Utilizing FortiView to reduce false positives

Legitimate traffic can be detected as an attack when the thresholds in the security rules are set inappropriately. Even regular users can trigger the rules because of the nature of some web pages: on a stock list page, for example, users tend to refresh frequently and can therefore be identified as bots.

To avoid blocking legitimate traffic, it is recommended to check the attack statistics in FortiView regularly. FortiView provides deep insight into the attack information and helps you identify false positives.

For example, if the attacks originate from many different source IPs but all affect the same URL, they might be false positives: the nature of the web page itself may cause regular traffic to behave like an attack. You can investigate by clicking source IPs on the Threat by Source IPs page. If the URLs tab of many source IPs shows the same URL, consider whether these detections are false positives.

If the false positives are of the Known Attacks type, click Add Exception beside the signature ID. Traffic to that URL will no longer be treated as an attack even if it matches the signature.

If the false positives are of other types, edit the corresponding security rules to add this URL as an exception.
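The "many source IPs, one URL" heuristic above can be applied offline to exported attack records before you confirm anything in FortiView. The following is an added example, not Fortinet code; the event records are constructed for illustration and do not reproduce the FortiWeb log format, and the threshold of five distinct sources is an assumed tuning value.

```python
from collections import defaultdict

# Constructed sample attack-log records (illustrative only, not real FortiWeb
# log output): one record per detected attack.
SAMPLE_EVENTS = [
    # Six different clients refreshing the same stock list page, each flagged
    # by the same bot-detection rule: the shape of a likely false positive.
    *[{"src": f"198.51.100.{i}", "url": "/stocks/list", "type": "Bot Detection"}
      for i in range(1, 7)],
    # One client probing several URLs with known-attack signatures: looks like
    # a genuine scan, not a false positive.
    *[{"src": "203.0.113.7", "url": u, "type": "Known Attacks"}
      for u in ("/admin", "/wp-login.php", "/cgi-bin/test", "/etc/passwd")],
]


def triage_by_url(events, min_distinct_sources=5):
    """Group attack events by URL and flag URLs hit from many distinct sources.

    A URL that many unrelated source IPs "attack" in the same way is the
    pattern the guide describes as a false-positive candidate worth review.
    """
    sources = defaultdict(set)
    types = defaultdict(set)
    events_per_url = defaultdict(int)
    for ev in events:
        sources[ev["url"]].add(ev["src"])
        types[ev["url"]].add(ev["type"])
        events_per_url[ev["url"]] += 1
    summary = {}
    for url, srcs in sources.items():
        summary[url] = {
            "distinct_sources": len(srcs),
            "events": events_per_url[url],
            "attack_types": sorted(types[url]),
            "fp_candidate": len(srcs) >= min_distinct_sources,
        }
    return summary


def suggest_action(url_summary):
    """Map a URL summary to the remediation path the guide describes."""
    if not url_summary["fp_candidate"]:
        return "keep blocking; review source IP activity"
    if "Known Attacks" in url_summary["attack_types"]:
        return "Add Exception beside the signature ID"
    return "edit the matching security rule to add this URL as an exception"


if __name__ == "__main__":
    for url, s in triage_by_url(SAMPLE_EVENTS).items():
        print(f"{url}: {s['distinct_sources']} sources -> {suggest_action(s)}")
```

Flagged URLs are only candidates: confirm in FortiView that the source IPs are unrelated regular clients before adding an exception.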

The method described above is just one example. Explore further ways to use FortiView for false positive investigation.