Fortinet 627 FortiWeb 5.0 Patch 6 Administration Guide
If practical, use FortiWeb’s auto-learning to study traffic and suggest appropriate rules.
Alternatively, you can enable a feature with the Action set to Alert, then adjust the thresholds,
create exceptions, or disable signatures until you no longer receive many false positives, yet still
detect attacks. Enable extended attack signature sets gradually, checking for excessive false
positives after you enable each one. (Extended signature sets can contain signatures that are
necessary in some cases, but are known sources of false positives.)
If you have written an attack signature yourself, or used regular expressions to define large sets
of web pages where you will be applying rate limiting, be sure to use the >> (test) button with
Request URL and other similar settings to check:
• your regular expression’s syntax (see “Regular expression syntax” on page 673)
• all expected matches
• all non-matches
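The three checks above can also be rehearsed offline before pasting an expression into FortiWeb. The following is an added example, not taken from the Fortinet guide: Python's re engine stands in for FortiWeb's (an assumption, since the two may differ in details), and the URLs and patterns are constructed samples, so confirm the final expression with the >> (test) button.

```python
import re


def check_pattern(pattern, should_match, should_not_match):
    """Run the three checks: syntax, expected matches, expected non-matches.

    Returns a dict with 'syntax_error' (message or None), 'missed' (URLs that
    should have matched but did not) and 'overmatched' (URLs that should not
    have matched but did).
    """
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        return {"syntax_error": str(exc), "missed": [], "overmatched": []}
    # search() finds the pattern anywhere in the URL unless it is anchored,
    # which is how an unanchored expression ends up covering too many pages.
    missed = [u for u in should_match if not rx.search(u)]
    overmatched = [u for u in should_not_match if rx.search(u)]
    return {"syntax_error": None, "missed": missed, "overmatched": overmatched}


# Constructed sample URLs for a hypothetical rate-limited account area.
SHOULD_MATCH = ["/account/login.php", "/account/reset.php"]
SHOULD_NOT_MATCH = [
    "/static/account/login.php.bak",  # backup file under another directory
    "/accounting/login.php",          # different application
    "/account/loginXphp",             # only matches if '.' is left unescaped
]

LOOSE = r"/account/.*.php"            # unanchored, unescaped dot
TIGHT = r"^/account/[a-z]+\.php$"     # anchored, literal dot
BROKEN = r"^/account/(login|reset\.php"  # unbalanced parenthesis

if __name__ == "__main__":
    for name, pat in (("LOOSE", LOOSE), ("TIGHT", TIGHT), ("BROKEN", BROKEN)):
        print(name, check_pattern(pat, SHOULD_MATCH, SHOULD_NOT_MATCH))
```

An empty 'missed' list alone is not a pass: the loose pattern matches every intended page and still covers two pages it should not, which only the non-match list reveals.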
For recommended initial rate limit thresholds, see the documentation for each setting.
If a signature causes false positives, but disabling it would allow attacks, you can use packet
capture and analysis tools such as Wireshark to analyze the differences between your typical
traffic and attacks, then craft a custom signature (see “Defining custom data leak & attack
signatures” on page 401) targeting the attacks but excluding your normal traffic.
If you need to save time, or don’t feel comfortable doing this, you can contact Fortinet Technical
Support for professional services.
Use Alert to monitor for false positives before switching to Alert & Deny.