Client management

Tracking a client by either the recognized cookie or the source IP, FortiWeb's client management feature identifies suspected attacks based on the clients. When a client triggers a threat, FortiWeb accumulates the threat score based on the configured threat weight value. When the client's threat score reaches a certain threshold, a corresponding blocking action is performed. To identify a visiting client, FortiWeb generates a unique client ID according to the cookie value or source IP.

In inline mode, when a client accesses a web application for the first time, FortiWeb inserts a cookie into the client's browser. In the subsequent access by the client, if the client carries the cookie inserted, FortiWeb tracks the client by this cookie; otherwise, FortiWeb tracks the client by the client's source IP. While in offline mode, FortiWeb cannot insert cookies into the client. By default, three cookies ASPSESSIONID, PHPSESSID, and JSESSIONID are supported. If you want to track the client through other cookies, just configure it in Session Key of Offline Protection Profile.

See also

• Monitoring currently tracked clients

How client management works

The client management mechanism takes into account the following factors:

Threat weight of security violations

Each protection feature involved in the client management mechanism must be scored with a threat weight to indicate how serious a security violation is; this generally depends on the security concerns according to how networks and servers will be used. For example, SQL injection might be a higher risk security violation if database applications are provided on servers, though it may be a lower risk event if no database applications are provided. When a security violation is detected, the threat weight of the security violation is used to calculate the threat score of the client that launched the event.

Threat score of a client

FortiWeb reacts to security violations launched by a client according to the configured threat score of the client. The threat score is the sum of the threat weights of all the security violations launched by the client in certain time period. Each time a client violates the security, a corresponding threat weight is added to the total threat score based on set time period. The higher the accumulated threat score of the client, the higher of the risk level of the client. A client can be trusted, suspicious, or malicious based on the configured threat score.

Risk level of a client

Risk level is used to evaluate how dangerous a client is. A client is classified as trusted, unidentified, suspicious, or malicious according to the threat score set. To identify the risk level of a client, the threat score of the risk levels must be defined. For example, a client that has a threat score between 0-120 may be considered trusted (the calculation of the traffic shall be over 5 minutes), between 121-300 suspicious, and over 301 malicious. When the client management module is disabled, or it fails to meet the status of the three risk levels, the risk level of the client can be unidentified.

Blocking action based on risk level

When client management is enabled, based on the risk levels, FortiWeb blocks a suspicious or malicious client according to the configurations in Block Settings.

Configuring a global threat score profile

By default, FortiWeb uses a global threat score profile that applies to all the web protection profiles in a ADOM.

To configure a global threat score profile:

1. Go to Policy > Client Management.
2. Enter a value for Client session data expires after.
   Set the amount of time that FortiWeb will store the tracked client information. Once the information has been stored for longer than the set amount of time, FortiWeb will remove that information.
3. Enter a value for Statistics period.
   This is the amount of time in days that FortiWeb will store the threat score data for an active client.
   For example, when the statistics period is 3 days, and the total threat score in this period is 150. Then 150 will be taken as the score to compare with those set for thrusted/suspicious/malicious clients.
4. Configure Risk Level Values.
   Six different risk levels are available to indicate how serious a security violation is: Informational, Low, Moderate, Substantial, Severe, and Critical.

Assign a threat weight of 1-500 to the risk levels. It is possible to initially use the default values and later adjust them according to specific security concerns.



5. Define risk level of security violations.

Here are the security violations that FortiWeb can detect:

• Signatures (See Blocking known attacks )
• Custom Policy Violations (See Custom Policy)
• Padding Oracle Attacks (See Defeating cipher padding attacks on individually encrypted inputs)
• CSRF Attacks (See Defeating cross-site request forgery (CSRF) attacks)
• Man in Browser Protection (See Protection for Man-in-the-Browser (MiTB) attacks)
• SQL/XSS Syntax Based Detection (See Syntax-based SQL/XSS injection detection)
• Cookie Security Policy Violations (See Cookie security)
• Parameter Validation (See Validating parameters (“input rules”))
• Hidden Field Tampering (See Preventing tampering with hidden inputs)
• FTP Security (see Configuring FTP security)
• HTTP Protocol Constraint Violations (See HTTP/HTTPS protocol constraints)
• WebSocket Protocol Violations (WebSocket protocol)
• URL Access Violations (See Restricting access to specific URLs)
• Allow Methods Violations (See Specifying allowed HTTP methods)
• CORS Protection (see Cross-Origin Resource Sharing (CORS) protection)
• Biometrics Based Detection Violations (see Configuring biometrics based detection)
• Threshold Based Detection Violations (see Configuring threshold based detection)
• Bot Deception Violations (see Configuring bot deception )
• Known Bots Violations (see Configuring known bots)
• JSON Protection Violations (see Configuring JSON protection)
• XML Protection Violations (see Configuring XML protection)
• OpenAPI Validation Violations (see OpenAPI Validation)
• Mobile API Potection Violations (see Configuring mobile API protection)
• Dos Protection Violations (see DoS prevention)
• IP List Violations (See "blocklisting & allowlisting clients" on page 1)
• Geo IP Violations (See "blocklisting & allowlisting countries & regions" on page 1)
• Poor IP Reputation (See "blocklisting source IPs with poor reputation" on page 1)
• User Tracking (See Tracking)
  

