server-policy pattern threat-weight
Use this command to configure the global threat weight of security violations. When a security violation is detected, the threat weight of the security violation is used to calculate the threat score of a client that launched the event.
For details about Threat Weight, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.
Syntax
config server-policy pattern threat-weight
set allow-method-level {low | critical | informational | moderate | substantial | severe}
set allow-method-op {enable | disable}
set biometrics-based-detection -level {low | critical | informational | moderate | substantial | severe}
set biometrics-based-detection-op {enable | disable}
set bot-deception-level {low | critical | informational | moderate | substantial | severe}
set bot-deception-op {enable | disable}
set client-management-expire <time_int>
set concurrent-users-peraccount- exceeds-limit-level {low | critical | informational | moderate | substantial | severe}
set concurrent-users-peraccount- exceeds-limit-op {enable | disable}
set cookie-signature-checkfailed- level {low | critical | informational | moderate | substantial | severe}
set cookie-signature-checkfailed- op {enable | disable}
set cors-protection-level {low | critical | informational | moderate | substantial | severe}
set cors-protection-op {enable | disable}
set credential-stuffing-defenselevel {low | critical | informational | moderate | substantial | severe}
set credential-stuffing-defenseop {enable | disable}
set csrf-protection-level {low | critical | informational | moderate | substantial | severe}
set csrf-protection-op {enable | disable}
set custom-policy-op {enable | disable}
set fail-to-validate-json-schemalevel {low | critical | informational | moderate | substantial | severe}
set fail-to-validate-json-schemaop {enable | disable}
set fail-to-validate-xml-schemalevel {low | critical | informational | moderate | substantial | severe}
set fail-to-validate-xml-schemaop {enable | disable}
set forbid-xml-entities-level {low | critical | informational | moderate | substantial | severe}
set forbid-xml-entities-op {enable | disable}
set format-not-allowed-inwebsocket- level {low | critical | informational | moderate | substantial | severe}
set format-not-allowed-inwebsocket- op {enable | disable}
set geo-ip-level {low | critical | informational | moderate | substantial | severe}
set geo-ip-op {enable | disable}
set hidden-field-protection-level {low | critical | informational | moderate | substantial | severe}
set hidden-field-protection-op {enable | disable}
set HTTP-access-limit-level {low | critical | informational | moderate | substantial | severe}
set HTTP-access-limit-op {enable | disable}
set HTTP-flood-prevention-level {low | critical | informational | moderate | substantial | severe}
set HTTP-flood-prevention-op {enable | disable}
set HTTP-protocol-constraints-op {enable | disable}
set illegal-file-size-level {low | critical | informational | moderate | substantial | severe}
set illegal-file-size-op {enable | disable}
set illegal-file-type-level {low | critical | informational | moderate | substantial | severe}
set illegal-file-type-op {enable | disable}
set ip-list-level {low | critical | informational | moderate | substantial | severe}
set ip-list-op {enable | disable}
set ip-replay-violation-level {low | critical | informational | moderate | substantial | severe}
set ip-replay-violation-op {enable | disable}
set ip-reputation-level {low | critical | informational | moderate | substantial | severe}
set ip-reputation-op {enable | disable}
set json-element-lengthexceeded- level {low | critical | informational | moderate | substantial | severe}
set json-element-lengthexceeded- op {enable | disable}
set known-bots-level {low | critical | informational | moderate | substantial | severe}
set known-bots-op {enable | disable}
set low-level <level_int>
set low-level-score-end <level_ int>
set malicious-action {alert | alert_deny | block-period | client-id-block-period}
set malicious-block-period <minutes_int>
set malicious-file-detected-byfortisandbox- level {low | critical | informational | moderate | substantial | severe}
set malicious-file-detected-byfortisandbox- op {enable | disable}
set malicious-ips-level {low | critical | informational | moderate | substantial | severe}
set malicious-ips-op {enable | disable}
set man-in-browser-protectionlevel {low | critical | informational | moderate | substantial | severe}
set man-in-browser-protectionop {enable | disable}
set medium-level-score-end <level_int>
set mobile-api-protection-level {low | critical | informational | moderate | substantial | severe}
set mobile-api-protection-op {enable | disable}
set openapi-validation-level {low | critical | informational | moderate | substantial | severe}
set openapi-validation-op {enable | disable}
set origin-not-allowed-level {low | critical | informational | moderate | substantial | severe}
set origin-not-allowed-op {enable | disable}
set padding-oracle-protectionlevel {low | critical | informational | moderate | substantial | severe}
set padding-oracle-protection-op {enable | disable}
set parameter-validation-level {low | critical | informational | moderate | substantial | severe}
set parameter-validation-op {enable | disable}
set session-fixation-protectionlevel {low | critical | informational | moderate | substantial | severe}
set session-fixation-protectionop {enable | disable}
set session-idle-timeout-level {low | critical | informational | moderate | substantial | severe}
