CLI Reference

waf threshold-based-detection

Use this command to configure threshold-based detection rules that define the occurrence count, time period, severity, trigger policy, and so on for the following suspicious behaviors; from these thresholds, FortiWeb judges whether a request comes from a human or a bot.

  • Crawler
  • Vulnerability Scanning
  • Slow Attack
  • Content Scraping
  • Illegal User Scan

Syntax

config waf threshold-based-detection
  edit "<policy_name>"
    set bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | recaptcha-enforcement}
    set recaptcha <recaptcha_server_name>
    set mobile-app-identification {disabled | mobile-token-validation}
    set bot-confirmation {enable | disable}
    set validation-timeout <validation-timeout_int>
    set max-attempt-times <max-attempt-times_int>
    set crawler-detection {enable | disable}
    set crawler-action {alert | deny_no_log | alert_deny | block-period}
    set crawler-severity {High | Medium | Low | Info}
    set crawler-trigger <crawler-trigger-policy_name>
    set crawler-occurrence-num <crawler-occurrence-num_int>
    set crawler-within <crawler-within_int>
    set crawler-block-period <crawler-block-period_int>
    set scanner-detection {enable | disable}
    set scanner-action {alert | deny_no_log | alert_deny | block-period}
    set scanner-severity {High | Medium | Low | Info}
    set scanner-trigger <scanner-trigger-policy_name>
    set scanner-occurrence-num <scanner-occurrence-num_int>
    set scanner-within <scanner-within_int>
    set scanner-block-period <scanner-block-period_int>
    set slow-attack-detection {enable | disable}
    set slow-attack-action {alert | deny_no_log | alert_deny | block-period}
    set slow-attack-severity {High | Medium | Low | Info}
    set slow-attack-trigger <slow-attack-trigger-policy_name>
    set slow-attack-occurrence-num <slow-attack-occurrence-num_int>
    set slow-attack-within <slow-attack-within_int>
    set slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>
    set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>
    set slow-attack-block-period <slow-attack-block-period_int>
    set content-scraping-detection {enable | disable}
    set content-scraping-action {alert | deny_no_log | alert_deny | block-period}
    set content-scraping-severity {High | Medium | Low | Info}
    set content-scraping-trigger <content-scraping-trigger-policy_name>
    set content-scraping-occurrence-num <content-scraping-occurrence-num_int>
    set content-scraping-within <content-scraping-within_int>
    set content-scraping-block-period <content-scraping-block-period_int>
    set keep-occurrence-count {enable | disable}
  next
end

Variable Description Default

"<policy_name>"

Enter a name for the threshold-based detection rule. This name is referenced from the bot mitigation policy.

No default.

bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | recaptcha-enforcement}

Select between:

  • captcha-enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request, or does not fulfill it within the validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • real-browser-enforcement—Enable to return JavaScript to the client to test whether it is a web browser or an automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified in waf threshold-based-detection, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

  • recaptcha-enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request, or does not fulfill it within the validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • disabled—Do not carry out bot verification.

disabled

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user.

No default.

mobile-app-identification {disabled | mobile-token-validation}

  • disabled—Do not carry out mobile token verification.
  • mobile-token-validation—Requires the client to present a mobile token, which verifies whether the traffic comes from a mobile device.
    To apply mobile token validation, you must also enable mobile-app-identification in waf web-protection-profile inline-protection.

disabled

bot-confirmation {enable | disable}

Enable to confirm that the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or a CAPTCHA to the client to double-check whether it is a bot.

disable

validation-timeout <validation-timeout_int>

Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.

Available only when bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | recaptcha-enforcement} is set to real-browser-enforcement or captcha-enforcement.

20

crawler-detection {enable | disable}

Enable to detect tools that browse your web site for indexing purposes.

enable

crawler-action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects a crawler:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure crawler-block-period <crawler-block-period_int>.

alert

crawler-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a crawler:

  • Informative
  • Low
  • Medium
  • High

Medium

crawler-trigger <crawler-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a crawler. For details, see Viewing log messages.

No default.

crawler-occurrence-num <crawler-occurrence-num_int>

Enter the number of 403 and 404 response codes returned by the web server that must occur within crawler-within <crawler-within_int> for FortiWeb to detect a crawler.

100

crawler-within <crawler-within_int>

Specify the time period, in seconds, during which FortiWeb detects the 403 and 404 response codes.

10

crawler-block-period <crawler-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a crawler. The valid range is 1–3,600 seconds.

Available only if crawler-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.

600

scanner-detection {enable | disable}

Enable to detect tools that scan your web site for vulnerabilities.

disable

scanner-action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects attack signatures:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure scanner-block-period <scanner-block-period_int>.

alert

scanner-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs attack signatures:

  • Informative
  • Low
  • Medium
  • High

Medium

scanner-trigger <scanner-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about attack signatures. For details, see Viewing log messages.

No default.

scanner-occurrence-num <scanner-occurrence-num_int>

Enter the number of attack signature matches that must occur within scanner-within <scanner-within_int> for FortiWeb to detect a vulnerability scanner.

100

scanner-within <scanner-within_int>

Specify the time period, in seconds, during which FortiWeb monitors the attack signatures.

10

scanner-block-period <scanner-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects attack signatures. The valid range is 1–3,600 seconds.

Available only if scanner-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.

600

slow-attack-detection {enable | disable}

Enable to detect Denial of Service tools that try to go undetected by generating a small stream of traffic.

disable

slow-attack-action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects slow attack activities:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure slow-attack-block-period <slow-attack-block-period_int>.

slow-attack-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs slow attack activities:

  • Informative
  • Low
  • Medium
  • High

Medium

slow-attack-trigger <slow-attack-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see Viewing log messages.

No default.

slow-attack-occurrence-num <slow-attack-occurrence-num_int>

Enter the number of slow attack activities that must occur within slow-attack-within <slow-attack-within_int> for FortiWeb to detect a slow attack.

5

slow-attack-within <slow-attack-within_int>

Specify the time period, in seconds, during which FortiWeb detects slow attack activities.

100

slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>

Specify a timeout value, in seconds, for the HTTP transaction.

60

slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>

Specify the timeout value, in seconds, for the interval between packets arriving from either the client or the server (request or response packets).

10

slow-attack-block-period <slow-attack-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600 seconds.

Available only if slow-attack-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.

600

content-scraping-detection {enable | disable}

Enable to detect bots that illegally copy content from your web site.

disable

content-scraping-action {alert | deny_no_log | alert_deny | block-period}

Select which action FortiWeb will take when it detects content scraping activities:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure content-scraping-block-period <content-scraping-block-period_int>.

alert

content-scraping-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs content scraping activities:

  • Informative
  • Low
  • Medium
  • High

Medium

content-scraping-trigger <content-scraping-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about content scraping activities. For details, see Viewing log messages.

No default.

content-scraping-occurrence-num <content-scraping-occurrence-num_int>

Enter the number of content scraping activities that must occur within content-scraping-within <content-scraping-within_int> for FortiWeb to detect content scraping.

100

content-scraping-within <content-scraping-within_int>

Specify the time period, in seconds, during which FortiWeb detects content scraping activities.

30

content-scraping-block-period <content-scraping-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects content scraping activities. The valid range is 1–3,600 seconds.

Available only if content-scraping-action {alert | deny_no_log | alert_deny | block-period} is set to block-period.

600

keep-occurrence-count {enable | disable}

Enable this option so that the threshold counter is not reset during the Within (Seconds) timeframe. FortiWeb can then keep denying or period-blocking the client for as long as it has reached the threshold at any point within that "Within (Seconds)" timeframe.

disable
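The counting behaviour that the occurrence-num, within, block-period and keep-occurrence-count settings describe, as an added Python model that is not FortiWeb code. It assumes a fixed window that opens at a client's first counted 403/404 response, uses the crawler rule's parameter names and defaults, and runs over constructed sample events.

```python
from dataclasses import dataclass


@dataclass
class ThresholdRule:
    """One threshold-based detection rule; crawler parameter names shown."""
    occurrence_num: int = 100            # crawler-occurrence-num (default 100)
    within: int = 10                     # crawler-within, seconds (default 10)
    action: str = "alert"                # alert | deny_no_log | alert_deny | block-period
    block_period: int = 600              # crawler-block-period, seconds (default 600)
    keep_occurrence_count: bool = False  # keep-occurrence-count (default disable)


@dataclass
class ClientState:
    window_start: float = 0.0   # start of the client's current "within" window
    count: int = 0              # 403/404 responses counted in that window
    blocked_until: float = 0.0  # end of an active block period, if any


class ThresholdDetector:
    """Assumed model: a window opens at a client's first counted response and
    lasts `within` seconds; the counter resets on a new window and, unless
    keep-occurrence-count is enabled, as soon as the rule triggers."""

    def __init__(self, rule: ThresholdRule):
        self.rule = rule
        self.clients: dict[str, ClientState] = {}

    def observe(self, client: str, ts: float, status: int) -> str:
        """Feed one (client, time, status) event; return pass, alert,
        log_deny, deny or blocked."""
        rule = self.rule
        st = self.clients.setdefault(client, ClientState())
        if rule.action == "block-period" and ts < st.blocked_until:
            return "blocked"                   # block period still running
        if status not in (403, 404):
            return "pass"                      # crawler rule counts only these
        if st.count == 0 or ts - st.window_start >= rule.within:
            st.window_start, st.count = ts, 0  # open a new window
        st.count += 1
        if st.count < rule.occurrence_num:
            return "pass"
        # Threshold reached. Clearing the counter means the client must reach
        # it again before the next action; keeping it re-triggers every hit.
        if not rule.keep_occurrence_count:
            st.count = 0
        return self._apply(st, ts)

    def _apply(self, st: ClientState, ts: float) -> str:
        a = self.rule.action
        if a == "alert":
            return "alert"       # accept the request and log it
        if a == "alert_deny":
            return "log_deny"    # block the request and log it
        if a == "deny_no_log":
            return "deny"        # block the request without logging
        if a == "block-period":
            st.blocked_until = ts + self.rule.block_period
            return "blocked"     # also blocks the client's later requests
        raise ValueError(f"unknown action {a!r}")


def run_keep_demo(keep: bool) -> list[str]:
    """Constructed sample: six 404s one second apart, threshold 3 within 10 s,
    action alert_deny, keep-occurrence-count off (False) or on (True)."""
    det = ThresholdDetector(ThresholdRule(occurrence_num=3, within=10,
                                          action="alert_deny",
                                          keep_occurrence_count=keep))
    return [det.observe("203.0.113.7", t, 404) for t in range(1, 7)]


def run_block_demo() -> list[str]:
    """Constructed sample: threshold 2 within 10 s, block-period 5 s; once
    triggered, even a 200 response is blocked until the period expires."""
    det = ThresholdDetector(ThresholdRule(occurrence_num=2, within=10,
                                          action="block-period", block_period=5))
    events = [(1, 404), (2, 404), (3, 200), (7, 200), (8, 404)]
    return [det.observe("198.51.100.9", t, s) for t, s in events]
```

With keep-occurrence-count off the client is denied only on every third hit, whereas with it on every hit after the threshold is denied until the window ends.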

Related Topics
