Integrating Advanced Bot Protection into the Fortinet Security Fabric

After your Advanced Bot Protection Application has been created, you can integrate it with Fortinet Fabric devices to deploy Advanced Bot Protection for the Application traffic.

The FortiAppSec Cloud system is designed to seamlessly integrate with your existing infrastructure, supporting various products in the Fortinet Security Fabric.

Currently, the following Fortinet products are supported for integration:

• FortiADC — See FortiADC Integration for detailed steps on how to set up the ABP integration with FortiADC.
• FortiWeb — See FortiWeb Integration for detailed steps on how to set up the ABP integration with FortiWeb.

The ABP integration with FortiADC/FortiWeb works by using client information collected by JavaScript insertion, which allow the client and FortiADC/FortiWeb (via Fabric connector) to communicate with the Advanced Bot Protection Cloud for data telemetry information (such as headers and device fingerprinting). Once the FortiADC/FortiWeb is connected with ABP, an Advanced Bot Protection policy can be configured to apply to the server policy. The FortiADC/FortiWeb reports the telemetry data to ABP which then inspects the HTTP/S request to determine if the client is a human or a bot, and sends instructions back to FortiADC/FortiWeb to initiate an action against the request (such as block, CAPTCHA, or allow).

For instructions on how to enable using Advanced Bot Protection as a module within WAF, refer to Advanced Bot Protection.

Before you begin:

• You must have access to the Fortinet connector device and have read-write permission for security settings.
• Ensure the account used to register for the ABP license matches the account information from your Fortinet Support Contract. Otherwise, the connector device will not be able to connect to ABP.
• You must have created a ABP Application and have obtained its Application ID.

FortiADC Integration

Login to FortiADC and follow the steps below to integrate ABP with FortiADC.
For more details about the ABP integration with FortiADC, see the FortiADC Handbook on Advanced Bot Protection.

Step 1: Enable the Advanced Bot Protection Fabric Connector

FortiADC is pre-configured to connect to the ABP server, so you only need to enable the connection via the Advanced Bot Protection Fabric connector.

1. Go to Security Fabric > Fabric Connectors.
2. Under Other Fortinet Products section, locate the Advanced Bot Protection connector.
3. Enable the Advanced Bot Protection connector. Once the connector is enabled, the connection status will display.
   The Advanced Bot Protection connector is ready when the status is Connected.
   
4. The and icons indicate whether the Advanced Bot Protection connector has successfully connected to the ABP server. Hover over the Advanced Bot Protection connector to see the status details. The table below lists the possible connection statuses for the Advanced Bot Protection connector.
   

   Icon	ABP connector status	Guidelines
   	Connected	The (Undefined variable: Deployment Guide.ProductName) is successfully connected to to the ABP server.
   	Account license invalid	The ABP license is not valid. Please verify your license details or contact Fortinet Support.
   	Couldn't connect to server	Unable to connect to the ABP server. Please check your network settings.
   	Couldn't resolve hostname	Unable to resolve the hostname of the ABP server. Please check your network settings.
   	No available SN cert	The device does not have an available SN certificate. Please check your local certificate.
   	No available CA cert	The device does not have an available CA certificate. Please check your CA certificate.
   	Problem with the local certificate	An error occurred with the remote server certificate. Please check your local certificate.
   	SSL peer certificate or SSH remote key was not OK	An error occurred with the remote server certificate involving the SSL peer certificate or SSH remote key. Please check your local certificate.

Once the Advanced Bot Protection fabric connector is successfully connected, the Advanced Bot Protection module becomes available under the Web Application Firewall menu in the GUI.

Step 2: Configure an Advanced Bot Protection policy

Connect your ABP Application to the FortiADC Advanced Bot Protection policy by using the Application ID. Through the Application ID, the FortiADC will have access to the Pre-Provisioned resources to apply to the specified protected URLs and JavaScript insertion locations to collect client information for bot detection.

1. Go to Web Application Firewall > Advanced Bot Protection.
2. In the Advanced Bot Protection tab, click Create New to display the configuration editor.
   
