SQL/XSS Injection Detection
    • Cookie Security
    • CSRF Protection
    • CORS Protection
    • JSON Validation
    • OpenAPI Validation
    • XML Protection
    • API Gateway

    Attack Action

    Select the action profile to apply when a bot attack is detected. See Configuring WAF Action objects.

    The default action is alert.

    Attack Severity

    Select the event severity to log when a bot attack is detected:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is Low.

    Attack Occurrence Limit

    Specify the maximum number of responses that can be received from the specified Attack Module within the time frame (set in Attack Occurrence Within). If the limit is exceeded, the specified Attack Action will be triggered. Default: 100, Range: 1-100000.

    Attack Occurrence Within

    Specify the time span during which to count how many times a response is received from the specified Attack Module. Default: 60 seconds, Range: 1-600 seconds.

  4. Click Save.
    The newly configured Threshold Based Detection policy is added to the Threshold Based Detection page.
Predefined Threshold Based Detection policy configurations

You can apply any of the predefined Threshold Based Detection policies in WAF profiles or you can clone a predefined configuration to use as a template to define your own policy.

Name

Comments

Predefined settings

Bot_Detect

Detect suspicious bot with CAPTCHA action

Crawler Status — Enabled

Response Code — 403,404

Crawler Action — captcha

Crawler Severity — Medium

Crawler Occurrence Limit — 100

Crawler Occurrence Within — 60 (seconds)

Content Scraping Status — Enabled

Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON

Content Action — captcha

Content Severity — Medium

Content Occurrence Limit — 100

Content Occurrence Within — 60 (seconds)

Attack Detection Status — Enabled

Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense

Attack Action — captcha

Attack Severity — Medium

Attack Occurrence Limit — 100

Attack Occurrence Within — 60 (seconds)

Content_Scraping_Detect

Monitor the frequency of illegal content scraping with ALERT action

Crawler Status — Disabled

Content Scraping Status — Enabled

Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON

Content Action — alert

Content Severity — Low

Content Occurrence Limit — 100

Content Occurrence Within — 60 (seconds)

Attack Detection Status — Disabled

Crawler_Detect

Monitor the frequency of 403 and 404 response codes with ALERT action

Crawler Status — Enabled

Response Code — 403,404

Crawler Action — alert

Crawler Severity — Low

Crawler Occurrence Limit — 100

Crawler Occurrence Within — 60 (seconds)

Content Scraping Status — Disabled

Attack Detection Status — Disabled

High-Level-Security

Block all suspicious threshold violations

Crawler Status — Enabled

Response Code — 403,404

Crawler Action — deny

Crawler Severity — High

Crawler Occurrence Limit — 100

Crawler Occurrence Within — 60 (seconds)

Content Scraping Status — Enabled

Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON

Content Action — deny

Content Severity — High

Content Occurrence Limit — 100

Content Occurrence Within — 60 (seconds)

Attack Detection Status — Enabled

Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense

  • Advanced — Data Leak Prevention, SQL/XSS Injection Detection, Cookie Security, CSRF Protection, CORS Protection, JSON Validation, OpenAPI Validation, XML Protection, API Gateway

Attack Action — deny

Attack Severity — High

Attack Occurrence Limit — 100

Attack Occurrence Within — 60 (seconds)

Illegal_User_Detect

Detect illegal user with CAPTCHA action

Crawler Status — Disabled

Content Scraping Status — Disabled

Attack Detection Status — Enabled

Attack Modules — Brute Force Attack Detection, Credential Stuffing Defense

Attack Action — captcha

Attack Severity — Medium

Attack Occurrence Limit — 100

Attack Occurrence Within — 60 (seconds)

Vulnerability_Scan

Monitor the frequency of web attack signature violations with CAPTCHA action

Crawler Status — Disabled

Content Scraping Status — Disabled

Attack Detection Status — Enabled

Attack Modules — Web Attack Signature

Attack Action — captcha

Attack Severity — Medium

Attack Occurrence Limit — 100

Attack Occurrence Within — 60 (seconds)

Configuring a Threshold Based Detection policy

Configuring a Threshold Based Detection policy

Using Threshold Based Detection policies, FortiADC can determine whether requests are generated by robots instead of a human by detecting suspicious behavior patterns that exceed the normal threshold defined in the policy. Threshold Based Detection rules are defined by the number of times a type of behavior is allowed to occur within a specified amount of time. Once the number of occurrence exceeds the defined threshold value, an action is triggered in response to detecting the suspicious behavior.

