Fortinet white logo
Fortinet white logo

CLI Reference

config security waf fingerprint-based-detection

config security waf fingerprint-based-detection

Use this command to configure Fingerprint Based Detection policies. Fingerprint Based Detection detects the client's fingerprint using multiple characteristics to ascertain whether an access request originates from a human or a bot. Using the Fingerprint Based Detection policy, FortiADC collects and monitors the behavioral fingerprint information, such as WebDriver, WindowsProperties and MimeTypesConsistent, with JavaScript enabled on the client browser. The collected information forms the client fingerprint that is then checked against known automation tools and frameworks to determine whether the requests are generated by automation tools such as Headless Chrome, Selenium or Electron.

After you have configured Fingerprint Based Detection policies, you can select them in WAF profiles.

Before you begin:
  • You must have read-write permission for security settings.

Syntax

config security waf biometrics-based-detection

edit <name>

set ignore-js-check {enable|disable}

set fingerprint-detectors [chrome_headless|selenium|electron|others]

set bot-effective-time <integer>

set js-request-url <string>

set action <datasource>

set severity {high|medium|low}

set exception <datasource>

config url-list

edit <No.>

set host-status {enable/disable}

set host <string>

set request-url <string>

next

end

next

end

ignore-js-check

Enable/disable redirect to a warning page to enable JavaScript. This is disabled by default.

  • Disable — FortiADC will check if JavaScript is enabled on the client browser. If JavaScript is not enabled, then FortiADC will redirect to a warning page to let the user enable JavaScript. If the client does not enable JavaScript, Fingerprint Based Detection cannot be activated.
  • Enable — FortiADC will not check if JavaScript is enabled on the client browser. If JavaScript is enabled on the client browser, behavioral fingerprint information can be collected normally and FortiADC can determine if it is a bot or not. But if JavaScript is disabled on the client browser, Fingerprint Based Detection cannot be activated.

fingerprint-detectors

Select one or more fingerprint detectors:

  • chrome_headless — Headless Chrome
  • selenium — Selenium
  • electron — Electron
  • others — includes SlimerJS and CefSharp

All fingerprint detectors are preselected by default. If the configuration is saved with no Fingerprint Detectors selected, it will default to the preselected.

bot-effective-time

Specify the time interval before FortiADC tests and verifies a bot again, once a bot has been detected. Default: 5 Range: 1-60 minute(s).

js-request-url

Specify the URL to use to insert JavaScript code to the client browser. Default: /fadc_client/fp_detect.js.

action

Select the action profile to apply when a bot is detected. See config security waf action.

The default action is alert.

severity

Select the event severity to log when a bot is detected:

  • high — Log as high severity events.
  • medium — Log as a medium severity events.
  • low — Log as low severity events.

The default is low.

exception

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

config url-list

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

The host option is available if host-status is enabled.

Specify the HTTP Host header. If Host Status is enabled, the policy matches only if the Host header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

request-url

The literal URL, such as /index.php, or a regular expression, such as ^/*.php that the HTTP request must contain in order to match the rule. Multiple URLs are supported.

Example

config security waf biometrics-based-detection

edit "Test"

set ignore-js-check disable

set fingerprint-detectors chrome_headless selenium electron others

set bot-effective-time 1

set js-request-url /fadc_client/fp_detect.js

set action deny

set severity low

set exception IP_exception

config url-list

edit 1

set host-status disable

set request-url .*

next

end

next

end

config security waf fingerprint-based-detection

config security waf fingerprint-based-detection

Use this command to configure Fingerprint Based Detection policies. Fingerprint Based Detection detects the client's fingerprint using multiple characteristics to ascertain whether an access request originates from a human or a bot. Using the Fingerprint Based Detection policy, FortiADC collects and monitors the behavioral fingerprint information, such as WebDriver, WindowsProperties and MimeTypesConsistent, with JavaScript enabled on the client browser. The collected information forms the client fingerprint that is then checked against known automation tools and frameworks to determine whether the requests are generated by automation tools such as Headless Chrome, Selenium or Electron.

After you have configured Fingerprint Based Detection policies, you can select them in WAF profiles.

Before you begin:
  • You must have read-write permission for security settings.

Syntax

config security waf biometrics-based-detection

edit <name>

set ignore-js-check {enable|disable}

set fingerprint-detectors [chrome_headless|selenium|electron|others]

set bot-effective-time <integer>

set js-request-url <string>

set action <datasource>

set severity {high|medium|low}

set exception <datasource>

config url-list

edit <No.>

set host-status {enable/disable}

set host <string>

set request-url <string>

next

end

next

end

ignore-js-check

Enable/disable redirect to a warning page to enable JavaScript. This is disabled by default.

  • Disable — FortiADC will check if JavaScript is enabled on the client browser. If JavaScript is not enabled, then FortiADC will redirect to a warning page to let the user enable JavaScript. If the client does not enable JavaScript, Fingerprint Based Detection cannot be activated.
  • Enable — FortiADC will not check if JavaScript is enabled on the client browser. If JavaScript is enabled on the client browser, behavioral fingerprint information can be collected normally and FortiADC can determine if it is a bot or not. But if JavaScript is disabled on the client browser, Fingerprint Based Detection cannot be activated.

fingerprint-detectors

Select one or more fingerprint detectors:

  • chrome_headless — Headless Chrome
  • selenium — Selenium
  • electron — Electron
  • others — includes SlimerJS and CefSharp

All fingerprint detectors are preselected by default. If the configuration is saved with no Fingerprint Detectors selected, it will default to the preselected.

bot-effective-time

Specify the time interval before FortiADC tests and verifies a bot again, once a bot has been detected. Default: 5 Range: 1-60 minute(s).

js-request-url

Specify the URL to use to insert JavaScript code to the client browser. Default: /fadc_client/fp_detect.js.

action

Select the action profile to apply when a bot is detected. See config security waf action.

The default action is alert.

severity

Select the event severity to log when a bot is detected:

  • high — Log as high severity events.
  • medium — Log as a medium severity events.
  • low — Log as low severity events.

The default is low.

exception

Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

config url-list

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

The host option is available if host-status is enabled.

Specify the HTTP Host header. If Host Status is enabled, the policy matches only if the Host header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

request-url

The literal URL, such as /index.php, or a regular expression, such as ^/*.php that the HTTP request must contain in order to match the rule. Multiple URLs are supported.

Example

config security waf biometrics-based-detection

edit "Test"

set ignore-js-check disable

set fingerprint-detectors chrome_headless selenium electron others

set bot-effective-time 1

set js-request-url /fadc_client/fp_detect.js

set action deny

set severity low

set exception IP_exception

config url-list

edit 1

set host-status disable

set request-url .*

next

end

next

end