3. Configure the following Advanced Bot Protection settings:

   Setting	Description
   Name	Specify a name for the Advanced Bot Protection policy. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces. The configuration name cannot be edited once it has been saved.
   Status	Enable/disable the status of this Advanced Bot Protection policy. Status must be enabled to display Advanced Bot Protection configuration options.
   Application ID	Specify the Application ID assigned to your ABP Application. The Application ID is used to bind this Advanced Bot Protection policy to the ABP Application. To obtain the ID, go to Application page of ABP, locate your ABP Application and copy the ID from the Application ID column.
   Action	Specify a WAF action object to apply when a bot is detected. You can specify a predefined or user-defined WAF action profile. Predefined WAF actions: alert — WAF policies will allow the traffic to pass and log the event. block — WAF policies will drop the current attack session by HTTP 403 message and block the attacker (according the attacker’s IP address) for 1 hour, and log the event. captcha — WAF policies will allow the traffic to pass if the client successfully fulfills the CAPTCHA request, and log the event. deny — WAF policies will the drop current attack session by HTTP 403 message, and log the event. silent-deny — WAF policies will drop the current attack session by HTTP 403 message, without logging the event. The default action is alert.
   Severity	Select the event severity to log when a bot is detected: High — Log as high severity events. Medium — Log as a medium severity events. Low — Log as low severity events. The default is Low.
   Exception Name	Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

4. Optionally, click Verify to validate the inputted Application ID against multiple parameters to ensure the connection between FortiADC and the ABP Application is successfully established.
   
   The Advanced Bot Protection policy can only function if the Application ID is valid and the connection to the ABP server is successfully established. FortiADC validates multiple parameters, including if the Application ID is available, the ABP server connectivity, if the ABP license is valid. There are two types of messages as differentiated by text color: green text indicates a positive status where all required parameters are validated successfully; and red text that indicate one or more parameters did not pass validation.

   The following table describes some common verification results.

   Verification status message	Guidelines
   Success (green)	All required parameters pass validation; application ID is available, ABP server certificate is valid, network connectivity is good, etc.
   Application not found (red)	The Application ID does not exist. This could be an input error.
   Account license invalid (red)	The ABP license is not valid. Please verify your license details or contact Fortinet Support.
   Couldn't connect to server (red)	Unable to connect to the ABP server. Please check your network settings.
   Couldn't resolve hostname (red)	Unable to resolve the hostname of the ABP server. Please check your network settings.
   No available SN cert (red)	The device does not have an available SN certificate. Please check your local certificate.
   No available CA cert (red)	The device does not have an available CA certificate. Please check your CA certificate.
   Problem with the local certificate	An error occurred with the remote server certificate. Please check your local certificate.
   SSL peer certificate or SSH remote key was not OK	An error occurred with the remote server certificate involving the SSL peer certificate or SSH remote key. Please check your local certificate.

5. Click Save.
   Once the Advanced Bot Protection policy is saved, you can reference it in a WAF Profile configuration.

It is strongly recommended to verify the Application ID and ABP server connection prior to completing the Advanced Bot Protection policy configuration. Even though this is an optional step, it is helpful to diagnose any potential issues and apply fixes early. When the Advanced Bot Protection policy is created, an internal verification is automatically conducted to verify the status of the Application ID and ABP server connection. If the Application ID is not valid, or any other validation parameters has failed, the Advanced Bot Protection policy will fail to function and the system will log the failure to send the ABP policy.

Step 3: Apply the Advanced Bot Protection policy in a WAF profile and virtual server policy

After configuring the Advanced Bot Protection policy, apply it in a WAF profile. Then, apply the WAF profile that references the Advanced Bot Protection policy to a virtual server to activate Advanced Bot Protection for server load balancing.

1. Go to Web Application Firewall > WAF Profile.
   The configuration page displays the WAF Profile tab.
2. Edit an existing WAF Profile configuration, or click Create New to create a new WAF Profile to apply the Advanced Bot Protection policy.
3. Under the Bot Mitigation section, select the Advanced Bot Protection policy you have previously configured and click Save to commit.
   
4. Go to Server Load Balance > Virtual Server.
   The configuration page displays the Virtual Server tab.
5. Edit an existing Virtual Server configuration or click Create New > Advanced to create a new virtual server configuration to apply the WAF profile that references the Advanced Bot Protection policy.
6. Click the Security tab and select the WAF Profile configuration that references the Advanced Bot Protection policy. Click Save to commit.
   

Once the Advanced Bot Protection Policy is applied to the WAF Profile and referenced in a virtual server, whenever HTTP/S requests are made on the protected Application, FortiADC will report to ABP the telemetry data collected from the client via JavaScript insertion. Each HTTP/S request is inspected and ABP will determine if the client is a human or a bot and will send instructions back to FortiADC to initiate an action against the request (such as block, CAPTCHA, or allow). FortiADC will log each security action triggered by the Advanced Bot Protection.

The FortiADC Advanced Bot Protection policy does not activate until the ABP Application is fully analyzed and Pre-Provisioned to protect the Application. Pre-Provisioning is required to identify all URLs that should be protected in your Application domain (such as login URLs), and the locations to which JavaScript need to be inserted to collect client information. Without these resources, FortiADC will not be able to insert the necessary JavaScript for bot detection. Pre-Provisioning is triggered upon creating the Application, and requires 2 to 3 days to complete. During this process, your ABP Application will be in Pending status until Pre-Provisioning is complete. When the Application status is Ready, Advanced Bot Protection can be activated in your FortiADC.

