waf machine-learning-policy

Variable	Description	Default
<machine-learning-policy_id>	Enter the ID of the machine learning policy. It's the number displayed in the "#" column of the machine learning policy table on the Machine Learning Policy page. The valid range is 0–65535.	`No default`
sample-collecting-mode {normal \| extended}	When a sample is collected, the system generalized it into a pattern. For example, “abcd_123@abc.com” and “abcdefgecdf_12345678@efg.com” will both be generalized to the pattern “A_N@A.A”. The anomaly detection model is built based on the patterns, not the raw samples. `Extended`: In Extended mode, it's required to also set the learning time. In extended mode at least 2500 samples will be collected and the sample collection period lasts for the specified weeks. For example, if you choose extended mode and set 1 week, the system stops collecting samples after 1 week if at least 2500 samples are collected by then, or continues collecting samples after 1 week until 2500 samples are collected. `Normal`:In Normal mode, the system builds an `initial` model when the sample count reaches `start-min-count`. The system runs the initial model to detect anomalies, while it keeps collecting more samples to refine it. Once the number of samples accumulates to `switch-min-count`, the system uses `switch-percent` to evaluate whether the patterns vary largely since the initial model is built (`switch-percent` = the number of generalized patterns / the number of raw samples * 100%). If the `switch-percent` is smaller than the set value, it indicates the patterns are stable and it's less likely to generalize more patterns afterward, so the system will switch the initial model to a `standard` model. If the `switch-percent` is larger than the set value, it indicates more patterns tend to be generalized, so the system will keep collecting more samples. It won't switch to `standard` model until the actual switch-percent becomes smaller than the set value. Whether in `extended` or `normal` mode, the system keeps refining the model even after it's in running status. You can set `renovate-short-time` and `renovate-long-time` to define the model updating frequency.	`Normal`
start-min-count <start-min-count _int>	An initial model will be built if the sample count reaches `start-min-count`. For more information, see the description for `Normal` mode in sample-collecting-mode {normal \| extended}. The valid range is 200 to 1000. Available only when `sample-collecting-mode` is `normal`.	`400`
switch-min-count <switch-min-count_int>	When the number of samples reaches `switch-min-count`, FortiWeb will evaluate whether to build a standard model. For more information, see the description for `Normal` mode in sample-collecting-mode {normal \| extended}. The valid range is 800 to 3000. Available only when `sample-collecting-mode` is `normal`.	`1200`
switch-percent <switch-percent_int>	`switch-percent` = the number of generalized patterns / the number of raw samples * 100 (%) When the `switch-percent` is smaller than the value you set, FortiWeb switches the initial model to a standard model. For more information, see the description for Normal mode in sample-collecting-mode {normal \| extended}. The valid range is 2 to 20. Available only when `sample-collecting-mode` is `normal`.	`5(%)`
learning-time <the-number-of-weeks>	If you set the `sample-collecting-mode` to `extended`, it's required to set the learning time so that the sample collection period will last for at least the specified weeks. Available only when `sample-collecting-mode` is `extended`.	`No default`
denoise-percent <denoise-percent_int>	It's important to reduce the noisy samples in order to build an accurate model. During the sample collecting period, the system ranks all the samples by their probabilities. The ones with the lowest probabilities will be selected as noisy reduction samples, and will be filtered further with `denoise-threshold` to determine whether it is a noise. For example, if you set `denoise-percent` to 3, then the 3% samples with the lowest probabilities will be selected as noisy reduction samples. The valid range is 1 to 10.	3 (%)
