Fortinet white logo
Fortinet white logo

Administration Guide

Configuring client management

Client management

Tracking a client by either the recognized cookie or the source IP, FortiWeb's client management feature identifies suspected attacks based on the clients. When a client triggers a threat, FortiWeb accumulates the threat score based on the configured threat weight value. When the client's threat score reaches a certain threshold, a corresponding blocking action is performed. To identify a visiting client, FortiWeb generates a unique client ID according to the cookie value or source IP.

In inline mode, when a client accesses a web application for the first time, FortiWeb inserts a cookie into the client's browser. In the subsequent access by the client, if the client carries the cookie inserted, FortiWeb tracks the client by this cookie; otherwise, FortiWeb tracks the client by the client's source IP. While in offline mode, FortiWeb cannot insert cookies into the client. By default, three cookies ASPSESSIONID, PHPSESSID, and JSESSIONID are supported. If you want to track the client through other cookies, just configure it in Session Key of Offline Protection Profile.

See also

How client management works

The client management mechanism takes into account the following factors:

Threat weight of security violations

Each protection feature involved in the client management mechanism must be scored with a threat weight to indicate how serious a security violation is; this generally depends on the security concerns according to how networks and servers will be used. For example, SQL injection might be a higher risk security violation if database applications are provided on servers, though it may be a lower risk event if no database applications are provided. When a security violation is detected, the threat weight of the security violation is used to calculate the threat score of the client that launched the event.

Threat score of a client

FortiWeb reacts to security violations launched by a client according to the configured threat score of the client. The threat score is the sum of the threat weights of all the security violations launched by the client in certain time period. Each time a client violates the security, a corresponding threat weight is added to the total threat score based on set time period. The higher the accumulated threat score of the client, the higher of the risk level of the client. A client can be trusted, suspicious, or malicious based on the configured threat score.

Risk level of a client

Risk level is used to evaluate how dangerous a client is. A client is classified as trusted, unidentified, suspicious, or malicious according to the threat score set. To identify the risk level of a client, the threat score of the risk levels must be defined. For example, a client that has a threat score between 0-120 may be considered trusted (the calculation of the traffic shall be over 5 minutes), between 121-300 suspicious, and over 301 malicious. When the client management module is disabled, or it fails to meet the status of the three risk levels, the risk level of the client can be unidentified.

Blocking action based on risk level

When client management is enabled, based on the risk levels, FortiWeb blocks a suspicious or malicious client according to the configurations in Block Settings.

Configuring threat weight

To define the threat weight of each security violation
  1. Go to Policy > Client Management.
  2. Click Threat Weight.
  3. Configure Risk Level Values.
    Six different risk levels are available to indicate how serious a security violation is: Informational, Low, Moderate, Substantial, Severe, and Critical.
  4. Assign a threat weight of 1-500 to the risk levels. It is possible to initially use the default values and later adjust them according to specific security concerns.

  5. Define risk level of security violations.
  6. Here are the security violations that FortiWeb can detect:

Click Threat Weight and then a specific security module. Adjust the slider bar to assign a risk level to each security violation.

For Signatures and HTTP Protocol Constraints, go to Web Protection > Known Attacks > Signatures and Web Protection > Protocol > HTTP > HTTP Protocol Constraints to set the risk level of individual signatures and HTTP protocol constraints. For details, see Blocking known attacks and HTTP/HTTPS protocol constraints.

  • Click Apply to save the configuration.
  • You can also click Restore Defaults to restore the configured threat weight of each security violation to the default values.
  • Configuring client management

    To define the threat score and violation actions

    1. Go to Policy > Client Management.
    2. Click Configuration.
    3. Configure these settings:

      Client session data expires after

      Set the amount of time that FortiWeb will store the tracked client information. Once the information has been stored for longer than the set amount of time, FortiWeb will remove that information.

      Statistics period

      Select the amount of time in days that FortiWeb will store the threat score data for an active client.

      For example, when the statistics period is 3 days, and the total threat score in this period is 150. Then 150 will be taken as the score to compare with those set for thrusted/suspicious/malicious clients.

      Threat Score

      Move the two cursors of the slider bar to set the threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access.

      Block Settings

      Enter the amount of time (in minutes) that FortiWeb will block a suspicious or malicious client. You can set two blocking rules for suspicious and malicious clients respectively.

      Note: Setting for suspicious clients will also work for malicious clients; while those for malicious clients will not work for suspicious clients.

      Block Method

      IP: Block a malicious user based on source IP.

      Client ID: Block a malicious user based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.

    4. Click Apply.

    Monitoring currently tracked clients

    To view the information that has been tracked to the client, or delete or restore a client's threat score, see Monitoring currently tracked clients .

    To view the information of blocked IPs if you configure Block Settings and the threat score exceeds the threshold, see Monitoring currently blocked IPs.

    In Log&Report > Log Access > Attack, you can click an attack log to check the threat score, client ID, and client risk information, and click the client ID to restore the client threat score to 0.

    In Log&Report > Log Access > Event, you can click an event log to check the client ID information, and click the client ID to restore the client threat score to 0.

