Advanced Bot Protection (ABP)
FortiGuard ABP (Advanced Bot Protection) is a Fortinet SaaS advanced bot mitigation solution designed to detect and mitigate sophisticated bots that may be used to conduct malicious attacks on online applications, including data scraping, credential stuffing, DDoS attacks, and fraudulent activities. To safeguard your digital assets, websites, and applications, FortiGuard Advanced Bot Protection employs advanced deep learning algorithms and behavior analysis to identify and block suspicious activities. It analyzes user behavior patterns, device fingerprints, and more to distinguish between genuine users and malicious bots.
The FortiGuard ABP integration with FortiADC works by using client information collected by JavaScript insertion, which allow the client and FortiADC (via Fabric connector) to communicate with the Advanced Bot Protection Cloud for data telemetry information (such as headers and device fingerprinting). Once FortiADC is connected with FortiGuard ABP, you can configure an Advanced Bot Protection policy to apply to Web Application Firewall (WAF) profiles and virtual servers. FortiADC reports the telemetry data to FortiGuard ABP which then inspects the HTTP request to determine if the client is human or a bot and sends instructions back to FortiADC to initiate an action against the request (such as block, CAPTCHA, or allow).
Prerequisites
Before you begin to integrate FortiGuard Advanced Bot Protection and configure Advanced Bot Protection on FortiADC, you must have the following:
Valid FortiGuard Advanced Bot Protection license
FortiGuard ABP is available on a Standalone license which is a Fortinet Support account based license that is verified by the FortiGuard ABP User Portal instead of through FortiGuard. For more information, login to https://fortiabp.forticloud.com/.
Ensure the account used to register for the FortiGuard ABP license matches the account information from your Fortinet Support Contract. Otherwise, the FortiADC will not be able to connect to FortiGuard ABP.
FortiGuard ABP and Fortinet Support utilize a common account management system, allowing you to log into FortiGuard ABP directly using the credentials you have registered in your Fortinet Support contract. Upon logging into FortiGuard ABP with your account, the system will automatically check the validity of your FortiGuard ABP license. This same authentication process is applied when FortiADC sends requests to the FortiGuard ABP system to verify the account's validity to determine whether you can successfully enable FortiGuard ABP in FortiADC.
Note: The Fortinet Support Contract information can be found in System > FortiGuard, under the Support Contract section.
Supported FortiADC hardware, VM, or cloud platform
-
Hardware — All FortiADC hardware models support FortiGuard ABP.
-
VM — All FortiADC VM environments support FortiGuard ABP.
-
Cloud platform — FortiADC instances on cloud platforms with BYOL support FortiGuard ABP (PAYG FortiADC instances do not support FortiGuard ABP).
Supported modes in FortiADC
Server Load Balancing:
-
Layer 7 HTTP/HTTPS/HTTP2
-
Layer 2 HTTP
-
SSLi
-
WCCP
Decompression must be enabled to support JavaScript insertion, which is critical to FortiGuard Advanced Bot Protection functionality. Ensure a Decompression policy is enabled in your HTTP/HTTPS Application Profile to allow JavaScript to be inserted into compressed HTTP/HTTPS web content. To increase performance, most websites utilize HTTP compression to reduce the size of transmitted data. This compressed HTTP/HTTPS content must be decompressed to allow FortiADC to insert the required JavaScript tag to the HTML. If the real server response is not compressed, then decompression is unnecessary. However, if the real server response is compressed then decompression must be enabled, otherwise the JavaScript will fail to insert. |
Virtual Domain:
-
ABP global setting is configured in Global view.
-
ABP policies are configured per VDOM, and functions at the VDOM level.
-
ABP entries are shared by all VDOMs while their status are identified by each VDOM.
High Availability:
-
All HA modes supported: Active-Passive, Active-Active, Active-Active-VRRP.
-
ABP global settings and policies are synchronized.
-
ABP entries are not synchronized.
-
ABP global status is not synchronized. If the secondary node fails to connect to the FortiGuard ABP portal, its status will not be Connected.
Basic configuration
To deploy Advanced Bot Protection on FortiADC, follow the workflow below:
- On FortiADC, enable the Advanced Bot Protection Fabric Connector to connect FortiADC to the FortiGuard Advanced Bot Protection server. For details, see Enabling the Advanced Bot Protection connector.
- On the FortiGuard Advanced Bot Protection User Portal, obtain the Application ID of an existing FortiGuard ABP Application or create a new configuration. This Application ID is required to connect the FortiGuard ABP Application to the FortiADC Advanced Bot Protection policy. For details, see Obtaining the Application ID from the FortiGuard ABP User Portal.
- Configure a FortiADC Advanced Bot Protection policy. For details, see Configuring an Advanced Bot Protection policy.
- Apply the Advanced Bot Protection policy to a WAF profile. For details, see Configuring a WAF Profile.
- Apply the WAF profile that references the Advanced Bot Protection policy to a virtual server to activate Advanced Bot Protection for server load balancing.