Fortinet white logo
Fortinet white logo

CLI Reference

server-policy pattern threat-weight

server-policy pattern threat-weight

Use this command to configure the global threat weight of security violations. When a security violation is detected, the threat weight of the security violation is used to calculate the threat score of a client that launched the event.

For details about Threat Weight, see the FortiWeb Administration Guide:

HTTP://docs.fortinet.com/fortiweb/admin-guides

To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

Syntax

config server-policy pattern threat-weight

set allow-method-level {low | critical | informational | moderate | substantial | severe}

set allow-method-op {enable | disable}

set biometrics-based-detection -level {low | critical | informational | moderate | substantial | severe}

set biometrics-based-detection-op {enable | disable}

set bot-deception-level {low | critical | informational | moderate | substantial | severe}

set bot-deception-op {enable | disable}

set client-management-expire <time_int>

set concurrent-users-peraccount- exceeds-limit-level {low | critical | informational | moderate | substantial | severe}

set concurrent-users-peraccount- exceeds-limit-op {enable | disable}

set cookie-signature-checkfailed- level {low | critical | informational | moderate | substantial | severe}

set cookie-signature-checkfailed- op {enable | disable}

set cors-protection-level {low | critical | informational | moderate | substantial | severe}

set cors-protection-op {enable | disable}

set credential-stuffing-defenselevel {low | critical | informational | moderate | substantial | severe}

set credential-stuffing-defenseop {enable | disable}

set csrf-protection-level {low | critical | informational | moderate | substantial | severe}

set csrf-protection-op {enable | disable}

set custom-policy-op {enable | disable}

set fail-to-validate-json-schemalevel {low | critical | informational | moderate | substantial | severe}

set fail-to-validate-json-schemaop {enable | disable}

set fail-to-validate-xml-schemalevel {low | critical | informational | moderate | substantial | severe}

set fail-to-validate-xml-schemaop {enable | disable}

set forbid-xml-entities-level {low | critical | informational | moderate | substantial | severe}

set forbid-xml-entities-op {enable | disable}

set format-not-allowed-inwebsocket- level {low | critical | informational | moderate | substantial | severe}

set format-not-allowed-inwebsocket- op {enable | disable}

set geo-ip-level {low | critical | informational | moderate | substantial | severe}

set geo-ip-op {enable | disable}

set hidden-field-protection-level {low | critical | informational | moderate | substantial | severe}

set hidden-field-protection-op {enable | disable}

set HTTP-access-limit-level {low | critical | informational | moderate | substantial | severe}

set HTTP-access-limit-op {enable | disable}

set HTTP-flood-prevention-level {low | critical | informational | moderate | substantial | severe}

set HTTP-flood-prevention-op {enable | disable}

set HTTP-protocol-constraints-op {enable | disable}

set illegal-file-size-level {low | critical | informational | moderate | substantial | severe}

set illegal-file-size-op {enable | disable}

set illegal-file-type-level {low | critical | informational | moderate | substantial | severe}

set illegal-file-type-op {enable | disable}

set ip-list-level {low | critical | informational | moderate | substantial | severe}

set ip-list-op {enable | disable}

set ip-replay-violation-level {low | critical | informational | moderate | substantial | severe}

set ip-replay-violation-op {enable | disable}

set ip-reputation-level {low | critical | informational | moderate | substantial | severe}

set ip-reputation-op {enable | disable}

set json-element-lengthexceeded- level {low | critical | informational | moderate | substantial | severe}

set json-element-lengthexceeded- op {enable | disable}

set known-bots-level {low | critical | informational | moderate | substantial | severe}

set known-bots-op {enable | disable}

set low-level <level_int>

set low-level-score-end <level_ int>

set malicious-action {alert | alert_deny | block-period | client-id-block-period}

set malicious-block-period <minutes_int>

set malicious-file-detected-byfortisandbox- level {low | critical | informational | moderate | substantial | severe}

set malicious-file-detected-byfortisandbox- op {enable | disable}

set malicious-ips-level {low | critical | informational | moderate | substantial | severe}

set malicious-ips-op {enable | disable}

set man-in-browser-protectionlevel {low | critical | informational | moderate | substantial | severe}

set man-in-browser-protectionop {enable | disable}

set medium-level-score-end <level_int>

set mobile-api-protection-level {low | critical | informational | moderate | substantial | severe}

set mobile-api-protection-op {enable | disable}

set openapi-validation-level {low | critical | informational | moderate | substantial | severe}

set openapi-validation-op {enable | disable}

set origin-not-allowed-level {low | critical | informational | moderate | substantial | severe}

set origin-not-allowed-op {enable | disable}

set padding-oracle-protectionlevel {low | critical | informational | moderate | substantial | severe}