FortiWeb Integration

Login to FortiWeb and follow the steps below to integrate ABP with FortiWeb.
For more details about the ABP integration with FortiWeb, see the FortiWeb Handbook on Advanced Bot Protection.

Step 1: Enable Advanced Bot Protection

FortiWeb is pre-configured to connect to the ABP server, so you only need to enable the connection via the Advanced Bot Protection Fabric connector.

1. Go to Dashboard > Status.
2. In the System Information widget, click Enable Advanced Bot Protection, then click OK in the pop-up window.
3. Check the status of Advanced Bot Protection in the Licenses widget on the Dashboard > Status page. It should display as Valid.
   

Step 2: Configure an Advanced Bot Protection policy

Connect your ABP Application to the FortiWeb Advanced Bot Protection policy by using the Application ID. Through the Application ID, FortiWeb will receive bot detection suggestions from ABP regarding the traffic of this application, and then take corresponding actions.

1. Go to Bot Mitigation > Advanced Bot Protection.
2. Click Create New to display the configuration editor.
3. Configure the following Advanced Bot Protection settings:
   

   Setting	Description
   Name	Enter a name for the Advanced Bot Protection policy. You can reference it in the Web Protection Profile.
   Application ID	Enter the Application ID assigned to your ABP Application. The Application ID is used to bind this Advanced Bot Protection policy to the ABP Application. To obtain the ID, go to Application page of ABP, locate your ABP Application and copy the ID from the Application ID column.
   Action	Select which action FortiWeb will take when ABP suggests the request is from a bot: Alert — Accept the connection and generate an alert email and/or log message. Alert & Deny — Block the request (or reset the connection) and generate an alert and/or log message. Deny (no log) — Block the request (or reset the connection). Block Period — Block subsequent requests from the same IP address for a number of seconds. Client ID Block Period — Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. The default value is Alert.
   Period Block	Enter the number of seconds that you want to block subsequent requests from a client. The valid range is 1–3,600 seconds (1 hour). This setting is available only if Action is set to Period Block and Client ID Block Period.
   Severity	When request from a bot is recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use: Informative Low Medium High The default value is Medium.
   Trigger Policy	Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about ABP violation.
   Exception	Select the exception policy which specifies the elements to be exempted from the ABP scan.
   Bot confirmation	Enable it to send clients bot verification requests.
   Verification Method	CAPTCHA Enforcement — Requires the client to successfully fulfill a CAPTCHA request. CAPTCHA verification will not pop out for the bot confirmation again for the same user within 10 mins timeout. reCAPTCHA Enforcement — Requires the client to successfully fulfill a reCAPTCHA request.
   reCAPTCHA	Select the reCAPTCHA server you have created in the reCAPTCHA Server tab in User > Remote Server.
   Validation Timeout	Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.
   Max Attempt Times	If CAPTCHA Enforcement is selected for Verification Method, enter the maximum number of attempts that a client may attempt to fulfill a CAPTCHA request. Available only when the Verification Method is CAPTCHA Enforcement.

4. Click OK.

Step 3: Apply the Advanced Bot Protection policy in a Web Protection Profile

After configuring the Advanced Bot Protection policy, apply it in a Web Protection Profile to activate Advanced Bot Protection.

1. Go to Policy > Web Protection Profile.
2. Select the Inline Protection Profile tab.
3. Select an existing web protection profile to which you want to include the Advanced Bot Protection policy.
4. Click Edit.
5. For Bot Mitigation > Advanced Bot Protection, select the Advanced Bot Protection policy from the drop-down list.
   Note: To view details about a selected Advanced Bot Protection policy, click the view icon next to the drop-down list.
6. Click OK.

The FortiWeb Advanced Bot Protection policy does not activate until the ABP Application is fully analyzed and Pre-Provisioned to protect the Application. Pre-Provisioning is required to identify all URLs that should be protected in your Application domain (such as login URLs), and the locations to which JavaScript need to be inserted to collect client information. Without these resources, FortiWeb will not be able to insert the necessary JavaScript for bot detection. Pre-Provisioning is triggered upon creating the Application, and requires 2 to 3 days to complete. During this process, your ABP Application will be in Pending status until Pre-Provisioning is complete. When the Application status is Ready, Advanced Bot Protection can be activated in your FortiWeb.

After Integration

After connecting your ABP Application to FortiWeb or FortiADC, you can manage its connectors under Configurations > Connectors.

For more information about the details displayed on this page, refer to Connectors.

To access this page, navigate to ABP > Application and click the Application Name, or the desired application's Status, then View Dashboard.