denoise-threshold <denoise-threshold_int>	The system uses the following formula to determine whether the noisy reduction samples are indeed noises: The probability of the sample > μ + `denoise-threshold` * σ. μ is the average probabilities of the noisy samples. σ is the denoise standard deviation. Assume there is a circle with most of the samples crowded in the center, and several samples scattered around the edge of the circle. If the probability of the sample is larger than the value of "μ + the strictness level * σ", it means this sample is scattered far away from the center cluster. It indicates this sample might be an anomaly, i.e. a noise. If you set the `denoise-threshold` larger, it means the system tolerates a longer distance that a sample is scattered from the center cluster. In this way, less samples will be treated as noises. If you want to identify more samples as noises, set the `denoise-threshold` smaller. The valid range is 1 to 10.	2
renovate-short-time <renovate-short-time_int>	The system keeps refining the model even after it's in running status. With more samples collected to train the model, it's performance gets better and better. `renovate-short-time` defines how frequently FortiWeb updates the model if new patterns keep coming in. The valid range is 15 to 1440.	15 (minutes)
renovate-long-time <renovate-long-time_int>	`renovate-long-time` defines how frequently FortiWeb updates the model even if no new pattern is generalized out of the samples collected in the past hours. For example, assuming you set the value to 8 (hours), and in the past 8 hours there isn't any new pattern, FortiWeb will update the model every 8 hours anyway. The valid range is 8 to 720. Note: Unlike automatic-refresh-model {enable \| disable} which triggers the system to discard all the previously collected samples and rebuilds the model with new samples, the `renovate-short-time` and `renovate-long-time` trigger the system to refine the model based on the existing ones.	8 (hours)
pattern-expire-days <pattern-expire-days_int>	`pattern-expire-days` defines how many days past until a pattern is expired. For example, if you set it to 30, then 30 days after a pattern is generalized, FortiWeb will delete all the samples related with this pattern. The valid range is 0 to 366. 0 means there is no expiration time for patterns.	30
sample-limit-by-ip <sample-limit-by-ip_int>	The limitation number of samples collected from each IP. The valid range is 0–5000.	`30`
threat-model {enable \| disable}	Enable to scan anomalies to verify whether they are attacks. It provides a method to check whether an anomaly is a real attack by the trained Support Vector Machine Model.	`enable`
svm-model {xss \| sql-injection \| code-injection \| command-injection \| lfi-rfi \| common-injection \| remote-exploits}	Enable or disable threat models for different types of threats such as cross-site scripting, SQL injection and code injection. Currently, seven trained Support Vector Machine Model are provided for seven attack types.	`enable`
svm-type {standard \| extended}	If `standard` is selected, the system automatically disables the svm models which can easily trigger false positives. If `extended` is selected, the system enables all svm models.	`standard`
anomaly-detection-threshold <anomaly-detection-threshold_int>	The value of the anomaly-detection-threshold ranges from 1 to 10. The system uses the following formula to calculate the anomaly threshold: *The probability of the anomaly > μ + the strictness level σ** If the probability of the sample is larger than the value of "μ + the strictness level * σ", this sample will be identified as anomaly. μ and σ are calculated based on the probabilities of all the samples collected during the sample collection period, where μ is the average value of all the parameters' probabilities, σ is the standard deviation. They are fixed values. So, the value of "μ + the strictness level * σ" varies with the strictness level you set. The smaller the value of the strictness level is, the more strict the anomaly detection model will be. This option sets a global value for all the parameters. If you want to adjust the strictness level for a specific parameter, See Manage anomaly-detecting settings.	`0.1`
automatic-refresh-model {enable \| disable}	Enable to let the system to relearn the argument related to the HMM model.	`enable`
