Fortinet black logo

Administration Guide

Configuring Advanced Bot Protection policy

Configuring Advanced Bot Protection policy

FortiGuard Advanced Bot Protection is a SaaS (Software as a Service) solution designed to protect your online applications from malicious bots and automated attacks.

By incorporating FortiGuard Advanced Bot Protection (FortiGuard ABP) into FortiWeb's server policy, client traffic will be directed to the FortiGuard ABP service deployed on Google Cloud. It can analyze the traffic to identify any malicious bot behavior and suggest appropriate actions in response.

FortiGuard ABP builds up a machine learning model to protect against a wide range of threats, including Data harvesting, Credential stuffing attacks, Account takeover attempts, and DDoS attacks.

The Advanced Bot Protection feature is supported on the following hardware and cloud platforms:

  • Supported hardware models (platforms that support certificates signed by CA2):

    • FortiWeb 100E
    • FortiWeb 400E
    • FortiWeb 600E
    • FortiWeb 400F
    • FortiWeb 1000F
    • FortiWeb 2000F

    • FortiWeb 3000F

    • FortiWeb 4000F

  • Supported cloud platforms with BYOL (PAYG FortiWeb does not support Advanced Bot Protection feature):

    • AWS (Amazon Web Services)

    • Microsoft Azure

    • GCP (Google Cloud Platform)

    • OCI (Oracle Cloud Infrastructure)

  • Supported VM environments:

    • VMware vSphere Hypervisor ESX/ESXi 4.0/4.1/5.0/5.1/5.5/6.0/6.5/6.7/7.0/8.0.2
    • Citrix Xen Server 6.2/6.5/7.1
    • Open source Xen Project (Hypervisor) 4.9 and higher versions
    • Microsoft Hyper-V (version 6.2 or higher, running on Windows 8 or higher, or Windows Server 2012/2016/2019)
    • KVM (Linux kernel 2.6, 3.0, or 3.1)
    • OpenStack Wallaby
    • Nutanix AHV

The following sections introduce how to enable and incorporate FortiGuard ABP in FortiWeb.

The email address associated with the account for logging in to FortiWeb, Support site, and FortiGuard ABP must be the same.

Enabling FortiGuard ABP service in FortiWeb:

  1. Contact Fortinet sales team to purchase a license with the FortiGuard Advanced Bot Protection service.
  2. Register the license on Support site (https://support.fortinet.com) with your FortiWeb account's email address. For details, see the Fortinet Knowledge Base Registration FAQ: http://kb.fortinet.com/kb/documentLink.do?externalID=12071
  3. Log in to FortiGuard ABP (https://fortiabp.forticloud.com). FortiGuard ABP and the support site utilize a common account management system, allowing you to log in to FortiGuard ABP directly using your support site credentials.
    This step is to validate your FortiGuard ABP service license by logging in. It determines whether you can successfully enable FortiGuard ABP in FortiWeb
  4. Log in to FortiWeb.
  5. In the System Information Widget in Dashboard > Status, click Enable Advanced Bot Protection, then click OK in the pop-up window.
  6. Check the status of Advanced Bot Protection in the Licenses widget in Dashboard > Status. It should be displayed as Valid.

Incorporating an FortiGuard ABP policy in FortiWeb:

  1. Log in to FortiGuard ABP (https://fortiabp.forticloud.com).
  2. In Application, click Create New.
  3. In the Create Application wizard, configure the following:
    1. Enter the domain name of your application.
    2. Select the location that is close to your application servers. FortiGuard ABP is hosted in both the EU and US regions of Google Cloud. Opting for a region near your application server can significantly decrease network latency when FortiGuard ABP processes your traffic.
    3. Provide a distinctive name for your application to facilitate easy identification.
    4. Click Advanced Settings, then enter the login URLs of your application that you want FortiGuard ABP to protect.
      This setting is optional. FortiGuard ABP can automatically analyze your domain and identify the login URLs. However, if you wish to highlight the login URL for special attention by FortiGuard ABP, ensuring it is not overlooked in the Pre-Provisioning process, please go ahead and add it manually.
    5. Click Add.
  4. Go to Application. Find the application you have added, click the Settings icon in the Action column, then click Copy Application ID. You will use this ID later when configuring the FortiGuard ABP related settings in FortiWeb.
  5. Log in to FortiWeb.
  6. Go to Bot Mitigation > Advanced Bot Protection.
  7. Click Create New.
  8. Configure the following settings:

    Setting

    Description

    NameEnter a name for the Advanced Bot Protection policy. You can reference it in the Web Protection Profile.
    Application ID

    Enter the Application ID assigned to your FortiGuard ABP Application.

    The Application ID is used to bind this Advanced Bot Protection policy to the FortiGuard ABP Application.

    To obtain the ID, go to Application page of FortiGuard ABP, under the Application ID column, copy the Application ID.

    Action

    Select which action FortiWeb will take when FortiGuard ABP suggests a request is from a bot:

    • Alert — Accept the connection and generate an alert email and/or log message.

