Administration Guide

Configuring threshold based detection

You can configure threshold based detection rules that define the occurrence, time period, severity, trigger policy, and so on for the following suspicious behaviors. FortiWeb uses these rules to judge whether a request comes from a human or a bot.

  • Crawler
  • Vulnerability Scanning
  • Slow Attack
  • Content Scraping
  • Illegal User Scan

It's crucial to understand that unlike other security modules which make a one-time judgment and take immediate action on the request, Threshold Based Detection observes cumulative behaviors from the same client. This means that suspicious or illegal activities may be allowed to continue for a period until they reach the Occurrence and Within (Seconds) threshold.

This approach can potentially lead to confusion, especially if a client has been denied because it reached the threshold. In such cases, if new illegal requests from the same client come afterward, FortiWeb will not necessarily take immediate action. Instead, it will continue to monitor the client's activities until they surpass the threshold again.

For instance, suppose the threshold is set at 100 times within 30 minutes, and the client's illegal activities reach 100 times within that timeframe. In such a scenario, FortiWeb's action would be to deny the 101st illegal request but allow subsequent requests until the illegal activities reach 100 times within another 30 minutes (if the action is set to Deny).

If you find this logic unappealing, the best practice to extend the denial period is to configure the Block Period action, allowing FortiWeb to retain the denial action until the Block Period timeframe is reached.

An alternative approach to further extend the denial period is to configure the following CLI command, ensuring that the threshold counter will not be reset throughout the Within (Seconds) timeframe. FortiWeb can continue denying or period-blocking the client as long as it has ever reached the threshold within the "Within (Seconds)" timeframe:

    config waf threshold-based-detection
      edit "<policy_name>"
        set keep-occurrence-count enable
      next
    end

For example, let's consider a scenario where the threshold is set at 100 times within 40 minutes. If a client's illegal activities reach 100 times within the 3rd minute, triggering a 30-minute Block Period action, the client will remain blocked until the end of this period. At the 33rd minute, when the Block Period is lifted, the client will be allowed again.

Now, suppose the client initiates another illegal request at the 36th minute. Since it's still within the 40-minute "Within (Seconds)" timeframe, the threshold counter is not reset yet. Consequently, the threshold will be met again, triggering another 30-minute block period for the client.

This approach ensures that the denial period can be extended as long as the threshold is met within the specified timeframe, providing enhanced security against malicious activities. Keep in mind, though, that there is a limitation: the keep-occurrence-count command only takes effect when bot confirmation is enabled.

Please note that we use minutes as the unit of time in the examples above. However, be aware that in the actual settings, you should use seconds as the time unit.
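The counting behavior described above can be checked with a small model. The Python sketch below is an added example, not Fortinet code, and all names in it (Rule, ClientState, deny_scenario, block_scenario) are hypothetical. It assumes a fixed window that starts at the first counted violation, that violations arriving during a block are rejected without being counted, and that the action applies to the first violation after the count has reached Occurrence.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    occurrence: int                      # Occurrence
    within: int                          # Within (Seconds)
    action: str = "deny"                 # "deny" or "period-block"
    block_period: int = 0                # Period Block, in seconds
    keep_occurrence_count: bool = False  # set keep-occurrence-count enable
    bot_confirmation: bool = False       # keep-occurrence-count needs this


class ClientState:
    """Per-client counter for one rule (assumed model, see lead-in)."""

    def __init__(self, rule: Rule):
        self.rule = rule
        self.window_start = None
        self.count = 0
        self.blocked_until = 0

    def violation(self, t: int) -> str:
        r = self.rule
        if t < self.blocked_until:
            return "blocked"             # still inside a running block period
        if self.window_start is None or t - self.window_start >= r.within:
            self.window_start, self.count = t, 0   # new counting window
        if self.count < r.occurrence:
            self.count += 1
            return "allow"               # below threshold: only observed
        # Threshold already reached inside this window: apply the action.
        keep = r.keep_occurrence_count and r.bot_confirmation
        if not keep:
            self.window_start, self.count = None, 0  # counter is reset
        if r.action == "period-block":
            self.blocked_until = t + r.block_period
        return r.action


def deny_scenario():
    """100 within 30 minutes, action Deny: which violations are denied?"""
    state = ClientState(Rule(occurrence=100, within=30 * 60))
    # Constructed input: 250 violations, one per second.
    outcomes = [state.violation(t) for t in range(250)]
    return [i + 1 for i, o in enumerate(outcomes) if o == "deny"]


def block_scenario(keep: bool, bot_confirmation: bool = True):
    """100 within 40 minutes, 30-minute block, follow-up at minute 36."""
    state = ClientState(Rule(occurrence=100, within=40 * 60,
                             action="period-block", block_period=30 * 60,
                             keep_occurrence_count=keep,
                             bot_confirmation=bot_confirmation))
    for t in range(100):                 # constructed: 100 violations early on
        state.violation(t)
    result = {
        "minute_3": state.violation(3 * 60),
        "minute_20": state.violation(20 * 60),
        "minute_36": state.violation(36 * 60),
    }
    result["blocked_until_minute"] = state.blocked_until // 60
    return result


if __name__ == "__main__":
    print("denied violations:", deny_scenario())
    print("keep disabled:", block_scenario(keep=False))
    print("keep enabled: ", block_scenario(keep=True))
```
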

To configure a threshold based detection rule

  1. Go to Bot Mitigation > Threshold Based Detection.
  2. Click Create New.
  3. For Name, enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.
  4. Configure these settings:

    Bot Detection Settings

    Crawler Detection

    Occurrence

    Define the frequency that FortiWeb detects 403 and 404 response codes returned by the web server. The default value is 100.

    Within (Seconds)

    Specify the time period, in seconds, during which FortiWeb detects the 403 and 404 response codes. The default value is 10.

    Action

    Select which action FortiWeb will take when it detects a crawler:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Block Period—Block subsequent requests from the same IP address for a number of seconds. Also configure Period Block.

    • Client ID Block Period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a crawler. The valid range is 1–3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a crawler:

    • Informative
    • Low
    • Medium
    • High

    The default value is Medium.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a crawler. For details, see Viewing log messages.

    Vulnerability Scanning Detection

    Occurrence

    Define the frequency that FortiWeb detects attack signatures. The default value is 100.

    Within (Seconds)

    Specify the time period, in seconds, during which FortiWeb monitors the attack signatures. The default value is 10.

    Action

    Select which action FortiWeb will take when it detects vulnerability scanning:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects vulnerability scanning. The valid range is 1–3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs vulnerability scanning:

    • Informative
    • Low
    • Medium
    • High

    The default value is Medium.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about vulnerability scanning. For details, see Viewing log messages.

    Slow Attack Detection

    HTTP Transaction Timeout

    Specify a timeout value, in seconds, for the HTTP transaction. The default value is 60.

    Packet Interval Timeout

    Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets). The default value is 10.

    Occurrence

    Define the frequency that FortiWeb detects slow attack activities. The default value is 5.

    Within (Seconds)

    Specify the time period, in seconds, during which FortiWeb detects slow attack activities. The default value is 100.

    Action

    Select which action FortiWeb will take when it detects slow attack activities:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs slow attack activities:

    • Informative
    • Low
    • Medium
    • High

    The default value is Medium.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see Viewing log messages.

    Content Scraping Detection

    The content types include text/html, text/plain, text/xml, application/xml, application/soap+xml, and application/json.

    Occurrence

    Define the frequency that FortiWeb detects content scraping activities. The default value is 100.

    Within (Seconds)

    Specify the time period, in seconds, during which FortiWeb detects content scraping activities. The default value is 30.

    Action

    Select which action FortiWeb will take when it detects content scraping activities:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects content scraping activities. The valid range is 3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block.

    Severity

    When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs content scraping activities:

    • Informative
    • Low
    • Medium
    • High

    The default value is Medium.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about content scraping activities. For details, see Viewing log messages.

    Illegal User Scan: Available only when you enable User Tracking in Web Protection Profile.

    Request URL

    Specify the URL used to match requests so that security headers can be applied to responses of the matched requests.

    After filling in the field with a regular expression, it is possible to fine-tune the expression in a Regular Expression Validator by clicking the >> button on the side. For details, see Appendix E: Regular expressions.

    Occurrence

    Define how many times FortiWeb detects a username in requests. The default value is 100.

    Within (Seconds)

    Enter the length of time, in seconds, during which FortiWeb counts how often a username is detected in requests. The default value is 10.

    Action

    Select which action FortiWeb will take when it detects illegal user scan:

    • Alert—Accept the connection and generate an alert email and/or log message.

    • Alert & Deny—Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log)—Block the request (or reset the connection).

    • Period Block—Block subsequent requests from the client for a number of seconds. Also configure Period Block.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects illegal user scan. The valid range is 1–3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block.

    Severity

    When illegal user scan is recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs illegal user scan:

    • Informative
    • Low
    • Medium
    • High

    The default value is Medium.

    Trigger Policy

    Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about illegal user scan. For details, see Viewing log messages.

    Bot Confirmation Settings

    Bot Confirmation

    For Browser

    Verification Method

    • Disabled: Do not carry out the real browser verification.
    • Real Browser Enforcement—Specifies whether FortiWeb returns a JavaScript to the client to test whether it is a web browser or automated tool when it meets any of the specified conditions. If the client fails the test or does not return results before the Validation Timeout expires, FortiWeb applies the Action. If the client appears to be a web browser, FortiWeb allows the client to exceed the action.
    • CAPTCHA Enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the Max Attempt Times or doesn't fulfill the request within the Validation Timeout, FortiWeb applies the Action and sends the CAPTCHA block page. For details, see "Customizing error and authentication pages (replacement messages)" in FortiWeb Administration Guide. CAPTCHA verification is not presented again for bot confirmation to the same user within the 10-minute timeout.
    • reCAPTCHA Enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client cannot successfully fulfill the request within the Validation Timeout, FortiWeb applies the Action and sends the reCAPTCHA block page. For details, see "Customizing error and authentication pages (replacement messages)" in FortiWeb Administration Guide.
    • reCAPTCHA v3 Enforcement: Requires the client to successfully fulfill a reCAPTCHA v3 request. If the client cannot successfully fulfill the request within the Validation Timeout, FortiWeb applies the Action and sends the reCAPTCHA block page. For details, see "Customizing error and authentication pages (replacement messages)" in FortiWeb Administration Guide.
      You can set the threshold of the reCAPTCHA v3 score through the CLI:

        config system recaptcha-api
          set recaptcha-v3-score-threshold <string>
        end

      The value range is 0 to 1.

    The action policy is triggered if the traffic is not from a web browser.

    reCAPTCHA

    Select the reCAPTCHA server you have created in the reCAPTCHA Server tab in User > Remote Server. See Creating reCAPTCHA servers.

    Validation Timeout

    Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.

    Available only when the Verification Method is Real Browser Enforcement, CAPTCHA Enforcement, or reCAPTCHA Enforcement.

    Max Attempt Times

    If CAPTCHA Enforcement is selected for Verification Method, enter the maximum number of times that a client may attempt to fulfill a CAPTCHA request.

    Available only when the Verification Method is CAPTCHA Enforcement.

    For Mobile Client App

    Available only when Mobile Application Identification is enabled in System > Config > Feature Visibility.

    Verification Method

    • Disabled: Do not carry out the mobile token verification.
    • Mobile Token Validation: Requires the client to use a mobile token to verify whether the traffic is from mobile devices.
      To apply mobile token validation, you must enable Mobile App Identification in Web Protection Profile.

    The action policy is triggered if the traffic is not from mobile devices.

    Exception: Select the exception policy which specifies the elements to be exempted from the attack scan.

  5. Click OK.
  6. You can view the details of the created rule in the threshold based detection rule table.


To apply the threshold based detection rule in a bot mitigation policy, see Configuring bot mitigation policy.
