Fortinet 357 FortiWeb 5.0 Patch 6 Administration Guide
See also
Sequence of scans
Bot analysis
Preventing automated requests
Because malicious clients frequently alter the User-Agent: field in the HTTP header to mimic
harmless clients such as browsers, that field is not a reliable method of excluding automated tools.
You can intelligently limit the rate of HTTP requests per TCP connection per session, based
upon whether or not the client passes a test that indicates it is a web browser. If the client
exceeds the soft limit, the FortiWeb appliance will only accept additional HTTP requests if the
client can pass a test that proves it is a real person’s web browser, and not an automated tool.
Automated requests can come from several types of sources. For example:
• Hackers sometimes use automated attack tools to send overwhelming numbers of HTTP requests to a web site, thereby overwhelming the server and slowing or preventing access by legitimate users.
• Content thieves sometimes use automated tools to download an entire site for use on their own web site.
• Legitimate users sometimes use automated tools, such as wget or curl, to download an entire web site, or part of it, for offline viewing or local caching.
If you want to prevent automated tools, use this feature to limit the maximum number of HTTP
requests allowed per second, but only for clients that are not web browsers.
The FortiWeb appliance tracks requests using a session cookie. If the count exceeds the limit,
before the FortiWeb appliance decides whether to forward the request to a web server, it first
returns a web page to the client. The page includes JavaScript that validates that the client is a
web browser. The JavaScript also includes provisions to prevent hijacking by hackers. If the
client fails validation (that is, it is not a legitimate browser), FortiWeb applies your selected
enforcement action.
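The decision flow described above, modelled as an added example (this is constructed illustration code, not FortiWeb's implementation): requests are counted per session cookie, the soft limit triggers a challenge instead of forwarding, and a session that never completes the challenge receives the enforcement action. The class and function names, the "block" action name, and the HMAC-bound challenge token are all assumptions made for the illustration.

```python
"""Constructed model of real browser enforcement: count per session, challenge, enforce."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Enforcer:
    soft_limit: int                      # requests allowed per session before the browser test
    action: str = "block"                # enforcement action applied when validation fails (assumed name)
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    counts: dict = field(default_factory=dict)
    challenged: set = field(default_factory=set)
    validated: set = field(default_factory=set)

    def challenge_token(self, session_id: str) -> str:
        # Value the challenge page's JavaScript would produce; binding it to the
        # session cookie with an HMAC is one way to stop a token being replayed for
        # another session (an assumption, not a description of FortiWeb's script).
        return hmac.new(self.secret, session_id.encode(), hashlib.sha256).hexdigest()

    def handle(self, session_id: str, token: Optional[str] = None) -> str:
        """Return 'forward', 'challenge', or the enforcement action for one request."""
        if session_id in self.validated:
            return "forward"
        if session_id in self.challenged:
            # Once challenged, the session must prove it ran the JavaScript.
            if token is not None and hmac.compare_digest(token, self.challenge_token(session_id)):
                self.validated.add(session_id)
                return "forward"
            return self.action
        self.counts[session_id] = self.counts.get(session_id, 0) + 1
        if self.counts[session_id] <= self.soft_limit:
            return "forward"
        self.challenged.add(session_id)
        return "challenge"


def simulate(enforcer: Enforcer, session_id: str, runs_javascript: bool, requests: int) -> list:
    """Constructed client: a browser completes the challenge, a download tool just re-sends."""
    results, token = [], None
    for _ in range(requests):
        result = enforcer.handle(session_id, token)
        results.append(result)
        if result == "challenge" and runs_javascript:
            token = enforcer.challenge_token(session_id)
    return results
```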
To configure real browser enforcement
1. If you want to add browser enforcement exceptions to your browser enforcement rule,
create the exceptions first. For details, see “Configuring browser enforcement exceptions”
on page 361.
2. Go to DoS Protection > Application > Real Browser Enforcement.
To access this part of the web UI, your administrator’s account access profile must have
Read and Write permission to items in the Web Protection Configuration category. For
details, see “Permissions” on page 47.
3. Click Create New.
A dialog appears.
The real browser test is not supported in offline protection mode. See “Supported features in
each operation mode” on page 62.