Tracking a client by either the recognized cookie or the source IP, FortiWeb's client management feature identifies suspected attacks based on the clients. When a client triggers a threat, FortiWeb accumulates the threat score based on the configured threat weight value. When the client's threat score reaches a certain threshold, a corresponding blocking action is performed. To identify a visiting client, FortiWeb generates a unique client ID according to the cookie value or source IP.
In inline mode, when a client accesses a web application for the first time, FortiWeb inserts a cookie into the client's browser. In the subsequent access by the client, if the client carries the cookie inserted, FortiWeb tracks the client by this cookie; otherwise, FortiWeb tracks the client by the client's source IP. While in offline mode, FortiWeb cannot insert cookies into the client. By default, three cookies ASPSESSIONID, PHPSESSID, and JSESSIONID are supported. If you want to track the client through other cookies, just configure it in Session Key of Offline Protection Profile.
The client management mechanism takes into account the following factors:
Threat weight of security violations
Each protection feature involved in the client management mechanism must be scored with a threat weight to indicate how serious a security violation is; this generally depends on the security concerns according to how networks and servers will be used. For example, SQL injection might be a higher risk security violation if database applications are provided on servers, though it may be a lower risk event if no database applications are provided. When a security violation is detected, the threat weight of the security violation is used to calculate the threat score of the client that launched the event.
Threat score of a client
FortiWeb reacts to security violations launched by a client according to the configured threat score of the client. The threat score is the sum of the threat weights of all the security violations launched by the client in certain time period. Each time a client violates the security, a corresponding threat weight is added to the total threat score based on set time period. The higher the accumulated threat score of the client, the higher of the risk level of the client. A client can be trusted, suspicious, or malicious based on the configured threat score.
Risk level of a client
Risk level is used to evaluate how dangerous a client is. A client is classified as trusted, unidentified, suspicious, or malicious according to the threat score set. To identify the risk level of a client, the threat score of the risk levels must be defined. For example, a client that has a threat score between 0-120 may be considered trusted (the calculation of the traffic shall be over 5 minutes), between 121-300 suspicious, and over 301 malicious. When the client management module is disabled, or it fails to meet the status of the three risk levels, the risk level of the client can be unidentified.
Blocking action based on risk level
When client management is enabled, based on the risk levels, FortiWeb blocks a suspicious or malicious client according to the configurations in Block Settings.
- Go to Policy > Client Management.
- Click Threat Weight.
- Configure Risk Level Values.
Six different risk levels are available to indicate how serious a security violation is: Informational, Low, Moderate, Substantial, Severe, and Critical.
- Define risk level of security violations.
Assign a threat weight of 1-500 to the risk levels. It is possible to initially use the default values and later adjust them according to specific security concerns.
Here are the security violations that FortiWeb can detect:
- Signatures (See Blocking known attacks )
- Custom Policy Violations (See Custom Policy)
- Padding Oracle Attacks (See Defeating cipher padding attacks on individually encrypted inputs)
- CSRF Attacks (See Defeating cross-site request forgery (CSRF) attacks)
- Man in Browser Protection (See Protection for Man-in-the-Browser (MiTB) attacks)
- SQL/XSS Syntax Based Detection (See Syntax-based SQL/XSS injection detection)
- Cookie Security Policy Violations (See Cookie security)
- Parameter Validation (See Validating parameters (“input rules”))
- Hidden Field Tampering (See Preventing tampering with hidden inputs)
- FTP Security (see Configuring FTP security)
- HTTP Protocol Constraint Violations (See HTTP/HTTPS protocol constraints)
- WebSocket Protocol Violations (WebSocket protocol)
- URL Access Violations (See Restricting access to specific URLs)
- Allow Methods Violations (See Specifying allowed HTTP methods)
- CORS Protection (see Cross-Origin Resource Sharing (CORS) protection)
- Biometrics Based Detection Violations (see Configuring biometrics based detection)
- Threshold Based Detection Violations (see Configuring threshold based detection)
- Bot Deception Violations (see Configuring bot deception )
- Known Bots Violations (see Configuring known bots)
- JSON Protection Violations (see Configuring JSON protection)
- XML Protection Violations (see Configuring XML protection)
- OpenAPI Validation Violations (see OpenAPI Validation)
- Mobile API Potection Violations (see Configuring mobile API protection)
- Dos Protection Violations (see DoS prevention)
- IP List Violations (See "blocklisting & allowlisting clients" on page 1)
- Geo IP Violations (See "blocklisting & allowlisting countries & regions" on page 1)
- Poor IP Reputation (See "blocklisting source IPs with poor reputation" on page 1)
- User Tracking (See Tracking)
Click Threat Weight and then a specific security module. Adjust the slider bar to assign a risk level to each security violation.
For Signatures and HTTP Protocol Constraints, go to Web Protection > Known Attacks > Signatures and Web Protection > Protocol > HTTP > HTTP Protocol Constraints to set the risk level of individual signatures and HTTP protocol constraints. For details, see Blocking known attacks and HTTP/HTTPS protocol constraints.
To define the threat score and violation actions
- Go to Policy > Client Management.
- Click Configuration.
- Configure these settings:
Client session data expires after
Set the amount of time that FortiWeb will store the tracked client information. Once the information has been stored for longer than the set amount of time, FortiWeb will remove that information.
Select the amount of time in days that FortiWeb will store the threat score data for an active client.
For example, when the statistics period is 3 days, and the total threat score in this period is 150. Then 150 will be taken as the score to compare with those set for thrusted/suspicious/malicious clients.
Move the two cursors of the slider bar to set the threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access.
Enter the amount of time (in minutes) that FortiWeb will block a suspicious or malicious client. You can set two blocking rules for suspicious and malicious clients respectively.
Note: Setting for suspicious clients will also work for malicious clients; while those for malicious clients will not work for suspicious clients.
IP: Block a malicious user based on source IP.
Client ID: Block a malicious user based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.
- Click Apply.
To view the information that has been tracked to the client, or delete or restore a client's threat score, see Monitoring currently tracked clients .
To view the information of blocked IPs if you configure Block Settings and the threat score exceeds the threshold, see Monitoring currently blocked IPs.
In Log&Report > Log Access > Attack, you can click an attack log to check the threat score, client ID, and client risk information, and click the client ID to restore the client threat score to 0.
In Log&Report > Log Access > Event, you can click an event log to check the client ID information, and click the client ID to restore the client threat score to 0.