set padding-oracle-protection-op {enable | disable}

set parameter-validation-level {low | critical | informational | moderate | substantial | severe}

set parameter-validation-op {enable | disable}

set session-fixation-protectionlevel {low | critical | informational | moderate | substantial | severe}

set session-fixation-protectionop {enable | disable}

set session-idle-timeout-level {low | critical | informational | moderate | substantial | severe}

set session-idle-timeout-op {enable | disable}

set signature-op {enable | disable}

set size-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}

set size-exceeds-limit-op {enable | disable}

set sql-xss-sbd-op {enable | disable}

set statistics-period {one-day | three-days | one-week}

set suspicious-action {alert | alert_deny | block-period | client-id-block-period}

set suspicious-block-period <minutes_int>

set tcp-flood-prevention-level {low | critical | informational | moderate | substantial | severe}

set tcp-flood-prevention-op {enable | disable}

set threshold-based-detectionlevel {low | critical | informational | moderate | substantial | severe}

set threshold-based-detection-op {enable | disable}

set threat-score-profile {enable | disable}

set trojan-detected-level {low | critical | informational | moderate | substantial | severe}

set trojan-detected-op {enable | disable}

set url-access-level {low | critical | informational | moderate | substantial | severe}

set url-access-op {enable | disable}

set virus-detected-level {low | critical | informational | moderate | substantial | severe}

set virus-detected-op {enable | disable}

set websocket-extensions-notallowed- level {low | critical | informational | moderate | substantial | severe}

set websocket-extensions-notallowed- op {enable | disable}

set websocket-traffic-notallowed- level {low | critical | informational | moderate | substantial | severe}

set websocket-traffic-notallowed- op {enable | disable}

set wsdl-validation-failed-level {low | critical | informational | moderate | substantial | severe}

set wsdl-validation-failed-op {enable | disable}

set wsi-check-failed-level {low | critical | informational | moderate | substantial | severe}

set wsi-check-failed-op {enable | disable}

set xml-element-lengthexceeded- level {low | critical | informational | moderate | substantial | severe}

set xml-element-lengthexceeded- op {enable | disable}

end

Variable Description Default

allow-method-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for HTTP request method violations. moderate

allow-method-op {enable | disable}

Enable to configure the threat weight for HTTP request method violations.

enable

biometrics-based-detection -level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for biometrics based detection rule violations.

substantial

biometrics-based-detection-op {enable | disable}

Enable to configure the threat weight for biometrics based detection rule violations.

disable

bot-deception-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for bot deception policy violations.

substantial

bot-deception-op {enable | disable}

Enable to configure the threat weight for bot deception policy violations.

disable

client-management-expire <time_int>

Set the amount of time that FortiWeb will store the tracked client information.

Once the information has been stored for longer than the set amount of time, FortiWeb will remove that information.

15 days

concurrent-users-per-account-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for violations that the number of concurrent users per account exceeds the limit.

moderate

concurrent-users-per-account-exceeds-limit-op {enable | disable}

Enable to configure the threat weight for violations that the number of concurrent users per account exceeds the limit.

enable

cookie-signature-check-failed-level {low | critical | informational | moderate | substantial | severe}

When the security mode is None or Signed, enable to configure the threat weight for cookie tampering protection rule violations.

substantial

cookie-signature-check-failed-op {enable | disable}

Enable to configure the threat weight for cookie tampering protection rule violations.

enable

cors-protection-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for CORS protection rule violations.

moderate

cors-protection-op {enable | disable}

Enable to configure the threat weight for CORS protection rule violations.

enable

credential-stuffing-defense-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Credential Stuffing attacks.

severe

credential-stuffing-defense-op {enable | disable}

Enable to configure the threat weight for Credential Stuffing attacks.

enable

csrf-protection-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for CSRF protection rule violations.

substantial

csrf-protection-op {enable | disable}

Enable to configure the threat weight for CSRF protection rule violations.

enable

custom-policy-op {enable | disable}

Enable to configure the threat weight for custom policy violations.

enable

fail-to-validate-json-schema-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for JSON protection rule violations.

substantial

fail-to-validate-json-schema-op {enable | disable}

Enable to configure the threat weight for violation of failing to validate JSON schema file.

enable

fail-to-validate-xml-schema-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for violation of failing to validate JSON schema file.

moderate

fail-to-validate-xml-schema-op {enable | disable}

Enable to configure the threat weight for violation of failing to validate XML schema file.

enable

forbid-xml-entities-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for violation of failing to validate XML schema file.

substantial

forbid-xml-entities-op {enable | disable}

Enable to configure the threat weight for forbidden XML entities violations.

enable

format-not-allowed-in-websocket-level {low | critical | informational | moderate | substantial | severe}

When the WebSocket connection is established, data is transmitted in the form of frame.

