Configuring threat scoring

The threat scoring feature allows you to configure your signature policy to take action based on multiple signature violations by a client, instead of a single signature violation. When a client violates a signature in a threat scoring category, it contributes to a combined threat score. When the combined threat score exceeds a maximum value you specify, FortiWeb takes action.

Selecting signature categories for threat scoring

You enable Threat Scoring for a signature policy to display the threat scoring settings. Then, for each signature category, in the Threat Scoring column, select whether the signatures in the category contribute to the threat score.

When threat scoring for a signature category is ON, FortiWeb ignores the action set for the category. Instead, when traffic violates a signature in the category, FortiWeb adds the threat score for the signature to the combined threat score for the signature policy. When the combined score exceeds the maximum specified by Threat Scoring Threshold, FortiWeb takes the action specified in the threat scoring settings.

Some high-priorty signatures are configured to override the threat management settings for their category. See Signature threat scores.

You cannot enable threat scoring for the following categories:

Credit Card Detection
Information Disclosure if it is configured to erase information

Selecting the method for calculating the combined threat score (Threat Scoring Match Scope)

Threat Scoring Match Scope specifies how FortiWeb calculates the combined threat score before it compares it to Threat Scoring Threshold.

HTTP Transaction – FortiWeb compares the score for each transaction to the threshold.
TCP Session – FortiWeb compares the score for each session to the threshold. The score can include multiple transactions.
HTTP Session – FortiWeb compares the score for sessions associated with a specific client to the threshold. This option requires you to enable Session Management in the appropriate protection profile.

Example combined threat score calculations

Threat Scoring Threshold is Low (7 points).

A TCP session contains two HTTP transactions:

Transaction A violates two signatures. Each signature has a threat score of 3.
Transaction B also violates two signatures. Each signature has a threat score of 5.

If Threat Scoring Match Scope is HTTP Transaction:

The score for transaction A is 6, which does not exceed the threshold and FortiWeb takes no action.
The score for transaction B is 10, which exceeds the threshold, and FortiWeb takes the specified action.

If Threat Scoring Match Scope is TCP Session, the score for the session is 16, which exceeds the threshold and triggers the action.

Signature threat scores

The signature details settings allow you to adjust the threat score for each signature.

Some high priority signatures are configured by default to ignore the threat score settings. When traffic violates these signatures, FortiWeb takes the action specified for that signature immediately.

If you disable the override setting for these signatures, they behave like other signatures when you add their category to the threat scoring group.

Threat score in attack logs

A column and icon in the attack log indicate messages that FortiWeb generated when a combined threat score for a signature policy exceeded its threshold. The message details include more information about the score and the signatures that contributed to it.

FortiWeb aggregates threat score messages in the Aggregated Attacks page. See Coalescing similar attack log messages.