Fortinet black logo

CLI Reference

waf biometrics-based-detection

waf biometrics-based-detection

By checking the client events such as mouse movement, keyboard, screen touch, and scroll, etc in specified period, FortiWeb judges whether the request comes from a human or from a bot. You can use this command to configure the biometrics based detection rule to define the client event, collection period, and the request URL, etc.

Syntax

config waf biometrics-based-detection

edit <biometrics-based-detection-name_str>

set mouse-movement {enable | disable}

set click {enable | disable}

set screen-touch {enable | disable}

set keyboard {enable | disable}

set scroll {enable | disable}

set event-collection-time <time_int>

set bot-effective-time <time_int>

set action {alert | alert_deny | | deny_no_log}

set severity {high | medium | low | Info}

set trigger <trigger_policy>

config url-list

edit <url-list_id>

set host <host_str>

set host-status {enable | disable}

set type {simple-string | regex-expression}

set url <url_str>

next

end

next

end

Variable Description Default
<biometrics-based-detection-name_str> Type a unique name that can be referenced in other parts of the configuration. No default.
mouse-movement {enable | disable} Click to enable monitoring the mouse movement event. enable

keyboard {enable | disable}

Click to enable monitoring the keyboard event. enable

click {enable | disable}

Click to enable monitoring the click event. enable

screen-touch {enable | disable}

Click to enable monitoring the screen touch event. disable

scroll {enable | disable}

Click to enable monitoring the scroll event. disable

event-collection-time <time_int>

Specify how long the events will be collected from the client.

15

bot-effective-time <time_int>

For the identified bot, choose the time period before FortiWeb tests and verifies the bot again.

5

action {alert | alert_deny | | deny_no_log}

Select which action FortiWeb will take when it detects a violation of the policy:

  • Alert—Accept the connection and generate an alert email and/or log message.

  • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

  • Deny (no log)—Block the request (or reset the connection).

The default value is Alert.

Alert
severity {high | medium | low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

  • Informative
  • Low
  • Medium
  • High
Low
trigger <trigger_policy> Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages. No default.
<url-list_id> Enter the sequence number of the URL. No default.

host <host_str>

Select the name of a protected host that the Host: field of an HTTP request must be in to match the bot deception policy.
This option is available only if waf biometrics-based-detection is enabled.

No default.

host-status {enable | disable}

Enable to apply this rule only to HTTP requests for specific web hosts. Also configure host <host_str>.

disable

type {simple-string | regex-expression}

Select whether the url <url_str> field must contain either:

  • simple-string—The field is a string that the request URL must exactly.

  • regex-expression—The field is a regular expression that defines a set of matching URLs.

simple-string

url <url_str>

Depending on your selection in type {simple-string | regex-expression}, enter either:

  • The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).

  • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as /index.cfm.

    When you have finished typing the regular expression, click the >> (test) icon.
    This opens the Regular Expression Validator window where you can finetune the expression. For details, see Appendix D: Regular expressions

No default.

Related topics

waf bot-mitigation-policy

waf biometrics-based-detection

waf biometrics-based-detection

By checking the client events such as mouse movement, keyboard, screen touch, and scroll, etc in specified period, FortiWeb judges whether the request comes from a human or from a bot. You can use this command to configure the biometrics based detection rule to define the client event, collection period, and the request URL, etc.

Syntax

config waf biometrics-based-detection

edit <biometrics-based-detection-name_str>

set mouse-movement {enable | disable}

set click {enable | disable}

set screen-touch {enable | disable}

set keyboard {enable | disable}

set scroll {enable | disable}

set event-collection-time <time_int>

set bot-effective-time <time_int>

set action {alert | alert_deny | | deny_no_log}

set severity {high | medium | low | Info}

set trigger <trigger_policy>

config url-list

edit <url-list_id>

set host <host_str>

set host-status {enable | disable}

set type {simple-string | regex-expression}

set url <url_str>

next

end

next

end

Variable Description Default
<biometrics-based-detection-name_str> Type a unique name that can be referenced in other parts of the configuration. No default.
mouse-movement {enable | disable} Click to enable monitoring the mouse movement event. enable

keyboard {enable | disable}

Click to enable monitoring the keyboard event. enable

click {enable | disable}

Click to enable monitoring the click event. enable

screen-touch {enable | disable}

Click to enable monitoring the screen touch event. disable

scroll {enable | disable}

Click to enable monitoring the scroll event. disable

event-collection-time <time_int>

Specify how long the events will be collected from the client.

15

bot-effective-time <time_int>

For the identified bot, choose the time period before FortiWeb tests and verifies the bot again.

5

action {alert | alert_deny | | deny_no_log}

Select which action FortiWeb will take when it detects a violation of the policy:

  • Alert—Accept the connection and generate an alert email and/or log message.

  • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

  • Deny (no log)—Block the request (or reset the connection).

The default value is Alert.

Alert
severity {high | medium | low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

  • Informative
  • Low
  • Medium
  • High
Low
trigger <trigger_policy> Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages. No default.
<url-list_id> Enter the sequence number of the URL. No default.

host <host_str>

Select the name of a protected host that the Host: field of an HTTP request must be in to match the bot deception policy.
This option is available only if waf biometrics-based-detection is enabled.

No default.

host-status {enable | disable}

Enable to apply this rule only to HTTP requests for specific web hosts. Also configure host <host_str>.

disable

type {simple-string | regex-expression}

Select whether the url <url_str> field must contain either:

  • simple-string—The field is a string that the request URL must exactly.

  • regex-expression—The field is a regular expression that defines a set of matching URLs.

simple-string

url <url_str>

Depending on your selection in type {simple-string | regex-expression}, enter either:

  • The literal URL, such as /index.php, that the HTTP request must contain in order to match the input rule. The URL must begin with a backslash ( / ).

  • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as /index.cfm.

    When you have finished typing the regular expression, click the >> (test) icon.
    This opens the Regular Expression Validator window where you can finetune the expression. For details, see Appendix D: Regular expressions

No default.

Related topics

waf bot-mitigation-policy