box-notch-count <box-notch-count_int>	This option appears when you enable Dynamically update when parameters change. The default value is 2, which means if 2 newly generated boxplots don't overlap with any one of the sample boxplots, FortiWeb automatically updates the machine learning model. You can set a value from 1 to 2. Note: If `normal` is selected in sample-collecting-mode {normal \| extended}, the `box-notch-count` does not take effect until the standard model is running.	`2`
boxplot-checking-interval <boxplot-checking-interval_int>	The interval to collect a boxplot after the parameter model changes to running status. The valid range is 1–15 minutes.	`15`
parameters-limit-per-conn {enable \| disable}	Enable to avoid collecting samples solely for the parameters in the same connection. The anomaly detection will be more effective if the system builds machine learning models for parameters diversely distributed in different connections.	`enable`
action-anomaly {alert \| alert_deny \| block-period}	Choose the action FortiWeb takes when definite attack is verified. `alert`—Accepts the connection and generates an alert email and/or log message. `alert_deny`—Blocks the request (or resets the connection) and generates an alert and/or log message. `block-period`—Blocks the request for a certain period of time.	`alert_deny`
block-period-anomaly <block-period_int>	Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds. This option only takes effect when you choose Period Block in Action.	`600`
severity-definitely {High \| Info \| Low \| Medium}	Select the severity level for this anomaly type. The severity level will be displayed in the alert email and/or log message.	`High`
trigger-definitely <policy_name>	Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If definite anomaly is detected, it will trigger the system to send email and/or log messages according to the trigger policy.	No default.
app-change-sensitivity {High \| Low \| Medium}	This option appears when you enable Dynamically update when parameters change. Low—The system triggers model update only when the entire data distribution area (from the maximum value to the minimum value, that is, the entire area containing all the data) of the new boxplot doesn't have any overlapping part with that of the sample boxplots. Medium—The system triggers model update if the notch area (the median rectangular area in the boxplot where most of the data is located) of the new boxplot doesn't have any overlapping part with the entire data distribution areas of the sample boxplots. High—The system triggers model update as long as the notch area of the new boxplot doesn't have any overlapping part with that of the sample boxplots.	No default.
status {enable \| disable}	Enable to change the status to Running, while disable to change the status to Stopped.	`enable`
url-replacer-policy <policy_name>	Select the name of the URL Replacer Policy that you have created in Machine Learning Templates. If web applications have dynamic URLs or unusual parameter styles, you must adapt URL Replacer Policy to recognize them.	No default.
trigger-potential <policy_name>	Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If potential anomaly is detected, it will trigger the system to send email and/or log messages according to the trigger policy.
<allow-domain-name_id>	Enter the ID of the policy. The valid range is 1–65,535.	No default.
ip-list-type {Trust \| Black}	Allow or deny sample collection from the Source IP list.	`Trust`
domain-name <domain-name_str>	Add full domain name or use wildcard '*' to cover multiple domains under one profile.	No default.
domain-index <domain-index_id>	The number automatically assigned by the system when the domain name is created.	No default.
character-set {AUTO \| ISO-8859-1 \| ISO-8859-2 \| ISO-8859-3 \| ISO-8859-4 \| ISO-8859-5 \| ISO-8859-6 \| ISO-8859-7 \| ISO-8859-8 \| ISO-8859-9 \| ISO-8859-10 \| ISO-8859-15 \| GB2312 \| BIG5 \| ISO-2022-JP \| ISO-2022-JP-2 \| Shift-JIS \| ISO-2022-KR \| UTF-8}	The corresponding character code when manually setting the domain.	No default.
<source-ip-list_id>	Enter the ID of the source IP. The valid range is 1–9,223,372,036,854,775,807	No default.
<ip>	Enter the IP range for the source IP list.	No default.

