
CLI Reference

config security waf adaptive-learning


Use this command to configure an Adaptive Learning policy.

To enable the FortiADC Adaptive Learning engine for continuous deep analysis of incoming traffic, you can configure an Adaptive Learning policy or use one of the three predefined configurations offered by FortiADC. By applying this to a WAF profile, the engine samples traffic at a defined rate based on the configured WAF policies. This traffic sampling allows the engine to dynamically learn and adapt to various web application elements, such as hostnames, URLs, query parameters, hidden fields, cookies, and file types. This advanced learning capability ensures that the WAF policies are precisely tuned to specific traffic characteristics, enhancing both security and performance.

Note: The WAF Adaptive Learning feature requires the WAF Signature license or Application Security bundle license. If you do not already have a valid license, FortiADC offers a 30-day trial license to explore the WAF Adaptive Learning functionality.

The Adaptive Learning feature supports the following WAF modules:

  • Web Attack Signature
  • Bot Detection
  • Input Validation (Parameter validation and Hidden field validation)
  • JSON Protection
  • XML Protection
  • Credential Stuffing Defense
  • CSRF Protection
  • HTTP Protocol Constraints
  • SQL/XSS Injection Detection

Adaptive Learning policies are configured per VDOM and take effect only after they are applied to a WAF Profile. Once this WAF Profile is attached to a virtual server, the Adaptive Learning engine will begin to sample the incoming traffic to generate statistics and recommendations.

Predefined Adaptive Learning policy configurations:

FortiADC offers three predefined Adaptive Learning policies you can apply directly in the WAF Profile or you can clone to use as a template to define your own policy. Please note that these predefined configurations are read-only and cannot be modified directly.

Predefined policy, with each parameter and its setting:

Fast_Learning

  • Sampling Rate: 100
  • False Positive Threshold: 0
  • False Positive Policy: none
  • Learning Time: 1440
  • Action
  • URL List:
      • Host Status: disable
      • URL: /

Medium_Learning

  • Sampling Rate
  • False Positive Threshold: 0
  • False Positive Policy: none
  • Learning Time
  • Action: alert
  • URL List:
      • Host Status: disable
      • URL: /

Slow_Learning

  • Sampling Rate
  • False Positive Threshold: 0
  • False Positive Policy
  • Learning Time: 20160
  • Action: alert

Syntax

config security waf adaptive-learning
  edit <name>
    set status {enable|disable}
    set sampling-rate <integer>
    set least-learning-time <integer>
    set false-positive-threshold <integer>
    set false-positive-policy <datasource>
    set action <datasource>
    config url-list
      edit <No.>
        set host-status {enable|disable}
        set host <string>
        set request-url <regex>
      next
    end
  next
end

status

Enable to view the Adaptive Learning configuration parameters.

sampling-rate

Specify the percentage of received requests and their responses that will be sampled. For example, if the sampling rate is 50%, then for every 100 requests, the first 50 requests will be sampled.

The default is 100, and the acceptable range is 1-100.

least-learning-time

Specify the Learning Time period in minutes. The default is 10080 minutes, and the acceptable range is 1-20160 minute(s).

Adaptive Learning will only generate recommendations if the analysis (or "learning") results are "stable" within the specified time period. For the learning results to be stable, the Adaptive Learning engine must not detect any drastic flux in request rates, parameter lengths or types, or longer JSON/XML element names or values, among other limit checks that are configurable in the policies.

false-positive-threshold

Specify the threshold at which triggered events should be considered a false positive.

In scenarios when requests that trigger a WAF policy violation are received from multiple different sources within a certain time period, the False Positive Threshold can be set to allow the Adaptive Learning engine to identify these triggered events as false positives and recommend adjustments to the WAF policy.

The default is 0, and the acceptable range is 0-100000000.

For example:

False Positive Threshold - 2

Learning Time - 10

WAF policy - WAF Signature Profile

When requests that trigger a specific WAF signature ID violation are received from 3 different clients within the 10-minute Learning Time, Adaptive Learning will generate a recommendation to disable the specific signature ID to avoid triggering false positive results.
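
The threshold example above, modelled in Python as an added illustration (this is not FortiADC code). Assumptions: a recommendation is produced when the number of distinct clients exceeds the threshold, the Learning Time is treated as a sliding window, and the function name, sample IPs and signature IDs are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events: (minute offset, client IP, signature ID).
# IPs come from documentation ranges; signature IDs are made up.
EVENTS = [
    (0, "192.0.2.10", 1001),
    (2, "198.51.100.7", 1001),
    (3, "192.0.2.10", 1001),    # repeat client, not a new source
    (9, "203.0.113.5", 1001),   # third distinct client inside 10 minutes
    (1, "192.0.2.10", 2002),
    (4, "192.0.2.10", 2002),    # only one client ever triggers this one
    (0, "192.0.2.10", 3003),
    (6, "198.51.100.7", 3003),
    (15, "203.0.113.5", 3003),  # third client falls outside the window
]


def false_positive_candidates(events, threshold, learning_minutes):
    """Return signature IDs triggered by more than `threshold` distinct
    clients inside any window of `learning_minutes` minutes."""
    if threshold < 1:
        # The page gives no worked example for threshold 0, so it is
        # not modelled here.
        raise ValueError("threshold 0 is not modelled")
    by_sig = defaultdict(list)
    for minute, client, sig in events:
        by_sig[sig].append((minute, client))
    flagged = []
    for sig, hits in sorted(by_sig.items()):
        hits.sort()
        # Slide the window start over every event for this signature.
        for i, (start, _) in enumerate(hits):
            clients = {c for m, c in hits[i:] if m - start < learning_minutes}
            if len(clients) > threshold:
                flagged.append(sig)
                break
    return flagged


if __name__ == "__main__":
    # Threshold 2, Learning Time 10, as in the example above.
    print(false_positive_candidates(EVENTS, 2, 10))
```

Lowering the threshold widens what is treated as a false positive: with a threshold of 1, signature 3003 is also flagged because two clients triggered it within one window.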

false-positive-policy

Specify an existing WAF Exception object to use as the Adaptive Learning False Positive Policy. Only one policy can be applied per Adaptive Learning configuration.

This policy specifies a WAF Exception object that will be used to automatically apply exception rules when accepting Adaptive Learning recommendations. This setting allows integration with the existing WAF exception framework to reduce false positives.

If the target module supports exception handling, rules defined in the WAF Exception object are automatically translated and applied. If the module does not support exceptions, the policy is ignored.

Modules that support this field:

  • JSON/XML Protection

  • SQL/XSS Injection Detection

  • Bot Detection (exception rules are converted to Bot Allowlist settings).

Modules that do not support this field:

  • WAF Signature

  • Input Validation (Parameter Validation & Hidden Field)

  • HTTP Protocol Constraint

  • CSRF Protection

  • Credential Stuffing Defense

Behavioral Notes:

The behavior of Adaptive Learning in relation to exception rules depends on where the exception policy is configured:

  • WAF Profile Level:
    If an exception rule is configured directly in the WAF profile, any matching request will bypass Adaptive Learning entirely. No statistics will be collected, and no recommendations will be generated for that traffic.

  • Adaptive Learning Configuration (False Positive Policy):
    If a WAF Exception object is assigned as the False Positive Policy in the Adaptive Learning settings, exception rules will be automatically applied to WAF modules that support this feature when a recommendation is accepted.

  • WAF Module Level (Function Policies):
    If an exception is configured directly within a WAF module that supports False Positive Policy, Adaptive Learning will still process matching requests and may generate recommendations.

Note: In the WAF processing flow, Adaptive Learning operates at a higher priority than module-level exception logic.

action

Select the action profile to apply when a bot is detected. See config security waf action.

The default action is alert.

config url-list

host-status

If enabled, require authorization only for the specified host. If disabled, ignore hostname in the HTTP request header and require authorization for requests with any Host header. Disabled by default.

host

The host option is available if host-status is enabled.

Specify the HTTP Host header. If Host Status is enabled, the policy matches only if the Host header matches this value. Complete, exact matching is required. For example, www.example.com matches www.example.com but not www.example.com.hk.

The maximum character length is 256.

request-url

The literal URL, such as /index.php, or a regular expression, such as ^/*.php, that the HTTP request must contain in order to match the rule. Multiple URLs are supported.

The maximum character length is 1024.

Example

config security waf adaptive-learning
  edit AL_Test
    set status enable
    set sampling-rate 100
    set least-learning-time 10080
    set false-positive-threshold 1
    set action deny
    config url-list
      edit 1
        set host-status enable
        set host test.demosite.com
        set request-url /api[123]/.*
      next
      edit 2
        set host-status enable
        set host test.demosite.com:8080
        set request-url /
      next
      edit 3
        set host-status enable
        set host [2001:1234::a41:74]:8443
        set request-url /abc.*
      next
    end
  next
end
