
Configuring an auto-learning profile

Auto-learning profiles are selected in a server policy in conjunction with an inline or offline protection profile. Auto-learning profiles gather data for the auto-learning report from any attacks and parameters that FortiWeb detects.

You cannot edit or delete Default Auto Learn Profile, the predefined auto-learning profile. If you do not want to configure your own auto-learning profile, or are not sure how to, you can use this profile. Alternatively, use it as a starting point by cloning it and then modifying the clone.

Default Auto Learn Profile assumes that you want to learn about all parameters, and allow web crawlers from the search engines Google, Yahoo!, Baidu, and MSN/Bing.

Default Auto Learn Profile uses a predefined data type group, a predefined suspicious URL pattern, and other settings that populate an auto-learning report with a complete data set. It does not use attack signatures that could cause false positives.

To configure an auto-learning profile
You can also use an auto-learning report to generate a new auto-learning profile based on existing data. For details, see Generating a profile from auto-learning data.

1.  Before you create an auto-learning profile, configure the following components:

2.  Go to Auto Learn > Auto Learn Profile > Auto Learn Profile.

To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Autolearn Configuration category. For details, see Permissions.

3.  Click Create New.

A dialog appears.

4.  Configure these settings:

Setting name / Description

Name

Type a unique name that can be referenced by other parts of the configuration. Do not use spaces or special characters. The maximum length is 35 characters.

Data Type Group

Select the name of a data type group to use, if any.

Auto-learning learns about the names, length, and required presence of these types of parameters in HTTP requests. For details, see Grouping predefined data types.

Suspicious URL

Select the name of a suspicious URL pattern to use, if any.

Auto-learning considers HTTP requests for these URLs as either malicious vulnerability scanning, data harvesting (a type of web scraping), or administrative login attacks. For details, see Grouping all suspicious request URLs.

Server Protection Threshold

Enter a percentage of detected attacks, relative to total hits, that FortiWeb interprets as a false positive for the entire web host.

When you use auto-learning to generate a protection profile (see Blocking known attacks & data leaks), FortiWeb disables attack signatures that meet or exceed this overall threshold.

For example, if all normal HTTP requests, for whatever reason, sometimes match an attack signature, and therefore do not represent a genuine attack attempt, you could adjust this threshold to reflect the percentage of normal requests that match the attack signature for the overall protected web host. If an average of 99% of requests to the web host match the attack signature, but are actually harmless, you could adjust this setting to 99. When requests to this web site meet the threshold, FortiWeb disables scanning for this attack signature for the entire web site.

Note: This percentage does not have to be greater than Server Protection Exception Threshold.

Server Protection Exception Threshold

Enter a percentage of detected attacks, relative to total hits, that FortiWeb interprets as a false positive for specific URLs.

When you use auto-learning to generate a protection profile, FortiWeb disables attack signatures that meet or exceed this threshold on specific URLs.

For example, if normal HTTP requests to some URLs, for whatever reason, match an attack signature, and therefore do not represent a genuine attack attempt, you could adjust this threshold to reflect the percentage of normal requests that match the attack signature for those specific URLs. If an average of 50% of the requests to some URLs match an attack signature, but are actually harmless, you could adjust this setting to 50. Other URLs on the web host, where the signature is not disabled, would still be subject to scanning by the attack signature.

Note: This percentage does not have to be less than Server Protection Threshold.

Application Policy

Select a URL interpreter set to use, if any.

If the web application embeds parameters in the URL or uses non-standard parameter separators, include an auto-learning adaptor to define how auto-learning should find parameters in the URL. For details, see How to adapt auto-learning to dynamic URLs & unusual parameters.

5.  Click OK.

6.  In a server policy, select the auto-learning profile with its protection profile in Web Protection Profile and Auto Learn Profile (see Configuring a server policy). If you do not want to change all Action settings to Alert in each of the protection profile’s components, also enable Monitor Mode.

Auto-learning is resource-intensive, and can decrease performance. If performance becomes unacceptable, consider selecting the auto-learning profile in only a few policies at a time.

Alternatively or in addition, briefly run a first phase of auto-learning, then disable features which are obviously unnecessary according to auto-learning data, and begin a second, more lightweight phase of auto-learning.

7.  To ensure that the appliance can learn about HTTP/HTTPS requests’ usual page order and other session-related attacks and features, enable the Session Management option in the protection profile.

8.  Continue with Running auto-learning.
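
The following added example (not Fortinet code) models how Server Protection Threshold and Server Protection Exception Threshold, as described in step 4, decide which signatures a generated protection profile would disable host-wide and which only on specific URLs. The hit counts, URLs and signature names are constructed, and evaluating the percentage per signature is an assumption about how the described rule is applied.

```python
from collections import defaultdict

# Constructed sample data: total hits per URL, and hits per (URL, signature).
HITS = {"/search": 1000, "/login": 500, "/upload": 200}
MATCHES = {
    ("/search", "sig-A"): 995, ("/login", "sig-A"): 497, ("/upload", "sig-A"): 198,
    ("/search", "sig-B"): 20, ("/login", "sig-B"): 5, ("/upload", "sig-B"): 120,
    ("/login", "sig-C"): 10,
}


def plan_signature_exceptions(hits, matches, server_threshold, exception_threshold):
    """Return (signatures disabled for the whole host, {url: signatures disabled there}).

    A signature is treated as a false positive when its detections, as a
    percentage of total hits, meet or exceed the relevant threshold.
    Integer arithmetic avoids rounding errors at the boundary.
    """
    host_total = sum(hits.values())
    if host_total == 0:
        return set(), {}

    # Aggregate detections per signature across the whole web host.
    per_signature = defaultdict(int)
    for (_url, sig), count in matches.items():
        per_signature[sig] += count

    # Server Protection Threshold: evaluated against all hits to the host.
    host_wide = {sig for sig, count in per_signature.items()
                 if 100 * count >= server_threshold * host_total}

    # Server Protection Exception Threshold: evaluated per URL, for
    # signatures that are not already disabled host-wide.
    per_url = defaultdict(set)
    for (url, sig), count in matches.items():
        url_total = hits.get(url, 0)
        if sig in host_wide or url_total == 0:
            continue
        if 100 * count >= exception_threshold * url_total:
            per_url[url].add(sig)
    return host_wide, dict(per_url)


if __name__ == "__main__":
    # Values from the page's examples: 99 for the host, 50 for specific URLs.
    print(plan_signature_exceptions(HITS, MATCHES, 99, 50))
    # The two thresholds are independent; a low host-wide value disables more.
    print(plan_signature_exceptions(HITS, MATCHES, 5, 50))
```

With the thresholds set to 99 and 50, only sig-A is disabled for the whole host and sig-B is disabled on /upload alone; lowering the host-wide threshold to 5 also disables sig-B everywhere, which removes that signature's coverage from every URL.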