Set the threat weight for violation that frame formats are not allowed.

moderate

format-not-allowed-in-websocket-op {enable | disable}

Enable to configure the threat weight for violation that frame formats are not allowed.

enable

geo-ip-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for requests from blocked countries or regions based on the associated source IP address.

critical

geo-ip-op {enable | disable}

Enable to configure the threat weight for Geo IP block policy violations.

enable

hidden-field-protection-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for attempts to tamper with hidden field rules.

substantial

hidden-field-protection-op {enable | disable}

Enable to configure the threat weight for hidden field protection rule violations.

enable

HTTP-access-limit-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for violation that the number of HTTP requests per second, per source IP address exceeds the limit.

substantial

HTTP-access-limit-op {enable | disable}

Enable to configure the threat weight for violation that the number of HTTP requests per second, per source IP address exceeds the limit.

enable

HTTP-flood-prevention-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for violation that the number ofHTTP requests per second, per session, per URL exceeds the limit.

substantial

HTTP-flood-prevention-op {enable | disable}

Enable to configure the threat weight for violation that the number of HTTP requests per second, per session, per URL exceeds the limit.

enable

HTTP-protocol-constraints-op {enable | disable}

Enable to configure the threat weight for HTTP protocol constraints. Once enabled, the threat weight for each HTTP protocol constraint may be set using waf HTTP-protocol-parameter-restriction.

enable

illegal-file-size-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the file size detection and restriction violation.

moderate

illegal-file-size-op {enable | disable}

Enable to configure the threat weight for the file size detection and restriction violation.

enable

illegal-file-type-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the file type detection and restriction violation.

substantial

illegal-file-type-op {enable | disable}

Enable to configure the threat weight for the file type detection and restriction violation.

enable

ip-list-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for requests from blocklisted IP addresses.

critical

ip-list-op {enable | disable}

Enable to configure the threat weight for requests from blocklisted IP addresses.

enable

ip-replay-violation-level {low | critical | informational | moderate | substantial | severe}

When the security mode is Encrypted, select whether FortiWeb uses the IP address of a request to determine the owner of the cookie.

Set the threat weight for IP replay violations.

substantial

ip-replay-violation-op {enable | disable}

Enable to configure the threat weight for IP replay violations.

enable

ip-reputation-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for requests from IP addresses with a poor reputation.

critical

ip-reputation-op {enable | disable}

Enable to configure the threat weight for requests from IP addresses with a poor reputation.

enable

json-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the violation that the JSON element length exceeds.

moderate

json-element-length-exceeded-op {enable | disable}

Enable to configure the threat weight for the violation that the JSON element length exceeds.

enable

known-bots-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the known bots attacks.

substantial

known-bots-op {enable | disable}

Enable to configure the threat weight for the known bots attacks.

disable

low-level <level_int>

Set the risk level value for Low level.

10

low-level-score-end <level_int>

Set the low level threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access.

100

malicious-action {alert | alert_deny | block-period | client-id-block-period}

  • block-period: Block a malicious client based on source IP.
  • client-id-block-period: Block a malicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.

  • alert: Accept the connection and generate an alert email and/or log message.
  • alert_deny : Block the request (or reset the connection) and generate an alert and/or log message.

none

malicious-block-period

When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client.

Valid range is 1-1440 minutes.

10

malicious-file-detected-by-fortisandbox-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the violation of malicious file detection by FortiSandbox.

severe

malicious-file-detected-by-fortisandbox-op {enable | disable}

Enable to configure the threat weight for the violation of malicious file detection by FortiSandbox.

enable

malicious-ips-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the violation that the number of TCP connections per HTTP session exceeds the limit.

substantial

malicious-ips-op {enable | disable}

Enable to configure the threat weight the violation that the number of TCP connections per HTTP session exceeds the limit.

enable

man-in-browser-protection-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for MiTB attacks.

substantial

man-in-browser-protection-op {enable | disable}

Enable to configure the threat weight for MiTB attacks.

enable

medium-level-score-end <level_int>

Set the high threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access.