FortiADC supports the following three types of Threshold Based Detection:

  • Crawler Detection — Detects web crawlers that are usually used to map out your application structure by monitoring the frequency of HTTP response codes. If the occurrence of a specified HTTP response code exceeds the allowable threshold in the specified time frame, FortiADC will execute the relevant action for the traffic.
  • Content Detection — Detects malicious tools that try to download large amounts of content such as text/HTML and application/ XML from your website by monitoring the frequency of download activities. If the occurrence of the download activity exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.
  • Attack Detection — Detects suspicious attack behavior patterns indicative of a bot attack by monitoring the frequency of attacks detected in specific WAF Attack modules. If the occurrence of specific attacks exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.

FortiADC offers Predefined Threshold Based Detection policy configurations that can be applied as is or used as a template for customization.

After you have configured Threshold Based Detection policies, you can select them in WAF profiles.

Before you begin:
  • You must have Read-Write permission for Security settings.
To configure a Threshold Based Detection policy:
  1. Go to Web Application Firewall > Threshold Based Detection.
  2. In the Threshold Based Detection tab, click Create New to display the configuration editor.
  3. Configure the following Biometrics Based Detection settings:

    Setting

    Description

    Name

    Specify a name for the Threshold Based Detection rule. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    The configuration name cannot be edited once it has been saved.

    Comments

    Optionally, enter comments about the Threshold Based Detection policy.

    Crawler Detection
    Crawler StatusEnable/Disable Crawler Detection. This is disabled by default.
    Response CodeSpecify the 3 digit HTTP response code(s) to check. Enter as a single code (e.g. 403), multiple codes (e.g. 403,404), or as a range (e.g. 500-503). Range: 100-599.
    Crawler Action

    Select the action profile to apply when a web crawler bot is detected. See Configuring WAF Action objects.

    The default action is alert.

    Crawler Severity

    Select the event severity to log when a web crawler bot is detected:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is low.

    Crawler Occurrence Limit

    Specify the maximum number of responses that can be received from the specified Response Code within the time frame (set in Crawler Occurrence Within). If the limit is exceeded, the specified Crawler Action will be triggered. Default: 100, Range: 1-100000.

    Crawler Occurrence Within

    Specify the time span during which to count how many times a response is received from the specified Response Code. Default: 60 seconds, Range: 1-600 seconds.

    Content Detection

    Content Scraping Status

    Enable/disable Content Detection. This is disabled by default.

    Content Type

    Select one or more content type to monitor for content scraping:

    • Text/HTML
    • Text/Plain
    • Text/XML
    • Application/XML
    • Application/Soap+XML
    • Application/JSON

    Content Action

    Select the action profile to apply when a content scraping bot is detected. See Configuring WAF Action objects.

    The default action is alert.

    Content Severity

    Select the event severity to log when a content scraping bot is detected:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is low.

    Content Occurrence Limit

    Specify the maximum number of responses that can be received from the specified Content Type within the time frame (set in Content Occurrence Within). If the limit is exceeded, the specified Content Action will be triggered. Default: 100, Range: 1-100000.

    Content Occurrence Within

    Specify the time span during which to count how many times a response is received from the specified Content Type. Default: 60 seconds, Range: 1-600 seconds.

    Attack Detection

    Attack Detection Status

    Enable/disable Attack Detection. This is disabled by default.