Click Threat Weight and then a specific security module. Adjust the slider bar to assign a risk level to each security violation.

For Signatures and HTTP Protocol Constraints, go to Web Protection > Known Attacks > Signatures and Web Protection > Protocol > HTTP > HTTP Protocol Constraints to set the risk level of individual signatures and HTTP protocol constraints. For details, see Blocking known attacks and HTTP/HTTPS protocol constraints.

Click Apply to save the configuration.

You can also click Restore Defaults to restore the configured threat weight of each security violation to the default values.

Configure the actions settings for Suspicious and Malicious clients.

• Block Period: Block a malicious or suspicious client based on source IP.

• Client ID Block Period: Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.

  When selecting Block Period or Client ID Block Period, you need to enter the number of seconds that you want to block subsequent requests from the IP or client.

• Alert: Accept the connection and generate an alert email and/or log message.

• Alert & Deny: Block the request (or reset the connection) and generate an alert and/or log message.

The settings above apply to all the web protection profiles in a ADOM. However, if you want to differentiate the Threat Score settings in different web protection profiles, you can enable Threat Score Profile. After enabling it, a Threat Score Profile tab will appear, where you can create multiple Threat Score profiles and apply them to different web protection profiles.

Click Apply.

Configuring a Threat Score Profile at the web protection profile level

After enabling Threat Score Profile in Global Configuration, the Threat Score Profile tab will appear. You can create multiple Threat Score profiles and apply them to different web protection profiles.

1. Click Create New.
2. Enter a name for the profile.
3. Refer to "Configuring a global threat score profile" for the Statistics period, Threat Score and Action Settings. The Client session data expires after in Global Configuration also applies to Threat Score Profile.
4. Enable Signature Only Threat Score to specifically calculate the threshold for signatures and take actions when the threshold is hit.
   • The difference between Signature Only Threat Score and the Web Protection > Known Attacks > Signature page
     When enabled, a single signature violation from the client will not trigger the system to take actions according to the settings on the Signature page. The system will calculate threat scores and take action only when the Signature Only Threat Score threshold is reached. An exception is for the Erase action, when means the system will take immediate action if the client violates a signature for which the action is Erase.
   • The difference between Signature Only Threat Score and the Threat Score
     
     Threat Score is for the overall threat score calculation not only including signature but also other threats, while Signature Only Threat Score is only for signatures. Whichever score threshold is hit first, the system will take corresponding action.
5. Configure the following settings for Signature Only Threat Score.
   

   Score Threshold	Enter a threshold value for the signature violations.
   Action	Block Period: Block a client based on source IP. Client ID Block Period: Block a client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. Alert: Accept the connection and generate an alert email and/or log message. Alert & Deny: Block the request (or reset the connection) and generate an alert and/or log message.
   Block Period	When selecting Block Period or Client ID Block Period, you need to enter the number of seconds that you want to block subsequent requests from the IP or client.
   Always Record Signature Attack Log	When disabled, the Signature module itself will no longer record logs. Signature log will be generated only when the Signature Only Threat Score exceeds the threshold. When enabled, every time a signature rule is triggered, the signature attack log will be generated.

Monitoring currently tracked clients

To view the information that has been tracked to the client, or delete or restore a client's threat score, see Monitoring currently tracked clients .

To view the information of blocked IPs if you configure Block Settings and the threat score exceeds the threshold, see Monitoring currently blocked IPs.

In Log&Report > Log Access > Attack, you can click an attack log to check the threat score, client ID, and client risk information, and click the client ID to restore the client threat score to 0.

On Attack log page, you can also view the 10 history threats from a client. For Signature Only Threat Score attack log, only Signature related history threats will be record.

In Log&Report > Log Access > Event, you can click an event log to check the client ID information, and click the client ID to restore the client threat score to 0.