waf web-protection-profile autolearning-profile
Use this command to configure auto-learning profiles.
Auto-learning profiles are useful when you want to collect information about the HTTP sessions on your unique network in order to design inline or offline protection profiles suited for them. This reduces much of the research and guesswork about which HTTP request methods, data types, and other types of content your web sites and web applications use when you design an appropriate defense.
Auto-learning profiles track your web servers’ response to each request, such as 401 Unauthorized or 500 Internal Server Error, to learn whether the request is legitimate or a potential attack attempt. This data is used for auto-learning reports, and can serve as the basis for generating inline protection or offline protection profiles.
Auto-learning profiles are designed to be used in conjunction with a protection or detection profile, which is used to detect attacks. Only if attacks are detected can the auto-learning profile accumulate auto-learning data and generate its report. As a result, auto-learning profiles require that you also select a protection or detection profile in the same policy.
 
Use auto-learning profiles with profiles whose action is alert.
If action is alert_deny, the FortiWeb appliance will reset the connection, preventing the auto-learning feature from gathering complete data on the session.
To apply auto-learning profiles, select them within a policy. For details, see “config waf web-protection-profile offline-protection”. Once applied in a policy, the FortiWeb appliance will collect data and generate a report from it. For details, see the FortiWeb Administration Guide.
Before configuring an auto-learning profile, first configure any of the following that you want to include in the profile:
a data type group (see “config server-policy pattern data-type-group”)
a suspicious URL rule group (see “config server-policy pattern suspicious-url-rule”)
a URL interpreter (see “config server-policy custom-application application-policy”)
 
Alternatively, you could generate an auto-learning profile and its required components, and then modify them. For details, see the FortiWeb Administration Guide.
You must also disable any globally whitelisted objects. (These will be exempt from scans and autolearning data.) See “config server-policy pattern custom-global-white-list-group”.
To use this command, your administrator account’s access control profile must have either w or rw permission to the learngrp area. For more information, see “Permissions”.
Syntax
config waf web-protection-profile autolearning-profile
edit <auto-learning-profile_name>
set data-type-group <data-type-group_name>
set suspicious-url-rule <suspicious-url-rule-group_name>
set attack-count-threshold <count_int>
set attack-percent-range <percent_int>
set application-policy <policy_name>
next
end
Variable: <auto-learning-profile_name>
Description: Type the name of the auto-learning profile. The maximum length is 35 characters.
To display the list of existing profiles, type:
edit ?
Default: No default.

Variable: data-type-group <data-type-group_name>
Description: Type the name of the data type group for the profile to use. See “config server-policy pattern data-type-group”. The maximum length is 35 characters.
To display the list of existing groups, type:
set data-type-group ?
The auto-learning profile will learn about the names, length, and required presence of these types of parameter inputs as described in the data type group.
Default: No default.

Variable: suspicious-url-rule <suspicious-url-rule-group_name>
Description: Type the name of a suspicious URL rule group to use. See “config server-policy pattern suspicious-url-rule”. The maximum length is 35 characters.
To display the list of existing groups, type:
set suspicious-url-rule ?
The auto-learning profile will learn about attempts to access URLs that are typically used for web server or web application administrator logins, such as admin.php. Requests from clients for these types of URLs are considered to be a possible attempt at either vulnerability scanning or administrative login attacks, and therefore potentially malicious.
Default: No default.

Variable: attack-count-threshold <count_int>
Description: Type the integer representing the threshold over which the auto-learning profile adds the attack to the server protection rules. The valid range is from 1 to 2,147,483,647.
Default: 100

Variable: attack-percent-range <percent_int>
Description: Type the integer representing the threshold of the percentage of attacks to total hits over which the auto-learning profile adds the attack to the server protection exceptions. The valid range is from 1 to 10,000.
Default: 5

Variable: application-policy <policy_name>
Description: Type the name of a custom application policy to use. See “config server-policy custom-application application-policy”. The maximum length is 35 characters.
To display the list of existing application policies, type:
set application-policy ?
Default: No default.
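The limits documented above (35-character names, attack-count-threshold from 1 to 2,147,483,647, attack-percent-range from 1 to 10,000) can be checked before a configuration is pasted into the CLI. The Python below is an added example, not Fortinet code: the function name, the sample configuration and its profile and group names are made up for illustration, and it assumes names may be wrapped in double quotes.

```python
import re
# Limits from the variable descriptions on this page.
NAME_MAX = 35
INT_RANGES = {"attack-count-threshold": (1, 2147483647), "attack-percent-range": (1, 10000)}
NAME_KEYS = {"data-type-group", "suspicious-url-rule", "application-policy"}
HEADER = "config waf web-protection-profile autolearning-profile"

def lint_autolearning(text):
    """Return (profile, message) findings for the autolearning-profile block."""
    findings, profile, in_block = [], None, False
    for line in map(str.strip, text.splitlines()):
        if line == HEADER:
            in_block = True
        elif not in_block or not line:
            continue  # ignore other config sections and blank lines
        elif line == "end":
            in_block = False
        elif line == "next":
            profile = None
        elif m := re.fullmatch(r'edit\s+"?([^"]+)"?', line):
            profile = m.group(1)
            if len(profile) > NAME_MAX:
                findings.append((profile, "profile name over 35 characters"))
        elif m := re.fullmatch(r'set\s+(\S+)\s+"?([^"]*)"?', line):
            key, value = m.groups()
            if key in INT_RANGES:
                lo, hi = INT_RANGES[key]
                if not value.isdigit() or not lo <= int(value) <= hi:
                    findings.append((profile, f"{key} {value} outside {lo}-{hi}"))
            elif key in NAME_KEYS:
                if not value or len(value) > NAME_MAX:
                    findings.append((profile, f"{key} name empty or over 35 characters"))
            else:
                findings.append((profile, f"unknown setting {key}"))
    return findings

# Constructed sample; profile and group names are made up.
SAMPLE = """config waf web-protection-profile autolearning-profile
edit "learn-shop"
set data-type-group "dtg-default"
set attack-count-threshold 100
next
edit "learn-api"
set attack-count-threshold 0
set attack-percent-range 20000
next
end"""

if __name__ == "__main__":
    print(*lint_autolearning(SAMPLE), sep="\n")
```

The check only covers what this page documents; it cannot confirm that a referenced data type group, suspicious URL rule group or application policy actually exists on the appliance.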
Related topics
config server-policy pattern custom-global-white-list-group
config server-policy pattern data-type-group
config server-policy pattern suspicious-url-rule
config waf web-protection-profile inline-protection
config server-policy policy
config system settings