    Attack Modules

    Select one or more attack modules to monitor for bot attacks:

    • Web Attack Signature
    • Input Validation
    • Brute Force Attack Detection
    • URL Protection
    • HTTP Protocol Constraint
    • Credential Stuffing Defense

    Click Advanced to expand the selection list:

    • Data Leak Prevention
    • SQL/XSS Injection Detection
    • Cookie Security
    • CSRF Protection
    • CORS Protection
    • JSON Validation
    • OpenAPI Validation
    • XML Protection
    • API Gateway

    Attack Action

    Select the action profile to apply when a bot attack is detected. See Configuring WAF Action objects.

    The default action is alert.

    Attack Severity

    Select the event severity to log when a bot attack is detected:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is Low.

    Attack Occurrence Limit

    Specify the maximum number of responses that can be received from the specified Attack Module within the time frame (set in Attack Occurrence Within). If the limit is exceeded, the specified Attack Action will be triggered. Default: 100, Range: 1-100000.

    Attack Occurrence Within

    Specify the time span during which to count how many times a response is received from the specified Attack Module. Default: 60 seconds, Range: 1-600 seconds.

  4. Click Save.
    The newly configured Threshold Based Detection policy is added to the Threshold Based Detection page.
Predefined Threshold Based Detection policy configurations

You can apply any of the predefined Threshold Based Detection policies in WAF profiles or you can clone a predefined configuration to use as a template to define your own policy.

Name

Comments

Predefined settings

Bot_Detect

Detect suspicious bot with CAPTCHA action

Crawler Status — Enabled

Response Code — 403,404

Crawler Action — captcha

Crawler Severity — Medium

Crawler Occurrence Limit — 100

Crawler Occurrence Within — 60 (seconds)

Content Scraping Status — Enabled

Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON

Content Action — captcha

Content Severity — Medium

Content Occurrence Limit — 100

Content Occurrence Within — 60 (seconds)

Attack Detection Status — Enabled

Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense

Attack Action — captcha

Attack Severity — Medium

Attack Occurrence Limit — 100

Attack Occurrence Within — 60 (seconds)

Content_Scraping_Detect

Monitor the frequency of illegal content scraping with ALERT action

Crawler Status — Disabled

Content Scraping Status — Enabled

Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON

Content Action — alert

Content Severity — Low

Content Occurrence Limit — 100

Content Occurrence Within — 60 (seconds)

Attack Detection Status — Disabled

Crawler_Detect

Monitor the frequency of 403 and 404 response codes with ALERT action

Crawler Status — Enabled

Response Code — 403,404

Crawler Action — alert

Crawler Severity — Low

Crawler Occurrence Limit — 100

Crawler Occurrence Within — 60 (seconds)

Content Scraping Status — Disabled

Attack Detection Status — Disabled

High-Level-Security

Block all suspicious threshold violations

Crawler Status — Enabled

Response Code — 403,404

Crawler Action — deny

Crawler Severity — High

Crawler Occurrence Limit — 100

Crawler Occurrence Within — 60 (seconds)

Content Scraping Status — Enabled

Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON

Content Action — deny

Content Severity — High

Content Occurrence Limit — 100

Content Occurrence Within — 60 (seconds)

Attack Detection Status — Enabled

Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense

  • Advanced — Data Leak Prevention, SQL/XSS Injection Detection, Cookie Security, CSRF Protection, CORS Protection, JSON Validation, OpenAPI Validation, XML Protection, API Gateway

Attack Action — deny

Attack Severity — High

Attack Occurrence Limit — 100

Attack Occurrence Within — 60 (seconds)

Illegal_User_Detect

Detect illegal user with CAPTCHA action

Crawler Status — Disabled

Content Scraping Status — Disabled

Attack Detection Status — Enabled

Attack Modules — Brute Force Attack Detection, Credential Stuffing Defense

Attack Action — captcha

Attack Severity — Medium

Attack Occurrence Limit — 100

Attack Occurrence Within — 60 (seconds)

Vulnerability_Scan

Monitor the frequency of web attack signature violations with CAPTCHA action

Crawler Status — Disabled

Content Scraping Status — Disabled

Attack Detection Status — Enabled

Attack Modules — Web Attack Signature

Attack Action — captcha

Attack Severity — Medium

Attack Occurrence Limit — 100

Attack Occurrence Within — 60 (seconds)