Fortinet black logo

Handbook

Home FortiADC 7.2.0 Handbook

Configuring a Biometrics Based Detection policy

7.2.0
7.4.3
7.4.2
7.4.1
7.4.0
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.1.4
7.1.3
7.1.2
7.1.1
7.1.0
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.1
6.2.0
6.1.6
6.1.5
6.1.4
6.1.3
6.1.2
6.1.1
6.1.0
6.0.1
6.0.0
5.4.3
5.4.2
5.4.1
5.4.0
5.3.6
5.3.5
5.3.4
5.3.3
5.3.2
5.3.1
5.3.0
5.2.7
Copy Link
Copy Doc ID cf7fad5a-adcd-11ed-8e6d-fa163e15d75b:676299
Download PDF

Configuring a Biometrics Based Detection policy

Using Biometrics Based Detection policies, FortiADC can determine whether requests are generated by robots instead of a human by checking client events within a specified period. With JavaScript enabled on the client browser, FortiADC can collect behavioral biometrics (such as mouse movement, keyboard, screen touch, and scroll) and monitor as client events for a specified period. FortiADC can then determine whether the behavioral biometrics from the request is indicative of a bot or a human.

After you have configured Biometrics Based Detection policies, you can select them in WAF profiles.

Before you begin:
  • You must have Read-Write permission for Security settings.
To configure a Biometrics Based Detection policy:
  1. Go to Web Application Firewall > Biometrics Based Detection.
  2. In the Biometrics Based Detection tab, click Create New to display the configuration editor.
  3. Configure the following Biometrics Based Detection settings:

    Setting

    Description

    Name

    Specify a name for the Biometrics Based Detection rule. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    The configuration name cannot be edited once it has been saved.

    Ignore JS Check

    Enable/disable to redirect to a warning page to enable JavaScript. This is disabled by default.

    • Disable — FortiADC will check if JavaScript is enabled on the client browser. If JavaScript is not enabled, then FortiADC will redirect to a warning page to let the user enable JavaScript. If the client does not enable JavaScript within 10 seconds, the traffic may be recognized as a bad bot.
    • Enable — FortiADC will not check if JavaScript is enabled on the client browser. If JavaScript is enabled on the client browser, events can be collected normally and FortiADC can determine if it is a bot or not. But if JavaScript is disabled on the client browser, the client will be recognized as a bot after the Event Collection Time, since events cannot be collected by FortiADC.
    Monitor Client Events

    Select one or more client events to monitor:

    • Mouse Movement
    • Click
    • Keyboard
    • Screen Touch
    • Scroll

    By default, Mouse Movement, Click, and Keyboard are preselected. If the configuration is saved with no Monitor Client Events selected, it will default to the preselected client events.

    Event Collection TimeSpecify for how long the events will be collected from the client. Default: 60 Range: 10-3600 seconds.
    Bot Effective TimeSpecify the time interval before FortiADC tests and verifies a bot again, once a bot has been detected. Default: 5 Range: 1-60 minute(s).
    JS Request URLSpecify the URL to use to insert JavaScript code to the client machine. Default: /fadc_client/default_index.js.
    Action

    Specify a WAF action object to apply when a bot is detected. See Configuring WAF Action objects.

    The default action is alert.

    Severity

    Select the event severity to log when a bot is detected:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is Low.

    Exception Name

    Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

  4. Click Save.
    Once the configuration is saved, the URL List becomes configurable. The Biometrics Based Detection policy will be applied to the request URLs in the URL List.
  5. Under the URL List section, click Create New to display the configuration editor.
  6. Configure the following URL List settings:

    Setting

    Description

    Host StatusIf enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.
    Host

    The Host option is available if Host Status is enabled.

