server-policy pattern threat-score-profile
The settings in config server-policy pattern threat-weight apply to all the web protection profiles in an ADOM. However, if you want to differentiate the Threat Score settings in different web protection profiles, you can use server-policy pattern threat-score-profile to create multiple Threat Score profiles and apply them to different web protection profiles.
For details about Threat Weight, see the FortiWeb Administration Guide:
http://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w or rw permission to the admingrp area. For details, see Permissions.
Syntax
config server-policy pattern threat-score-profile
edit <name>
set low-level-score-end <level_int>
set medium-level-score-end <level_int>
set statistics-period {one-day | three-days | one-week}
set malicious-action {none | alert | alert_deny | block-period | client-id-block-period}
set malicious-block-period <minutes_int>
set suspicious-action {none | alert | alert_deny | block-period | client-id-block-period}
set suspicious-block-period <minutes_int>
set signature-only-threat-score {enable | disable}
set signature-score-threshold <int>
set signature-action {alert | alert_deny | block-period | client-id-block-period}
set signature-block-period <int>
set always-record-signature-alog {enable | disable}
end
Variable | Description | Default |
---|---|---|
low-level-score-end <level_int> | Set the low level threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access. | 100 |
medium-level-score-end <level_int> | Set the high threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access. | |
statistics-period {one-day \| three-days \| one-week} | Select the amount of time in days that FortiWeb will store the threat score data for an active client. For example, when the statistics period is 3 days and the total threat score in this period is 150, then 150 is taken as the score to compare with those set for trusted/suspicious/malicious clients. | three-days |
malicious-action {none \| alert \| alert_deny \| block-period \| client-id-block-period} | | none |
malicious-block-period <minutes_int> | When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client. Valid range is 1-1440 minutes. | 10 |
suspicious-action {none \| alert \| alert_deny \| block-period \| client-id-block-period} | | none |
suspicious-block-period <minutes_int> | When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client. Valid range is 1-1440 minutes. | 10 |
signature-only-threat-score {enable \| disable} | Enable signature-only-threat-score to limit Threat Score threshold calculation to signature violations only. When enabled, a single signature violation from the client will not trigger the system to take actions according to the settings on the Signature page. The system will calculate threat scores and take action only when the signature-only-threat-score threshold is reached. The exception is the Erase action: the system will take immediate action if the client violates a signature for which the action is Erase. | disable |
signature-score-threshold <int> | Enter a threshold value for the signature violations. Available only when signature-only-threat-score is enabled. | 200 |
signature-action {alert \| alert_deny \| block-period \| client-id-block-period} | Available only when signature-only-threat-score is enabled. | alert_deny |
signature-block-period <int> | When selecting block-period or client-id-block-period, you need to enter the number of minutes that you want to block subsequent requests from the IP or client. Available only when signature-only-threat-score is enabled. | 10 |
always-record-signature-alog {enable \| disable} | When disabled, the Signature module itself will no longer record logs. A signature log is generated only when the signature-only-threat-score exceeds the threshold. When enabled, a signature attack log is generated every time a signature rule is triggered. Available only when signature-only-threat-score is enabled. | disable |
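
The following is an added example, not part of the FortiWeb documentation: a small Python check that parses a threat-score-profile block and flags settings that conflict with the constraints in the table above (block periods outside 1-1440, block periods set without a blocking action, signature settings without signature-only-threat-score enabled, and actions left at none). The function names and the sample profile are constructed for illustration.

```python
BLOCK_ACTIONS = {"block-period", "client-id-block-period"}
SIG_ONLY = ("signature-score-threshold", "signature-action",
            "signature-block-period", "always-record-signature-alog")

def parse_profiles(text):
    """Return {profile_name: {setting: value}} from a CLI config block."""
    profiles, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "edit":
            current = profiles.setdefault(words[1].strip('"'), {})
        elif len(words) >= 3 and words[0] == "set" and current is not None:
            current[words[1]] = words[2]
        elif words and words[0] in ("next", "end"):
            current = None
    return profiles

def audit(settings):
    """Check one profile against the constraints listed in the table above."""
    findings = []
    for level in ("malicious", "suspicious"):
        action = settings.get(f"{level}-action", "none")  # documented default
        if action == "none":
            findings.append(f"{level}-action is none: no alert or block at this level")
        period = settings.get(f"{level}-block-period")
        if period is not None:
            if not period.isdigit() or not 1 <= int(period) <= 1440:
                findings.append(f"{level}-block-period {period} outside 1-1440")
            elif action not in BLOCK_ACTIONS:
                findings.append(f"{level}-block-period set but action is {action}")
    if settings.get("signature-only-threat-score", "disable") != "enable":
        for key in SIG_ONLY:
            if key in settings:
                findings.append(f"{key} set but signature-only-threat-score is not enabled")
    return findings

# Constructed sample profile, not taken from a real device.
SAMPLE = """\
config server-policy pattern threat-score-profile
  edit "web-profile-a"
    set malicious-action block-period
    set malicious-block-period 2000
    set suspicious-block-period 30
    set signature-score-threshold 150
end
"""

REPORT = {name: audit(s) for name, s in parse_profiles(SAMPLE).items()}
```

For the sample, REPORT lists four findings for web-profile-a; a profile with both actions set and no out-of-range or orphaned settings returns an empty list.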