Fortinet Document Library

Version:


Table of Contents

User Guide

Download PDF
Copy Link

Threshold Based Detection

With the occurrence, time period, and severity of the following suspicious behaviors predefined, FortiWeb Cloud judges whether the request comes from a human or a bot.

  • Known Bad Bots
  • Known Search Engines
  • Crawler
  • Vulnerability Scanning
  • Slow Attack
  • Content Scraping
  • Credential Based Brute Force

To configure Threshold Based Detection:

  1. Go to BOT MITIGATION > Threshold Based Detection.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Configure these settings.

    Crawler

    Enable to detect web crawlers that are usually used to map out your application structure. If 403 and 404 response codes occur more than 100 times within 10 seconds, FortiWeb Cloud will take actions.

    Vulnerability Scanning

    Enable to detect tools that scan your application for vulnerabilities. If attack signatures are triggered more than 100 times within 10 seconds, FortiWeb Cloud will take actions.

    Slow-Attack

    Enable to detect automatic tools that try to go undetected by generating traffic in low thresholds. If the timeout HTTP Transaction occurs more than 5 times within 100 seconds, FortiWeb Cloud will take actions.

    Content-Scraping

    Enable to detect malicious tools that try to download large amounts of content such as text/html and application/xml from your web site. If the download activity occurs more than 100 times within 30 seconds, FortiWeb Cloud will take actions.

    Credential Based Brute Force

    Enable to block brute force attacks that try to obtain user credentials.

    To enable Credential Based Brute Force, Account Takeover must be enabled.

    Request URL

    The URL that you want to protect from brute force login.

    Here we only support Regular Expression Match. The value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash. For details, see Frequently used regular expressions.

    Only available when Credential Based Brute Force is enabled.

    Occurrence

    Within

    When the brute force login occurs more than a certain times in a certain time period, FortiWeb Cloud will periodically block the request. The Occurrence defines "how many times", while the Within (Seconds) defines the "time period".

    Only available when Credential Based Brute Force is enabled.

    Challenge

    You can select among:

    • Disable—Disables this option to not to challenge users when a rule is triggered.
    • Real Browser Enforcement—Specifies whether FortiWeb Cloud returns a JavaScript to the client to test whether it is a web browser or automated tool when it meets any of the specified conditions. If the client fails the test or does not return results in 20 seconds, FortiWeb Cloud applies specified actions. If the client appears to be a web browser, FortiWeb Cloud allows the client to exceed the action.
    • CAPTCHA Enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within 3 times or doesn't fulfill the request within 20 seconds, FortiWeb Cloud applies related actions and sends the CAPTCHA block page.

    Note: Configurable only when either of Crawler, Vulnerability Scanning, Slow Attack, or Content Scraping is enabled.

  3. Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.

    To configure the actions, you must first enable the Advanced Configuration in Global > Settings.

    note icon

    The default action for Threshold Based Detection is Period Block. It is not recommended to change this configuration.

    For Threshold Based Detection, Period Block is the most reasonable action to take. When the count of suspicious behaviors reaches the threshold and triggers the Period Block action, all the subsequent requests from the suspected IP address in the next 10 minutes will be blocked, while if the action is Alert & Deny or Deny (no log), only the request that hits the threshold will be denied, and the subsequent requests will be let go until the threshold count is hit again.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny(no log)

    Block the request (or reset the connection).

    Period Block

    Block subsequent requests from the client for 10 minutes.

  4. Click SAVE.

Threshold Based Detection

With the occurrence, time period, and severity of the following suspicious behaviors predefined, FortiWeb Cloud judges whether the request comes from a human or a bot.

  • Known Bad Bots
  • Known Search Engines
  • Crawler
  • Vulnerability Scanning
  • Slow Attack
  • Content Scraping
  • Credential Based Brute Force

To configure Threshold Based Detection:

  1. Go to BOT MITIGATION > Threshold Based Detection.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Configure these settings.

    Crawler

    Enable to detect web crawlers that are usually used to map out your application structure. If 403 and 404 response codes occur more than 100 times within 10 seconds, FortiWeb Cloud will take actions.

    Vulnerability Scanning

    Enable to detect tools that scan your application for vulnerabilities. If attack signatures are triggered more than 100 times within 10 seconds, FortiWeb Cloud will take actions.

    Slow-Attack

    Enable to detect automatic tools that try to go undetected by generating traffic in low thresholds. If the timeout HTTP Transaction occurs more than 5 times within 100 seconds, FortiWeb Cloud will take actions.

    Content-Scraping

    Enable to detect malicious tools that try to download large amounts of content such as text/html and application/xml from your web site. If the download activity occurs more than 100 times within 30 seconds, FortiWeb Cloud will take actions.

    Credential Based Brute Force

    Enable to block brute force attacks that try to obtain user credentials.

    To enable Credential Based Brute Force, Account Takeover must be enabled.

    Request URL

    The URL that you want to protect from brute force login.

    Here we only support Regular Expression Match. The value does not require a forward slash ( / ). However, ensure that it can match values that contain a forward slash. For details, see Frequently used regular expressions.

    Only available when Credential Based Brute Force is enabled.

    Occurrence

    Within

    When the brute force login occurs more than a certain times in a certain time period, FortiWeb Cloud will periodically block the request. The Occurrence defines "how many times", while the Within (Seconds) defines the "time period".

    Only available when Credential Based Brute Force is enabled.

    Challenge

    You can select among:

    • Disable—Disables this option to not to challenge users when a rule is triggered.
    • Real Browser Enforcement—Specifies whether FortiWeb Cloud returns a JavaScript to the client to test whether it is a web browser or automated tool when it meets any of the specified conditions. If the client fails the test or does not return results in 20 seconds, FortiWeb Cloud applies specified actions. If the client appears to be a web browser, FortiWeb Cloud allows the client to exceed the action.
    • CAPTCHA Enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within 3 times or doesn't fulfill the request within 20 seconds, FortiWeb Cloud applies related actions and sends the CAPTCHA block page.

    Note: Configurable only when either of Crawler, Vulnerability Scanning, Slow Attack, or Content Scraping is enabled.

  3. Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.

    To configure the actions, you must first enable the Advanced Configuration in Global > Settings.

    note icon

    The default action for Threshold Based Detection is Period Block. It is not recommended to change this configuration.

    For Threshold Based Detection, Period Block is the most reasonable action to take. When the count of suspicious behaviors reaches the threshold and triggers the Period Block action, all the subsequent requests from the suspected IP address in the next 10 minutes will be blocked, while if the action is Alert & Deny or Deny (no log), only the request that hits the threshold will be denied, and the subsequent requests will be let go until the threshold count is hit again.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny(no log)

    Block the request (or reset the connection).

    Period Block

    Block subsequent requests from the client for 10 minutes.

  4. Click SAVE.