200

mobile-api-protection-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for mobile API protection rule violations.

substantial

mobile-api-protection-op {enable | disable}

Enable to configure the threat weight for mobile API protection rule violations.

enable

openapi-validation-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for OpenAPI validation rule violations.

moderate

openapi-validation-op {enable | disable}

Enable to configure the threat weight for OpenAPI validation rule violations.

enable

origin-not-allowed-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the violation of origin not allowed.

low

origin-not-allowed-op {enable | disable}

Enable to configure the threat weight for the violation of origin not allowed.

enable

padding-oracle-protection-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for padding oracle attacks.

severe

padding-oracle-protection-op {enable | disable}

Enable to configure the threat weight for padding oracle attacks.

enable

parameter-validation-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for parameter validation violation.

moderate

parameter-validation-op {enable | disable}

Enable to configure threat weight for parameter validation violation.

enable

session-fixation-protection-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for session fixation protection rule violation.

moderate

session-fixation-protection-op {enable | disable}

Enable to configure the threat weight for session fixation protection rule violation.

enable

session-idle-timeout-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the violation of session idle timeout.

moderate

session-idle-timeout-op {enable | disable}

Enable to configure the threat weight for the violation of session idle timeout.

enable

signature-op {enable | disable}

Enable to set the threat weight for each signature rule.

enable

size-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the violation when the maximum acceptable frame header and body size in bytes exceeds the limit.

moderate

size-exceeds-limit-op {enable | disable}

Enable to configure the threat weight for the violation when the maximum acceptable frame header and body size in bytes exceeds the limit.

enable

sql-xss-sbd-op {enable | disable}

Enable to configure the threat weight for the SQL/XSS syntax based detection rule violation.

enable

statistics-period {one-day | three-days | one-week}

Select the amount of time in days that FortiWeb will store the threat score data for an active client.

For example, when the statistics period is 3 days, and the total threat score in this period is 150. Then 150 will be taken as the score to compare with those set fo thrusted/suspicious/malicious clients.

three-days

suspicious-action {alert | alert_deny | block-period | client-id-block-period}

  • block-period: Block a suspicious client based on source IP.
  • client-id-block-period: Block a suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.

  • alert: Accept the connection and generate an alert email and/or log message.
  • alert_deny : Block the request (or reset the connection) and generate an alert and/or log message.

none

suspicious-block-period

When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client.

Valid range is 1-1440 minutes.

10

tcp-flood-prevention-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the violation when the number of fully-formed TCP connections per source IP address exceeds the limit.

substantial

tcp-flood-prevention-op {enable | disable}

Enable to configure the threat weight for the violation when the number of fully-formed TCP connections per source IP address exceeds the limit.

enable

threshold-based-detection-level {low | critical | informational | moderate | substantial | severe}

Set the threat weight for the threshold based detection rule violation.

substantial

threshold-based-detection-op {enable | disable}

Enable to configure the threat weight for the threshold based detection rule violation.

disable

threat-score-profile {enable | disable}

  • If you want to differentiate the Threat Score settings in different web protection profiles, you can enable threat-score-profile. After enabling it, use config server-policy pattern threat-score-profile to create multiple Threat Score profiles and apply them to different web protection profiles.
  • disable

    trojan-detected-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the Trojan detection rule violation.

    enable

    trojan-detected-op {enable | disable}

    Enable to configure the threat weight for the Trojan detection rule violation.

    severe

    url-access-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the URL access rule violation.

    substantial

    url-access-op {enable | disable}

    Enable to configure the threat weight for the URL access rule violation.

    enable

    virus-detected-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the virus detection rule violation.

    critical

    virus-detected-op {enable | disable}

    Enable to configure the threat weight for the virus detection rule violation.

    enable

    websocket-extensions-not-allowed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation of extension header in WebSocket handshake packet.

    substantial

    websocket-extensions-not-allowed-op {enable | disable}

    Enable to configure the threat weight for the violation of extension header in WebSocket handshake packet.

    enable

    websocket-traffic-not-allowed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the WebSocket traffic blocking violation.

    substantial

    websocket-traffic-not-allowed-op {enable | disable}

    Enable to configure the threat weight for the WebSocket traffic blocking violation.

    enable

    wsdl-validation-failed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the WSDL file validation rule violation.

    substantial

    wsdl-validation-failed-op {enable | disable}

    Enable to set the threat weight for the WSDL file validation rule violation.

    enable

    wsi-check-failed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the WS-security rule violation.

    moderate

    wsi-check-failed-op {enable | disable}

    Enable to set the threat weight for the WS-security rule violation.

    enable

    xml-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation that the XML element length exceeds.

    moderate

    xml-element-length-exceeded-op {enable | disable}

    Enable to configure the threat weight for the violation that the XML element length exceeds.

    enable

    Related Topics

    server-policy pattern threat-weight

    server-policy pattern threat-weight

    Use this command to configure the global threat weight of security violations. When a security violation is detected, the threat weight of the security violation is used to calculate the threat score of a client that launched the event.

    For details about Threat Weight, see the FortiWeb Administration Guide:

    HTTP://docs.fortinet.com/fortiweb/admin-guides

    To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.