    • Alert & Deny — Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log) — Block the request (or reset the connection).

    • Block Period — Block subsequent requests from the same IP address for a number of seconds.

    • Client ID Block Period — Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client. The valid range is 1–3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block and Client ID Block Period.

    Severity

    When request from a bot is recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use:

    • Informative

    • Low

    • Medium

    • High

    The default value is Medium.

    Trigger PolicySelect the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about FortiGuard ABP violation.
    ExceptionSelect the exception policy which specifies the elements to be exempted from the FortiGuard ABP scan.
    Bot confirmationEnable it to send clients bot verification requests.
    Verification Method
    • CAPTCHA Enforcement — Requires the client to successfully fulfill a CAPTCHA request. CAPTCHA verification will not pop out for the bot confirmation again for the same user within 10 mins timeout.

    • reCAPTCHA Enforcement — Requires the client to successfully fulfill a reCAPTCHA request.

    reCAPTCHA serverSelect the reCAPTCHA server you have created in the reCAPTCHA Server tab in User > Remote Server.
    Max Attempt Times

    If CAPTCHA Enforcement is selected for Verification Method, enter the maximum number of attempts that a client may attempt to fulfill a CAPTCHA request.

    Validation Timeout

    Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.

  9. Click OK.
  10. Go to Policy > Web Protection Profile.
  11. Select the Inline Protection Profile tab.
  12. Select an existing web protection profile to which you want to include the Advanced Bot Protection policy.
  13. Click Edit.
  14. For Bot Mitigation > Advanced Bot Protection, select the Advanced Bot Protection policy from the drop down list.

    Note: To view details about a selected Advanced Bot Protection policy, click the view icon next to the drop down list.

  15. Click OK.

The Advanced Bot Protection policy does not activate until the FortiGuard ABP Application is fully analyzed and Pre-Provisioned to protect the Application.

Pre-Provisioning is required to identify all URLs that should be protected in your Application domain (such as login URLs), and the locations to which JavaScript need to be inserted to collect client information. Without these resources, the system will not be able to insert the necessary JavaScript for bot detection.

Pre-Provisioning is triggered upon creating the Application, and requires 2 to 3 days to complete. During this process, your FortiGuard ABP Application will be in Pending status until Pre-Provisioning is complete. Only when the Application status is Ready, Advanced Bot Protection is actually activated to process traffic.

Configuring Advanced Bot Protection policy

FortiGuard Advanced Bot Protection is a SaaS (Software as a Service) solution designed to protect your online applications from malicious bots and automated attacks.

By incorporating FortiGuard Advanced Bot Protection (FortiGuard ABP) into FortiWeb's server policy, client traffic will be directed to the FortiGuard ABP service deployed on Google Cloud. It can analyze the traffic to identify any malicious bot behavior and suggest appropriate actions in response.

FortiGuard ABP builds up a machine learning model to protect against a wide range of threats, including Data harvesting, Credential stuffing attacks, Account takeover attempts, and DDoS attacks.

The Advanced Bot Protection feature is supported on the following hardware and cloud platforms:

  • Supported hardware models (platforms that support certificates signed by CA2):

    • FortiWeb 100E
    • FortiWeb 400E
    • FortiWeb 600E
    • FortiWeb 400F
    • FortiWeb 1000F
    • FortiWeb 2000F

    • FortiWeb 3000F

    • FortiWeb 4000F

  • Supported cloud platforms with BYOL (PAYG FortiWeb does not support Advanced Bot Protection feature):

    • AWS (Amazon Web Services)

    • Microsoft Azure

    • GCP (Google Cloud Platform)

    • OCI (Oracle Cloud Infrastructure)

  • Supported VM environments:

    • VMware vSphere Hypervisor ESX/ESXi 4.0/4.1/5.0/5.1/5.5/6.0/6.5/6.7/7.0/8.0.2
    • Citrix Xen Server 6.2/6.5/7.1
    • Open source Xen Project (Hypervisor) 4.9 and higher versions
    • Microsoft Hyper-V (version 6.2 or higher, running on Windows 8 or higher, or Windows Server 2012/2016/2019)
    • KVM (Linux kernel 2.6, 3.0, or 3.1)
    • OpenStack Wallaby
    • Nutanix AHV

The following sections introduce how to enable and incorporate FortiGuard ABP in FortiWeb.

The email address associated with the account for logging in to FortiWeb, Support site, and FortiGuard ABP must be the same.