set session-idle-timeout-op {enable | disable}
set signature-op {enable | disable}
set size-exceeds-limit-level {low | critical | informational | moderate | substantial | severe}
set size-exceeds-limit-op {enable | disable}
set sql-xss-sbd-op {enable | disable}
set statistics-period {one-day | three-days | one-week}
set suspicious-action {alert | alert_deny | block-period | client-id-block-period}
set suspicious-block-period <minutes_int>
set tcp-flood-prevention-level {low | critical | informational | moderate | substantial | severe}
set tcp-flood-prevention-op {enable | disable}
set threshold-based-detectionlevel {low | critical | informational | moderate | substantial | severe}
set threshold-based-detection-op {enable | disable}
set threat-score-profile {enable | disable}
set trojan-detected-level {low | critical | informational | moderate | substantial | severe}
set trojan-detected-op {enable | disable}
set url-access-level {low | critical | informational | moderate | substantial | severe}
set url-access-op {enable | disable}
set virus-detected-level {low | critical | informational | moderate | substantial | severe}
set virus-detected-op {enable | disable}
set websocket-extensions-notallowed- level {low | critical | informational | moderate | substantial | severe}
set websocket-extensions-notallowed- op {enable | disable}
set websocket-traffic-notallowed- level {low | critical | informational | moderate | substantial | severe}
set websocket-traffic-notallowed- op {enable | disable}
set wsdl-validation-failed-level {low | critical | informational | moderate | substantial | severe}
set wsdl-validation-failed-op {enable | disable}
set wsi-check-failed-level {low | critical | informational | moderate | substantial | severe}
set wsi-check-failed-op {enable | disable}
set xml-element-lengthexceeded- level {low | critical | informational | moderate | substantial | severe}
set xml-element-lengthexceeded- op {enable | disable}
end
| Variable | Description | Default |
|---|---|---|
|
allow-method-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for HTTP request method violations. | moderate
|
|
allow-method-op {enable | disable} |
Enable to configure the threat weight for HTTP request method violations. |
|
|
biometrics-based-detection -level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for biometrics based detection rule violations. |
substantial
|
|
biometrics-based-detection-op {enable | disable} |
Enable to configure the threat weight for biometrics based detection rule violations. |
|
|
bot-deception-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for bot deception policy violations. |
|
|
bot-deception-op {enable | disable} |
Enable to configure the threat weight for bot deception policy violations. |
|
|
client-management-expire <time_int> |
Set the amount of time that FortiWeb will store the tracked client information. Once the information has been stored for longer than the set amount of time, FortiWeb will remove that information. |
15 days |
|
concurrent-users-per-account-exceeds-limit-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for violations that the number of concurrent users per account exceeds the limit. |
|
|
concurrent-users-per-account-exceeds-limit-op {enable | disable} |
Enable to configure the threat weight for violations that the number of concurrent users per account exceeds the limit. |
|
|
cookie-signature-check-failed-level {low | critical | informational | moderate | substantial | severe} |
When the security mode is None or Signed, enable to configure the threat weight for cookie tampering protection rule violations. |
|
|
cookie-signature-check-failed-op {enable | disable} |
Enable to configure the threat weight for cookie tampering protection rule violations. |
|
|
cors-protection-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for CORS protection rule violations. |
|
|
cors-protection-op {enable | disable} |
Enable to configure the threat weight for CORS protection rule violations. |
|
|
credential-stuffing-defense-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for Credential Stuffing attacks. |
|
|
credential-stuffing-defense-op {enable | disable} |
Enable to configure the threat weight for Credential Stuffing attacks. |
|
|
csrf-protection-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for CSRF protection rule violations. |
|
|
csrf-protection-op {enable | disable} |
Enable to configure the threat weight for CSRF protection rule violations. |
|
|
custom-policy-op {enable | disable} |
Enable to configure the threat weight for custom policy violations. |
|
|
fail-to-validate-json-schema-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for JSON protection rule violations. |
|
|
fail-to-validate-json-schema-op {enable | disable} |
Enable to configure the threat weight for violation of failing to validate JSON schema file. |
|
|
fail-to-validate-xml-schema-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for violation of failing to validate JSON schema file. |
|
|
fail-to-validate-xml-schema-op {enable | disable} |
Enable to configure the threat weight for violation of failing to validate XML schema file. |
|
|
forbid-xml-entities-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for violation of failing to validate XML schema file. |
|
|
forbid-xml-entities-op {enable | disable} |
Enable to configure the threat weight for forbidden XML entities violations. |
|
|