    Syntax

    config server-policy pattern threat-weight

    set allow-method-level {low | critical | informational | moderate | substantial | severe}

    set allow-method-op {enable | disable}

    set biometrics-based-detection -level {low | critical | informational | moderate | substantial | severe}

    set biometrics-based-detection-op {enable | disable}

    set bot-deception-level {low | critical | informational | moderate | substantial | severe}

    set bot-deception-op {enable | disable}

    set client-management-expire <time_int>

    set concurrent-users-peraccount- exceeds-limit-level {low | critical | informational | moderate | substantial | severe}

    set concurrent-users-peraccount- exceeds-limit-op {enable | disable}

    set cookie-signature-checkfailed- level {low | critical | informational | moderate | substantial | severe}

    set cookie-signature-checkfailed- op {enable | disable}

    set cors-protection-level {low | critical | informational | moderate | substantial | severe}

    set cors-protection-op {enable | disable}

    set credential-stuffing-defenselevel {low | critical | informational | moderate | substantial | severe}

    set credential-stuffing-defenseop {enable | disable}

    set csrf-protection-level {low | critical | informational | moderate | substantial | severe}

    set csrf-protection-op {enable | disable}

    set custom-policy-op {enable | disable}

    set fail-to-validate-json-schemalevel {low | critical | informational | moderate | substantial | severe}

    set fail-to-validate-json-schemaop {enable | disable}

    set fail-to-validate-xml-schemalevel {low | critical | informational | moderate | substantial | severe}

    set fail-to-validate-xml-schemaop {enable | disable}

    set forbid-xml-entities-level {low | critical | informational | moderate | substantial | severe}

    set forbid-xml-entities-op {enable | disable}

    set format-not-allowed-inwebsocket- level {low | critical | informational | moderate | substantial | severe}

    set format-not-allowed-inwebsocket- op {enable | disable}

    set geo-ip-level {low | critical | informational | moderate | substantial | severe}

    set geo-ip-op {enable | disable}

    set hidden-field-protection-level {low | critical | informational | moderate | substantial | severe}

    set hidden-field-protection-op {enable | disable}

    set HTTP-access-limit-level {low | critical | informational | moderate | substantial | severe}

    set HTTP-access-limit-op {enable | disable}

    set HTTP-flood-prevention-level {low | critical | informational | moderate | substantial | severe}

    set HTTP-flood-prevention-op {enable | disable}

    set HTTP-protocol-constraints-op {enable | disable}

    set illegal-file-size-level {low | critical | informational | moderate | substantial | severe}

    set illegal-file-size-op {enable | disable}

    set illegal-file-type-level {low | critical | informational | moderate | substantial | severe}

    set illegal-file-type-op {enable | disable}

    set ip-list-level {low | critical | informational | moderate | substantial | severe}

    set ip-list-op {enable | disable}

    set ip-replay-violation-level {low | critical | informational | moderate | substantial | severe}

    set ip-replay-violation-op {enable | disable}

    set ip-reputation-level {low | critical | informational | moderate | substantial | severe}

    set ip-reputation-op {enable | disable}

    set json-element-lengthexceeded- level {low | critical | informational | moderate | substantial | severe}

    set json-element-lengthexceeded- op {enable | disable}

    set known-bots-level {low | critical | informational | moderate | substantial | severe}

    set known-bots-op {enable | disable}

    set low-level <level_int>

    set low-level-score-end <level_ int>

    set malicious-action {alert | alert_deny | block-period | client-id-block-period}

    set malicious-block-period <minutes_int>

    set malicious-file-detected-byfortisandbox- level {low | critical | informational | moderate | substantial | severe}

    set malicious-file-detected-byfortisandbox- op {enable | disable}

    set malicious-ips-level {low | critical | informational | moderate | substantial | severe}

    set malicious-ips-op {enable | disable}

    set man-in-browser-protectionlevel {low | critical | informational | moderate | substantial | severe}

    set man-in-browser-protectionop {enable | disable}

    set medium-level-score-end <level_int>

    set mobile-api-protection-level {low | critical | informational | moderate | substantial | severe}

    set mobile-api-protection-op {enable | disable}

    set openapi-validation-level {low | critical | informational | moderate | substantial | severe}

    set openapi-validation-op {enable | disable}

    set origin-not-allowed-level {low | critical | informational | moderate | substantial | severe}

    set origin-not-allowed-op {enable | disable}

    set padding-oracle-protectionlevel {low | critical | informational | moderate | substantial | severe}

    set padding-oracle-protection-op {enable | disable}

    set parameter-validation-level {low | critical | informational | moderate | substantial | severe}

