"<policy_name>"

Enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.

Select between:

• captcha-enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the , or doesn't fulfill the request within the validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.

• real-browser-enforcement—Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by waf threshold-based-detection, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

• recaptcha-enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the , or doesn't fulfill the request within the validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.

• disable—Not to carry out the bot verification.

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user

mobile-app-identification {disabled | mobile-token-validation}

• disabled—Not to carry out the mobile token verification.
• mobile-token-validation—Requires the client to use mobile token to verify whether the traffic is from mobile devices.
  To apply mobile token validation, you must enable mobile-app-identification in waf web-protection-profile inline-protection.

bot-confirmation {enable | disable}

Enable to confirm if the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or CAPTCHA to the client to double check if it's a bot.

validation-timeout <validation-timeout_int>

Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.

Available only when the bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | recaptcha-enforcement} is browser-enforcement or captcha-enforcement.

crawler-detection {enable | disable}

Enable to detect tools that browse your web site for indexing purposes.

crawler-action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects a crawler:

• alert—Accept the connection and generate an alert email and/or log message.
• alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
• deny_no_log—Block the request (or reset the connection).
• block-period—Block subsequent requests from the client for a number of seconds. Also configure crawler-block-period <crawler-block-period_int>.

crawler-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a crawler:

• Informative
• Low
• Medium
• High

crawler-trigger <crawler-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a crawler. For details, see Viewing log messages.

crawler-occurrence-num <crawler-occurrence-num_int>

Define the frequency that FortiWeb detects 403 and 404 response codes returned by the web server.

crawler-within <crawler-within_int>

Specify the time period, in seconds, during which FortiWeb detects the 403 and 404 response codes.

crawler-block-period <crawler-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a crawler. The valid range is 1–3,600 seconds.

Available only if crawler-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.

scanner-detection {enable | disable}

Enable to detect tools that scan your web site for vulnerabilities.

scanner-action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects attack signatures:

• alert—Accept the connection and generate an alert email and/or log message.
• alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
• deny_no_log—Block the request (or reset the connection).
• block-period—Block subsequent requests from the client for a number of seconds. Also configure scanner-block-period <scanner-block-period_int>.

scanner-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs attack signatures:

• Informative
• Low
• Medium
• High

scanner-trigger <scanner-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about attack signatures. For details, see Viewing log messages.

scanner-occurrence-num <scanner-occurrence-num_int>

Define the frequency that FortiWeb detects attack signatures.

scanner-within <scanner-within_int>

Specify the time period, in seconds, during which FortiWeb monitors the attack signatures.

scanner-block-period <scanner-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects attack signatures. The valid range is 1–3,600 seconds.

Available only if scanner-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.

slow-attack-detection {enable | disable}

Enable to detect Denial of Service tools that try to go undetected by generating a small stream of traffic.

slow-attack-action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects slow attack activities:

• alert—Accept the connection and generate an alert email and/or log message.
• alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
• deny_no_log—Block the request (or reset the connection).
• block-period—Block subsequent requests from the client for a number of seconds. Also configure slow-attack-block-period <slow-attack-block-period_int>.

slow-attack-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs slow attack activities:

• Informative
• Low
• Medium
• High

slow-attack-trigger <slow-attack-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see Viewing log messages.

slow-attack-occurrence-num <slow-attack-occurrence-num_int>

Define the frequency that FortiWeb detects slow attack activities.

slow-attack-within <slow-attack-within_int>

Specify the time period, in seconds, during which FortiWeb detects slow attack activities.

slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>

Specify a timeout value, in seconds, for the HTTP transaction.

slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>

Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets).

slow-attack-block-period <slow-attack-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600 seconds.

Available only if slow-attack-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.

content-scraping-detection {enable | disable}

Enable to detect bots that illegally copy contents from your web site.

content-scraping-action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects content scraping activities:

• alert—Accept the connection and generate an alert email and/or log message.
• alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
• deny_no_log—Block the request (or reset the connection).
• block-period—Block subsequent requests from the client for a number of seconds. Also configure content-scraping-block-period <content-scraping-block-period_int>.

content-scraping-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs content scraping activities:

• Informative
• Low
• Medium
• High

content-scraping-trigger <content-scraping-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about content scraping activities. For details, see Viewing log messages.

content-scraping-occurrence-num <content-scraping-occurrence-num_int>

Define the frequency that FortiWeb detects content scraping activities.

content-scraping-within <content-scraping-within_int>

Specify the time period, in seconds, during which FortiWeb detects content scraping activities.