    Configuring client management

    Client management

    Tracking a client by either the recognized cookie or the source IP, FortiWeb's client management feature identifies suspected attacks based on the clients. When a client triggers a threat, FortiWeb accumulates the threat score based on the configured threat weight value. When the client's threat score reaches a certain threshold, a corresponding blocking action is performed. To identify a visiting client, FortiWeb generates a unique client ID according to the cookie value or source IP.

    In inline mode, when a client accesses a web application for the first time, FortiWeb inserts a cookie into the client's browser. In the subsequent access by the client, if the client carries the cookie inserted, FortiWeb tracks the client by this cookie; otherwise, FortiWeb tracks the client by the client's source IP. While in offline mode, FortiWeb cannot insert cookies into the client. By default, three cookies ASPSESSIONID, PHPSESSID, and JSESSIONID are supported. If you want to track the client through other cookies, just configure it in Session Key of Offline Protection Profile.

    See also

    How client management works

    The client management mechanism takes into account the following factors:

    Threat weight of security violations

    Each protection feature involved in the client management mechanism must be scored with a threat weight to indicate how serious a security violation is; this generally depends on the security concerns according to how networks and servers will be used. For example, SQL injection might be a higher risk security violation if database applications are provided on servers, though it may be a lower risk event if no database applications are provided. When a security violation is detected, the threat weight of the security violation is used to calculate the threat score of the client that launched the event.

    Threat score of a client

    FortiWeb reacts to security violations launched by a client according to the configured threat score of the client. The threat score is the sum of the threat weights of all the security violations launched by the client in certain time period. Each time a client violates the security, a corresponding threat weight is added to the total threat score based on set time period. The higher the accumulated threat score of the client, the higher of the risk level of the client. A client can be trusted, suspicious, or malicious based on the configured threat score.

    Risk level of a client

    Risk level is used to evaluate how dangerous a client is. A client is classified as trusted, unidentified, suspicious, or malicious according to the threat score set. To identify the risk level of a client, the threat score of the risk levels must be defined. For example, a client that has a threat score between 0-120 may be considered trusted (the calculation of the traffic shall be over 5 minutes), between 121-300 suspicious, and over 301 malicious. When the client management module is disabled, or it fails to meet the status of the three risk levels, the risk level of the client can be unidentified.

    Blocking action based on risk level

    When client management is enabled, based on the risk levels, FortiWeb blocks a suspicious or malicious client according to the configurations in Block Settings.

    Configuring threat weight

    To define the threat weight of each security violation
    1. Go to Policy > Client Management.
    2. Click Threat Weight.
    3. Configure Risk Level Values.
      Six different risk levels are available to indicate how serious a security violation is: Informational, Low, Moderate, Substantial, Severe, and Critical.
    4. Assign a threat weight of 1-500 to the risk levels. It is possible to initially use the default values and later adjust them according to specific security concerns.

    5. Define risk level of security violations.
    6. Here are the security violations that FortiWeb can detect:

    Click Threat Weight and then a specific security module. Adjust the slider bar to assign a risk level to each security violation.

    For Signatures and HTTP Protocol Constraints, go to Web Protection > Known Attacks > Signatures and Web Protection > Protocol > HTTP > HTTP Protocol Constraints to set the risk level of individual signatures and HTTP protocol constraints. For details, see Blocking known attacks and HTTP/HTTPS protocol constraints.

  • Click Apply to save the configuration.
  • You can also click Restore Defaults to restore the configured threat weight of each security violation to the default values.
  • Configuring client management

    To define the threat score and violation actions

    1. Go to Policy > Client Management.
    2. Click Configuration.
    3. Configure these settings:

      Client session data expires after

      Set the amount of time that FortiWeb will store the tracked client information. Once the information has been stored for longer than the set amount of time, FortiWeb will remove that information.

      Statistics period

      Select the amount of time in days that FortiWeb will store the threat score data for an active client.

      For example, when the statistics period is 3 days, and the total threat score in this period is 150. Then 150 will be taken as the score to compare with those set for thrusted/suspicious/malicious clients.

      Threat Score

      Move the two cursors of the slider bar to set the threat score for different risk levels of a client based on the threat weight sum of all the security violations launched by the client at the time of the last access.

      Block Settings

      Enter the amount of time (in minutes) that FortiWeb will block a suspicious or malicious client. You can set two blocking rules for suspicious and malicious clients respectively.

      Note: Setting for suspicious clients will also work for malicious clients; while those for malicious clients will not work for suspicious clients.

      Block Method

      IP: Block a malicious user based on source IP.

      Client ID: Block a malicious user based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing.

    4. Click Apply.

    Monitoring currently tracked clients

    To view the information that has been tracked to the client, or delete or restore a client's threat score, see Monitoring currently tracked clients .

    To view the information of blocked IPs if you configure Block Settings and the threat score exceeds the threshold, see Monitoring currently blocked IPs.

    In Log&Report > Log Access > Attack, you can click an attack log to check the threat score, client ID, and client risk information, and click the client ID to restore the client threat score to 0.

    In Log&Report > Log Access > Event, you can click an event log to check the client ID information, and click the client ID to restore the client threat score to 0.