waf machine-learning-policy
Use this command to create machine learning policies and configure related policy settings.
Syntax

    config waf machine-learning-policy
      edit <machine-learning-policy_id>
        set hmm-engine {enable | disable}
        set sample-collecting-mode {normal | fast}
        set learning-time <the-number-of-weeks>
        set sample-limit-by-ip <sample-limit-by-ip_int>
        set threat-model {enable | disable}
        set svm-model {xss | sql-injection | code-injection | command-injection | lfi-rfi | common-injection | remote-exploits}
        set anomaly-detection-threshold <anomaly-detection-threshold_int>
        set automatic-refresh-model {enable | disable}
        set box-notch-count <box-notch-count_int>
        set boxplot-checking-interval <boxplot-checking-interval_int>
        set parameters-limit-per-conn {enable | disable}
        set action-anomaly {alert | alert_deny | block-period}
        set block-period-potential "<block-period-potential_int>"
        set block-period-definitely "<block-period-definitely_int>"
        set severity-definitely {High | Info | Low | Medium}
        set trigger-definitely "<policy_name>"
        set app-change-sensitivity {High | Low | Medium}
        set ip-list-type {Trust | Black}
        config waf machine-learning-policy
          edit <id>
            set domain-name "<domain-name_str>"
            set domain-index "<domain-index_id>"
            set character-set {AUTO | ISO-8859-1 | ISO-8859-2 | ISO-8859-3 | ISO-8859-4 | ISO-8859-5 | ISO-8859-6 | ISO-8859-7 | ISO-8859-8 | ISO-8859-9 | ISO-8859-10 | ISO-8859-15 | GB2312 | BIG5 | ISO-2022-JP | ISO-2022-JP-2 | Shift-JIS | ISO-2022-KR | UTF-8}
          next
        end
        config source-ip-list
          edit <id>
            set "<ip>"
          next
        end
      next
    end
| Variable | Description | Default |
|---|---|---|
| `<machine-learning-policy_id>` | Enter the ID of the machine learning policy. This is the number displayed in the "#" column of the machine learning policy table on the Machine Learning Policy page. The valid range is 0–65535. | No default |
| hmm-engine {enable \| disable} | Enable to monitor access to the application and collect data so that a mathematical model can be built for every parameter. | enable |
| sample-collecting-mode {normal \| fast} | When a sample is collected, the system generalizes it into a pattern. For example, "abcd_123@abc.com" and "abcdefgecdf_12345678@efg.com" are both generalized to the pattern "A_N@A.A". The anomaly detection model is built from these patterns, not from the raw samples. normal: you must also set learning-time. Normal mode collects at least 2500 samples and lasts for at least the specified number of weeks. With a learning time of 1 week, collection stops after 1 week if at least 2500 samples have been collected by then; otherwise it continues past the week until 2500 samples have been collected. fast: up to 1500 samples are collected to build the anomaly detection model. | normal |
| learning-time <the-number-of-weeks> | Required when sample-collecting-mode is normal. Sample collection lasts for at least the specified number of weeks. | No default |
| sample-limit-by-ip <sample-limit-by-ip_int> | The maximum number of samples collected from each source IP. The valid range is 0–5000. | 30 |
| threat-model {enable \| disable} | Enable to scan detected anomalies and verify whether they are real attacks, using the trained Support Vector Machine (SVM) models. | |
| svm-model {xss \| sql-injection \| code-injection \| command-injection \| lfi-rfi \| common-injection \| remote-exploits} | Enable or disable the threat models for individual attack types, such as cross-site scripting, SQL injection and code injection. Seven trained SVM models are provided, one for each of the seven attack types listed. | enable |
| anomaly-detection-threshold <anomaly-detection-threshold_int> | The strictness level; the valid range is 1 to 10. A sample is identified as an anomaly when its probability exceeds μ + (strictness level × σ), where μ is the average of the probabilities of all samples collected during the sample collection period and σ is their standard deviation. μ and σ are fixed once learning is complete, so only the strictness level moves the threshold: a smaller strictness level gives a lower threshold and therefore a stricter anomaly detection model. This option sets a global value for all parameters. To adjust the strictness level for a specific parameter, see Manage anomaly-detecting settings. | 0.1 |
| automatic-refresh-model {enable \| disable} | Enable to let the system automatically relearn the arguments of the HMM model. | enable |
| box-notch-count <box-notch-count_int> | This option appears when you enable Dynamically update when parameters change. The number of newly generated boxplots that must fail to overlap with any of the sample boxplots before FortiWeb automatically updates the machine learning model. With the default of 2, the model is updated once 2 new boxplots do not overlap with any sample boxplot. The valid range is 1–3. | 2 |
| boxplot-checking-interval <boxplot-checking-interval_int> | The interval, in minutes, at which a boxplot is collected after the parameter model changes to Running status. The valid range is 1–15 minutes. | 15 |
| parameters-limit-per-conn {enable \| disable} | Enable to avoid building a parameter's model solely from samples collected in the same connection. Anomaly detection is more effective when the model for a parameter is built from samples spread across many different connections. | |
| action-anomaly {alert \| alert_deny \| block-period} | The action FortiWeb takes when a definite attack is verified. alert: accepts the request and generates an alert email and/or log message. alert_deny: blocks the request (or resets the connection) and generates an alert email and/or log message. block-period: blocks requests for a period of time (see block-period-potential and block-period-definitely). | alert_deny |
| block-period-potential "<block-period-potential_int>" | Enter the number of seconds that requests are blocked when a potential anomaly is detected. The valid range is 1–3,600 seconds. This option only takes effect when action-anomaly is block-period (Period Block in the GUI). | 60 |
| block-period-definitely "<block-period-definitely_int>" | Enter the number of seconds that requests are blocked when a definite attack is verified. The valid range is 1–3,600 seconds. This option only takes effect when action-anomaly is block-period (Period Block in the GUI). | 60 |
| severity-definitely {High \| Info \| Low \| Medium} | Select the severity level for definite attacks. The severity level is displayed in the alert email and/or log message. | High |
| trigger-definitely "<policy_name>" | Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. When a definite attack is detected, the system sends email and/or log messages according to that trigger policy. | No default |
| app-change-sensitivity {High \| Low \| Medium} | This option appears when you enable Dynamically update when parameters change. Low: the system triggers a model update only when the entire data distribution area (from the minimum to the maximum value, that is, the area containing all the data) of the new boxplot has no overlap with that of the sample boxplots. Medium: the system triggers a model update when the notch area (the median rectangular area of the boxplot, where most of the data is located) of the new boxplot has no overlap with the entire data distribution areas of the sample boxplots. High: the system triggers a model update as soon as the notch area of the new boxplot has no overlap with the notch areas of the sample boxplots. | No default |
| | Enable to change the status of the policy to Running; disable to change it to Stopped. | enable |
| | Select the name of a URL Replacer Policy that you have created in Machine Learning Templates. If the web application uses dynamic URLs or unusual parameter styles, you must configure a URL Replacer Policy so that they are recognized. | No default |
| | Select a trigger policy that you have set in Log&Report > Log Policy > Trigger Policy. When a potential anomaly is detected, the system sends email and/or log messages according to that trigger policy. | |
| ip-list-type {Trust \| Black} | Whether sample collection from the IPs in the Source IP list is allowed (Trust) or denied (Black). | Trust |
| `<id>` (domain entry) | Enter the ID of the entry. The valid range is 1–65,535. | No default |
| domain-name "<domain-name_str>" | Enter the full domain name, or use the wildcard '*' to cover multiple domains under one profile. | No default |
| domain-index "<domain-index_id>" | The index automatically assigned by the system when the domain name is created. | No default |
| character-set {AUTO \| ISO-8859-1 \| ISO-8859-2 \| ISO-8859-3 \| ISO-8859-4 \| ISO-8859-5 \| ISO-8859-6 \| ISO-8859-7 \| ISO-8859-8 \| ISO-8859-9 \| ISO-8859-10 \| ISO-8859-15 \| GB2312 \| BIG5 \| ISO-2022-JP \| ISO-2022-JP-2 \| Shift-JIS \| ISO-2022-KR \| UTF-8} | The character encoding used for the domain when you add the domain manually. | No default |
| `<id>` (source-ip-list entry) | Enter the ID of the source IP entry. The valid range is 1–9,223,372,036,854,775,807. | No default |
| "<ip>" | Enter the IP range for the source IP list. | No default |
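The generalization step described in the sample-collecting-mode row (raw values collapsed to shape patterns such as "A_N@A.A" before any model is built) is easy to misread as matching on raw strings. The following Python is an added illustration, not FortiWeb's code: the rule is inferred from the page's single example (runs of ASCII letters become "A", runs of digits become "N", every other character is kept), so the exact rule is an assumption, and the learning samples are constructed.

```python
import re

# Generalization rule inferred from the page's one example
# ("abcd_123@abc.com" -> "A_N@A.A"): runs of ASCII letters -> "A",
# runs of ASCII digits -> "N", any other character kept verbatim.
# This is an assumption; FortiWeb's real generalizer is not published here.
_TOKEN = re.compile(r"[A-Za-z]+|[0-9]+|.", re.DOTALL)


def generalize(sample: str) -> str:
    """Collapse a raw parameter value into its shape pattern."""
    out = []
    for match in _TOKEN.finditer(sample):
        tok = match.group(0)
        if tok.isascii() and tok.isalpha():
            out.append("A")
        elif tok.isascii() and tok.isdigit():
            out.append("N")
        else:
            out.append(tok)  # punctuation, whitespace, non-ASCII kept as-is
    return "".join(out)


def build_pattern_model(samples):
    """Count each pattern seen during learning; the counts are the 'model'."""
    counts = {}
    for sample in samples:
        pattern = generalize(sample)
        counts[pattern] = counts.get(pattern, 0) + 1
    return counts


def is_known_pattern(model, value):
    """A value whose pattern never appeared during learning is suspect."""
    return generalize(value) in model


# Constructed learning samples for an "email" parameter (not real traffic).
LEARNING_SAMPLES = [
    "abcd_123@abc.com",
    "abcdefgecdf_12345678@efg.com",
    "john.doe@example.org",
    "jane99@example.co.uk",
]

if __name__ == "__main__":
    model = build_pattern_model(LEARNING_SAMPLES)
    print(model)
    for value in ["xyz_7@foo.net", "' OR 1=1--", "<script>alert(1)</script>"]:
        verdict = "known" if is_known_pattern(model, value) else "NEW PATTERN"
        print(f"{value!r} -> {generalize(value)!r}: {verdict}")
```

Note that two values of very different length and content land on the same pattern, which is why the learning set only needs to be representative of shapes, not of every possible value, and why an injection payload stands out even when the model has never seen its exact bytes.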
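The anomaly-detection-threshold row states the decision rule (probability > μ + strictness × σ) and that a smaller strictness level is stricter. The following Python is an added worked example, not FortiWeb's code, that fits μ and σ once from a constructed learning set and then shows how many constructed new requests are flagged at strictness levels 1, 3 and 10; the per-parameter override helper mirrors the "global value unless adjusted per parameter" behaviour the row mentions and its name is an assumption.

```python
from statistics import fmean, pstdev

# Constructed anomaly probabilities of the learning-period samples (not real data).
LEARNING_PROBS = [0.10, 0.12, 0.11, 0.09, 0.13, 0.10, 0.12, 0.11, 0.10, 0.12]

# Constructed probabilities of requests seen after learning finished.
NEW_REQUEST_PROBS = [0.10, 0.125, 0.15, 0.30]


def fit_baseline(probs):
    """mu and sigma over the probabilities of all learning samples; fixed afterwards."""
    return fmean(probs), pstdev(probs)


def threshold(mu, sigma, strictness):
    """mu + strictness * sigma; strictness is the 1-10 level from the page."""
    if not 1 <= strictness <= 10:
        raise ValueError("strictness level must be 1-10")
    return mu + strictness * sigma


def is_anomaly(prob, mu, sigma, strictness):
    return prob > threshold(mu, sigma, strictness)


def count_flagged(probs, mu, sigma, strictness):
    return sum(is_anomaly(p, mu, sigma, strictness) for p in probs)


def strictness_for(param, global_level, per_param=None):
    """Assumed helper: per-parameter level if one was set, else the global one."""
    return (per_param or {}).get(param, global_level)


if __name__ == "__main__":
    mu, sigma = fit_baseline(LEARNING_PROBS)
    print(f"mu={mu:.4f} sigma={sigma:.4f}")
    for level in (1, 3, 10):
        print(f"strictness {level:2d}: threshold {threshold(mu, sigma, level):.4f}, "
              f"flagged {count_flagged(NEW_REQUEST_PROBS, mu, sigma, level)} of {len(NEW_REQUEST_PROBS)}")
```

With these numbers μ is 0.11 and σ about 0.0118, so the threshold moves from roughly 0.122 at level 1 to roughly 0.228 at level 10: three of the four new requests are flagged at level 1, two at level 3 and only the 0.30 outlier at level 10. That is the practical meaning of "smaller is stricter": lowering the level trades more false positives for earlier detection of mildly unusual values.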
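The app-change-sensitivity and box-notch-count rows describe the model-refresh decision in terms of overlapping boxplot areas. The following Python is an added illustration of those three rules and the count threshold, not FortiWeb's code. It assumes that a boxplot's "entire data distribution area" is [minimum, maximum] and approximates the "notch area" by the Q1..Q3 box, since the page only describes the notch loosely; all boxplot data is constructed.

```python
from dataclasses import dataclass
from statistics import quantiles


@dataclass(frozen=True)
class Boxplot:
    lo: float        # minimum: start of the entire data distribution area
    hi: float        # maximum: end of the entire data distribution area
    notch_lo: float  # start of the notch area (assumed: Q1)
    notch_hi: float  # end of the notch area (assumed: Q3)

    @classmethod
    def from_values(cls, values):
        q1, _median, q3 = quantiles(values, n=4)  # needs at least 2 values
        return cls(min(values), max(values), q1, q3)


def _overlaps(a_lo, a_hi, b_lo, b_hi):
    return a_lo <= b_hi and b_lo <= a_hi


def is_drifted(new, samples, sensitivity):
    """True if `new` has no overlap with any sample boxplot at this sensitivity."""
    if sensitivity == "Low":      # whole range vs whole range
        return not any(_overlaps(new.lo, new.hi, s.lo, s.hi) for s in samples)
    if sensitivity == "Medium":   # new notch vs whole sample range
        return not any(_overlaps(new.notch_lo, new.notch_hi, s.lo, s.hi) for s in samples)
    if sensitivity == "High":     # new notch vs sample notch
        return not any(_overlaps(new.notch_lo, new.notch_hi, s.notch_lo, s.notch_hi)
                       for s in samples)
    raise ValueError("sensitivity must be Low, Medium or High")


def model_needs_refresh(new_boxplots, sample_boxplots, sensitivity, box_notch_count=2):
    """Refresh once box-notch-count new boxplots (1-3) are drifted."""
    if not 1 <= box_notch_count <= 3:
        raise ValueError("box-notch-count must be 1-3")
    drifted = sum(is_drifted(b, sample_boxplots, sensitivity) for b in new_boxplots)
    return drifted >= box_notch_count


# Constructed baseline: one sample boxplot for a parameter's value length.
SAMPLE_BOXPLOTS = [Boxplot.from_values([10, 11, 12, 12, 13, 14, 15])]

# Constructed boxplots collected after the model went to Running status.
NEW_BOXPLOTS = [
    Boxplot.from_values([30, 31, 32, 33, 34]),  # entirely outside the baseline
    Boxplot.from_values([14, 15, 16, 17, 18]),  # range overlaps, box does not
]

if __name__ == "__main__":
    for sensitivity in ("Low", "Medium", "High"):
        print(sensitivity, model_needs_refresh(NEW_BOXPLOTS, SAMPLE_BOXPLOTS, sensitivity))
```

The second new boxplot is the interesting one: its range [14, 18] touches the baseline's [10, 15], so Low and Medium do not count it, but its box [14.5, 17.5] clears the baseline box [11, 14], so High does. With the default box-notch-count of 2 only High triggers a refresh; at Low it would take either a second clearly drifted boxplot or box-notch-count set to 1. That is why High sensitivity refreshes quickly after an application change, at the cost of refreshing on transient shifts.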