Onboarding ABP Applications
This page provides a detailed explanation of each step in the ABP application onboarding process, followed by configuration steps. Please read through the Overview and Concepts before proceeding to configuration.
Overview and Concepts
The Advanced Bot Protection onboarding process is composed of the following stages:
- Create Application
  - Enter a name and regions.
  - Add at least one on-premises Integration domain or FortiAppSec Cloud WAF Application.
  - Enter Entry Points.
- Complete Onboarding on WAF or on-premises device
  - Route traffic from your FortiAppSec Cloud WAF application to Advanced Bot Protection, or integrate the newly created ABP application with your on-premises device.
- Auto Discovery
  - Auto Discovery analyzes your application. The duration of this process depends on the application's complexity, as well as the number of entry points and protection categories selected.
  - You should be notified by email when Auto Discovery finishes.
  - Once Auto Discovery is complete, ABP may suggest new protection entries to add to your configuration.
- Review Configuration
  - Review, edit, and apply Auto Discovery's suggested protection entries as needed.
  - When you apply a suggested protection entry, the protection takes effect within a few minutes.
- Rule adjustment
  - ABP tunes protection rules for two weeks based on real traffic to your application.
- Set Block Action
  - Before you enable Block Mode, review the Block Mode Prerequisites. Enabling Block Mode too early may cause false positives, as rule adjustments are based on real-time traffic analysis.
Auto Discovery
Auto Discovery is an optional, AI-assisted feature that analyzes your provided information and application behavior to identify key application components and protection targets, such as login pages, APIs, and transaction flows. It requires manual review and adjustment of its results. If no entry points are provided, Auto Discovery will not run automatically. Users can also perform manual configuration under Advanced Bot Protection > Application > Configurations.
Auto Discovery differs from the previous Pre-Provisioning process by leveraging self-service and AI to reduce setup time from several weeks to a few hours.
What it does:
- Detects potential entry points that need protection (pages, endpoints, APIs).
- Suggests protection entries automatically.
- Recognizes authentication patterns using return codes or HTTP responses.
- Reduces manual configuration effort during ABP onboarding.
The Auto Discovery Status indicates the current stage of the protection entry discovery process.
- In Progress: Auto Discovery is still analyzing your application. No urgent action required.
- Review Needed: Auto Discovery has suggested new protection entries. Please review and confirm the changes.
- Connection Issue: Advanced Bot Protection could not connect to the entry points you provided. Potential causes for this include:
  - The application's firewall is blocking ABP's management IPs. Add these IPs to your allowlist to prevent requests from being blocked:
    - FortiAppSec Cloud WAF: IP protection
    - FortiWeb: IP List - Blocklisting & whitelisting clients using a source IP or source IP range
    - FortiADC: Using the Geo IP allowlist
    If additional services are configured with firewall policies, ensure that ABP's management IPs are added to their allowlists.
  - There is an error in the entry point URL. To edit the entry point URL:
    - From Advanced Bot Protection > Applications, click the three dots under Action.
    - Click Edit Application.
    - Go to the Entry Points tab, and edit the Entry Point text input field.
Entry points
Entry points refer to URLs in your application that users or bots interact with. For Auto Discovery, add entry points that are common targets for bot activity. These typically include pages where users submit sensitive information, such as login, signup, or checkout pages.
Other recommended protection entries include:
- Search or product listing pages with dynamic content
- API endpoints handling authentication or transactions
- Contact or feedback forms
- Account management pages (e.g., password reset)
For any additional or customized protection goals, configure them manually under Advanced Bot Protection > Application > Configurations.
When adding entry points, select only the most relevant protection categories to speed up the Auto Discovery process.
- Denial of Service (DoS): Attempts to overwhelm your site with traffic, causing downtime or slow performance. Auto Discovery primarily detects DoS activity targeting search pages.
- Account Takeover: Attempts to gain unauthorized access to user accounts. Typically targets login or password-reset pages.
- Automated Account Creation: Bots create fake accounts to exploit services or commit fraud. Typically targets registration or signup pages.
- Content Scraping: Bots extract content from your site, such as articles or images. Typically targets browsing pages.
- Price Scraping: Bots collect pricing information for competitive analysis. Typically targets browsing pages.
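The page asks for a custom port to be written into the Entry Point URL and lists a malformed URL as one cause of the Connection Issue status. The following pre-flight check is an added example, not FortiAppSec Cloud code: it parses form values such as example.com:1111/login, supplies a scheme when none is given, flags non-default ports, and rejects inputs Auto Discovery could never reach (unsupported scheme, missing host, bad port). The sample inputs are constructed.

```python
"""Pre-flight checks for Auto Discovery entry points (added example)."""
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class EntryPoint:
    scheme: str
    host: str
    port: int
    path: str

    @property
    def custom_port(self) -> bool:
        """True when the port differs from the scheme's default (80/443)."""
        return self.port != DEFAULT_PORTS[self.scheme]

    @property
    def url(self) -> str:
        """Canonical form: the port is spelled out only when it is custom."""
        port = f":{self.port}" if self.custom_port else ""
        return f"{self.scheme}://{self.host}{port}{self.path}"


def parse_entry_point(raw: str, default_scheme: str = "https") -> EntryPoint:
    """Parse a form value such as 'example.com:1111/login'.

    Raises ValueError with the reason for anything Auto Discovery could not
    connect to: empty input, unsupported scheme, missing host, bad port.
    """
    text = raw.strip()
    if not text:
        raise ValueError("entry point is empty")
    # urlsplit reads 'example.com:1111/login' as scheme 'example.com', so add
    # the scheme first when the value has no 'http://' or 'https://' prefix.
    if "://" not in text:
        text = f"{default_scheme}://{text}"
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}; use http or https")
    if not parts.hostname:
        raise ValueError("entry point has no host name")
    try:
        port = parts.port  # ValueError when non-numeric or outside 0-65535
    except ValueError as exc:
        raise ValueError(f"invalid port in {raw!r}") from exc
    if port is None:
        port = DEFAULT_PORTS[scheme]
    path = parts.path or "/"
    if parts.query:
        path = f"{path}?{parts.query}"
    return EntryPoint(scheme, parts.hostname, port, path)


def validate_entry_points(raws):
    """Split a batch of form inputs into parsed entry points and rejects.

    Returns (accepted, rejected); rejected maps each refused raw input to
    the reason it was refused.
    """
    accepted, rejected = [], {}
    for raw in raws:
        try:
            accepted.append(parse_entry_point(raw))
        except ValueError as exc:
            rejected[raw] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample inputs, including the page's custom-port example.
    sample = [
        "example.com:1111/login",
        "https://shop.example.com/checkout",
        "http://shop.example.com:80/search?q=shoes",
        "ftp://example.com/login",
        "https://example.com:99999/login",
    ]
    accepted, rejected = validate_entry_points(sample)
    for ep in accepted:
        flag = " (custom port)" if ep.custom_port else ""
        print(f"OK   {ep.url}{flag}")
    for raw, reason in rejected.items():
        print(f"SKIP {raw}: {reason}")
```

Running the check before submitting the form turns a later Connection Issue status into an immediate, explained rejection; the canonical URL it prints is the value to paste into the Entry Point URL field.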
Configuration Steps
When you create an ABP application, make sure to add FortiAppSec Cloud's IP addresses to your security allowlist to ensure proper connectivity:
Create an ABP Application
- Navigate to Advanced Bot Protection > Application.
- Click Add Application.
- Basic Information
  - Enter the following:
    - Application Name: Enter a name for this application that will make it easy for you to identify within the FortiAppSec Cloud UI.
    - Region: The location of the service that processes the traffic of your application.
      - United States (US)
      - European Union (EU)
  - Add at least one On-premises Integration (FortiWeb or FortiADC) or FortiAppSec Cloud WAF Application.
    - If adding an On-Premises Integration, click Add Domain and enter the following:
      - Domains: Enter the domains associated with your on-premises integration.
      - Advanced Domain Options: Select whether your domain uses HTTP, HTTPS, or both. Enable Special Port to enter a custom port number if your domain uses a non-standard port (other than HTTP 80 or HTTPS 443).
      - API-Only Domains: Enter any domains belonging to your application that only handle API calls.
    - If adding a FortiAppSec Cloud WAF Application, click Add WAF Application and enter the following:
      - Cloud WAF Application Name: From the drop-down list, select the desired existing WAF Application under your account.
      - API-Only Domains: Enter any domains belonging to your application that only handle API calls.
  - Click Next.
- Entry Points
  Enter Auto Discovery entry points. For more details on how Auto Discovery works, please refer to Auto Discovery.
  - Click Add Entry Points.
  - Enter the following:
    - Entry Point URL: Entry Points are URLs in your application that are likely targets for bots. This typically includes pages where users enter sensitive information, such as login or checkout pages. If the port number is not 80 for HTTP or 443 for HTTPS, please include the custom port number in the Entry Point URL. Example input where the port number is 1111: example.com:1111/login. For more details on this concept, please refer to Entry points.
    - Protection Category: Select the attack categories relevant to the URL entered above. Note that selecting more protection categories may increase the time required for the Auto Discovery process to complete.
      - Denial of Service (DoS): Attempts to overwhelm your site with traffic, causing downtime or slow performance. Auto Discovery primarily detects DoS activity targeting search pages.
      - Account Takeover: Attempts to gain unauthorized access to user accounts. Typically targets login or password-reset pages.
      - Automated Account Creation: Bots create fake accounts to exploit services or commit fraud. Typically targets registration or signup pages.
      - Content Scraping: Bots extract content from your site, such as articles or images. Typically targets browsing pages.
      - Price Scraping: Bots collect pricing information for competitive analysis. Typically targets browsing pages.
    - Credentials: Optional. Provide the username and password for an existing, non-critical test account. This allows the system to determine the conditions for successful authentication, such as expected HTTP responses.
  - SSL Certificate Verification is enabled by default. When enabled, FortiAppSec Cloud verifies the server's SSL certificate when Auto Discovery connects to entry points. Disable this only for self-signed or staging/test certificates not trusted by browsers.
  - Click Save.
  - Repeat steps a to c until you have finished adding Entry Points. You will be able to add additional entry points after creation.
- Click Create Application, and confirm application creation.
Next Steps
At this stage, Auto Discovery is initiated.
If your ABP application is connected to an on-premises FortiWeb or FortiADC device, please follow the instructions in Integrate ABP on an on-premises device.
For more information on how to edit and delete applications, please see ABP Application.
Review Suggested Protection Entries
Once Auto Discovery is complete, ABP may suggest new protection entries for your configuration. Review, edit, and apply these suggested entries as needed. When a suggested protection entry is applied, the protection becomes effective within a few minutes.
- When an application's Auto Discovery Status displays as Review Needed, click the status to navigate directly to the suggested protection entry.
- Click Go to Configurations Page. Alternatively, you can navigate to this page by going to Advanced Bot Protection > Application > Configurations, and clicking the Review icon under Action.
- Review the detected inputs and choose whether to include them in your ABP configuration.
  The header at the top of the screen shows how many protection entries are pending review. For example, "Review Protection Entry - 1 of 6" means you are currently reviewing the first of 6 suggested entries.
  - Protective Action: The action ABP takes when bot activity is detected. The currently configured or suggested action is displayed as a dropdown at the top of the page. Click it to expand the menu and select a different protective action.
    - Alert: Record the invalid request in the attack log.
    - Alert and Deny: Block the invalid request and send a "block page" back to the browser, as well as record the request in the attack log.
    - Deny (no log): Block the invalid request and send a "block page" back to the browser, without recording the request in the attack log.
    - Block Period: Block the current request and all subsequent requests from the same client for the configured duration. When this option is selected, you must also enter the Block Period in seconds.
    Please note, the Deny (no log) and Block Period actions will not take effect until Block Mode is enabled. During onboarding, these actions can be safely configured without risk of impacting live traffic.
    The Protective Action setting is supported for FortiAppSec Cloud WAF Applications and FortiWeb versions 7.4.12 and later, 7.6.6 and later, and 8.0.3 and later. If you are using FortiADC or an older version of FortiWeb, configure the protective action directly from your FortiADC/FortiWeb interface.
  - Domain Name: The domain of the relevant application.
  - Path: The path that indicates the page being protected on the relevant application.
  - HTTP Method: The HTTP method to be protected in this protection entry.
    - GET: Retrieve data (e.g., loading a page)
    - POST: Submit data (e.g., login, form submission)
    - PUT / PATCH: Update resources
    - DELETE: Remove resources
  - Label: Select a label in the dropdown menu to indicate the primary function of the page.
    - Sign In
    - Sign Up
    - Search
    - Forget Password
    - Browsing
  - Username Field: Specify the field used for the username in the API request.
  - Label Condition: Click Edit to specify the Label Conditions for the selected Label type. For example, if the following protection entry should be labeled as Sign In:
    Login: POST https://.com/accounts/apply?type=login
    then the condition for the Sign In label could be:
    URL includes "type" = "login".
    To add a new condition, click Add Condition. To create a subgroup of related conditions, click Add Group. Define how the conditions within a group are evaluated by selecting a logical operator:
    - and: All conditions in the group must be met.
    - or: At least one condition in the group must be met.
  - Result Condition: Define the conditions for both successful and failed actions. For example, if Sign In is selected as the Label, the Result Condition specifies what indicates a successful or failed sign-in. To add a new condition, click Add Condition. To create a subgroup of related conditions, click Add Group. Define how the conditions within a group are evaluated by selecting a logical operator:
    - and: All conditions in the group must be met.
    - or: At least one condition in the group must be met.
- To apply the suggested protection entry, click Save. To discard it, click Reject. To keep it for review later, click Cancel.
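The Label Condition and Result Condition settings above are both trees of conditions joined by "and" or "or", with Add Group creating a nested subgroup. The evaluator below is an added example, not ABP code, that shows how such a tree is applied to traffic: it labels a request as Sign In using the page's example (POST to /accounts/apply with URL includes type = login) and then decides from the response whether the sign-in succeeded or failed. The condition subjects and operators, the Sign Up label, the result conditions and the request/response records are all constructed for this example.

```python
"""Evaluator for Label Conditions and Result Conditions grouped with and/or.

Added example, not ABP code. Condition subjects and operators are this
example's own; the request/response records at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Condition:
    subject: str     # "url", "url_param", "method", "status" or "body"
    op: str          # "equals" or "includes"
    value: str
    param: str = ""  # query-parameter name, used only with "url_param"


@dataclass(frozen=True)
class Group:
    operator: str    # "and": every item must match; "or": at least one must
    items: tuple     # Conditions and nested Groups (Add Group)


@dataclass(frozen=True)
class Exchange:
    """One request/response pair as the evaluator sees it."""
    method: str
    url: str
    status: int
    body: str = ""


def _subject_value(cond: Condition, ex: Exchange) -> str:
    if cond.subject == "url":
        return ex.url
    if cond.subject == "url_param":
        return ",".join(parse_qs(urlsplit(ex.url).query).get(cond.param, []))
    if cond.subject == "method":
        return ex.method.upper()
    if cond.subject == "status":
        return str(ex.status)
    if cond.subject == "body":
        return ex.body
    raise ValueError(f"unknown subject {cond.subject!r}")


def matches(node, ex: Exchange) -> bool:
    """Evaluate a condition tree recursively; an empty group matches nothing."""
    if isinstance(node, Group):
        if node.operator not in ("and", "or"):
            raise ValueError(f"unknown operator {node.operator!r}")
        if not node.items:
            return False
        results = (matches(child, ex) for child in node.items)
        return all(results) if node.operator == "and" else any(results)
    if node.op not in ("equals", "includes"):
        raise ValueError(f"unknown op {node.op!r}")
    actual = _subject_value(node, ex)
    return actual == node.value if node.op == "equals" else node.value in actual


def classify(ex: Exchange, labels: dict) -> Optional[str]:
    """Return the first label whose Label Condition matches, else None."""
    return next((name for name, tree in labels.items() if matches(tree, ex)), None)


def outcome(ex: Exchange, success: Group, failure: Group) -> str:
    """Apply a Result Condition pair: success, failure, ambiguous or unknown."""
    ok, bad = matches(success, ex), matches(failure, ex)
    if ok and bad:
        return "ambiguous"  # overlapping conditions; tighten one of them
    return "success" if ok else "failure" if bad else "unknown"


# Label Conditions. "Sign In" follows the page's example (POST to
# /accounts/apply with URL includes type = login); "Sign Up" is constructed.
LABELS = {
    "Sign In": Group("and", (
        Condition("method", "equals", "POST"),
        Condition("url", "includes", "/accounts/apply"),
        Condition("url_param", "equals", "login", param="type"),
    )),
    "Sign Up": Group("and", (
        Condition("method", "equals", "POST"),
        Condition("url_param", "equals", "signup", param="type"),
    )),
}

# Constructed Result Conditions for Sign In: a redirect, or a 200 carrying a
# success flag, is success; a 401 or an "invalid" message is failure.
SIGN_IN_SUCCESS = Group("or", (
    Condition("status", "equals", "302"),
    Group("and", (Condition("status", "equals", "200"),
                  Condition("body", "includes", '"ok":true'))),
))
SIGN_IN_FAILURE = Group("or", (
    Condition("status", "equals", "401"),
    Condition("body", "includes", "invalid"),
))

if __name__ == "__main__":
    samples = [
        Exchange("POST", "https://example.com/accounts/apply?type=login", 302),
        Exchange("POST", "https://example.com/accounts/apply?type=login", 401, "invalid password"),
        Exchange("GET", "https://example.com/accounts/apply?type=login", 200),
    ]
    for ex in samples:
        label = classify(ex, LABELS)
        result = outcome(ex, SIGN_IN_SUCCESS, SIGN_IN_FAILURE) if label == "Sign In" else "n/a"
        print(f"{ex.method:4} {ex.url} {ex.status} -> {label or 'no label'} / {result}")
```

Two design points carry over to the real settings: an empty group is treated as matching nothing, so a half-configured subgroup cannot silently label every request, and a response that satisfies both the success and the failure condition is reported as ambiguous rather than picked arbitrarily, which is the signal to tighten one of the two conditions.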
Enable Block Mode
When Block Mode is enabled, Advanced Bot Protection executes the configured Protective Action on each of its Protection Entries. Before you configure these settings, review Block Mode Prerequisites. Blocking detected activity too early may cause false positives, as rule adjustments are based on real-time traffic analysis.
For information on viewing and editing created applications, refer to ABP Application.
For instructions on editing Protection Entries and the Protective Action, refer to Configurations.
Block Mode Prerequisites
Before enabling Block Mode, ensure you complete the following:
- If you are using a FortiWeb version earlier than 7.4.11, 7.6.6, or 8.0.2 and have CSP enabled, you may need to add the domain names shown in your browser's console error messages to the CSP configuration. Based on our experience, this typically applies to the following directives: default-src, script-src, script-src-elem, and connect-src. FortiWeb versions 7.4.11, 7.6.6, 8.0.2, and later do not experience this issue. If you are running an earlier version and cannot upgrade or find a suitable workaround, please submit a support ticket.
- Verify JavaScript Insertion
  Our JavaScript is designed to run safely without impacting your website. If you encounter any issues, please contact the support team.
- Review Traffic Insights
  - If your server IPs or partner IPs are blocked, add them to your allowlist. For instructions on how to do this, please refer to the following:
    - FortiAppSec Cloud WAF: IP protection
    - FortiWeb: IP List - Blocklisting & whitelisting clients using a source IP or source IP range
    - FortiADC: Using the Geo IP allowlist
  - If legitimate bots are blocked, enable Known Bots. For instructions on how to do this, please refer to the following:
    - FortiAppSec Cloud WAF: Known Bots
    - FortiWeb: Configuring known bots
    - FortiADC: Configuring a Bot Detection policy
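The CSP prerequisite above names the four directives that typically have to admit the host names reported in the browser console. Working out which of them actually blocks a host is not obvious, because browsers resolve script-src-elem through script-src and then default-src, and connect-src through default-src. The checker below is an added example, not Fortinet code: it parses a Content-Security-Policy header, resolves each directive the way browsers do, reports which effective directive blocks the host, and produces an amended header. The policy and the host name abp.placeholder.example are constructed placeholders, not real ABP endpoints.

```python
"""Which CSP directives block a host, and how to amend them (added example)."""
from typing import Dict, List, Optional

# Browser fallback order for the directives named on the page.
FALLBACK = {
    "default-src": [],
    "script-src": ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "connect-src": ["default-src"],
}
DIRECTIVES = ("default-src", "script-src", "script-src-elem", "connect-src")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """'default-src \'self\'; script-src a b' -> {'default-src': ["'self'"], ...}"""
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_directive(policy: Dict[str, List[str]], name: str) -> Optional[str]:
    """Directive that actually governs `name` after fallback, or None if none is set."""
    for candidate in [name] + FALLBACK[name]:
        if candidate in policy:
            return candidate
    return None


def source_allows(source: str, host: str) -> bool:
    """Host-source match for the cases this check needs: *, exact host, *.wildcard.

    Scheme and port components of the source are ignored here.
    """
    src = source.lower()
    if src == "*":
        return True
    src = src.split("://", 1)[-1]
    if src.startswith("*."):
        return host.endswith(src[1:])
    return src == host


def blocked_directives(policy: Dict[str, List[str]], host: str) -> Dict[str, str]:
    """Map each blocking directive to the effective directive responsible.

    A directive with no value and no fallback set imposes no restriction and
    is therefore not reported.
    """
    blocked = {}
    for name in DIRECTIVES:
        governing = effective_directive(policy, name)
        if governing is None:
            continue
        if not any(source_allows(s, host) for s in policy[governing]):
            blocked[name] = governing
    return blocked


def amend_csp(header: str, host: str) -> str:
    """Return the header with `host` appended to every directive that blocks it."""
    policy = parse_csp(header)
    for governing in set(blocked_directives(policy, host).values()):
        policy[governing] = policy[governing] + [host]
    return "; ".join(f"{k} {' '.join(v)}".strip() for k, v in policy.items())


if __name__ == "__main__":
    # Constructed policy and placeholder host (not a real ABP endpoint).
    header = "default-src 'self'; script-src 'self' https://cdn.example.net; connect-src 'self'"
    host = "abp.placeholder.example"
    for name, governing in blocked_directives(parse_csp(header), host).items():
        print(f"{name:16} blocked by {governing}")
    print("amended:", amend_csp(header, host))
```

The check only amends the directive that governs each blocked fetch, so when script-src-elem is absent and script-src already covers the host, nothing is added; when it is script-src itself that lacks the host, adding the host to default-src alone would not help, and the checker reports script-src accordingly.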
Specify the web application to which you want to apply FortiAppSec Cloud Advanced Bot Protection (ABP) services. When you create an application, an Application ID will automatically be assigned to your application which can then be used to bind it to the Advanced Bot Protection policy in a connector device.