Fortinet 179 FortiWeb 5.0 Patch 6 Administration Guide
5. Click OK.
6. In a server policy, select the auto-learning profile with its protection profile in Web Protection
Profile and WAF Auto Learn Profile (see “Configuring a server policy” on page 483). If you do
not want to change all Action settings to Alert in each of the protection profile’s components,
also enable Monitor Mode.
Setting name Description

Server Protection Threshold
Enter a percentage of detected attacks, relative to total hits, that will be
interpreted as a false positive for the entire web host.
When you use auto-learning to generate a protection profile (see
“Blocking known attacks & data leaks” on page 387), attack signatures
meeting or exceeding this overall threshold will be disabled.
For example, if normal HTTP requests, for whatever reason, sometimes
match an attack signature, and therefore do not represent a genuine
attack attempt, you could adjust this threshold to reflect the
percentage of normal requests that match the attack signature for the
overall protected web host. If an average of 99% of requests to the web
host match the attack signature, but are actually harmless, you could
adjust this setting to 99. If requests to this web site meet the threshold,
scanning for this attack signature would be disabled for the entire web
site.
Note: This percentage does not have to be greater than Server
Protection Exception Threshold.

Server Protection Exception Threshold
Enter a percentage of detected attacks, relative to total hits, that will be
interpreted as a false positive for specific URLs.
When you use auto-learning to generate a protection profile, attack
signatures that meet or exceed this threshold on specific URLs will be
disabled.
For example, if normal HTTP requests to some URLs, for whatever
reason, match an attack signature, and therefore do not represent a
genuine attack attempt, you could adjust this threshold to reflect the
percentage of normal requests that match the attack signature for those
specific URLs. If an average of 50% of the requests to some URLs
match an attack signature, but are actually harmless, you could adjust
this setting to 50. Other URLs on the web host, where the signature is
not disabled, would still be subject to scanning by the attack signature.
Note: This percentage does not have to be less than Server Protection
Threshold.

Application Policy
Select a URL interpreter set to use, if any.
If the web application embeds parameters in the URL or uses
non-standard parameter separators, include an auto-learning adaptor to
define how auto-learning should find parameters in the URL. For details,
see “How to adapt auto-learning to dynamic URLs &
unusual parameters” on page 151.
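The two thresholds above can be modelled as follows. This is an added example, not Fortinet's code or FortiWeb's actual algorithm: it assumes each percentage is the number of requests matching a signature divided by total requests (to the host, or to one URL), and the function name, signature labels and traffic are constructed for illustration.

```python
from collections import defaultdict

def plan_signature_exceptions(hits, host_threshold, url_threshold):
    """Model of the two thresholds (an assumption, not FortiWeb's algorithm).

    hits: iterable of (url, [signature ids matched by that request]).
    Thresholds are percentages of matching requests relative to total hits.
    Returns (signatures disabled for the whole host, {url: signatures disabled there}).
    """
    total = 0
    url_total = defaultdict(int)
    host_matches = defaultdict(int)
    url_matches = defaultdict(lambda: defaultdict(int))
    for url, sigs in hits:
        total += 1
        url_total[url] += 1
        for sig in set(sigs):  # count each signature once per request
            host_matches[sig] += 1
            url_matches[url][sig] += 1

    # "Meeting or exceeding" the threshold, compared with integers (no rounding).
    host_wide = {s for s, n in host_matches.items()
                 if 100 * n >= host_threshold * total}
    per_url = {}
    for url, counts in url_matches.items():
        # Assumption: a signature already disabled host-wide needs no URL entry.
        sigs = {s for s, n in counts.items()
                if s not in host_wide and 100 * n >= url_threshold * url_total[url]}
        if sigs:
            per_url[url] = sigs
    return host_wide, per_url

# Constructed traffic: 100 requests, hypothetical signature labels.
SAMPLE_HITS = (
    [("/search", ["SIG-SQLI", "SIG-HDR"])] * 20   # half of /search matches SIG-SQLI
    + [("/search", ["SIG-HDR"])] * 20
    + [("/login", ["SIG-HDR"])] * 59
    + [("/login", [])] * 1
)

if __name__ == "__main__":
    # Server Protection Threshold 99, Server Protection Exception Threshold 50
    print(plan_signature_exceptions(SAMPLE_HITS, 99, 50))
    # The host-wide threshold may be lower than the exception threshold
    print(plan_signature_exceptions(SAMPLE_HITS, 20, 50))
```

In this model the result depends only on the traffic observed during learning, so the per-signature ratios are worth reviewing before a generated profile is applied.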
Auto-learning is resource-intensive, and can decrease performance. If performance
becomes unacceptable, consider selecting the auto-learning profile in only a few policies at
a time.
Alternatively or in addition, briefly run a first phase of auto-learning, then disable features
which are obviously unnecessary according to auto-learning data, and begin a second, more
lightweight phase of auto-learning.