config security waf adaptive-learning
Use this command to configure an Adaptive Learning policy.
To enable the FortiADC Adaptive Learning engine for continuous deep analysis of incoming traffic, you can configure an Adaptive Learning policy or use one of the three predefined configurations offered by FortiADC. By applying this to a WAF profile, the engine samples traffic at a defined rate based on the configured WAF policies. This traffic sampling allows the engine to dynamically learn and adapt to various web application elements, such as hostnames, URLs, query parameters, hidden fields, cookies, and file types. This advanced learning capability ensures that the WAF policies are precisely tuned to specific traffic characteristics, enhancing both security and performance.
Note: The WAF Adaptive Learning feature requires the WAF Signature license or Application Security bundle license. If you do not already have a valid license, FortiADC offers a 30-day trial license to explore the WAF Adaptive Learning functionality. The trial license is activated automatically upon upgrading to FortiADC 7.6.0.
In FortiADC 7.6.0, the Adaptive Learning feature supports the following WAF modules:
- Web Attack Signature
- Bot Detection
- Input Validation (Parameter validation and Hidden field validation)
- JSON Protection
- XML Protection
Adaptive Learning policies are configured per VDOM and take effect only after they are applied to a WAF Profile. Once this WAF Profile is attached to a virtual server, the Adaptive Learning engine will begin to sample the incoming traffic to generate statistics and recommendations.
Predefined Adaptive Learning policy configurations:
FortiADC offers three predefined Adaptive Learning policies that you can apply directly in the WAF Profile or clone to use as a template for your own policy. These predefined configurations are read-only and cannot be modified directly.
| Predefined policy | Parameter | Setting |
|---|---|---|
| Fast_Learning | Sampling Rate (%) | 100 |
| | False Positive Threshold | 0 |
| | Learning Time (minutes) | 1440 |
| | Action | alert |
| | URL List: Host Status | disable |
| | URL List: URL | / |
| Medium_Learning | Sampling Rate (%) | 80 |
| | False Positive Threshold | 0 |
| | Learning Time (minutes) | 10080 |
| | Action | alert |
| | URL List: Host Status | disable |
| | URL List: URL | / |
| Slow_Learning | Sampling Rate (%) | 50 |
| | False Positive Threshold | 0 |
| | Learning Time (minutes) | 20160 |
| | Action | alert |
| | URL List: Host Status | disable |
| | URL List: URL | / |
Syntax
config security waf adaptive-learning
  edit <name>
    set status {enable|disable}
    set sampling-rate <integer>
    set least-learning-time <integer>
    set false-positive-threshold <integer>
    set action <datasource>
    config url-list
      edit <No.>
        set host-status {enable|disable}
        set host <string>
        set request-url <regex>
      next
    end
  next
end
| Parameter | Description |
|---|---|
| status | Enable to view the Adaptive Learning configuration parameters. |
| sampling-rate | Specify the percentage of received requests and their responses that will be sampled. For example, if the sampling rate is 50%, then for every 100 requests, the first 50 requests will be sampled. The default is 100, and the acceptable range is 1-100. |
| least-learning-time | Specify the Learning Time period in minutes. The default is 10080 minutes, and the acceptable range is 1-20160 minute(s). Adaptive Learning will only generate recommendations if the analysis (or "learning") results are "stable" within the specified time period. For the learning results to be stable, the Adaptive Learning engine must not detect any drastic flux in request rates, parameter lengths or types, or longer JSON/XML element names or values, among other limit checks that are configurable in the policies. |
| false-positive-threshold | Specify the threshold at which triggered events should be considered a false positive. In scenarios where requests that trigger a WAF policy violation are received from multiple different sources within a certain time period, the False Positive Threshold can be set to allow the Adaptive Learning engine to identify these triggered events as false positives and recommend adjustments to the WAF policy. The default is 0, and the acceptable range is 0-100000000. For example, with False Positive Threshold = 2, Learning Time = 10, and WAF policy = WAF Signature Profile: when requests that trigger a specific WAF signature ID violation are received from 2 different clients within the 10 minute Learning Time, Adaptive Learning will generate a recommendation to disable the specific signature ID to avoid triggering false positive results. |
| action | Select the action profile to apply when a bot is detected. See config security waf action. The default action is alert. |
| config url-list | |
| host-status | If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default. |
| host | The host option is available if host-status is enabled. Specify the HTTP Host header. If Host Status is enabled, the policy matches only if the Host header matches this value. Complete, exact matching is required. For example, The maximum character length is 256. |
| request-url | The literal URL, such as The maximum character length is 1024. |
Example
config security waf adaptive-learning
  edit AL_Test
    set status enable
    set sampling-rate 100
    set least-learning-time 10080
    set false-positive-threshold 1
    set action deny
    config url-list
      edit 1
        set host-status enable
        set host test.demosite.com
        set request-url /api[123]/.*
      next
      edit 2
        set host-status enable
        set host test.demosite.com:8080
        set request-url /
      next
      edit 3
        set host-status enable
        set host [2001:1234::a41:74]:8443
        set request-url /abc.*
      next
    end
  next
end
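
A pre-deployment check for a policy block like the example above, added here as an illustration and not Fortinet's or this page's own code: it parses the CLI text and flags values outside the ranges and length limits documented on this page, a `host` set without `host-status enable`, and a `request-url` that does not compile. Python's `re` module stands in for the appliance's regex engine (an assumption), and the function names and the `AL_Draft` sample are hypothetical.

```python
import re

# Limits as documented on this page; Python's re stands in for the appliance regex engine (assumption).
RANGES = {"sampling-rate": (1, 100), "least-learning-time": (1, 20160),
          "false-positive-threshold": (0, 100000000)}
MAX_LEN = {"host": 256, "request-url": 1024}

def parse_policies(text):
    """Parse well-formed CLI text into {policy: {"settings": {...}, "urls": {id: {...}}}}."""
    policies, policy, entry, in_urls = {}, None, None, False
    for line in text.splitlines():
        words = line.split(None, 2) or [""]
        if words[0] == "config":
            in_urls = words[1:] == ["url-list"]
        elif words[0] == "edit" and in_urls:
            entry = policy["urls"].setdefault(words[1], {})
        elif words[0] == "edit":
            policy = policies.setdefault(words[1], {"settings": {}, "urls": {}})
        elif words[0] == "set" and len(words) == 3:
            (entry if in_urls else policy["settings"])[words[1]] = words[2].strip()
        elif words[0] == "end":
            in_urls = False
    return policies

def validate(policies):
    """Return findings; an empty list means every check passed."""
    findings = []
    for name, pol in policies.items():
        for key, (lo, hi) in RANGES.items():
            val = pol["settings"].get(key)
            if val is not None and not (val.isdigit() and lo <= int(val) <= hi):
                findings.append(f"{name}: {key} {val} outside {lo}-{hi}")
        for eid, url in pol["urls"].items():
            where = f"{name} url-list {eid}"
            if "host" in url and url.get("host-status") != "enable":
                findings.append(f"{where}: host set but host-status is not enable")
            for key, limit in MAX_LEN.items():
                if len(url.get(key, "")) > limit:
                    findings.append(f"{where}: {key} longer than {limit} characters")
            try:
                re.compile(url.get("request-url", ""))
            except re.error:
                findings.append(f"{where}: request-url is not a valid regex")
    return findings

SAMPLE = "\n".join([  # constructed draft with three mistakes, not a configuration from the page
    "config security waf adaptive-learning", "edit AL_Draft", "set sampling-rate 150",
    "config url-list", "edit 1", "set host test.demosite.com",
    "set request-url /api[123/.*", "next", "end", "next", "end"])
print("\n".join(validate(parse_policies(SAMPLE))))
```
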