CLI Reference

config security waf threshold-based-detection

Use this command to configure Threshold Based Detection policies. FortiADC uses Threshold Based Detection policies to determine whether requests are generated by bots rather than a human, by detecting suspicious behavior patterns that exceed the normal threshold defined in the policy. A Threshold Based Detection rule is defined by the number of times a type of behavior is allowed to occur within a specified amount of time. Once the number of occurrences exceeds the defined threshold value, an action is triggered in response to the suspicious behavior.

FortiADC supports the following three types of Threshold Based Detection:

  • Crawler Detection — Detects web crawlers that are usually used to map out your application structure by monitoring the frequency of HTTP response codes. If the occurrence of a specified HTTP response code exceeds the allowable threshold in the specified time frame, FortiADC will execute the relevant action for the traffic.
  • Content Detection — Detects malicious tools that try to download large amounts of content such as text/HTML and application/XML from your website by monitoring the frequency of download activities. If the occurrence of the download activity exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.
  • Attack Detection — Detects suspicious attack behavior patterns indicative of a bot attack by monitoring the frequency of attacks detected in specific WAF Attack modules. If the occurrence of specific attacks exceeds the allowable threshold within the specified time frame, FortiADC will execute the relevant action for the traffic.

FortiADC offers Predefined Threshold Based Detection policy configurations you can use to get started.

Predefined Threshold Based Detection policy configurations

Bot_Detect
  Comments: Detect suspicious bot with CAPTCHA action
  Predefined settings:
    • Crawler Status — Enabled
    • Response Code — 403,404
    • Crawler Action — captcha
    • Crawler Severity — Medium
    • Crawler Occurrence Limit — 100
    • Crawler Occurrence Within — 60 (seconds)
    • Content Scraping Status — Enabled
    • Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON
    • Content Action — captcha
    • Content Severity — Medium
    • Content Occurrence Limit — 100
    • Content Occurrence Within — 60 (seconds)
    • Attack Detection Status — Enabled
    • Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense
    • Attack Action — captcha
    • Attack Severity — Medium
    • Attack Occurrence Limit — 100
    • Attack Occurrence Within — 60 (seconds)

Content_Scraping_Detect
  Comments: Monitor the frequency of illegal content scraping with ALERT action
  Predefined settings:
    • Crawler Status — Disabled
    • Content Scraping Status — Enabled
    • Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON
    • Content Action — alert
    • Content Severity — Low
    • Content Occurrence Limit — 100
    • Content Occurrence Within — 60 (seconds)
    • Attack Detection Status — Disabled

Crawler_Detect
  Comments: Monitor the frequency of 403 and 404 response codes with ALERT action
  Predefined settings:
    • Crawler Status — Enabled
    • Response Code — 403,404
    • Crawler Action — alert
    • Crawler Severity — Low
    • Crawler Occurrence Limit — 100
    • Crawler Occurrence Within — 60 (seconds)
    • Content Scraping Status — Disabled
    • Attack Detection Status — Disabled

High-Level-Security
  Comments: Block all suspicious threshold violations
  Predefined settings:
    • Crawler Status — Enabled
    • Response Code — 403,404
    • Crawler Action — deny
    • Crawler Severity — High
    • Crawler Occurrence Limit — 100
    • Crawler Occurrence Within — 60 (seconds)
    • Content Scraping Status — Enabled
    • Content Type — Text/HTML, Text/Plain, Text/XML, Application/XML, Application/Soap+XML, Application/JSON
    • Content Action — deny
    • Content Severity — High
    • Content Occurrence Limit — 100
    • Content Occurrence Within — 60 (seconds)
    • Attack Detection Status — Enabled
    • Attack Modules — Web Attack Signature, Input Validation, Brute Force Attack Detection, URL Protection, HTTP Protocol Constraint, Credential Stuffing Defense
      • Advanced — Data Leak Prevention, SQL/XSS Injection Detection, Cookie Security, CSRF Protection, CORS Protection, JSON Validation, OpenAPI Validation, XML Protection, API Gateway
    • Attack Action — deny
    • Attack Severity — High
    • Attack Occurrence Limit — 100
    • Attack Occurrence Within — 60 (seconds)

Illegal_User_Detect
  Comments: Detect illegal user with CAPTCHA action
  Predefined settings:
    • Crawler Status — Disabled
    • Content Scraping Status — Disabled
    • Attack Detection Status — Enabled
    • Attack Modules — Brute Force Attack Detection, Credential Stuffing Defense
    • Attack Action — captcha
    • Attack Severity — Medium
    • Attack Occurrence Limit — 100
    • Attack Occurrence Within — 60 (seconds)

Vulnerability_Scan
  Comments: Monitor the frequency of web attack signature violations with CAPTCHA action
  Predefined settings:
    • Crawler Status — Disabled
    • Content Scraping Status — Disabled
    • Attack Detection Status — Enabled
    • Attack Modules — Web Attack Signature
    • Attack Action — captcha
    • Attack Severity — Medium
    • Attack Occurrence Limit — 100
    • Attack Occurrence Within — 60 (seconds)

After you have configured Threshold Based Detection policies, you can select them in WAF profiles.

Before you begin:
  • You must have read-write permission for security settings.

Syntax

config security waf threshold-based-detection
  edit <name>
    set crawler-status {enable|disable}
    set response-code <integer>
    set crawler-action <datasource>
    set crawler-severity {high|medium|low}
    set crawler-occurrence-limit <integer>
    set crawler-occurrence-within <integer>
    set content-scraping-status {enable|disable}
    set content-type [text/html|text/plain|text/xml|application/xml|application/soap+xml|application/json]
    set content-action <datasource>
    set content-severity {high|medium|low}
    set content-occurrence-limit <integer>
    set content-occurrence-within <integer>
    set attack-detection-status {enable|disable}
    set attack-modules [web-attack-signature|http-protocol-constraint|sql-xss-injection-detection|url-protection|xml-validation|json-validation|openapi-validation|cookie-security|csrf-protection|brute-force-login|data-leak-prevention|input-validation|credential-stuffing-defense|http-header-security|api-gateway|cors-protection]
    set attack-action <datasource>
    set attack-severity {high|medium|low}
    set attack-occurrence-limit <integer>
    set attack-occurrence-within <integer>
    set comment <string>
  next
end

crawler-status

Enable/disable Crawler Detection. This is disabled by default.

response-code

The response-code option is available if crawler-status is enabled.

Specify the 3-digit HTTP response code(s) to check. Enter a single code (e.g. 403), multiple comma-separated codes (e.g. 403,404), or a range (e.g. 500-503). Range: 100-599.

crawler-action

The crawler-action option is available if crawler-status is enabled.

Select the action profile to apply when a web crawler bot is detected. See config security waf action.

The default action is alert.

crawler-severity

The crawler-severity option is available if crawler-status is enabled.

Select the event severity to log when a web crawler bot is detected:

  • high — Log as high severity events.
  • medium — Log as medium severity events.
  • low — Log as low severity events.

The default is low.

crawler-occurrence-limit

The crawler-occurrence-limit option is available if crawler-status is enabled.

Specify the maximum number of responses with the specified response-code that can be received within the time frame (set in crawler-occurrence-within). If the limit is exceeded, the specified crawler-action will be triggered. Default: 100, Range: 1-100000.

crawler-occurrence-within

The crawler-occurrence-within option is available if crawler-status is enabled.

Specify the time span during which to count how many responses with the specified response-code are received. Default: 60 seconds, Range: 1-600 seconds.

content-scraping-status

Enable/disable Content Detection. This is disabled by default.

content-type

The content-type option is available if content-scraping-status is enabled.

Select one or more content types to monitor for content scraping:

  • text/html
  • text/plain
  • text/xml
  • application/xml
  • application/soap+xml
  • application/json

content-action

The content-action option is available if content-scraping-status is enabled.

Select the action profile to apply when a content scraping bot is detected. See config security waf action.

The default action is alert.

content-severity

The content-severity option is available if content-scraping-status is enabled.

Select the event severity to log when a content scraping bot is detected:

  • high — Log as high severity events.
  • medium — Log as medium severity events.
  • low — Log as low severity events.

The default is low.

content-occurrence-limit

The content-occurrence-limit option is available if content-scraping-status is enabled.

Specify the maximum number of responses with the specified content-type that can be received within the time frame (set in content-occurrence-within). If the limit is exceeded, the specified content-action will be triggered. Default: 100, Range: 1-100000.

content-occurrence-within

The content-occurrence-within option is available if content-scraping-status is enabled.

Specify the time span during which to count how many responses with the specified content-type are received. Default: 60 seconds, Range: 1-600 seconds.

attack-detection-status

Enable/disable Attack Detection. This is disabled by default.

attack-modules

The attack-modules option is available if attack-detection-status is enabled.

Select one or more attack modules to monitor for bot attacks:

  • web-attack-signature
  • http-protocol-constraint
  • sql-xss-injection-detection
  • url-protection
  • xml-validation
  • json-validation
  • openapi-validation
  • cookie-security
  • csrf-protection
  • brute-force-login
  • data-leak-prevention
  • input-validation
  • credential-stuffing-defense
  • http-header-security
  • api-gateway
  • cors-protection

attack-action

The attack-action option is available if attack-detection-status is enabled.

Select the action profile to apply when a bot attack is detected. See config security waf action.

The default action is alert.

attack-severity

The attack-severity option is available if attack-detection-status is enabled.

Select the event severity to log when a bot attack is detected:

  • high — Log as high severity events.
  • medium — Log as medium severity events.
  • low — Log as low severity events.

The default is low.

attack-occurrence-limit

The attack-occurrence-limit option is available if attack-detection-status is enabled.

Specify the maximum number of attacks that the specified attack-modules may detect within the time frame (set in attack-occurrence-within). If the limit is exceeded, the specified attack-action will be triggered. Default: 100, Range: 1-100000.

attack-occurrence-within

The attack-occurrence-within option is available if attack-detection-status is enabled.

Specify the time span during which to count how many attacks are detected by the specified attack-modules. Default: 60 seconds, Range: 1-600 seconds.

comment

Optionally, enter comments about the Threshold Based Detection policy.

Example

config security waf threshold-based-detection
  edit "attack_1"
    set crawler-status enable
    set response-code 404
    set crawler-action alert
    set crawler-severity low
    set crawler-occurrence-limit 1
    set crawler-occurrence-within 60
    set content-scraping-status enable
    set content-type text/html
    set content-action alert
    set content-severity low
    set content-occurrence-limit 1
    set content-occurrence-within 60
    set attack-detection-status enable
    set attack-modules url-protection
    set attack-action alert
    set attack-severity low
    set attack-occurrence-limit 2
    set attack-occurrence-within 60
  next
end
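The counting rule this reference describes (an occurrence limit within a time window, per detection type), as an added Python model that is not FortiADC's own code; it encodes the attack_1 policy from the Example above and replays constructed traffic through it. It assumes occurrences are keyed per client IP, that the window is a sliding one of occurrence-within seconds, and that the action fires once the count exceeds (not merely reaches) the occurrence limit.

```python
# Added model of threshold-based detection; not FortiADC's implementation.
# Assumptions: per-client-IP counting, sliding window, fire when count > limit.
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

def parse_response_codes(spec: str) -> frozenset:
    """Parse the response-code syntax: '403', '403,404' or a range '500-503'."""
    codes = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 100 <= lo <= hi <= 599:
            raise ValueError(f"response code outside 100-599: {part}")
        codes.update(range(lo, hi + 1))
    return frozenset(codes)

@dataclass(frozen=True)
class Rule:
    kind: str          # detection type: "crawler", "content" or "attack"
    field: str         # Event attribute whose value this rule counts
    match: frozenset   # response codes, content types or attack modules to count
    action: str        # action profile to apply: alert / captcha / deny
    severity: str      # event severity to log: high / medium / low
    limit: int         # occurrence-limit (page range 1-100000)
    within: int        # occurrence-within in seconds (page range 1-600)

@dataclass(frozen=True)
class Event:
    client: str                          # counting key (assumed: source IP)
    ts: float                            # seconds
    status: Optional[int] = None         # HTTP response code returned
    content_type: Optional[str] = None   # Content-Type of the response
    attack_module: Optional[str] = None  # WAF module that flagged the request

class ThresholdDetector:
    """Keeps one sliding window of occurrence timestamps per (rule, client)."""

    def __init__(self, rules):
        self.rules, self._windows = rules, defaultdict(deque)

    def observe(self, ev: Event):
        """Count one response; return (kind, action, severity) per rule exceeded."""
        fired = []
        for rule in self.rules:
            if getattr(ev, rule.field) not in rule.match:
                continue
            win = self._windows[(rule.kind, ev.client)]
            win.append(ev.ts)
            while ev.ts - win[0] >= rule.within:  # expire old occurrences
                win.popleft()
            if len(win) > rule.limit:
                fired.append((rule.kind, rule.action, rule.severity))
        return fired

# The "attack_1" policy from the Example above, expressed as rules.
ATTACK_1 = [
    Rule("crawler", "status", parse_response_codes("404"), "alert", "low", 1, 60),
    Rule("content", "content_type", frozenset({"text/html"}), "alert", "low", 1, 60),
    Rule("attack", "attack_module", frozenset({"url-protection"}), "alert", "low", 2, 60),
]

def run_sample():
    """Replay constructed traffic through attack_1; returns {ts: [rule kinds fired]}."""
    det = ThresholdDetector(ATTACK_1)
    traffic = [  # constructed sample events, not real logs
        Event("10.0.0.1", 0, status=404, content_type="text/html"),
        Event("10.0.0.1", 10, status=404, content_type="text/html"),  # 2nd within 60 s
        Event("10.0.0.2", 20, status=404, content_type="text/html"),  # different client
        Event("10.0.0.1", 30, status=403, attack_module="url-protection"),
        Event("10.0.0.1", 31, status=403, attack_module="url-protection"),
        Event("10.0.0.1", 32, status=403, attack_module="url-protection"),  # 3rd > 2
        Event("10.0.0.1", 100, status=404),  # the 404s at 0 s and 10 s have aged out
    ]
    return {ev.ts: [kind for kind, _, _ in det.observe(ev)] for ev in traffic}
```

With a limit of 1 the second matching response inside the window already triggers, which is why the attack_1 example is useful for testing but far noisier than the predefined policies' limit of 100.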
