Check both the HTTP request and the response for the following:
1) If the domain has been learnt correctly;
2) The charset is correct (in the support list) in the HTTP response;
Charset is set in HTTP response header as “Content-Type:text/html; charset=xxx;”
Charset can also be included in the HTTP response body as <META …. charset=xxx">
At most 2048 bytes of the HTTP response body are buffered; the charset cannot be learnt if it appears beyond this range.
3) There is an acceptable Content-Type in the response;
Please refer to the FAQ section for the content-type supported by ML.
Note: machine learning examines the Content-Type in the response, not the request. If the body of an HTTP request includes XML or JSON, but the Content-Type in the response is text/html, the parameter will NOT be collected/learnt.
4) A parameter is learnt only if the HTTP return code is 200.
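As an added example (not FortiWeb code and not part of the original page), the Python script below applies checks 2) to 4) to a raw HTTP response captured during troubleshooting and lists the reasons it would not qualify. The charset and Content-Type sets are constructed placeholders rather than FortiWeb's support lists, and the header-before-META precedence and the regex used to find the META tag are assumptions.

```python
import re

BODY_BUFFER = 2048  # body bytes buffered for charset learning, per the text
# Constructed placeholders, NOT FortiWeb's support lists (see its FAQ).
SAMPLE_CHARSETS = {"utf-8", "iso-8859-1"}
SAMPLE_CONTENT_TYPES = {"text/html", "text/plain"}
META_RE = re.compile(rb"<meta[^>]*charset\s*=\s*[\"']?([\w.:-]+)", re.I)


def check_response(raw, charsets=SAMPLE_CHARSETS, ctypes=SAMPLE_CONTENT_TYPES):
    """Return the reasons a raw HTTP response fails the checks (empty = pass)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(None, 2)
    status = parts[1] if len(parts) > 1 else "missing"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    problems = []
    if status != "200":
        problems.append("status is %s, not 200" % status)
    fields = [f.strip() for f in headers.get("content-type", "").split(";")]
    if fields[0].lower() not in ctypes:
        problems.append("Content-Type %r not accepted" % fields[0])
    # Assumption: a charset in the header takes precedence over a META tag.
    charset = None
    for field in fields[1:]:
        key, _, value = field.partition("=")
        if key.strip().lower() == "charset" and value.strip():
            charset = value.strip().strip("\"'").lower()
    if charset is None:
        # Assumption: the whole META declaration must fit in the buffer.
        m = META_RE.search(body)
        if m and m.end() > BODY_BUFFER:
            problems.append("META charset past first %d body bytes" % BODY_BUFFER)
        elif m:
            charset = m.group(1).decode("ascii").lower()
        else:
            problems.append("no charset in header or META tag")
    if charset is not None and charset not in charsets:
        problems.append("charset %r not in support list" % charset)
    return problems


if __name__ == "__main__":  # constructed sample: META tag past the buffer
    late = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + b" " * 2100
    print(check_response(late + b'<meta charset="utf-8">'))
```

Feed it the response bytes reassembled from a packet capture, and pass the real support lists from the FAQ in place of the sample sets.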
1. Check if the “Collected Samples” reaches 400 (the default start-min-count), which is the default number for an initial model to be built up;
2. Check if new requests meet the requirements of ip-expire-intval (1-24 hours) and ip-expire-cnts (source IPs).
You can set both values to 1 to make testing easier.
3. When sending traffic from a single source with multiple XFFs:
- Enable Inline Protection Profile and choose “Use X-Header to Identify Original Client's IP”.
- Use public IP addresses for testing instead of private IPs.
You may sometimes use curl to verify the functionality, but note that behavior varies between curl versions. It is better to double-check the request actually sent out with a packet capture or the FortiWeb tlog.
For example, with curl 7.68.0 on Ubuntu 20.0.4, the XFF IP 126.96.36.199 will be recognized as the “Original Source” in tlog with the 1st curl command below. But on Win10 with curl 7.78.0, the XFF IP sent by the 1st curl command is not identified as the “Original Source”; the other 3 command formats take effect and trigger the machine learning process.
curl HTTP://direct.ama01.com/index.php?new_para=123 -H 'X-Forwarded-For:188.8.131.52'
curl HTTP://direct.ama01.com/index.php?new_para=123 -H "X-Forwarded-For:184.108.40.206"
curl HTTP://direct.ama01.com/index.php?new_para=123 -H X-Forwarded-For:220.127.116.11
curl HTTP://direct.ama01.com/index.php?new_para=123 -H X-FORWARDED-FOR:18.104.22.168
1. In Web Protection > ML Based Anomaly Detection > Tree View, click Test Sample, then enter a parameter value to verify whether it will be detected as an anomaly at the current strictness level.
A parameter is sent to the SVM model, to double-check whether it is a real attack, only after the HMM model has first recognized it as an anomaly.
2. Check whether FortiWeb works in Active-Active-Standard or Active-Active-High-Volume mode; these modes are not supported yet on 6.3 & 6.4.
This issue has been resolved on FortiWeb 7.0 and later releases.
FortiWeb 6.4 uses MySQL while 6.3 uses Redis, so after upgrading from 6.3 to 6.4, old machine learning data will be lost.
Upgrading from 6.3/6.4 to 7.0 is supported.