waf threshold-based-detection
Use this command to configure threshold based detection rules that define the occurrence count, time period, severity, trigger policy, and related parameters for the following suspicious behaviors, so that FortiWeb can judge whether a request comes from a human or a bot.
- Crawler
- Vulnerability Scanning
- Slow Attack
- Content Scraping
- Illegal User Scan
Syntax
config waf threshold-based-detection
edit "<policy_name>"
set bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | recaptcha-enforcement}
set recaptcha <recaptcha_server_name>
set mobile-app-identification {disabled | mobile-token-validation}
set bot-confirmation {enable | disable}
set validation-timeout <validation-timeout_int>
set max-attempt-times <max-attempt-times_int>
set crawler-detection {enable | disable}
set crawler-action {alert | deny_no_log | alert_deny | block-period}
set crawler-severity {High | Medium | Low | Info}
set crawler-trigger <crawler-trigger-policy_name>
set crawler-occurrence-num <crawler-occurrence-num_int>
set crawler-within <crawler-within_int>
set crawler-block-period <crawler-block-period_int>
set scanner-detection {enable | disable}
set scanner-action {alert | deny_no_log | alert_deny | block-period}
set scanner-severity {High | Medium | Low | Info}
set scanner-trigger <scanner-trigger-policy_name>
set scanner-occurrence-num <scanner-occurrence-num_int>
set scanner-within <scanner-within_int>
set scanner-block-period <scanner-block-period_int>
set slow-attack-detection {enable | disable}
set slow-attack-action {alert | deny_no_log | alert_deny | block-period}
set slow-attack-severity {High | Medium | Low | Info}
set slow-attack-trigger <slow-attack-trigger-policy_name>
set slow-attack-occurrence-num <slow-attack-occurrence-num_int>
set slow-attack-within <slow-attack-within_int>
set slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>
set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>
set slow-attack-block-period <slow-attack-block-period_int>
set content-scraping-detection {enable | disable}
set content-scraping-action {alert | deny_no_log | alert_deny | block-period}
set content-scraping-severity {High | Medium | Low | Info}
set content-scraping-trigger <content-scraping-trigger-policy_name>
set content-scraping-occurrence-num <content-scraping-occurrence-num_int>
set content-scraping-within <content-scraping-within_int>
set content-scraping-block-period <content-scraping-block-period_int>
set keep-occurrence-count {enable | disable}
next
end
Variable | Description | Default
---|---|---
"<policy_name>" | Enter a name for the threshold based detection rule that can be referenced in a bot mitigation policy. | No default.
bot-recognition {disabled \| real-browser-enforcement \| captcha-enforcement \| recaptcha-enforcement} | Select between: | disabled
recaptcha <recaptcha_server_name> | Enter the reCAPTCHA server you have created through user recaptcha-user. | No default.
mobile-app-identification {disabled \| mobile-token-validation} | | disabled
bot-confirmation {enable \| disable} | Enable to confirm whether the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or a CAPTCHA to the client to double check whether it is a bot. | disable
validation-timeout <validation-timeout_int> | Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client. Available only when bot-recognition is real-browser-enforcement or captcha-enforcement. | 20
crawler-detection {enable \| disable} | Enable to detect tools that browse your web site for indexing purposes. | enable
crawler-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects a crawler: | alert
crawler-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level. | Medium
crawler-trigger <crawler-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a crawler. For details, see Viewing log messages. | No default.
crawler-occurrence-num <crawler-occurrence-num_int> | Define how many 403 and 404 response codes returned by the web server FortiWeb must detect within the crawler-within period before it takes action. | 100
crawler-within <crawler-within_int> | Specify the time period, in seconds, during which FortiWeb counts the 403 and 404 response codes. | 10
crawler-block-period <crawler-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a crawler. The valid range is 1–3,600 seconds. Available only if crawler-action is set to block-period. | 600
scanner-detection {enable \| disable} | Enable to detect tools that scan your web site for vulnerabilities. | disable
scanner-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects attack signatures: | alert
scanner-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level. | Medium
scanner-trigger <scanner-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about attack signatures. For details, see Viewing log messages. | No default.
scanner-occurrence-num <scanner-occurrence-num_int> | Define how many attack signature matches FortiWeb must detect within the scanner-within period before it takes action. | 100
scanner-within <scanner-within_int> | Specify the time period, in seconds, during which FortiWeb counts attack signature matches. | 10
scanner-block-period <scanner-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects attack signatures. The valid range is 1–3,600 seconds. Available only if scanner-action is set to block-period. | 600
slow-attack-detection {enable \| disable} | Enable to detect Denial of Service tools that try to go undetected by generating a small stream of traffic. | disable
slow-attack-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects slow attack activities: | 
slow-attack-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level. | Medium
slow-attack-trigger <slow-attack-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see Viewing log messages. | No default.
slow-attack-occurrence-num <slow-attack-occurrence-num_int> | Define how many slow attack events FortiWeb must detect within the slow-attack-within period before it takes action. | 5
slow-attack-within <slow-attack-within_int> | Specify the time period, in seconds, during which FortiWeb counts slow attack events. | 100
slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int> | Specify a timeout value, in seconds, for the HTTP transaction. | 60
slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int> | Specify the timeout value, in seconds, for the interval between packets arriving from either the client or the server (request or response packets). | 10
slow-attack-block-period <slow-attack-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600 seconds. Available only if slow-attack-action is set to block-period. | 600
content-scraping-detection {enable \| disable} | Enable to detect bots that illegally copy content from your web site. | disable
content-scraping-action {alert \| deny_no_log \| alert_deny \| block-period} | Select which action FortiWeb will take when it detects content scraping activities: | alert
content-scraping-severity {High \| Medium \| Low \| Info} | When policy violations are recorded in the attack log, each log message contains a Severity Level. | Medium
content-scraping-trigger <content-scraping-trigger-policy_name> | Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about content scraping activities. For details, see Viewing log messages. | No default.
content-scraping-occurrence-num <content-scraping-occurrence-num_int> | Define how many content scraping events FortiWeb must detect within the content-scraping-within period before it takes action. | 100
content-scraping-within <content-scraping-within_int> | Specify the time period, in seconds, during which FortiWeb counts content scraping events. | 30
content-scraping-block-period <content-scraping-block-period_int> | Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects content scraping activities. The valid range is 1–3,600 seconds. Available only if content-scraping-action is set to block-period. | 600
keep-occurrence-count {enable \| disable} | Enable this option so that the threshold counter is not reset throughout the Within (Seconds) timeframe. FortiWeb can then continue denying or period-blocking the client as long as it has ever reached the threshold within the "Within (Seconds)" timeframe. | disable
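A worked rule, added here as an illustration and not taken from the FortiWeb documentation: the rule name and every numeric value are constructed assumptions for a public web site, the rule must still be referenced from a bot mitigation policy to take effect, and the `#` lines are annotations rather than part of the syntax.

```text
config waf threshold-based-detection
    edit "tbd_public_site"
        # Challenge suspected bots with RBE JavaScript before acting;
        # give the client 20 s and at most 3 attempts to pass.
        set bot-recognition real-browser-enforcement
        set bot-confirmation enable
        set validation-timeout 20
        set max-attempt-times 3
        # Crawler: 50 or more 403/404 responses in 10 s from one client
        # means it is guessing paths; block it for 5 minutes.
        set crawler-detection enable
        set crawler-action block-period
        set crawler-severity Medium
        set crawler-occurrence-num 50
        set crawler-within 10
        set crawler-block-period 300
        # Vulnerability scanner: 20 signature hits in 10 s is far above
        # what a human produces; log and deny.
        set scanner-detection enable
        set scanner-action alert_deny
        set scanner-severity High
        set scanner-occurrence-num 20
        set scanner-within 10
        # Slow attack: transactions or packet gaps that outlive the
        # timeouts, 5 times in 100 s, earn a 10-minute block.
        set slow-attack-detection enable
        set slow-attack-action block-period
        set slow-attack-severity High
        set slow-attack-occurrence-num 5
        set slow-attack-within 100
        set slow-attack-HTTP-transaction-timeout 60
        set slow-attack-packet-interval-timeout 10
        set slow-attack-block-period 600
        # Content scraping: start in alert-only mode to baseline
        # legitimate heavy readers before switching to a deny action.
        set content-scraping-detection enable
        set content-scraping-action alert
        set content-scraping-severity Medium
        set content-scraping-occurrence-num 200
        set content-scraping-within 30
        # Keep the counter for the whole window so a client that has
        # crossed a threshold stays blocked for the rest of it.
        set keep-occurrence-count enable
    next
end
```

Review the attack log for the alert-only content scraping detector for a few days and raise or lower content-scraping-occurrence-num until legitimate clients no longer appear before changing its action to alert_deny or block-period.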