    set parameter-validation-op {enable | disable}

    set session-fixation-protectionlevel {low | critical | informational | moderate | substantial | severe}

    set session-fixation-protectionop {enable | disable}

    set session-idle-timeout-level {low | critical | informational | moderate | substantial | severe}

    set session-idle-timeout-op {enable | disable}

    set signature-op {enable | disable}

    set size-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}

    set size-exceeds-limit-op {enable | disable}

    set sql-xss-sbd-op {enable | disable}

    set statistics-period {one-day | three-days | one-week}

    set suspicious-action {alert | alert_deny | block-period | client-id-block-period}

    set suspicious-block-period <minutes_int>

    set tcp-flood-prevention-level {low | critical | informational | moderate | substantial | severe}

    set tcp-flood-prevention-op {enable | disable}

    set threshold-based-detectionlevel {low | critical | informational | moderate | substantial | severe}

    set threshold-based-detection-op {enable | disable}

    set threat-score-profile {enable | disable}

    set trojan-detected-level {low | critical | informational | moderate | substantial | severe}

    set trojan-detected-op {enable | disable}

    set url-access-level {low | critical | informational | moderate | substantial | severe}

    set url-access-op {enable | disable}

    set virus-detected-level {low | critical | informational | moderate | substantial | severe}

    set virus-detected-op {enable | disable}

    set websocket-extensions-notallowed- level {low | critical | informational | moderate | substantial | severe}

    set websocket-extensions-notallowed- op {enable | disable}

    set websocket-traffic-notallowed- level {low | critical | informational | moderate | substantial | severe}

    set websocket-traffic-notallowed- op {enable | disable}

    set wsdl-validation-failed-level {low | critical | informational | moderate | substantial | severe}

    set wsdl-validation-failed-op {enable | disable}

    set wsi-check-failed-level {low | critical | informational | moderate | substantial | severe}

    set wsi-check-failed-op {enable | disable}

    set xml-element-lengthexceeded- level {low | critical | informational | moderate | substantial | severe}

    set xml-element-lengthexceeded- op {enable | disable}

    end

    Variable Description Default

    allow-method-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for HTTP request method violations. moderate

    allow-method-op {enable | disable}

    Enable to configure the threat weight for HTTP request method violations.

    enable

    biometrics-based-detection -level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for biometrics based detection rule violations.

    substantial

    biometrics-based-detection-op {enable | disable}

    Enable to configure the threat weight for biometrics based detection rule violations.

    disable

    bot-deception-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for bot deception policy violations.

    substantial

    bot-deception-op {enable | disable}

    Enable to configure the threat weight for bot deception policy violations.

    disable

    client-management-expire <time_int>

    Set the amount of time that FortiWeb will store the tracked client information.

    Once the information has been stored for longer than the set amount of time, FortiWeb will remove that information.

    15 days

    concurrent-users-per-account-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for violations that the number of concurrent users per account exceeds the limit.

    moderate

    concurrent-users-per-account-exceeds-limit-op {enable | disable}

    Enable to configure the threat weight for violations that the number of concurrent users per account exceeds the limit.

    enable

    cookie-signature-check-failed-level {low | critical | informational | moderate | substantial | severe}

    When the security mode is None or Signed, enable to configure the threat weight for cookie tampering protection rule violations.

    substantial

    cookie-signature-check-failed-op {enable | disable}

    Enable to configure the threat weight for cookie tampering protection rule violations.

    enable

    cors-protection-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for CORS protection rule violations.

    moderate

    cors-protection-op {enable | disable}

    Enable to configure the threat weight for CORS protection rule violations.

    enable

    credential-stuffing-defense-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for Credential Stuffing attacks.

    severe

    credential-stuffing-defense-op {enable | disable}

    Enable to configure the threat weight for Credential Stuffing attacks.

    enable

    csrf-protection-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for CSRF protection rule violations.

    substantial

    csrf-protection-op {enable | disable}

    Enable to configure the threat weight for CSRF protection rule violations.

    enable

    custom-policy-op {enable | disable}

    Enable to configure the threat weight for custom policy violations.

    enable

    fail-to-validate-json-schema-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for JSON protection rule violations.

    substantial

    fail-to-validate-json-schema-op {enable | disable}

    Enable to configure the threat weight for violation of failing to validate JSON schema file.

    enable

    fail-to-validate-xml-schema-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for violation of failing to validate JSON schema file.

    moderate

    fail-to-validate-xml-schema-op {enable | disable}

    Enable to configure the threat weight for violation of failing to validate XML schema file.

    enable

    forbid-xml-entities-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for violation of failing to validate XML schema file.

    substantial

    forbid-xml-entities-op {enable | disable}

    Enable to configure the threat weight for forbidden XML entities violations.

    enable

    format-not-allowed-in-websocket-level {low | critical | informational | moderate | substantial | severe}

    When the WebSocket connection is established, data is transmitted in the form of frame.