waf machine-learning-policy

Use this command to create machine learning policies and configure related policy settings.

Syntax

config waf machine-learning-policy

edit <machine-learning-policy_id>

setsample-collecting-mode {normal | extended}

set start-min-count <start-min-count _int>

set switch-min-count <switch-min-count_int>

set switch-percent <switch-percent_int>

set learning-time <the-number-of-weeks>

set denoise-percent <denoise-percent_int>

set denoise-threshold <denoise-threshold_int>

set renovate-short-time <renovate-short-time_int>

set waf machine-learning-policy

set pattern-expire-days <pattern-expire-days_int>

set sample-limit-by-ip <sample-limit-by-ip_int>

set svm-model {xss | sql-injection | code-injection | command-injection | lfi-rfi | common-injection | remote-exploits}

set svm-type {standard | extended}

set anomaly-detection-threshold <anomaly-detection-threshold_int>

set automatic-refresh-model {enable | disable}

set box-notch-count <box-notch-count_int>

set boxplot-checking-interval <boxplot-checking-interval_int>

set action-anomaly {alert | alert_deny | block-period}

set block-period-anomaly <block-period_int>

set severity-definitely {High | Info | Low | Medium}

set trigger-definitely <policy_name>

set app-change-sensitivity {High | Low | Medium}

set status {enable | disable}

set ip-list-type {Trust | Black}

set url-replacer-policy <policy_name>

set threat-model {enable | disable}

set parameters-limit-per-conn {enable | disable}

set anomaly-detection-threshold <anomaly-detection-threshold_int>

config waf machine-learning-policy

edit <allow-domain-name_id>

set domain-name <domain-name_str>

set domain-index <domain-index_id>

end

config source-ip-list

edit <source-ip-list_id>

set <ip>

end

Variable	Description	Default
<machine-learning-policy_id>	Enter the ID of the machine learning policy. It's the number displayed in the "#" column of the machine learning policy table on the Machine Learning Policy page. The valid range is 0–65535.	`No default`
sample-collecting-mode {normal \| extended}	When a sample is collected, the system generalized it into a pattern. For example, “abcd_123@abc.com” and “abcdefgecdf_12345678@efg.com” will both be generalized to the pattern “A_N@A.A”. The anomaly detection model is built based on the patterns, not the raw samples. `Extended`: In Extended mode, it's required to also set the learning time. In extended mode at least 2500 samples will be collected and the sample collection period lasts for the specified weeks. For example, if you choose extended mode and set 1 week, the system stops collecting samples after 1 week if at least 2500 samples are collected by then, or continues collecting samples after 1 week until 2500 samples are collected. `Normal`:In Normal mode, the system builds an `initial` model when the sample count reaches `start-min-count`. The system runs the initial model to detect anomalies, while it keeps collecting more samples to refine it. Once the number of samples accumulates to `switch-min-count`, the system uses `switch-percent` to evaluate whether the patterns vary largely since the initial model is built (`switch-percent` = the number of generalized patterns / the number of raw samples * 100%). If the `switch-percent` is smaller than the set value, it indicates the patterns are stable and it's less likely to generalize more patterns afterward, so the system will switch the initial model to a `standard` model. If the `switch-percent` is larger than the set value, it indicates more patterns tend to be generalized, so the system will keep collecting more samples. It won't switch to `standard` model until the actual switch-percent becomes smaller than the set value. Whether in `extended` or `normal` mode, the system keeps refining the model even after it's in running status. You can set `renovate-short-time` and `renovate-long-time` to define the model updating frequency.	`Normal`
start-min-count <start-min-count _int>	An initial model will be built if the sample count reaches `start-min-count`. For more information, see the description for `Normal` mode in sample-collecting-mode {normal \| extended}. The valid range is 200 to 1000. Available only when `sample-collecting-mode` is `normal`.	`400`
switch-min-count <switch-min-count_int>	When the number of samples reaches `switch-min-count`, FortiWeb will evaluate whether to build a standard model. For more information, see the description for `Normal` mode in sample-collecting-mode {normal \| extended}. The valid range is 800 to 3000. Available only when `sample-collecting-mode` is `normal`.	`1200`
switch-percent <switch-percent_int>	`switch-percent` = the number of generalized patterns / the number of raw samples * 100 (%) When the `switch-percent` is smaller than the value you set, FortiWeb switches the initial model to a standard model. For more information, see the description for Normal mode in sample-collecting-mode {normal \| extended}. The valid range is 2 to 20. Available only when `sample-collecting-mode` is `normal`.	`5(%)`
