Fortinet white logo
Fortinet white logo

Administration Guide

Configuring bot deception

Configuring bot deception

To prevent bot deception, you can configure the bot deception policy to insert link in HTML type response page. For regular clients, the link is invisible, while for malicious bots like web crawler, they may request the resources which the invisible link points at.

To configure the bot deception policy

  1. Go to Bot Mitigation > Bot Deception .
  2. Click Create New.
  3. Configure these settings:

    Name

    Type a unique name that can be referenced in other parts of the configuration.

    Deception URL

    Specify the deception URL to be inserted in the HTML response page, which can be either an absolute path or a relative path, for example, HTTP://www.example.com/bot_deception.html or /bot_deception.html. When a relative path is used, the request host is the current host that the broswer is accessing.

    Action

    Select which action FortiWeb will take when it detects a violation of the policy:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.

    Exception

    Select the exception policy which specifies the elements to be exempted from the attack scan.

  4. Click OK.
  5. Click Create New.
    You can also specify the pages that FortiWeb will add the deception URLs to.
  6. Configure these settings:
    NameType a unique name that can be referenced in other parts of the configuration.
    Host StatusEnable to apply this rule only to HTTP requests for specific web hosts. Also configure Host.
    HostSelect the name of a protected host that the Host: field of an HTTP request must be in to match the bot deception policy.
    This option is available only if Host Status is enabled.

    Type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must exactly.

    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Type, enter either:

    • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as /index.cfm.

      When you have finished typing the regular expression, click the >> (test) icon.
      This opens the Regular Expression Validator window where you can finetune the expression. For details, see Appendix E: Regular expressions

  7. Click OK.
    FortiWeb only tries to insert deception URL for matched URLs for HTML type pages, and if no URL table is defined, FortiWeb will not insert deception URL in any page. In addition, FortiWeb checks the content-type of the matches HTML response page.

To apply the bot deception policy in a bot mitigation policy, see Configuring bot mitigation policy.

Configuring bot deception

Configuring bot deception

To prevent bot deception, you can configure the bot deception policy to insert link in HTML type response page. For regular clients, the link is invisible, while for malicious bots like web crawler, they may request the resources which the invisible link points at.

To configure the bot deception policy

  1. Go to Bot Mitigation > Bot Deception .
  2. Click Create New.
  3. Configure these settings:

    Name

    Type a unique name that can be referenced in other parts of the configuration.

    Deception URL

    Specify the deception URL to be inserted in the HTML response page, which can be either an absolute path or a relative path, for example, HTTP://www.example.com/bot_deception.html or /bot_deception.html. When a relative path is used, the request host is the current host that the broswer is accessing.

    Action

    Select which action FortiWeb will take when it detects a violation of the policy:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects that the client has violated the policy. The valid range is 1–3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a violation of the policy:

    • Informative
    • Low
    • Medium
    • High

    The default value is Low.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a violation of the policy. For details, see Viewing log messages.

    Exception

    Select the exception policy which specifies the elements to be exempted from the attack scan.

  4. Click OK.
  5. Click Create New.
    You can also specify the pages that FortiWeb will add the deception URLs to.
  6. Configure these settings:
    NameType a unique name that can be referenced in other parts of the configuration.
    Host StatusEnable to apply this rule only to HTTP requests for specific web hosts. Also configure Host.
    HostSelect the name of a protected host that the Host: field of an HTTP request must be in to match the bot deception policy.
    This option is available only if Host Status is enabled.

    Type

    Select whether the Request URL field must contain either:

    • Simple String—The field is a string that the request URL must exactly.

    • Regular Expression—The field is a regular expression that defines a set of matching URLs.

    Request URL

    Depending on your selection in Type, enter either:

    • The literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

    • A regular expression, such as ^/*.php, matching all and only the URLs to which the input rule should apply. The pattern does not require a slash ( / ).; however, it must at least match URLs that begin with a slash, such as /index.cfm.

      When you have finished typing the regular expression, click the >> (test) icon.
      This opens the Regular Expression Validator window where you can finetune the expression. For details, see Appendix E: Regular expressions

  7. Click OK.
    FortiWeb only tries to insert deception URL for matched URLs for HTML type pages, and if no URL table is defined, FortiWeb will not insert deception URL in any page. In addition, FortiWeb checks the content-type of the matches HTML response page.

To apply the bot deception policy in a bot mitigation policy, see Configuring bot mitigation policy.