    Set the threat weight for violation that frame formats are not allowed.

    moderate

    format-not-allowed-in-websocket-op {enable | disable}

    Enable to configure the threat weight for violation that frame formats are not allowed.

    enable

    geo-ip-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for requests from blocked countries or regions based on the associated source IP address.

    critical

    geo-ip-op {enable | disable}

    Enable to configure the threat weight for Geo IP block policy violations.

    enable

    hidden-field-protection-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for attempts to tamper with hidden field rules.

    substantial

    hidden-field-protection-op {enable | disable}

    Enable to configure the threat weight for hidden field protection rule violations.

    enable

    HTTP-access-limit-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for violation that the number of HTTP requests per second, per source IP address exceeds the limit.

    substantial

    HTTP-access-limit-op {enable | disable}

    Enable to configure the threat weight for violation that the number of HTTP requests per second, per source IP address exceeds the limit.

    enable

    HTTP-flood-prevention-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for violation that the number ofHTTP requests per second, per session, per URL exceeds the limit.

    substantial

    HTTP-flood-prevention-op {enable | disable}

    Enable to configure the threat weight for violation that the number of HTTP requests per second, per session, per URL exceeds the limit.

    enable

    HTTP-protocol-constraints-op {enable | disable}

    Enable to configure the threat weight for HTTP protocol constraints. Once enabled, the threat weight for each HTTP protocol constraint may be set using waf HTTP-protocol-parameter-restriction.

    enable

    illegal-file-size-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the file size detection and restriction violation.

    moderate

    illegal-file-size-op {enable | disable}

    Enable to configure the threat weight for the file size detection and restriction violation.

    enable

    illegal-file-type-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the file type detection and restriction violation.

    substantial

    illegal-file-type-op {enable | disable}

    Enable to configure the threat weight for the file type detection and restriction violation.

    enable

    ip-list-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for requests from blocklisted IP addresses.

    critical

    ip-list-op {enable | disable}

    Enable to configure the threat weight for requests from blocklisted IP addresses.

    enable

    ip-replay-violation-level {low | critical | informational | moderate | substantial | severe}

    When the security mode is Encrypted, select whether FortiWeb uses the IP address of a request to determine the owner of the cookie.

    Set the threat weight for IP replay violations.

    substantial

    ip-replay-violation-op {enable | disable}

    Enable to configure the threat weight for IP replay violations.

    enable

    ip-reputation-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for requests from IP addresses with a poor reputation.

    critical

    ip-reputation-op {enable | disable}

    Enable to configure the threat weight for requests from IP addresses with a poor reputation.

    enable

    json-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation that the JSON element length exceeds.

    moderate

    json-element-length-exceeded-op {enable | disable}

    Enable to configure the threat weight for the violation that the JSON element length exceeds.

    enable

    known-bots-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the known bots attacks.

    substantial

    known-bots-op {enable | disable}

    Enable to configure the threat weight for the known bots attacks.

    disable

    low-level <level_int>

    Set the risk level value for Low level.

    10

    low-level-score-end <level_int>

    Set the low level threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access.

    100

    malicious-action {alert | alert_deny | block-period | client-id-block-period}

    • block-period: Block a malicious client based on source IP.
    • client-id-block-period: Block a malicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.

    • alert: Accept the connection and generate an alert email and/or log message.
    • alert_deny : Block the request (or reset the connection) and generate an alert and/or log message.

    none

    malicious-block-period

    When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client.

    Valid range is 1-1440 minutes.

    10

    malicious-file-detected-by-fortisandbox-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation of malicious file detection by FortiSandbox.

    severe

    malicious-file-detected-by-fortisandbox-op {enable | disable}

    Enable to configure the threat weight for the violation of malicious file detection by FortiSandbox.

    enable

    malicious-ips-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation that the number of TCP connections per HTTP session exceeds the limit.

    substantial

    malicious-ips-op {enable | disable}

    Enable to configure the threat weight the violation that the number of TCP connections per HTTP session exceeds the limit.

    enable

    man-in-browser-protection-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for MiTB attacks.

    substantial

    man-in-browser-protection-op {enable | disable}

    Enable to configure the threat weight for MiTB attacks.

    enable

    medium-level-score-end <level_int>

    Set the high threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access.