learning-time <the-number-of-weeks>	If you set the `sample-collecting-mode` to `extended`, it's required to set the learning time so that the sample collection period will last for at least the specified weeks. Available only when `sample-collecting-mode` is `extended`.	`No default`
denoise-percent <denoise-percent_int>	It's important to reduce the noisy samples in order to build an accurate model. During the sample collecting period, the system ranks all the samples by their probabilities. The ones with the lowest probabilities will be selected as noisy reduction samples, and will be filtered further with `denoise-threshold` to determine whether it is a noise. For example, if you set `denoise-percent` to 3, then the 3% samples with the lowest probabilities will be selected as noisy reduction samples. The valid range is 1 to 10.	3 (%)
denoise-threshold <denoise-threshold_int>	The system uses the following formula to determine whether the noisy reduction samples are indeed noises: The probability of the sample > μ + `denoise-threshold` * σ. μ is the average probabilities of the noisy samples. σ is the denoise standard deviation. Assume there is a circle with most of the samples crowded in the center, and several samples scattered around the edge of the circle. If the probability of the sample is larger than the value of "μ + the strictness level * σ", it means this sample is scattered far away from the center cluster. It indicates this sample might be an anomaly, i.e. a noise. If you set the `denoise-threshold` larger, it means the system tolerates a longer distance that a sample is scattered from the center cluster. In this way, less samples will be treated as noises. If you want to identify more samples as noises, set the `denoise-threshold` smaller. The valid range is 1 to 10.	2
renovate-short-time <renovate-short-time_int>	The system keeps refining the model even after it's in running status. With more samples collected to train the model, it's performance gets better and better. `renovate-short-time` defines how frequently FortiWeb updates the model if new patterns keep coming in. The valid range is 15 to 1440.	15 (minutes)
renovate-long-time <renovate-long-time_int>	`renovate-long-time` defines how frequently FortiWeb updates the model even if no new pattern is generalized out of the samples collected in the past hours. For example, assuming you set the value to 8 (hours), and in the past 8 hours there isn't any new pattern, FortiWeb will update the model every 8 hours anyway. The valid range is 8 to 720. Note: Unlike automatic-refresh-model {enable \| disable} which triggers the system to discard all the previously collected samples and rebuilds the model with new samples, the `renovate-short-time` and `renovate-long-time` trigger the system to refine the model based on the existing ones.	8 (hours)
pattern-expire-days <pattern-expire-days_int>	`pattern-expire-days` defines how many days past until a pattern is expired. For example, if you set it to 30, then 30 days after a pattern is generalized, FortiWeb will delete all the samples related with this pattern. The valid range is 0 to 366. 0 means there is no expiration time for patterns.	30
sample-limit-by-ip <sample-limit-by-ip_int>	The limitation number of samples collected from each IP. The valid range is 0–5000.	`30`
threat-model {enable \| disable}	Enable to scan anomalies to verify whether they are attacks. It provides a method to check whether an anomaly is a real attack by the trained Support Vector Machine Model.	`enable`
svm-model {xss \| sql-injection \| code-injection \| command-injection \| lfi-rfi \| common-injection \| remote-exploits}	Enable or disable threat models for different types of threats such as cross-site scripting, SQL injection and code injection. Currently, seven trained Support Vector Machine Model are provided for seven attack types.	`enable`
svm-type {standard \| extended}	If `standard` is selected, the system automatically disables the svm models which can easily trigger false positives. If `extended` is selected, the system enables all svm models.	`standard`
anomaly-detection-threshold <anomaly-detection-threshold_int>	The value of the anomaly-detection-threshold ranges from 1 to 10. The system uses the following formula to calculate the anomaly threshold: *The probability of the anomaly > μ + the strictness level σ** If the probability of the sample is larger than the value of "μ + the strictness level * σ", this sample will be identified as anomaly. μ and σ are calculated based on the probabilities of all the samples collected during the sample collection period, where μ is the average value of all the parameters' probabilities, σ is the standard deviation. They are fixed values. So, the value of "μ + the strictness level * σ" varies with the strictness level you set. The smaller the value of the strictness level is, the more strict the anomaly detection model will be. This option sets a global value for all the parameters. If you want to adjust the strictness level for a specific parameter, See Manage anomaly-detecting settings.	`0.1`