format-not-allowed-in-websocket-level {low | critical | informational | moderate | substantial | severe} |
When the WebSocket connection is established, data is transmitted in the form of frame. Set the threat weight for violation that frame formats are not allowed. |
|
|
format-not-allowed-in-websocket-op {enable | disable} |
Enable to configure the threat weight for violation that frame formats are not allowed. |
|
|
geo-ip-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for requests from blocked countries or regions based on the associated source IP address. |
|
|
geo-ip-op {enable | disable} |
Enable to configure the threat weight for Geo IP block policy violations. |
|
|
hidden-field-protection-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for attempts to tamper with hidden field rules. |
substantial |
|
hidden-field-protection-op {enable | disable} |
Enable to configure the threat weight for hidden field protection rule violations. |
|
|
HTTP-access-limit-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for violation that the number of HTTP requests per second, per source IP address exceeds the limit. |
|
|
HTTP-access-limit-op {enable | disable} |
Enable to configure the threat weight for violation that the number of HTTP requests per second, per source IP address exceeds the limit. |
|
|
HTTP-flood-prevention-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for violation that the number ofHTTP requests per second, per session, per URL exceeds the limit. |
|
|
HTTP-flood-prevention-op {enable | disable} |
Enable to configure the threat weight for violation that the number of HTTP requests per second, per session, per URL exceeds the limit. |
|
|
HTTP-protocol-constraints-op {enable | disable} |
Enable to configure the threat weight for HTTP protocol constraints. Once enabled, the threat weight for each HTTP protocol constraint may be set using waf HTTP-protocol-parameter-restriction. |
|
|
illegal-file-size-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the file size detection and restriction violation. |
|
|
illegal-file-size-op {enable | disable} |
Enable to configure the threat weight for the file size detection and restriction violation. |
|
|
illegal-file-type-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the file type detection and restriction violation. |
|
|
illegal-file-type-op {enable | disable} |
Enable to configure the threat weight for the file type detection and restriction violation. |
|
|
ip-list-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for requests from blocklisted IP addresses. |
|
|
ip-list-op {enable | disable} |
Enable to configure the threat weight for requests from blocklisted IP addresses. |
|
|
ip-replay-violation-level {low | critical | informational | moderate | substantial | severe} |
When the security mode is Encrypted, select whether FortiWeb uses the IP address of a request to determine the owner of the cookie. Set the threat weight for IP replay violations. |
|
|
ip-replay-violation-op {enable | disable} |
Enable to configure the threat weight for IP replay violations. |
|
|
ip-reputation-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for requests from IP addresses with a poor reputation. |
|
|
ip-reputation-op {enable | disable} |
Enable to configure the threat weight for requests from IP addresses with a poor reputation. |
|
|
json-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation that the JSON element length exceeds. |
|
|
json-element-length-exceeded-op {enable | disable} |
Enable to configure the threat weight for the violation that the JSON element length exceeds. |
|
|
known-bots-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the known bots attacks. |
|
|
known-bots-op {enable | disable} |
Enable to configure the threat weight for the known bots attacks. |
|
|
low-level <level_int> |
Set the risk level value for Low level. |
10 |
|
low-level-score-end <level_int> |
Set the low level threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access. |
100 |
|
malicious-action {alert | alert_deny | block-period | client-id-block-period} |
|
none |
|
malicious-block-period |
When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client. Valid range is 1-1440 minutes. |
10 |
|
malicious-file-detected-by-fortisandbox-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation of malicious file detection by FortiSandbox. |
|
|
malicious-file-detected-by-fortisandbox-op {enable | disable} |
Enable to configure the threat weight for the violation of malicious file detection by FortiSandbox. |
|
|
malicious-ips-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation that the number of TCP connections per HTTP session exceeds the limit. |
|
|
malicious-ips-op {enable | disable} |
Enable to configure the threat weight the violation that the number of TCP connections per HTTP session exceeds the limit. |
|
|
man-in-browser-protection-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for MiTB attacks. |
|
|
man-in-browser-protection-op {enable | disable} |
Enable to configure the threat weight for MiTB attacks. |
|
|
medium-level-score-end <level_int> |
Set the high threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access. |
|
|
mobile-api-protection-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for mobile API protection rule violations. |
|
|
mobile-api-protection-op {enable | disable} |
Enable to configure the threat weight for mobile API protection rule violations. |
|
|
openapi-validation-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for OpenAPI validation rule violations. |
