For best results, do not use incomplete or unrealistic traffic. To minimize performance impacts, consider running an initial phase of auto-learning while your FortiWeb is operating in offline protection mode before you transition to your final choice of operation mode.
To quickly reduce the risk of attack while auto-learning is in progress, set the Action to Alert & Deny or Alert & Erase in the protection profile and its components for attacks and disclosures that you are sure cannot be false positives.
For faster results, from an external IP, connect to the web site and access all URLs that a legitimate client would. Provide valid parameters. This activity populates auto-learning data with an initial, realistic set.
To improve performance during auto-learning, run it in a few phases. For example, after an initial short phase of auto-learning, generate a protection profile with the most obvious attack settings. Then delete the auto-learning data, revise the protection profile to omit auto-learning for the settings that you have already discovered, and start the next phase of auto-learning. Alternatively or additionally, you can run auto-learning on only a few policies at a time.
Auto-learning considers URLs up to approximately 128 characters long (assuming single-byte character encoding, and measured after FortiWeb has decoded any nested hexadecimal or other URL encoding, so the limit is somewhat dynamic). If the URL is longer than that buffer size, auto-learning cannot learn it, and therefore ignores it. No event log is generated. In those cases, you must manually configure FortiWeb protection settings for the URL, rather than discovering recommended protection settings via auto-learning. However, you may be able to re-use the settings recommended for other, shorter URLs by auto-learning. For example, if auto-learning discovers an email address parameter, it probably should have the same input constraints regardless of which URL uses it.
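
Because over-length URLs are skipped without an event log, one way to find them is to scan the web server's own access log. The following is an added example, not Fortinet code: it approximates the check by repeatedly percent-decoding each request path and listing those longer than 128 bytes. The log format, the exclusion of the query string, the decode-round cap and all function names are assumptions, and FortiWeb's own decoding may differ.

```python
import re
from urllib.parse import unquote_to_bytes

LEARN_LIMIT = 128      # approximate figure from the text above; a heuristic, not an exact cutoff
MAX_DECODE_ROUNDS = 5  # assumption: cap on nested-encoding depth for this check

# Matches the request target in a common/combined-format access-log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def decoded_length(target: str) -> int:
    """Length in bytes of the URL path after repeatedly undoing percent-encoding."""
    data = target.split("?", 1)[0].encode("utf-8")  # assumption: query string not counted
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_to_bytes(data)
        if decoded == data:  # fixed point reached: nothing left to decode
            break
        data = decoded
    return len(data)


def urls_needing_manual_config(log_lines, limit=LEARN_LIMIT):
    """Return (path, decoded_length) pairs over the limit, longest first."""
    over = {}
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line in the assumed format
        path = match.group(1).split("?", 1)[0]
        length = decoded_length(path)
        if length > limit:
            over[path] = length  # dict de-duplicates repeated requests
    return sorted(over.items(), key=lambda item: -item[1])


# Constructed sample log lines (not real traffic).
LONG_PATH = "/catalog/" + "a" * 130      # 139 bytes decoded: over the limit
NESTED_PATH = "/files/" + "%2541" * 40   # 207 bytes raw, 47 after two decode rounds
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    f'203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET {LONG_PATH}?id=1 HTTP/1.1" 200 512',
    f'203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "POST {NESTED_PATH} HTTP/1.1" 200 512',
    f'203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET {LONG_PATH} HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for path, length in urls_needing_manual_config(SAMPLE_LOG):
        print(f"{length:4d}  {path}")
```

Because the limit is approximate, passing a slightly lower `limit` widens the list to URLs close to the boundary that also deserve a manual check.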