
CLI Reference

waf threshold-based-detection


Use this command to configure threshold-based detection rules. Each rule defines the occurrence count, time period, severity, trigger policy, and related settings for the following suspicious behaviors, which FortiWeb uses to judge whether a request comes from a human or a bot.

  • Crawler

    Detects automated web crawlers that systematically scan and index web content. FortiWeb identifies repeated access patterns characteristic of bots, such as excessive page traversal within a short timeframe.

  • Vulnerability Scanning

    Detects behavior that matches known patterns of security scanners (e.g., SQLMap, Acunetix). These tools typically probe for common vulnerabilities across multiple endpoints, often using unusual headers, query strings, or access frequencies.

  • Slow Attack

    Detects Layer 7 denial-of-service (DoS) attempts where an attacker sends HTTP requests very slowly to tie up server-side resources. FortiWeb supports detection of both:

    • Slow Body Attacks: The attacker sends the request body at a very slow rate to prolong the session and exhaust server resources.

    • Slow Header Attacks: The attacker delays transmission of HTTP headers, preventing the server from completing request parsing. FortiWeb uses TCP-layer packet interval analysis to identify such behavior.

    Both types share the same configuration parameters in the detection profile. When detection is triggered, FortiWeb applies the configured action (e.g., Deny, Period Block). Note that header-based detection is performed at the TCP layer and does not support features that require complete HTTP context, such as Real Browser Enforcement or Tracking by Client ID.

  • Content Scraping

    Detects bots that systematically copy web page content, often for competitive or malicious purposes. FortiWeb monitors request frequency and depth across similar URLs to identify scraping behavior.

  • Illegal User Scan

    Identifies repeated attempts to enumerate users or discover valid accounts, typically through brute-force or enumeration techniques.

Syntax

config waf threshold-based-detection

edit "<policy_name>"

set tracking-type {client-ip | client-id}

set bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | captcha-puzzle-enforcement | recaptcha-enforcement | recaptcha-v3-enforcement }

set recaptcha <recaptcha_server_name>

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

set validation-timeout <validation-timeout_int>

set max-attempt-times <max-attempt-times_int>

set crawler-detection {enable | disable}

set crawler-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

set crawler-severity {High | Medium | Low | Info}

set crawler-trigger <crawler-trigger-policy_name>

set crawler-occurrence-num <crawler-occurrence-num_int>

set crawler-within <crawler-within_int>

set crawler-block-period <crawler-block-period_int>

set scanner-detection {enable | disable}

set scanner-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

set scanner-severity {High | Medium | Low | Info}

set scanner-trigger <scanner-trigger-policy_name>

set scanner-occurrence-num <scanner-occurrence-num_int>

set scanner-within <scanner-within_int>

set scanner-block-period <scanner-block-period_int>

set slow-attack-detection {enable | disable}

set slow-attack-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

set slow-attack-severity {High | Medium | Low | Info}

set slow-attack-trigger <slow-attack-trigger-policy_name>

set slow-attack-occurrence-num <slow-attack-occurrence-num_int>

set slow-attack-within <slow-attack-within_int>

set slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>

set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>

set slow-attack-block-period <slow-attack-block-period_int>

set content-scraping-detection {enable | disable}

set content-scraping-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

set content-scraping-severity {High | Medium | Low | Info}

set content-scraping-trigger <content-scraping-trigger-policy_name>

set content-scraping-occurrence-num <content-scraping-occurrence-num_int>

set content-scraping-within <content-scraping-within_int>

set content-scraping-block-period <content-scraping-block-period_int>

set keep-occurrence-count {enable | disable}

next

end

Variable Description Default

"<policy_name>"

Enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.

No default.

tracking-type {client-ip | client-id}

Specifies the method FortiWeb uses to track request occurrences for each threshold-based detection module.

Options:

  • client-ip — Tracks occurrences based on the source IP address.

  • client-id — Tracks occurrences using cookies issued by the Client Management feature, allowing consistent client identification across sessions and IP changes.

Behavior and Requirements:
  • client-id tracking mode requires Client Management to be enabled in the associated protection profile.

  • When client-id is selected:

    • The Client ID Block Period action becomes available.

    • The standard Block Period option is hidden from action settings.

  • When client-ip is selected:

    • Only the standard Block Period action is available.

    • Client ID Block Period option is hidden.

Note:

When a Slow Header Attack is detected, FortiWeb always falls back to IP-based tracking, even if client-id tracking is selected. This is because HTTP-layer information (such as the Client Management cookie) is not yet available during early-stage header processing. In such cases, any action configured as Client ID Block Period is automatically treated as IP-based Period Block.

client-ip

bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | captcha-puzzle-enforcement | recaptcha-enforcement | recaptcha-v3-enforcement }

Select between:

  • captcha-enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the , or doesn't fulfill the request within the validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • captcha-puzzle-enforcement—Presents an interactive image-based puzzle challenge to the user. This method is resistant to headless browsers and scripted bots, and is suitable for high-security scenarios where traditional challenges are easily bypassed. If the client doesn't fulfill the request within the validation-timeout <validation-timeout_int>, FortiWeb applies the action.
    When selected:
    • FortiWeb intercepts the request and serves a visual CAPTCHA that requires drag-and-drop interaction before allowing access to the backend.
    • The original backend response is cached by FortiWeb and only delivered after the user successfully completes the challenge.
    • No customization of the puzzle or replacement message is currently supported.
  • real-browser-enforcement—Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by the validation-timeout <validation-timeout_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