automatic-refresh-model {enable \| disable}	Enable to let the system to relearn the argument related to the HMM model.	`enable`
box-notch-count <box-notch-count_int>	This option appears when you enable Dynamically update when parameters change. The default value is 2, which means if 2 newly generated boxplots don't overlap with any one of the sample boxplots, FortiWeb automatically updates the machine learning model. You can set a value from 1 to 2. Note: If `normal` is selected in sample-collecting-mode {normal \| extended}, the `box-notch-count` does not take effect until the standard model is running.	`2`
boxplot-checking-interval <boxplot-checking-interval_int>	The interval to collect a boxplot after the parameter model changes to running status. The valid range is 1–15 minutes.	`15`
parameters-limit-per-conn {enable \| disable}	Enable to avoid collecting samples solely for the parameters in the same connection. The anomaly detection will be more effective if the system builds machine learning models for parameters diversely distributed in different connections.	`enable`
action-anomaly {alert \| alert_deny \| block-period}	Choose the action FortiWeb takes when definite attack is verified. `alert`—Accepts the connection and generates an alert email and/or log message. `alert_deny`—Blocks the request (or resets the connection) and generates an alert and/or log message. `block-period`—Blocks the request for a certain period of time.	`alert_deny`
block-period-anomaly <block-period_int>	Enter the number of seconds that you want to block the requests. The valid range is 1–3,600 seconds. This option only takes effect when you choose Period Block in Action.	`600`
severity-definitely {High \| Info \| Low \| Medium}	Select the severity level for this anomaly type. The severity level will be displayed in the alert email and/or log message.	`High`
trigger-definitely <policy_name>	Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If definite anomaly is detected, it will trigger the system to send email and/or log messages according to the trigger policy.	No default.
app-change-sensitivity {High \| Low \| Medium}	This option appears when you enable Dynamically update when parameters change. Low—The system triggers model update only when the entire data distribution area (from the maximum value to the minimum value, that is, the entire area containing all the data) of the new boxplot doesn't have any overlapping part with that of the sample boxplots. Medium—The system triggers model update if the notch area (the median rectangular area in the boxplot where most of the data is located) of the new boxplot doesn't have any overlapping part with the entire data distribution areas of the sample boxplots. High—The system triggers model update as long as the notch area of the new boxplot doesn't have any overlapping part with that of the sample boxplots.	No default.
status {enable \| disable}	Enable to change the status to Running, while disable to change the status to Stopped.	`enable`
url-replacer-policy <policy_name>	Select the name of the URL Replacer Policy that you have created in Machine Learning Templates. If web applications have dynamic URLs or unusual parameter styles, you must adapt URL Replacer Policy to recognize them.	No default.
trigger-potential <policy_name>	Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. If potential anomaly is detected, it will trigger the system to send email and/or log messages according to the trigger policy.
<allow-domain-name_id>	Enter the ID of the policy. The valid range is 1–65,535.	No default.
ip-list-type {Trust \| Black}	Allow or deny sample collection from the Source IP list.	`Trust`
domain-name <domain-name_str>	Add full domain name or use wildcard '*' to cover multiple domains under one profile.	No default.
domain-index <domain-index_id>	The number automatically assigned by the system when the domain name is created.	No default.
character-set {AUTO \| ISO-8859-1 \| ISO-8859-2 \| ISO-8859-3 \| ISO-8859-4 \| ISO-8859-5 \| ISO-8859-6 \| ISO-8859-7 \| ISO-8859-8 \| ISO-8859-9 \| ISO-8859-10 \| ISO-8859-15 \| GB2312 \| BIG5 \| ISO-2022-JP \| ISO-2022-JP-2 \| Shift-JIS \| ISO-2022-KR \| UTF-8}	The corresponding character code when manually setting the domain.	No default.
<source-ip-list_id>	Enter the ID of the source IP. The valid range is 1–9,223,372,036,854,775,807	No default.
<ip>	Enter the IP range for the source IP list.	No default.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

CLI Reference

waf machine-learning-policy

waf machine-learning-policy

Syntax

Related Topics

waf machine-learning-policy

waf machine-learning-policy

Syntax

Related Topics