|
|
openapi-validation-op {enable | disable} |
Enable to configure the threat weight for OpenAPI validation rule violations. |
|
|
origin-not-allowed-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation of origin not allowed. |
low |
|
origin-not-allowed-op {enable | disable} |
Enable to configure the threat weight for the violation of origin not allowed. |
enable |
|
padding-oracle-protection-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for padding oracle attacks. |
|
|
padding-oracle-protection-op {enable | disable} |
Enable to configure the threat weight for padding oracle attacks. |
|
|
parameter-validation-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for parameter validation violation. |
|
|
parameter-validation-op {enable | disable} |
Enable to configure threat weight for parameter validation violation. |
|
|
session-fixation-protection-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for session fixation protection rule violation. |
|
|
session-fixation-protection-op {enable | disable} |
Enable to configure the threat weight for session fixation protection rule violation. |
|
|
session-idle-timeout-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation of session idle timeout. |
|
|
session-idle-timeout-op {enable | disable} |
Enable to configure the threat weight for the violation of session idle timeout. |
|
|
signature-op {enable | disable} |
Enable to set the threat weight for each signature rule. |
|
|
size-exceeds-limit-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation when the maximum acceptable frame header and body size in bytes exceeds the limit. |
|
|
size-exceeds-limit-op {enable | disable} |
Enable to configure the threat weight for the violation when the maximum acceptable frame header and body size in bytes exceeds the limit. |
|
|
sql-xss-sbd-op {enable | disable} |
Enable to configure the threat weight for the SQL/XSS syntax based detection rule violation. |
|
|
statistics-period {one-day | three-days | one-week} |
Select the amount of time in days that FortiWeb will store the threat score data for an active client. For example, when the statistics period is 3 days, and the total threat score in this period is 150. Then 150 will be taken as the score to compare with those set fo thrusted/suspicious/malicious clients. |
three-days |
|
suspicious-action {alert | alert_deny | block-period | client-id-block-period} |
|
none |
|
suspicious-block-period |
When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client. Valid range is 1-1440 minutes. |
10 |
|
tcp-flood-prevention-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation when the number of fully-formed TCP connections per source IP address exceeds the limit. |
|
|
tcp-flood-prevention-op {enable | disable} |
Enable to configure the threat weight for the violation when the number of fully-formed TCP connections per source IP address exceeds the limit. |
|
|
threshold-based-detection-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the threshold based detection rule violation. |
|
|
threshold-based-detection-op {enable | disable} |
Enable to configure the threat weight for the threshold based detection rule violation. |
|
|
threat-score-profile {enable | disable} |
config server-policy pattern threat-score-profile to create multiple Threat Score profiles and apply them to different web protection profiles. |
|
|
trojan-detected-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the Trojan detection rule violation. |
|
|
trojan-detected-op {enable | disable} |
Enable to configure the threat weight for the Trojan detection rule violation. |
|
|
url-access-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the URL access rule violation. |
|
|
url-access-op {enable | disable} |
Enable to configure the threat weight for the URL access rule violation. |
|
|
virus-detected-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the virus detection rule violation. |
|
|
virus-detected-op {enable | disable} |
Enable to configure the threat weight for the virus detection rule violation. |
|
|
websocket-extensions-not-allowed-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation of extension header in WebSocket handshake packet. |
|
|
websocket-extensions-not-allowed-op {enable | disable} |
Enable to configure the threat weight for the violation of extension header in WebSocket handshake packet. |
|
|
websocket-traffic-not-allowed-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the WebSocket traffic blocking violation. |
|
|
websocket-traffic-not-allowed-op {enable | disable} |
Enable to configure the threat weight for the WebSocket traffic blocking violation. |
|
|
wsdl-validation-failed-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the WSDL file validation rule violation. |
|
|
wsdl-validation-failed-op {enable | disable} |
Enable to set the threat weight for the WSDL file validation rule violation. |
|
|
wsi-check-failed-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the WS-security rule violation. |
|
|
wsi-check-failed-op {enable | disable} |
Enable to set the threat weight for the WS-security rule violation. |
|
|
xml-element-length-exceeded-level {low | critical | informational | moderate | substantial | severe} |
Set the threat weight for the violation that the XML element length exceeds. |
|
|
xml-element-length-exceeded-op {enable | disable} |
Enable to configure the threat weight for the violation that the XML element length exceeds. |
|