Fortinet 180 FortiWeb 5.0 Patch 6 Administration Guide
7. To ensure that the appliance can learn about HTTP/HTTPS requests’ usual page order and
other session-related attacks and features, enable the Session Management option in the
protection profile.
8. Continue with “Running auto-learning” on page 180.
See also
•How operation mode affects server policy behavior
•Viewing auto-learning reports
Running auto-learningOnce you have configured and applied auto-learning profiles, you can use them to collect data
that will be used to make an auto-learning report, and to suggest a configuration.
To form configuration suggestions using auto-learning
1. Enable the server policy where you have selected the auto-learning policy in WAF Auto
Learn Profile.
2. Route traffic to or through the FortiWeb appliance, depending on your operation mode.
3. Wait for the FortiWeb appliance to gather data.
Time required varies by the rate of legitimate hits for each URL, the parameters that are
included with each hit, and the percentage of hits that are attack attempts detected by
attack signatures. You can gauge traffic volumes and hits using the Policy Summary widget
(see “Real Time Monitor widget” on page 537).
You can pause auto-learning’s data gathering if necessary (see “Pausing auto-learning for a
URL” on page 181).
For best results, traffic should be realistic. Do not use incomplete or unrealistic traffic.
To minimize performance impacts, consider running an initial phase of auto-learning while
your FortiWeb is operating in offline protection mode, before transitioning to your final
choice of operation mode.
To quickly reduce risk of attack while auto-learning is in progress, in the protection profile
and its components, for attacks and disclosures that you are sure cannot be false positives,
set the Action to Alert & Deny or Alert & Erase.
For faster results, from an external IP, connect to the web site and access all URLs that a
legitimate client would. Provide valid parameters. This will populate auto-learning data with
an initial, realistic set.
To improve performance during auto-learning, you can run it in a few phases.
After an initial short phase of auto-learning, generate a protection profile with the most
obvious attack settings. Then delete the auto-learning data, revise the protection profile to
omit auto-learning for the settings that you have already discovered, and start the next
phase of auto-learning.
Alternatively or additionally, you can run auto-learning on only a few policies at a time.