    200

    mobile-api-protection-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for mobile API protection rule violations.

    substantial

    mobile-api-protection-op {enable | disable}

    Enable to configure the threat weight for mobile API protection rule violations.

    enable

    openapi-validation-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for OpenAPI validation rule violations.

    moderate

    openapi-validation-op {enable | disable}

    Enable to configure the threat weight for OpenAPI validation rule violations.

    enable

    origin-not-allowed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation of origin not allowed.

    low

    origin-not-allowed-op {enable | disable}

    Enable to configure the threat weight for the violation of origin not allowed.

    enable

    padding-oracle-protection-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for padding oracle attacks.

    severe

    padding-oracle-protection-op {enable | disable}

    Enable to configure the threat weight for padding oracle attacks.

    enable

    parameter-validation-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for parameter validation violation.

    moderate

    parameter-validation-op {enable | disable}

    Enable to configure threat weight for parameter validation violation.

    enable

    session-fixation-protection-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for session fixation protection rule violation.

    moderate

    session-fixation-protection-op {enable | disable}

    Enable to configure the threat weight for session fixation protection rule violation.

    enable

    session-idle-timeout-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation of session idle timeout.

    moderate

    session-idle-timeout-op {enable | disable}

    Enable to configure the threat weight for the violation of session idle timeout.

    enable

    signature-op {enable | disable}

    Enable to set the threat weight for each signature rule.

    enable

    size-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation when the maximum acceptable frame header and body size in bytes exceeds the limit.

    moderate

    size-exceeds-limit-op {enable | disable}

    Enable to configure the threat weight for the violation when the maximum acceptable frame header and body size in bytes exceeds the limit.

    enable

    sql-xss-sbd-op {enable | disable}

    Enable to configure the threat weight for the SQL/XSS syntax based detection rule violation.

    enable

    statistics-period {one-day | three-days | one-week}

    Select the amount of time in days that FortiWeb will store the threat score data for an active client.

    For example, when the statistics period is 3 days, and the total threat score in this period is 150. Then 150 will be taken as the score to compare with those set fo thrusted/suspicious/malicious clients.

    three-days

    suspicious-action {alert | alert_deny | block-period | client-id-block-period}

    • block-period: Block a suspicious client based on source IP.
    • client-id-block-period: Block a suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.

    • alert: Accept the connection and generate an alert email and/or log message.
    • alert_deny : Block the request (or reset the connection) and generate an alert and/or log message.

    none

    suspicious-block-period

    When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client.

    Valid range is 1-1440 minutes.

    10

    tcp-flood-prevention-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation when the number of fully-formed TCP connections per source IP address exceeds the limit.

    substantial

    tcp-flood-prevention-op {enable | disable}

    Enable to configure the threat weight for the violation when the number of fully-formed TCP connections per source IP address exceeds the limit.

    enable

    threshold-based-detection-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the threshold based detection rule violation.

    substantial

    threshold-based-detection-op {enable | disable}

    Enable to configure the threat weight for the threshold based detection rule violation.

    disable

    threat-score-profile {enable | disable}

  • If you want to differentiate the Threat Score settings in different web protection profiles, you can enable threat-score-profile. After enabling it, use config server-policy pattern threat-score-profile to create multiple Threat Score profiles and apply them to different web protection profiles.
  • disable

    trojan-detected-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the Trojan detection rule violation.

    enable

    trojan-detected-op {enable | disable}

    Enable to configure the threat weight for the Trojan detection rule violation.

    severe

    url-access-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the URL access rule violation.

    substantial

    url-access-op {enable | disable}

    Enable to configure the threat weight for the URL access rule violation.

    enable

    virus-detected-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the virus detection rule violation.

    critical

    virus-detected-op {enable | disable}

    Enable to configure the threat weight for the virus detection rule violation.

    enable

    websocket-extensions-not-allowed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation of extension header in WebSocket handshake packet.

    substantial

    websocket-extensions-not-allowed-op {enable | disable}

    Enable to configure the threat weight for the violation of extension header in WebSocket handshake packet.

    enable

    websocket-traffic-not-allowed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the WebSocket traffic blocking violation.

    substantial

    websocket-traffic-not-allowed-op {enable | disable}

    Enable to configure the threat weight for the WebSocket traffic blocking violation.

    enable

    wsdl-validation-failed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the WSDL file validation rule violation.

    substantial

    wsdl-validation-failed-op {enable | disable}

    Enable to set the threat weight for the WSDL file validation rule violation.

    enable

    wsi-check-failed-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the WS-security rule violation.

    moderate

    wsi-check-failed-op {enable | disable}

    Enable to set the threat weight for the WS-security rule violation.

    enable

    xml-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe}

    Set the threat weight for the violation that the XML element length exceeds.

    moderate

    xml-element-length-exceeded-op {enable | disable}

    Enable to configure the threat weight for the violation that the XML element length exceeds.

    enable

    Related Topics