waf threshold-based-detection
Use this command to configure threshold-based detection rules, which define the occurrence count, time period, severity, and trigger policy for each of the following suspicious behaviors. FortiWeb uses these thresholds to judge whether a request comes from a human or a bot.
- Crawler
- Vulnerability Scanning
- Slow Attack
- Content Scraping
- Illegal User Scan
Syntax
```
config waf threshold-based-detection
    edit "<policy_name>"
        set bot-recognition {disabled | real-browser-enforcement | captcha-enforcement}
        set mobile-app-identification {disabled | mobile-token-validation}
        set bot-confirmation {enable | disable}
        set validation-timeout <validation-timeout_int>
        set max-attempt-times <max-attempt-times_int>
        set crawler-detection {enable | disable}
        set crawler-action {alert | deny_no_log | alert_deny | block-period}
        set crawler-severity {High | Medium | Low | Info}
        set crawler-trigger <crawler-trigger-policy_name>
        set crawler-occurrence-num <crawler-occurrence-num_int>
        set crawler-within <crawler-within_int>
        set crawler-block-period <crawler-block-period_int>
        set scanner-detection {enable | disable}
        set scanner-action {alert | deny_no_log | alert_deny | block-period}
        set scanner-severity {High | Medium | Low | Info}
        set scanner-trigger <scanner-trigger-policy_name>
        set scanner-occurrence-num <scanner-occurrence-num_int>
        set scanner-within <scanner-within_int>
        set scanner-block-period <scanner-block-period_int>
        set slow-attack-detection {enable | disable}
        set slow-attack-action {alert | deny_no_log | alert_deny | block-period}
        set slow-attack-severity {High | Medium | Low | Info}
        set slow-attack-trigger <slow-attack-trigger-policy_name>
        set slow-attack-occurrence-num <slow-attack-occurrence-num_int>
        set slow-attack-within <slow-attack-within_int>
        set slow-attack-http-transaction-timeout <slow-attack-http-transaction-timeout_int>
        set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>
        set slow-attack-block-period <slow-attack-block-period_int>
        set content-scraping-detection {enable | disable}
        set content-scraping-action {alert | deny_no_log | alert_deny | block-period}
        set content-scraping-severity {High | Medium | Low | Info}
        set content-scraping-trigger <content-scraping-trigger-policy_name>
        set content-scraping-occurrence-num <content-scraping-occurrence-num_int>
        set content-scraping-within <content-scraping-within_int>
        set content-scraping-block-period <content-scraping-block-period_int>
        set brute-login-detection {enable | disable}
        set brute-login-action {alert | deny_no_log | alert_deny | block-period}
        set brute-login-severity {High | Medium | Low | Info}
        set brute-login-trigger <brute-login-trigger-policy_name>
        set brute-login-occurrence-num <brute-login-occurrence-num_int>
        set brute-login-within <brute-login-within_int>
        set brute-login-request-file <brute-login-request-file_str>
        set brute-login-block-period <brute-login-block-period_int>
    next
end
```
Variable | Description | Default
---|---|---
"<policy_name>" | Enter a name for the threshold-based detection rule that can be referenced in a bot mitigation policy. | No default.
bot-recognition {disabled \| real-browser-enforcement \| captcha-enforcement} | Select between: | disabled
mobile-app-identification {disabled \| mobile-token-validation} | | disabled
bot-confirmation {enable \| disable} | Enable to confirm whether the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or a CAPTCHA to the client to double-check that it is a bot. | disable
validation-timeout <validation-timeout_int> | Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client. Available only when bot-recognition is real-browser-enforcement or captcha-enforcement. | 20
crawler-detection {enable \| disable} | Enable to detect tools that browse your web site for indexing purposes. | enable
crawler-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects a crawler: | alert
crawler-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level ( | Medium
crawler-trigger <crawler-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a crawler. For details, see Viewing log messages. | No default.
crawler-occurrence-num <crawler-occurrence-num_int> | Enter the number of 403 and 404 response codes returned by the web server that FortiWeb must detect within the crawler-within period. | 100
crawler-within <crawler-within_int> | Specify the time period, in seconds, during which FortiWeb counts the 403 and 404 response codes. | 10
crawler-block-period <crawler-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a crawler. The valid range is 1–3,600. Available only if crawler-action is set to | 60
scanner-detection {enable \| disable} | Enable to detect tools that scan your web site for vulnerabilities. | disable
scanner-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects attack signatures: | alert
scanner-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level ( | Medium
scanner-trigger <scanner-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about attack signatures. For details, see Viewing log messages. | No default.
scanner-occurrence-num <scanner-occurrence-num_int> | Enter the number of attack signature matches that FortiWeb must detect within the scanner-within period. | 100
scanner-within <scanner-within_int> | Specify the time period, in seconds, during which FortiWeb counts the attack signature matches. | 10
scanner-block-period <scanner-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects attack signatures. The valid range is 1–3,600. Available only if scanner-action is set to | 60
slow-attack-detection {enable \| disable} | Enable to detect Denial of Service tools that try to evade detection by generating only a small stream of traffic. | disable
slow-attack-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects slow attack activities: | 
slow-attack-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level ( | Medium
slow-attack-trigger <slow-attack-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see Viewing log messages. | No default.
slow-attack-occurrence-num <slow-attack-occurrence-num_int> | Enter the number of slow attack activities that FortiWeb must detect within the slow-attack-within period. | 5
slow-attack-within <slow-attack-within_int> | Specify the time period, in seconds, during which FortiWeb counts slow attack activities. | 100
slow-attack-http-transaction-timeout <slow-attack-http-transaction-timeout_int> | Specify a timeout value, in seconds, for the whole HTTP transaction. | 60
slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int> | Specify the timeout value, in seconds, for the interval between packets arriving from either the client or the server (request or response packets). | 10
slow-attack-block-period <slow-attack-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600. Available only if slow-attack-action is set to | 60
content-scraping-detection {enable \| disable} | Enable to detect bots that illegally copy content from your web site. | disable
content-scraping-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects content scraping activities: | alert
content-scraping-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level ( | Medium
content-scraping-trigger <content-scraping-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about content scraping activities. For details, see Viewing log messages. | No default.
content-scraping-occurrence-num <content-scraping-occurrence-num_int> | Enter the number of content scraping activities that FortiWeb must detect within the content-scraping-within period. | 100
content-scraping-within <content-scraping-within_int> | Specify the time period, in seconds, during which FortiWeb counts content scraping activities. | 30
content-scraping-block-period <content-scraping-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects content scraping activities. The valid range is 1–3,600. Available only if content-scraping-action is set to | 60
brute-login-detection {enable \| disable} | Enable to detect brute force attacks that try to obtain user credentials. | disable
brute-login-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects usernames in requests: | alert
brute-login-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level ( | Medium
brute-login-trigger <brute-login-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about usernames in requests. For details, see Viewing log messages. | No default.
brute-login-occurrence-num <brute-login-occurrence-num_int> | Enter the number of times a username must be detected in requests within the brute-login-within period. | 100
brute-login-within <brute-login-within_int> | Enter the length of time, in seconds, during which FortiWeb counts the occurrences of a username in requests. | 10
brute-login-request-file <brute-login-request-file_str> | Specify the URL used to match requests so that security headers can be applied to the responses of the matched requests. After filling in the field with a regular expression, you can fine-tune the expression in the Regular Expression Validator by clicking the >> button beside the field. For details, see Appendix D: Regular expressions. | .*
brute-login-block-period <brute-login-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a credential-based brute login. The valid range is 1–3,600. Available only if brute-login-action is set to | 60
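To make the occurrence-num / within / block-period semantics concrete, here is an added Python model of one such rule (the crawler rule counting 403/404 responses) run over constructed log lines. It is an illustration written for this page, not FortiWeb code, and the thresholds, IP addresses and the sliding-window implementation are all assumptions; FortiWeb's internal counters may differ.

```python
"""Sliding-window model of a threshold rule: occurrence_num matching events
within `within` seconds from one client trigger a block of block_period
seconds.  Added illustration with constructed data; not FortiWeb's own code."""
from collections import defaultdict, deque


class ThresholdRule:
    def __init__(self, occurrence_num: int, within: int, block_period: int):
        self.occurrence_num = occurrence_num      # e.g. crawler-occurrence-num
        self.within = within                      # seconds, e.g. crawler-within
        self.block_period = block_period          # seconds, e.g. crawler-block-period
        self._events = defaultdict(deque)         # client -> timestamps in window
        self._blocked_until = {}                  # client -> end of block period

    def observe(self, ts: float, client: str, matches: bool) -> str:
        """Return 'blocked' (inside a block period), 'deny' (threshold just
        crossed, block period starts) or 'pass'."""
        until = self._blocked_until.get(client)
        if until is not None:
            if ts < until:
                return "blocked"          # block-period applies to every request
            del self._blocked_until[client]
        if not matches:
            return "pass"
        window = self._events[client]
        window.append(ts)
        while window and ts - window[0] > self.within:   # expire old events
            window.popleft()
        if len(window) >= self.occurrence_num:
            self._blocked_until[client] = ts + self.block_period
            window.clear()
            return "deny"
        return "pass"


# Constructed sample log: (timestamp, client, HTTP status).  The crawler rule
# counts 403/404 responses, as the crawler-occurrence-num description states.
SAMPLE_LOG = [
    (0, "198.51.100.7", 404), (1, "198.51.100.7", 404), (2, "198.51.100.7", 403),
    (3, "198.51.100.7", 404), (4, "198.51.100.7", 200), (5, "198.51.100.7", 404),
    (9, "203.0.113.9", 404), (30, "198.51.100.7", 200), (70, "198.51.100.7", 404),
]


def run_crawler_rule(log=SAMPLE_LOG, occurrence_num=5, within=10, block_period=60):
    """Apply a crawler rule (low thresholds chosen for the demo) to the log."""
    rule = ThresholdRule(occurrence_num, within, block_period)
    return [(ts, client, rule.observe(ts, client, status in (403, 404)))
            for ts, client, status in log]
```

With these constructed values the fifth 4xx response at t=5 crosses the threshold, the request at t=30 is still inside the 60-second block, and the one at t=70 starts a fresh window.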