    Specify the HTTP Host header. If Host Status is enabled, the policy matches only if the Host header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

    Request URLThe literal URL, such as /index.php, or a regular expression, such as ^/*.php that the HTTP request must contain in order to match the rule. Multiple URLs are supported.
  7. Click Save.
    Once the URL List configuration is saved, you are returned to the Biometrics Based Detection configuration editor.
  8. Click Save again to apply the newly created URL List configuration to the Biometrics Based Detection configuration.
Previous
Next

Configuring a Biometrics Based Detection policy

Using Biometrics Based Detection policies, FortiADC can determine whether requests are generated by robots instead of a human by checking client events within a specified period. With JavaScript enabled on the client browser, FortiADC can collect behavioral biometrics (such as mouse movement, keyboard, screen touch, and scroll) and monitor as client events for a specified period. FortiADC can then determine whether the behavioral biometrics from the request is indicative of a bot or a human.

After you have configured Biometrics Based Detection policies, you can select them in WAF profiles.

Before you begin:
  • You must have Read-Write permission for Security settings.
To configure a Biometrics Based Detection policy:
  1. Go to Web Application Firewall > Biometrics Based Detection.
  2. In the Biometrics Based Detection tab, click Create New to display the configuration editor.
  3. Configure the following Biometrics Based Detection settings:

    Setting

    Description

    Name

    Specify a name for the Biometrics Based Detection rule. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    The configuration name cannot be edited once it has been saved.

    Ignore JS Check

    Enable/disable to redirect to a warning page to enable JavaScript. This is disabled by default.

    • Disable — FortiADC will check if JavaScript is enabled on the client browser. If JavaScript is not enabled, then FortiADC will redirect to a warning page to let the user enable JavaScript. If the client does not enable JavaScript within 10 seconds, the traffic may be recognized as a bad bot.
    • Enable — FortiADC will not check if JavaScript is enabled on the client browser. If JavaScript is enabled on the client browser, events can be collected normally and FortiADC can determine if it is a bot or not. But if JavaScript is disabled on the client browser, the client will be recognized as a bot after the Event Collection Time, since events cannot be collected by FortiADC.
    Monitor Client Events

    Select one or more client events to monitor:

    • Mouse Movement
    • Click
    • Keyboard
    • Screen Touch
    • Scroll

    By default, Mouse Movement, Click, and Keyboard are preselected. If the configuration is saved with no Monitor Client Events selected, it will default to the preselected client events.

    Event Collection TimeSpecify for how long the events will be collected from the client. Default: 60 Range: 10-3600 seconds.
    Bot Effective TimeSpecify the time interval before FortiADC tests and verifies a bot again, once a bot has been detected. Default: 5 Range: 1-60 minute(s).
    JS Request URLSpecify the URL to use to insert JavaScript code to the client machine. Default: /fadc_client/default_index.js.
    Action

    Specify a WAF action object to apply when a bot is detected. See Configuring WAF Action objects.

    The default action is alert.

    Severity

    Select the event severity to log when a bot is detected:

    • High — Log as high severity events.
    • Medium — Log as a medium severity events.
    • Low — Log as low severity events.

    The default is Low.

    Exception Name

    Select an exception configuration object. Exceptions identify specific hosts or URL patterns that are not subject to processing by this rule.

  4. Click Save.
    Once the configuration is saved, the URL List becomes configurable. The Biometrics Based Detection policy will be applied to the request URLs in the URL List.
  5. Under the URL List section, click Create New to display the configuration editor.
  6. Configure the following URL List settings:

    Setting

    Description

    Host StatusIf enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.
    Host

    The Host option is available if Host Status is enabled.

    Specify the HTTP Host header. If Host Status is enabled, the policy matches only if the Host header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

    Request URLThe literal URL, such as /index.php, or a regular expression, such as ^/*.php that the HTTP request must contain in order to match the rule. Multiple URLs are supported.
  7. Click Save.
    Once the URL List configuration is saved, you are returned to the Biometrics Based Detection configuration editor.
  8. Click Save again to apply the newly created URL List configuration to the Biometrics Based Detection configuration.
Previous
Next