Transitioning out of the auto-learning phase

How to set up your FortiWeb : Auto-learning : Transitioning out of the auto-learning phase

As your web servers change, you may periodically want to run auto-learning for them on a smaller scale.

For example, perhaps you will install or update a web application or web server, resulting in new structures and different vulnerabilities.

However, for most day-today use, auto-learning should be disabled and your protection profiles fully applied.

To transition to day-to-day use

1. To apply a profile generated by auto-learning, select it in Web Protection Profile in a server policy (see “Configuring a server policy”).

2. If, during auto-learning, any Action in the protection profile or its auxiliary components was set to Alert & Deny or Alert & Erase, verify that those same actions are applied in the protection profile that you generated from auto-learning data. (Incomplete session data due to those actions may have caused auto-learning to be unable to detect those attack types.)

3. If necessary, either:

• Manually adjust the generated profile and its components to suit your security policy. For more serious violations, instead of setting Action to Alert, use a blocking or redirecting option such as Alert & Deny.

• Run a second auto-learning phase to refine your configuration: select the newly generated protection profile in Web Protection Profile, clear the previous phase’s auto-learning data (see “Removing old auto-learning data”), then revisit “Running auto-learning”.

4. Modify the policy to select your newly generated profile in Web Protection Profile.

5. To validate the configuration, test it (see “Testing your installation”.)

6. When you are done collecting auto-learning data and generating your configuration, to improve performance, disable auto-learning by deselecting the auto-learning profile in WAF Auto Learn Profile in all server policies.

7. Disable Monitor Mode.