Fortinet 5.0 Patch 6

Fortinet 179 FortiWeb 5.0 Patch 6 Administration Guide

5. Click OK.

6. In a server policy, select the auto-learning profile with its protection profile in Web Protection

Profile and WAF Auto Learn Profile (see “Configuring a server policy” on page 483). If you do

not want to change all Action settings to Alert in each of the protection profile’s components,

also enable Monitor Mode.

Server

Protection

Threshold

Enter a percentage of detected attacks, relative to total hits, that will be

interpreted as a false positive for the entire web host.

When you use auto-learning to generate a protection profile (see

“Blocking known attacks & data leaks” on page 387), attack signatures

meeting or exceeding this overall threshold will be disabled.

For example, if all normal HTTP requests, for whatever reason,

sometimes match an attack signature, and therefore do not represent a

genuine attack attempt, you could adjust this threshold to reflect the

percentage of normal requests that match the attack signature for the

overall protected web host. If an average of 99% of requests to the web

host match the attack signature, but are actually harmless, you could

adjust this setting to 99. If requests to this web site meet the threshold,

scanning for this attack signature would be disabled for the entire web

site.

Note: This percentage does not have to be greater than Server

Protection Exception Threshold.

Server

Protection

Exception

Threshold

Enter a percentage of detected attacks, relative to total hits, that will be

interpreted as a false positive for specific URLs.

When you use auto-learning to generate a protection profile, attack

signatures that meet or exceed this threshold on specific URLs will be

disabled.

For example, if normal HTTP requests to some URLS, for whatever

reason, match an attack signature, and therefore do not represent a

genuine attack attempt, you could adjust this threshold to reflect the

percentage of normal requests that match the attack signature for those

specific URLs. If an average of 50% of the requests to some URLs

match an attack signature, but are actually harmless, you could adjust

this setting to 50. Other URLs on the web host, where the signature is

not disabled, would still be subject to scanning by the attack signature.

Note: This percentage does not have to be less than Server Protection

Threshold.

Application

Policy

Select a URL interpreter set to use, if any.

If the web application embeds parameters in the URL or uses

non-standard parameter separators, include an auto-learning adaptor to

define how auto-learning should find parameters in the URL. For details,

see “How to adapt auto-learning to dynamic URLs &

unusual parameters” on page 151.

Setting name Description

Auto-learning is resource-intensive, and can decrease performance. If performance

becomes unacceptable, consider selecting the auto-learning profile in only a few policies at

a time.

Alternatively or in addition, briefly run a first phase of auto-learning, then disable features

which are obviously unnecessary according to auto-learning data, and begin a second, more

lightweight phase of auto-learning.