Fortinet 362 FortiWeb 5.0 Patch 6 Administration Guide
6. Configure these settings:

Setting name        Description

Host                Select which protected hosts entry (either a web host name or IP
                    address) that the Host: field of the HTTP request must be in to
                    match the exception.
                    This option is available only if Host Status is enabled.

Host Status         Enable to require that the Host: field of the HTTP request match a
                    protected hosts entry in order to match the exception. Also
                    configure Host.

Request URL         Type the literal URL, such as /causes-false-positives.php,
                    that the HTTP request must contain in order to match the
                    exception. The URL must begin with a slash ( / ).
                    Do not include the domain name, such as www.example.com,
                    which is configured separately in the Host drop-down list.

HTTP GET Threshold  Type the secondary, hard limit for URLs that are an exception to the
Per Session         rule.
                    The valid range is from 1 to 1,000. The default is 1.

7. Click OK.
8. To apply an exception, include it in a Real Browser Enforcement rule (see "Preventing
automated requests" on page 357).
See also
Bot analysis
Preventing brute force logins
FortiWeb can prevent brute force login attacks.
Brute force attackers attempt to penetrate systems by the sheer number of clients or attempts,
or by computational power, rather than by intelligent insight or advance knowledge of
application logic or data.
Specifically, in brute force attacks on authentication, multiple web clients may rapidly try one
user name and password combination after another in an attempt to eventually guess a correct
login and gain access to the system. In this way their behavior differs from that of web
crawlers, which typically do not focus on a single URL.
Brute force login attack profiles track the rate at which each source IP address makes requests
for specific URLs. If the source IP address exceeds the threshold, the FortiWeb appliance
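The following Python script is an added illustration of the two mechanisms this page describes: the per-source-IP request rate tracking for specific URLs under "Preventing brute force logins", and the per-URL exception settings (Host Status, Host, Request URL, HTTP GET Threshold Per Session). It is not FortiWeb's implementation and makes several assumptions the guide does not state: the rate is measured over a fixed sliding window (here 10 seconds), the Request URL is matched against the exact request path, requests to an excepted URL are counted per session identifier against the secondary hard limit instead of against the per-IP rate, and a request that exceeds either limit is simply reported. The log lines are constructed for the example.

```python
# Added example: model of per-source-IP URL rate tracking with per-URL exceptions.
# Illustrative code, not FortiWeb's implementation. Assumptions: fixed sliding
# window, exact path match for Request URL, per-session counting for exceptions.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UrlException:
    request_url: str                # literal path; must begin with a slash
    get_threshold_per_session: int  # secondary hard limit, 1..1,000 (default 1)
    host_status: bool = False       # require Host: header to match `host`
    host: Optional[str] = None      # protected host name or IP address

    def __post_init__(self) -> None:
        if not self.request_url.startswith("/"):
            raise ValueError("Request URL must begin with a slash")
        if not 1 <= self.get_threshold_per_session <= 1000:
            raise ValueError("HTTP GET Threshold Per Session must be 1..1000")
        if self.host_status and not self.host:
            raise ValueError("Host is required when Host Status is enabled")

    def matches(self, host: str, path: str) -> bool:
        if self.host_status and host != self.host:
            return False
        return path == self.request_url  # assumption: exact path match


class BruteForceProfile:
    """Counts requests per (source IP, URL) in a sliding window (assumed)."""

    def __init__(self, threshold: int, window_seconds: float,
                 exceptions: List[UrlException]) -> None:
        self.threshold = threshold
        self.window_seconds = window_seconds
        self.exceptions = exceptions
        self._hits: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self._session_gets: Dict[Tuple[str, str], int] = defaultdict(int)

    def evaluate(self, ts: datetime, src_ip: str, session: str,
                 method: str, host: str, path: str) -> Optional[str]:
        # Excepted URLs bypass the per-IP rate but get a per-session GET cap.
        for exc in self.exceptions:
            if exc.matches(host, path):
                if method != "GET":
                    return None
                key = (session, path)
                self._session_gets[key] += 1
                if self._session_gets[key] > exc.get_threshold_per_session:
                    return "exception-hard-limit"
                return None
        hits = self._hits[(src_ip, path)]
        hits.append(ts)
        while hits and (ts - hits[0]).total_seconds() > self.window_seconds:
            hits.popleft()  # drop requests that fell out of the window
        return "rate-threshold" if len(hits) > self.threshold else None


# Constructed log lines: "<timestamp> <src_ip> <session> <method> <host> <path>".
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 sess-a POST www.example.com /login
2024-05-01T10:00:01 10.0.0.5 sess-a POST www.example.com /login
2024-05-01T10:00:02 10.0.0.5 sess-a POST www.example.com /login
2024-05-01T10:00:03 10.0.0.5 sess-a POST www.example.com /login
2024-05-01T10:00:04 10.0.0.5 sess-a POST www.example.com /login
2024-05-01T10:00:05 10.0.0.9 sess-b GET www.example.com /
2024-05-01T10:00:06 10.0.0.9 sess-b GET www.example.com /about.html
2024-05-01T10:00:07 10.0.0.9 sess-b GET www.example.com /products/1
2024-05-01T10:00:08 10.0.0.9 sess-b GET www.example.com /products/2
2024-05-01T10:00:09 10.0.0.9 sess-b GET www.example.com /products/3
2024-05-01T10:00:10 10.0.0.5 sess-a GET www.example.com /status.php
2024-05-01T10:00:11 10.0.0.5 sess-a GET www.example.com /status.php
2024-05-01T10:00:12 10.0.0.5 sess-a GET www.example.com /status.php
2024-05-01T10:00:13 10.0.0.5 sess-a GET other.example.com /status.php
2024-05-01T10:00:20 10.0.0.5 sess-a POST www.example.com /login
"""


def build_profile() -> BruteForceProfile:
    # Hypothetical settings: 4 requests per IP per URL within 10 s; /status.php
    # on www.example.com is excepted with a hard limit of 2 GETs per session.
    status_exc = UrlException("/status.php", 2, host_status=True,
                              host="www.example.com")
    return BruteForceProfile(threshold=4, window_seconds=10.0,
                             exceptions=[status_exc])


def scan(lines: List[str], profile: BruteForceProfile) -> List[Tuple[str, str, str, str]]:
    flagged = []
    for line in lines:
        ts, src_ip, session, method, host, path = line.split()
        verdict = profile.evaluate(datetime.fromisoformat(ts), src_ip,
                                   session, method, host, path)
        if verdict:
            flagged.append((ts, src_ip, path, verdict))
    return flagged


def run_sample() -> List[Tuple[str, str, str, str]]:
    return scan(SAMPLE_LOG.splitlines(), build_profile())


if __name__ == "__main__":
    for event in run_sample():
        print(*event)
```

The crawler (10.0.0.9) touches five different paths and is never flagged, while 10.0.0.5 is flagged on its fifth /login attempt inside the window and again on its third GET to the excepted /status.php within one session. The request to /status.php with a non-matching Host: header does not match the exception (Host Status is enabled) and is counted against the ordinary per-IP rate instead; the final /login attempt at 10:00:20 is not flagged because the earlier attempts have aged out of the window.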