Fortinet 199 FortiWeb 5.0 Patch 6 Administration Guide
If you do not configure any settings, by default, the FortiWeb appliance will generate a profile
that allows the HTTP GET method and any other methods whose usage exceeded the
threshold, and will add the remaining methods to an allowed method exception. It will also
create start page rules and trusted IP rules for the most commonly requested URLs, and
blacklist IP addresses that commonly requested suspicious URLs. Attack signatures will be
disabled or exceptions added according to your configurations in Server Protection
Threshold and Server Protection Exception Threshold.
9. Continue with “Transitioning out of the auto-learning phase”.
Transitioning out of the auto-learning phase
As your web servers change, you may periodically want to run auto-learning for them on a
smaller scale.
For example, perhaps you will install or update a web application or web server, resulting in new
structures and different vulnerabilities.
However, for most day-to-day use, auto-learning should be disabled and your protection profiles
fully applied.
To transition to day-to-day use
1. To apply a profile generated by auto-learning, select it in Web Protection Profile in a server
policy (see “Configuring a server policy” on page 483).
2. If, during auto-learning, any Action in the protection profile or its auxiliary components was
set to Alert & Deny or Alert & Erase, verify that those same actions are applied in the
protection profile that you generated from auto-learning data. (Incomplete session data due
to those actions may have caused auto-learning to be unable to detect those attack types.)
3. If necessary, either:
   • Manually adjust the generated profile and its components to suit your security policy. For
     more serious violations, instead of setting Action to Alert, use a blocking or redirecting
     option such as Alert & Deny.
   • Run a second auto-learning phase to refine your configuration: select the newly
     generated protection profile in Web Protection Profile, clear the previous phase’s
     auto-learning data (see “Removing old auto-learning data”), then revisit “Running
     auto-learning”.
4. Modify the policy to select your newly generated profile in Web Protection Profile.
5. To validate the configuration, test it (see “Testing your installation” on page 201).
6. When you are done collecting auto-learning data and generating your configuration, to
improve performance, disable auto-learning by deselecting the auto-learning profile in
WAF Auto Learn Profile in all server policies.
7. Disable Monitor Mode.
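
An added example, not from this guide or from Fortinet: a Python check over a configuration backup that reports server policies where steps 4, 6 or 7 were missed. The backup excerpt is constructed, and the table and key names (`config server-policy policy`, `web-protection-profile`, `waf-autolearning-profile`, `monitor-mode`) are assumptions about the backup syntax; confirm them against the CLI reference for your firmware.

```python
import re

# Constructed backup excerpt. The table and key names are assumptions
# about the backup syntax, not values taken from this guide.
SAMPLE_BACKUP = '''\
config server-policy policy
  edit "shop-policy"
    set web-protection-profile "shop-generated-profile"
    set monitor-mode disable
  next
  edit "blog-policy"
    set web-protection-profile "blog-generated-profile"
    set waf-autolearning-profile "Default Auto Learn Profile"
    set monitor-mode enable
  next
  edit "legacy-policy"
    set monitor-mode disable
  next
end
'''

def parse_policies(text):
    """Return {policy: {key: value}} from the server-policy table (flat blocks only)."""
    policies, current, in_table = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            in_table = line == "config server-policy policy"
        elif in_table and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            current = policies.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r'set (\S+) "?([^"]*)"?', line)):
            current[m.group(1)] = m.group(2)
    return policies

def audit(text):
    """List (policy, finding) pairs for steps 4, 6 and 7 of the procedure."""
    findings = []
    for name, cfg in parse_policies(text).items():
        if not cfg.get("web-protection-profile"):
            findings.append((name, "no protection profile selected"))
        if cfg.get("waf-autolearning-profile"):
            findings.append((name, "auto-learning profile still selected"))
        if cfg.get("monitor-mode") == "enable":
            findings.append((name, "Monitor Mode still enabled"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{p}: {f}" for p, f in audit(SAMPLE_BACKUP)))
```

An empty result from `audit()` means every policy in the backup has a protection profile applied, no auto-learning profile selected, and Monitor Mode off.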
See also
• Configuring a protection profile for inline topologies
• Configuring a protection profile for an out-of-band topology or asynchronous mode of
  operation
• Viewing auto-learning reports