Fortinet 5.0 Patch 6 Running auto-learning

Fortinet 180 FortiWeb 5.0 Patch 6 Administration Guide

7. To ensure that the appliance can learn about HTTP/HTTPS requests’ usual page order and

other session-related attacks and features, enable the Session Management option in the

protection profile.

8. Continue with “Running auto-learning” on page 180.

See also

•How operation mode affects server policy behavior

•Viewing auto-learning reports

Running auto-learning

Once you have configured and applied auto-learning profiles, you can use them to collect data

that will be used to make an auto-learning report, and to suggest a configuration.

To form configuration suggestions using auto-learning

1. Enable the server policy where you have selected the auto-learning policy in WAF Auto

Learn Profile.

2. Route traffic to or through the FortiWeb appliance, depending on your operation mode.

3. Wait for the FortiWeb appliance to gather data.

Time required varies by the rate of legitimate hits for each URL, the parameters that are

included with each hit, and the percentage of hits that are attack attempts detected by

attack signatures. You can gauge traffic volumes and hits using the Policy Summary widget

(see “Real Time Monitor widget” on page 537).

You can pause auto-learning’s data gathering if necessary (see “Pausing auto-learning for a

URL” on page 181).

For best results, traffic should be realistic. Do not use incomplete or unrealistic traffic.

To minimize performance impacts, consider running an initial phase of auto-learning while

your FortiWeb is operating in offline protection mode, before transitioning to your final

choice of operation mode.

To quickly reduce risk of attack while auto-learning is in progress, in the protection profile

and its components, for attacks and disclosures that you are sure cannot be false positives,

set the Action to Alert & Deny or Alert & Erase.

For faster results, from an external IP, connect to the web site and access all URLs that a

legitimate client would. Provide valid parameters. This will populate auto-learning data with

an initial, realistic set.

To improve performance during auto-learning, you can run it in a few phases.

After an initial short phase of auto-learning, generate a protection profile with the most

obvious attack settings. Then delete the auto-learning data, revise the protection profile to

omit auto-learning for the settings that you have already discovered, and start the next

phase of auto-learning.

Alternatively or additionally, you can run auto-learning on only a few policies at a time.