Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 8.0.2 Administration Guide
    8.0.2
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Client ID–Based Occurrence Tracking for Threshold Based Detection (8.0.0)

    Client ID–Based Occurrence Tracking for Threshold Based Detection (8.0.0)

    FortiWeb 8.0.0 introduces a new tracking mode for Threshold-Based Detection policies that enables occurrence counting by Client ID rather than Client IP. This enhancement leverages the Client Management module, which issues persistent cookies to uniquely identify and monitor clients across sessions. This allows for more precise behavior analysis in use cases such as vulnerability scanning, content scraping, brute-force logins, and crawler detection.

    Tracking Method Selection

    A new Tracking by option is now available in both the GUI and CLI, allowing administrators to choose between Client IP and Client ID tracking. The selection applies globally across all supported detection modules except Slow Header Attack, which automatically defaults to IP-based tracking due to technical limitations. For details, see Slow Header Attack Detection (8.0.0).

    When Tracking by is set to Client ID:

    • Client ID Block Period replaces the standard Block Period action in detection rules. This ensures blocking is enforced based on the client’s persistent identifier rather than source IP.

    • If Client Management is not enabled in the associated protection profile, the system will prompt you to enable it, as Client ID tracking depends on its cookie mechanism.

    • The standard Block Period action becomes unavailable to avoid configuration conflicts.

    When Tracking by is set to Client IP:

    • Standard Block Period is available for use in detection action settings.

    • Client ID Block Period options are hidden to prevent misconfiguration.

    To configure the tracking method via CLI:
    config waf threshold-based-detection policy
  edit "<policy_name>"
    set tracking-type {client-ip | client-id}
  next
end

    Processing Logic and Compatibility

    Each detection module maintains a separate occurrence counter based on the selected tracking mode. When Client ID is used, tracking is based on the persistent client cookie; when Client IP is selected, tracking is based on source IP address.

    The Slow Header Attack detection mechanism does not support Client ID–based tracking. If tracking is configured to use Client ID, FortiWeb will automatically fall back to IP-based tracking for Slow Header Attack events. If Client ID Block Period is configured, enforcement will be carried out using IP-based period blocking. For more information, see Slow Header Attack Detection (8.0.0).

    Upgrade Considerations

    • Upon upgrading to FortiWeb 8.0.0, any existing action set to Client ID Block Period will be automatically converted to Block Period to maintain policy compatibility.

    • No downgrade-specific migration is required.

    Previous
    Next

    Client ID–Based Occurrence Tracking for Threshold Based Detection (8.0.0)

    Client ID–Based Occurrence Tracking for Threshold Based Detection (8.0.0)

    FortiWeb 8.0.0 introduces a new tracking mode for Threshold-Based Detection policies that enables occurrence counting by Client ID rather than Client IP. This enhancement leverages the Client Management module, which issues persistent cookies to uniquely identify and monitor clients across sessions. This allows for more precise behavior analysis in use cases such as vulnerability scanning, content scraping, brute-force logins, and crawler detection.

    Tracking Method Selection

    A new Tracking by option is now available in both the GUI and CLI, allowing administrators to choose between Client IP and Client ID tracking. The selection applies globally across all supported detection modules except Slow Header Attack, which automatically defaults to IP-based tracking due to technical limitations. For details, see Slow Header Attack Detection (8.0.0).

    When Tracking by is set to Client ID:

    • Client ID Block Period replaces the standard Block Period action in detection rules. This ensures blocking is enforced based on the client’s persistent identifier rather than source IP.

    • If Client Management is not enabled in the associated protection profile, the system will prompt you to enable it, as Client ID tracking depends on its cookie mechanism.

    • The standard Block Period action becomes unavailable to avoid configuration conflicts.

    When Tracking by is set to Client IP:

    • Standard Block Period is available for use in detection action settings.

    • Client ID Block Period options are hidden to prevent misconfiguration.

    To configure the tracking method via CLI:
    config waf threshold-based-detection policy
  edit "<policy_name>"
    set tracking-type {client-ip | client-id}
  next
end

    Processing Logic and Compatibility

    Each detection module maintains a separate occurrence counter based on the selected tracking mode. When Client ID is used, tracking is based on the persistent client cookie; when Client IP is selected, tracking is based on source IP address.

    The Slow Header Attack detection mechanism does not support Client ID–based tracking. If tracking is configured to use Client ID, FortiWeb will automatically fall back to IP-based tracking for Slow Header Attack events. If Client ID Block Period is configured, enforcement will be carried out using IP-based period blocking. For more information, see Slow Header Attack Detection (8.0.0).

    Upgrade Considerations

    • Upon upgrading to FortiWeb 8.0.0, any existing action set to Client ID Block Period will be automatically converted to Block Period to maintain policy compatibility.

    • No downgrade-specific migration is required.

    Previous
    Next