Enabling FortiGuard ABP service in FortiWeb:

  1. Contact Fortinet sales team to purchase a license with the FortiGuard Advanced Bot Protection service.
  2. Register the license on Support site (https://support.fortinet.com) with your FortiWeb account's email address. For details, see the Fortinet Knowledge Base Registration FAQ: http://kb.fortinet.com/kb/documentLink.do?externalID=12071
  3. Log in to FortiGuard ABP (https://fortiabp.forticloud.com). FortiGuard ABP and the support site utilize a common account management system, allowing you to log in to FortiGuard ABP directly using your support site credentials.
    This step is to validate your FortiGuard ABP service license by logging in. It determines whether you can successfully enable FortiGuard ABP in FortiWeb
  4. Log in to FortiWeb.
  5. In the System Information Widget in Dashboard > Status, click Enable Advanced Bot Protection, then click OK in the pop-up window.
  6. Check the status of Advanced Bot Protection in the Licenses widget in Dashboard > Status. It should be displayed as Valid.

Incorporating an FortiGuard ABP policy in FortiWeb:

  1. Log in to FortiGuard ABP (https://fortiabp.forticloud.com).
  2. In Application, click Create New.
  3. In the Create Application wizard, configure the following:
    1. Enter the domain name of your application.
    2. Select the location that is close to your application servers. FortiGuard ABP is hosted in both the EU and US regions of Google Cloud. Opting for a region near your application server can significantly decrease network latency when FortiGuard ABP processes your traffic.
    3. Provide a distinctive name for your application to facilitate easy identification.
    4. Click Advanced Settings, then enter the login URLs of your application that you want FortiGuard ABP to protect.
      This setting is optional. FortiGuard ABP can automatically analyze your domain and identify the login URLs. However, if you wish to highlight the login URL for special attention by FortiGuard ABP, ensuring it is not overlooked in the Pre-Provisioning process, please go ahead and add it manually.
    5. Click Add.
  4. Go to Application. Find the application you have added, click the Settings icon in the Action column, then click Copy Application ID. You will use this ID later when configuring the FortiGuard ABP related settings in FortiWeb.
  5. Log in to FortiWeb.
  6. Go to Bot Mitigation > Advanced Bot Protection.
  7. Click Create New.
  8. Configure the following settings:

    Setting

    Description

    NameEnter a name for the Advanced Bot Protection policy. You can reference it in the Web Protection Profile.
    Application ID

    Enter the Application ID assigned to your FortiGuard ABP Application.

    The Application ID is used to bind this Advanced Bot Protection policy to the FortiGuard ABP Application.

    To obtain the ID, go to Application page of FortiGuard ABP, under the Application ID column, copy the Application ID.

    Action

    Select which action FortiWeb will take when FortiGuard ABP suggests a request is from a bot:

    • Alert — Accept the connection and generate an alert email and/or log message.

    • Alert & Deny — Block the request (or reset the connection) and generate an alert and/or log message.

    • Deny (no log) — Block the request (or reset the connection).

    • Block Period — Block subsequent requests from the same IP address for a number of seconds.

    • Client ID Block Period — Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy.

    The default value is Alert.

    Period Block

    Enter the number of seconds that you want to block subsequent requests from a client. The valid range is 1–3,600 seconds (1 hour).

    This setting is available only if Action is set to Period Block and Client ID Block Period.

    Severity

    When request from a bot is recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use:

    • Informative

    • Low

    • Medium

    • High

    The default value is Medium.

    Trigger PolicySelect the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about FortiGuard ABP violation.
    ExceptionSelect the exception policy which specifies the elements to be exempted from the FortiGuard ABP scan.
    Bot confirmationEnable it to send clients bot verification requests.
    Verification Method
    • CAPTCHA Enforcement — Requires the client to successfully fulfill a CAPTCHA request. CAPTCHA verification will not pop out for the bot confirmation again for the same user within 10 mins timeout.

    • reCAPTCHA Enforcement — Requires the client to successfully fulfill a reCAPTCHA request.

    reCAPTCHA serverSelect the reCAPTCHA server you have created in the reCAPTCHA Server tab in User > Remote Server.
    Max Attempt Times

    If CAPTCHA Enforcement is selected for Verification Method, enter the maximum number of attempts that a client may attempt to fulfill a CAPTCHA request.

    Validation Timeout

    Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.

  9. Click OK.
  10. Go to Policy > Web Protection Profile.
  11. Select the Inline Protection Profile tab.
  12. Select an existing web protection profile to which you want to include the Advanced Bot Protection policy.
  13. Click Edit.
  14. For Bot Mitigation > Advanced Bot Protection, select the Advanced Bot Protection policy from the drop down list.

    Note: To view details about a selected Advanced Bot Protection policy, click the view icon next to the drop down list.

  15. Click OK.

The Advanced Bot Protection policy does not activate until the FortiGuard ABP Application is fully analyzed and Pre-Provisioned to protect the Application.

Pre-Provisioning is required to identify all URLs that should be protected in your Application domain (such as login URLs), and the locations to which JavaScript need to be inserted to collect client information. Without these resources, the system will not be able to insert the necessary JavaScript for bot detection.

Pre-Provisioning is triggered upon creating the Application, and requires 2 to 3 days to complete. During this process, your FortiGuard ABP Application will be in Pending status until Pre-Provisioning is complete. Only when the Application status is Ready, Advanced Bot Protection is actually activated to process traffic.