CLI Reference

waf_known_bots

waf known-bots

Known Bots protects your websites, mobile applications, and APIs from malicious bots, such as DoS, spam, and crawler bots, and recognizes known good bots, such as known search engines, without affecting the flow of critical traffic. This feature identifies and manages a wide range of attacks from automated tools no matter where these applications or APIs are deployed.

Use these commands to configure known bots prevention.

Syntax

config waf known-bots
  edit "known-bots_rule_name"
    set crawler-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set crawler-block-period <period_int>
    set crawler-severity {High | Medium | Low | Info}
    set crawler-status {enable | disable}
    set crawler-threat-weight {low | critical | informational | moderate | substantial | severe}
    set crawler-trigger <trigger_policy_name>
    set dos-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set dos-block-period <period_int>
    set dos-severity {High | Medium | Low | Info}
    set dos-status {enable | disable}
    set dos-threat-weight {low | critical | informational | moderate | substantial | severe}
    set dos-trigger <trigger_policy_name>
    set known-engines-action {alert | bypass | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set known-engines-block-period <period_int>
    set known-engines-severity {High | Medium | Low | Info}
    set known-engines-status {enable | disable}
    set known-engines-threat-weight {low | critical | informational | moderate | substantial | severe}
    set known-engines-trigger <trigger_policy_name>
    set scanner-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set scanner-block-period <period_int>
    set scanner-severity {High | Medium | Low | Info}
    set scanner-status {enable | disable}
    set scanner-threat-weight {low | critical | informational | moderate | substantial | severe}
    set scanner-trigger <trigger_policy_name>
    set spam-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set spam-block-period <period_int>
    set spam-severity {High | Medium | Low | Info}
    set spam-status {enable | disable}
    set spam-threat-weight {low | critical | informational | moderate | substantial | severe}
    set spam-trigger <trigger_policy_name>
    set trojan-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}
    set trojan-block-period <period_int>
    set trojan-severity {High | Medium | Low | Info}
    set trojan-status {enable | disable}
    set trojan-threat-weight {low | critical | informational | moderate | substantial | severe}
    set trojan-trigger <trigger_policy_name>
    config malicious-bot-disable-list
      edit "<malicious-bot-disable-list_name>"
      next
    end
    config known-good-bots-disable-list
      edit "<known-good-bots-disable-list_name>"
      next
    end
  next
end

Variable Description Default

"known-bots_rule_name"

Enter a name for the known bots rule.

No default

crawler-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}

Select the action FortiWeb takes when this type of attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure crawler-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

crawler-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.

600

crawler-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:

  • High
  • Medium
  • Low
  • Info

High

crawler-status {enable | disable}

Enable or disable the bot type detection for this rule.

enable

crawler-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for crawler bot attacks.

moderate

crawler-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

dos-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}

Select the action FortiWeb takes when this type of attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure dos-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

dos-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.

600

dos-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:

  • High
  • Medium
  • Low
  • Info

High

dos-status {enable | disable}

Enable or disable the bot type detection for this rule.

enable

dos-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for DoS bot attacks.

critical

dos-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

known-engines-action {alert | bypass | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}

Select the action FortiWeb takes when this type of attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • bypass—Allow the request.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure known-engines-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

bypass

known-engines-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.

600

known-engines-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:

  • High
  • Medium
  • Low
  • Info

Info

known-engines-status {enable | disable}

Enable or disable the bot type detection for this rule.

enable

known-engines-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for known search engine attacks.

informational

known-engines-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

scanner-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}

Select the action FortiWeb takes when this type of attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure scanner-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

scanner-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.

600

scanner-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:

  • High
  • Medium
  • Low
  • Info

High

scanner-status {enable | disable}

Enable or disable the bot type detection for this rule.

enable

scanner-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for scanner bot attacks.

critical

scanner-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

spam-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}

Select the action FortiWeb takes when this type of attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure spam-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

spam-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.

600

spam-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:

  • High
  • Medium
  • Low
  • Info

High

spam-status {enable | disable}

Enable or disable the bot type detection for this rule.

enable

spam-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for spam bot attacks.

critical

spam-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

trojan-action {alert | redirect | deny_no_log | alert_deny | block_period | send_HTTP_response}

Select the action FortiWeb takes when this type of attack is identified.

  • alert—Accept the request and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert email and/or log message.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • deny_no_log—Block the request (or reset the connection).
  • redirect—Redirect the request to the URL that you specify in the protection profile and generate an alert email and/or log message.
  • block_period—Block subsequent requests from the client for a number of seconds. Also configure trojan-block-period <period_int>.
    You can customize the web page that FortiWeb returns to the client with the HTTP status code. For details, see system replacemsg-image.
  • send_HTTP_response—Block and reply to the client with an HTTP error message and generate an alert email and/or log message.

Note: Logging and/or alert email will occur only if enabled and configured. See log and log alertMail.

alert_deny

trojan-block-period <period_int>

Enter the number of seconds that you want to block subsequent requests from the client after the FortiWeb appliance detects this type of attack.

600

trojan-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs an attack:

  • High
  • Medium
  • Low
  • Info

High

trojan-status {enable | disable}

Enable or disable the bot type detection for this rule.

enable

trojan-threat-weight {low | critical | informational | moderate | substantial | severe}

Set the threat weight for Trojan bot attacks.

critical

trojan-trigger <trigger_policy_name>

Enter the name of the trigger to apply when this policy is violated. For details, see log trigger-policy.

To display the list of existing triggers, enter:

set trigger ?

No default

"<malicious-bot-disable-list_name>"

Select the malicious bot list to exclude from scanning.

No default

"<known-good-bots-disable-list_name>"

Select the known good bots list to exclude from scanning.

No default
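
The following is an added example, not Fortinet code: a Python check that parses a `config waf known-bots` excerpt written in the syntax above, overlays it on the defaults from the table, and flags settings that weaken the rule. The function names, the sample rule names and the disable-list entry are constructed for illustration, and the check assumes that unset options keep the defaults listed on this page.

```python
import shlex

MALICIOUS = ("crawler", "dos", "scanner", "spam", "trojan")
CATEGORIES = MALICIOUS + ("known-engines",)
ACTIONS = {"alert", "redirect", "deny_no_log", "alert_deny",
           "block_period", "send_HTTP_response"}

# Constructed sample in the syntax shown above; all names are made up.
SAMPLE = '''
config waf known-bots
  edit "api-bots"
    set crawler-action alert
    set dos-action block_period
    set dos-block-period 3600
    set scanner-status disable
    set spam-action bypass
    set trojan-action deny_no_log
    set trojan-block-period 120
    config malicious-bot-disable-list
      edit "example-bot-entry"
      next
    end
  next
  edit "defaults-only"
  next
end
'''


def defaults():
    """Defaults taken from the Default column of the table on this page."""
    d = {}
    for cat in CATEGORIES:
        d[f"{cat}-action"] = "bypass" if cat == "known-engines" else "alert_deny"
        d[f"{cat}-block-period"] = "600"
        d[f"{cat}-status"] = "enable"
    return d


def parse_known_bots(text):
    """Return {rule: {"set": {option: value}, "disable": {list: [entries]}}}."""
    rules, rule, sublist, in_section = {}, None, None, False
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[:3] == ["config", "waf", "known-bots"]:
            in_section = True
        elif not in_section:
            continue
        elif tok[0] == "config" and rule is not None:
            sublist = rule["disable"].setdefault(tok[1], [])  # nested list
        elif tok[0] == "edit" and sublist is not None:
            sublist.append(tok[1])                            # list entry
        elif tok[0] == "edit":
            rule = rules.setdefault(tok[1], {"set": {}, "disable": {}})
        elif tok[0] == "set" and rule is not None and len(tok) >= 3:
            rule["set"][tok[1]] = tok[2]
        elif tok[0] == "end" and sublist is not None:
            sublist = None                                    # nested list closed
        elif tok[0] == "next" and sublist is None:
            rule = None                                       # rule closed
        elif tok[0] == "end":
            in_section = False
    return rules


def audit(rules):
    """Return (rule, category, message) findings for weakened settings."""
    findings = []
    for name, rule in rules.items():
        explicit = rule["set"]
        eff = {**defaults(), **explicit}
        for cat in CATEGORIES:
            action = eff[f"{cat}-action"]
            # bypass is listed only for known-engines-action
            allowed = ACTIONS | ({"bypass"} if cat == "known-engines" else set())
            if action not in allowed:
                findings.append((name, cat, f"'{action}' is not a valid {cat}-action"))
                continue
            if cat in MALICIOUS:
                if eff[f"{cat}-status"] == "disable":
                    findings.append((name, cat, "detection is disabled"))
                    continue
                if action == "alert":
                    findings.append((name, cat, "alert accepts the request; nothing is blocked"))
                if action == "deny_no_log":
                    findings.append((name, cat, "blocks without an alert email or log message"))
            if f"{cat}-block-period" in explicit and action != "block_period":
                findings.append((name, cat, "block-period is set but action is not block_period"))
        for entry in rule["disable"].get("malicious-bot-disable-list", []):
            findings.append((name, "malicious-bot-disable-list",
                             f"'{entry}' is excluded from scanning"))
    return findings


if __name__ == "__main__":
    for rule_name, category, message in audit(parse_known_bots(SAMPLE)):
        print(f"{rule_name}: {category}: {message}")
```
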
