CLI Reference

waf machine-learning-policy

Use this command to create machine learning policies and configure related policy settings.

Syntax

config waf machine-learning-policy
    edit <machine-learning-policy_id>
        set hmm-engine {enable | disable}
        set sample-collecting-mode {normal | fast}
        set sample-limit-by-ip <sample-limit-by-ip_int>
        set svm-model {xss | sql-injection | code-injection | command-injection | lfi-rfi | common-injection | remote-exploits}
        set strictness-level-quantile-potential
        set strictness-level-quantile-defnite
        set strictness-level-anomaly
        set automatic-refresh-model {enable | disable}
        set box-notch-count <box-notch-count_int>
        set boxplot-checking-interval <boxplot-checking-interval_int>
        set allow-method {enable | disable}
        set allow-method-exceptions {none others get post head options trace connect delete put patch webdav rpc}
        set action-anomaly {alert | alert_deny | block-period}
        set action-page-method {alert | alert_deny | block-period}
        set block-period-potential "<block-period-potential_int>"
        set trigger-potential "<policy_name>"
        set block-period-definitely "<block-period-definitely_int>"
        set severity-definitely {High | Info | Low | Medium}
        set trigger-definitely "<policy_name>"
        set block-period-page-method "<block-period-page-method_int>"
        set severity-page-method {High | Info | Low | Medium}
        set trigger-page-method "<policy_name>"
        set app-change-sensitivity {High | Low | Medium}
        set status {enable | disable}
        set ip-list-type {Trust | Black}
        set url-replacer-policy
        config allow-domain-name
            edit "<allow-domain-name_id>"
                set domain-name "<domain-name_str>"
                set domain-index "<domain-index_id>"
                set character-set {AUTO | ISO-8859-1 | ISO-8859-2 | ISO-8859-3 | ISO-8859-4 | ISO-8859-5 | ISO-8859-6 | ISO-8859-7 | ISO-8859-8 | ISO-8859-9 | ISO-8859-10 | ISO-8859-15 | GB2312 | BIG5 | ISO-2022-JP | ISO-2022-JP-2 | Shift-JIS | ISO-2022-KR | UTF-8}
            next
        end
        config source-ip-list
            edit "<source-ip-list_id>"
                set "<ip>"
            next
        end
    next
end
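The following is an added example, not Fortinet's code, that checks a set of machine-learning policy values against the ranges given in the variable table below and renders them as a CLI snippet in the nesting shown above. Two keywords are assumptions inferred from the variable names rather than taken from the page: the allow-domain-name sub-table keyword (from <allow-domain-name_id>) and the ip keyword inside source-ip-list (from <ip>). The sample policy values are constructed.

```python
"""Validate FortiWeb machine-learning policy settings against the documented
ranges and render them as a CLI snippet.

Added example, not Fortinet's code. The allow-domain-name sub-table keyword and
the `set ip` keyword are assumptions inferred from the variable names.
"""
from dataclasses import dataclass, field

# Inclusive integer ranges from the variable table.
INT_RANGES = {
    "sample-limit-by-ip": (0, 5000),
    "box-notch-count": (1, 3),
    "boxplot-checking-interval": (1, 15),
    "block-period-potential": (1, 3600),
    "block-period-definitely": (1, 3600),
    "block-period-page-method": (1, 3600),
}
# Inclusive float ranges from the variable table (keyword spelling as on the page).
FLOAT_RANGES = {
    "strictness-level-quantile-potential": (0.0, 1.0),
    "strictness-level-quantile-defnite": (0.0, 0.9),
    "strictness-level-anomaly": (0.1, 0.9),
}
ACTIONS = ("alert", "alert_deny", "block-period")
SEVERITIES = ("High", "Info", "Low", "Medium")


@dataclass
class MlPolicy:
    policy_id: int                      # 0-65535 per the table
    ints: dict = field(default_factory=dict)
    floats: dict = field(default_factory=dict)
    action_anomaly: str = "alert_deny"
    action_page_method: str = "alert_deny"
    severity_definitely: str = "High"
    ip_list_type: str = "Trust"         # Trust | Black
    domains: list = field(default_factory=list)     # [(id, "domain")]
    source_ips: list = field(default_factory=list)  # [(id, "ip or range")]


def validate(p: MlPolicy) -> list:
    """Return human-readable problems; an empty list means every value is in range."""
    problems = []
    if not 0 <= p.policy_id <= 65535:
        problems.append(f"policy id {p.policy_id} outside 0-65535")
    for table, values in ((INT_RANGES, p.ints), (FLOAT_RANGES, p.floats)):
        for key, val in values.items():
            if key not in table:
                problems.append(f"unknown setting {key}")
                continue
            lo, hi = table[key]
            if not lo <= val <= hi:
                problems.append(f"{key}={val} outside {lo}-{hi}")
    for key, val in (("action-anomaly", p.action_anomaly),
                     ("action-page-method", p.action_page_method)):
        if val not in ACTIONS:
            problems.append(f"{key}={val!r} not in {ACTIONS}")
    if p.severity_definitely not in SEVERITIES:
        problems.append(f"severity-definitely={p.severity_definitely!r} not in {SEVERITIES}")
    if p.ip_list_type not in ("Trust", "Black"):
        problems.append(f"ip-list-type={p.ip_list_type!r} must be Trust or Black")
    for did, _ in p.domains:
        if not 1 <= did <= 65535:
            problems.append(f"allow-domain-name id {did} outside 1-65535")
    return problems


def render(p: MlPolicy) -> str:
    """Render the policy as a FortiWeb CLI block; raises if validate() found problems."""
    problems = validate(p)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["config waf machine-learning-policy", f"    edit {p.policy_id}"]
    for key, val in {**p.ints, **p.floats}.items():
        lines.append(f"        set {key} {val}")
    lines += [
        f"        set action-anomaly {p.action_anomaly}",
        f"        set action-page-method {p.action_page_method}",
        f"        set severity-definitely {p.severity_definitely}",
        f"        set ip-list-type {p.ip_list_type}",
    ]
    if p.domains:
        lines.append("        config allow-domain-name")  # assumed sub-table keyword
        for did, name in p.domains:
            lines += [f"            edit {did}", f'                set domain-name "{name}"', "            next"]
        lines.append("        end")
    if p.source_ips:
        lines.append("        config source-ip-list")
        for sid, ip in p.source_ips:
            lines += [f"            edit {sid}", f'                set ip "{ip}"', "            next"]  # assumed keyword
        lines.append("        end")
    lines += ["    next", "end"]
    return "\n".join(lines)


# Constructed sample: block definite anomalies for two minutes, use a
# potential-anomaly quantile below the default, and learn only from a trusted
# internal range for one domain.
SAMPLE = MlPolicy(
    policy_id=1,
    ints={"sample-limit-by-ip": 50, "block-period-definitely": 120},
    floats={"strictness-level-quantile-potential": 0.2},
    action_anomaly="block-period",
    domains=[(1, "www.example.com")],
    source_ips=[(1, "10.0.0.0/8")],
)

if __name__ == "__main__":
    print(render(SAMPLE))
```

Running the script prints the rendered block; out-of-range values such as a block period above 3,600 seconds are reported by validate() before anything is rendered, which is the check worth running before pasting a policy into a device.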


Variable / Description / Default

machine-learning-policy_id
    Enter the ID of the machine learning policy. It is the number displayed in the "#" column of the machine learning policy table on the Machine Learning Policy page. The valid range is 0–65,535.
    Default: none

hmm-engine {enable | disable}
    Enable to monitor access to the application and collect data to build a mathematical model behind every parameter.
    Default: enable

sample-collecting-mode {normal | fast}
    normal: up to 5,000 samples are collected to build a machine learning model for the parameter.
    fast: up to 2,500 samples are collected to build a machine learning model for the parameter.
    Default: normal

sample-limit-by-ip <sample-limit-by-ip_int>
    The maximum number of samples collected from each IP. The valid range is 0–5,000.
    Default: 30

svm-model {xss | sql-injection | code-injection | command-injection | lfi-rfi | common-injection | remote-exploits}
    Enable or disable the threat models for different types of threats such as cross-site scripting, SQL injection and code injection. Currently, seven trained Support Vector Machine models are provided, one for each of the seven attack types.
    Default: enable

strictness-level-quantile-potential
    Enter the threshold value. The valid range is 0–1. The higher the threshold, the more anomalies are triggered.
    Default: 0.3

strictness-level-quantile-defnite
    Enter the threshold value. The valid range is 0–0.9. The higher the threshold, the more anomalies are triggered.
    Default: 0.1

strictness-level-anomaly
    Enter the value for the strictness level. The valid range is 0.1–0.9. The higher the value, the more definite anomalies are triggered.
    Default: 0.1

automatic-refresh-model {enable | disable}
    Enable to let the system relearn the argument related to the HMM model.
    Default: enable

box-notch-count <box-notch-count_int>
    This option appears when you enable Dynamically update when parameters change. If this many newly generated boxplots do not overlap with any of the sample boxplots, FortiWeb automatically updates the machine learning model. The valid range is 1–3.
    Default: 2

boxplot-checking-interval <boxplot-checking-interval_int>
    The interval at which a boxplot is collected after the parameter model changes to Running status. The valid range is 1–15 minutes.
    Default: 15

allow-method {enable | disable}
    Enable to let the system learn and verify the HTTP method.
    Default: enable

allow-method-exceptions {none others get post head options trace connect delete put patch webdav rpc}
    Select the HTTP request methods that are allowed to access the URL.
    Default: head, options

action-anomaly {alert | alert_deny | block-period}
    Choose the action FortiWeb takes when a definite attack is verified.
    alert—Accepts the connection and generates an alert email and/or log message.
    alert_deny—Blocks the request (or resets the connection) and generates an alert and/or log message.
    block-period—Blocks the request for a certain period of time.
    Default: alert_deny

action-page-method {alert | alert_deny | block-period}
    Choose the action FortiWeb takes when an HTTP method violation is verified.
    alert—Accepts the connection and generates an alert email and/or log message.
    alert_deny—Blocks the request (or resets the connection) and generates an alert and/or log message.
    block-period—Blocks the request for a certain period of time.
    Default: alert_deny

block-period-potential "<block-period-potential_int>"
    Enter the number of seconds for which the requests are blocked. The valid range is 1–3,600 seconds. This option only takes effect when you choose Period Block in Action.
    Default: 60

severity-definitely {High | Info | Low | Medium}
    Select the severity level for this anomaly type. The severity level is displayed in the alert email and/or log message.
    Default: High

trigger-definitely "<policy_name>"
    Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If a definite anomaly is detected, the system sends email and/or log messages according to the trigger policy.
    Default: none

block-period-definitely "<block-period-definitely_int>"
    Enter the number of seconds for which the requests are blocked. The valid range is 1–3,600 seconds. This option only takes effect when you choose Period Block in Action.
    Default: 60

block-period-page-method "<block-period-page-method_int>"
    Enter the number of seconds for which the requests are blocked. The valid range is 1–3,600 seconds. This option only takes effect when you choose Period Block in Action.
    Default: 60

severity-page-method {High | Info | Low | Medium}
    Select the severity level for this anomaly type. The severity level is displayed in the alert email and/or log message.
    Default: High

trigger-page-method "<policy_name>"
    Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If an HTTP Method Violation is detected, the system sends email and/or log messages according to the trigger policy.
    Default: none

app-change-sensitivity {High | Low | Medium}
    This option appears when you enable Dynamically update when parameters change.
    Low—The system triggers a model update only when the entire data distribution area (from the maximum value to the minimum value, that is, the entire area containing all the data) of the new boxplot has no overlap with that of the sample boxplots.
    Medium—The system triggers a model update if the notch area (the median rectangular area of the boxplot where most of the data is located) of the new boxplot has no overlap with the entire data distribution areas of the sample boxplots.
    High—The system triggers a model update as soon as the notch area of the new boxplot has no overlap with the notch areas of the sample boxplots.
    Default: none

status {enable | disable}
    Enable to set the status to Running; disable to set it to Stopped.
    Default: enable

url-replacer-policy
    Select the name of the URL Replacer Policy that you have created in Machine Learning Templates. If web applications have dynamic URLs or unusual parameter styles, you must use a URL Replacer Policy so that they are recognized.
    Default: none

trigger-potential "<policy_name>"
    Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If a potential anomaly is detected, the system sends email and/or log messages according to the trigger policy.

"<allow-domain-name_id>"
    Enter the ID of the domain entry. The valid range is 1–65,535.
    Default: none

ip-list-type {Trust | Black}
    Allow or deny sample collection from the Source IP list.
    Default: Trust

domain-name "<domain-name_str>"
    Add a full domain name, or use the wildcard '*' to cover multiple domains under one profile.
    Default: none

domain-index "<domain-index_id>"
    The number automatically assigned by the system when the domain name is created.
    Default: none

character-set {AUTO | ISO-8859-1 | ISO-8859-2 | ISO-8859-3 | ISO-8859-4 | ISO-8859-5 | ISO-8859-6 | ISO-8859-7 | ISO-8859-8 | ISO-8859-9 | ISO-8859-10 | ISO-8859-15 | GB2312 | BIG5 | ISO-2022-JP | ISO-2022-JP-2 | Shift-JIS | ISO-2022-KR | UTF-8}
    The character encoding to use when manually setting the domain.
    Default: none

"<source-ip-list_id>"
    Enter the ID of the source IP entry. The valid range is 1–9,223,372,036,854,775,807.
    Default: none

"<ip>"
    Enter the IP range for the source IP list.
    Default: none
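The box-notch-count and app-change-sensitivity entries above describe a small decision procedure: compare each newly generated boxplot with the sample boxplots under one of three overlap rules, and refresh the model once enough new boxplots are disjoint from all of them. The following is an added example that encodes those rules as the reference states them; it is not FortiWeb's implementation. It assumes the box-notch-count condition applies to the most recent newly generated boxplots, and every boxplot value in it is constructed.

```python
"""Model-refresh decision for 'Dynamically update when parameters change'.

Added example, not FortiWeb's implementation. It encodes the three
app-change-sensitivity rules and the box-notch-count condition as the
reference describes them. Assumption: the box-notch-count rule is applied to
the most recent newly generated boxplots. All boxplot values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BoxPlot:
    low: float         # minimum observed value
    notch_low: float   # lower edge of the notch (median area holding most data)
    notch_high: float  # upper edge of the notch
    high: float        # maximum observed value

    def __post_init__(self):
        if not self.low <= self.notch_low <= self.notch_high <= self.high:
            raise ValueError("boxplot edges must be ordered low <= notch <= high")


def _overlaps(a_lo, a_hi, b_lo, b_hi):
    """True when the closed intervals [a_lo, a_hi] and [b_lo, b_hi] share a point."""
    return a_lo <= b_hi and b_lo <= a_hi


def is_disjoint(new: BoxPlot, sample: BoxPlot, sensitivity: str) -> bool:
    """Apply one app-change-sensitivity rule to a new boxplot and one sample boxplot."""
    if sensitivity == "Low":      # whole new range vs whole sample range
        return not _overlaps(new.low, new.high, sample.low, sample.high)
    if sensitivity == "Medium":   # new notch vs whole sample range
        return not _overlaps(new.notch_low, new.notch_high, sample.low, sample.high)
    if sensitivity == "High":     # new notch vs sample notch
        return not _overlaps(new.notch_low, new.notch_high, sample.notch_low, sample.notch_high)
    raise ValueError(f"unknown sensitivity {sensitivity!r}")


def should_refresh(new_boxplots, sample_boxplots, sensitivity="Medium", box_notch_count=2) -> bool:
    """True when the last box_notch_count new boxplots each fail to overlap every sample boxplot."""
    if not 1 <= box_notch_count <= 3:
        raise ValueError("box-notch-count must be 1-3")
    recent = new_boxplots[-box_notch_count:]
    if len(recent) < box_notch_count:
        return False   # not enough new boxplots collected yet
    return all(all(is_disjoint(nb, sb, sensitivity) for sb in sample_boxplots) for nb in recent)


# Constructed data: sample boxplots of a parameter's value length during learning,
# then boxplots observed after the application changed.
SAMPLES = [BoxPlot(1, 4, 6, 10), BoxPlot(2, 5, 7, 12)]
SHIFTED = [BoxPlot(11, 13, 15, 20), BoxPlot(12, 14, 16, 22)]   # distribution clearly moved
PARTIAL = BoxPlot(8, 9, 11, 14)                                # notch straddles the old range edge

if __name__ == "__main__":
    for level in ("Low", "Medium", "High"):
        print(level, should_refresh(SHIFTED, SAMPLES, level),
              should_refresh([PARTIAL, SHIFTED[0]], SAMPLES, level))
```

The constructed data shows why the setting matters: the SHIFTED boxplots still touch the edge of one sample range, so Low never refreshes while Medium and High do, and a boxplot whose notch only partly leaves the old range (PARTIAL) refreshes under High but not under Medium. A lower sensitivity therefore tolerates more drift before the learned model is replaced.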