  • recaptcha-enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client doesn't fulfill the request within the validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • recaptcha-v3-enforcement: Requires the client to successfully fulfill a reCAPTCHA v3 request. If the client cannot successfully fulfill the request within the Validation Timeout, FortiWeb applies the Action and sends the reCAPTCHA block page. For details, see "Customizing error and authentication pages (replacement messages)" in FortiWeb Administration Guide.
    You can set the threshold of the reCAPTCHA v3 score through the CLI:

    config system recaptcha-api

    set recaptcha-v3-score-threshold <string> *The value range is 0 to 1

    end

  • disable—Does not carry out bot verification.
    Note: When a Slow Header Attack is detected, FortiWeb automatically disables Real Browser Enforcement, regardless of this setting. Because slow header attacks involve incomplete or malformed requests, they are not compatible with browser validation.

disable

recaptcha <recaptcha_server_name>

Enter the name of the reCAPTCHA server you have created through user recaptcha-user.

No default.

mobile-app-identification {disabled | mobile-token-validation}

  • disabled: Does not carry out mobile token verification.
    Note: When a Slow Header Attack is detected, FortiWeb automatically disables Real Browser Enforcement, regardless of this setting. Because slow header attacks involve incomplete or malformed requests, they are not compatible with browser validation.
  • mobile-token-validation: Requires the client to use a mobile token to verify whether the traffic is from mobile devices.
    To apply mobile token validation, you must enable mobile-app-identification in waf web-protection-profile inline-protection.

disable

bot-confirmation {enable | disable}

Enable to confirm if the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or CAPTCHA to the client to double check if it's a bot.

disable

validation-timeout <validation-timeout_int>

Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.

Available only when the bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | captcha-puzzle-enforcement | recaptcha-enforcement | recaptcha-v3-enforcement } is browser-enforcement, captcha-enforcement, or captcha-puzzle-enforcement.

20

crawler-detection {enable | disable}

Enable to detect tools that browse your web site for indexing purposes.

enable

crawler-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

Select which action FortiWeb will take when it detects a crawler:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure crawler-block-period <crawler-block-period_int>.
  • client-id-block-period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure crawler-block-period <crawler-block-period_int>.

alert

crawler-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a crawler:

  • Informative
  • Low
  • Medium
  • High

Medium

crawler-trigger <crawler-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a crawler. For details, see "Viewing log messages".

No default.

crawler-occurrence-num <crawler-occurrence-num_int>

Define the frequency that FortiWeb detects 403 and 404 response codes returned by the web server.

100

crawler-within <crawler-within_int>

Specify the time period, in seconds, during which FortiWeb detects the 403 and 404 response codes.

10

crawler-block-period <crawler-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a crawler. The valid range is 1–3,600 seconds.

Available only if crawler-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period} is set to block-period or client-id-block-period.

600

scanner-detection {enable | disable}

Enable to detect tools that scan your web site for vulnerabilities.

disable

scanner-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

Select which action FortiWeb will take when it detects attack signatures:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure scanner-block-period <scanner-block-period_int>.
  • client-id-block-period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure scanner-block-period <scanner-block-period_int>.

alert

scanner-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs attack signatures:

  • Informative
  • Low
  • Medium
  • High

Medium

scanner-trigger <scanner-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about attack signatures. For details, see "Viewing log messages".

No default.

scanner-occurrence-num <scanner-occurrence-num_int>

Define the frequency that FortiWeb detects attack signatures.

100

scanner-within <scanner-within_int>

Specify the time period, in seconds, during which FortiWeb monitors the attack signatures.

10

scanner-block-period <scanner-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects attack signatures. The valid range is 1–3,600 seconds.

Available only if scanner-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period} is set to block-period or client-id-block-period.

600

slow-attack-detection {enable | disable}

Enable to detect Denial of Service tools that try to go undetected by generating a small stream of traffic.

disable

slow-attack-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

Select which action FortiWeb will take when it detects slow attack activities:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure slow-attack-block-period <slow-attack-block-period_int>.
  • client-id-block-period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure slow-attack-block-period <slow-attack-block-period_int>.
    When a Slow Header Attack is detected, FortiWeb automatically falls back to Client IP for occurrence tracking. If the configured action is Client ID Block Period, it will be enforced as an IP-based Period Block instead.

alert

slow-attack-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs slow attack activities:

  • Informative
  • Low
  • Medium
  • High

Medium

slow-attack-trigger <slow-attack-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see "Viewing log messages".

No default.

slow-attack-occurrence-num <slow-attack-occurrence-num_int>

Define the frequency that FortiWeb detects slow attack activities.

5

slow-attack-within <slow-attack-within_int>

Specify the time period, in seconds, during which FortiWeb detects slow attack activities.

100

slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>

Specify a timeout value, in seconds, for the HTTP transaction.

60

slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>

Specify the timeout value, in seconds, for interval between packets arriving from either the client or server (request or response packets).

10

slow-attack-block-period <slow-attack-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600 seconds.

Available only if slow-attack-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period} is set to block-period or client-id-block-period.

600

content-scraping-detection {enable | disable}

Enable to detect bots that illegally copy contents from your web site.

disable

content-scraping-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

Select which action FortiWeb will take when it detects content scraping activities:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure content-scraping-block-period <content-scraping-block-period_int>.
  • client-id-block-period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure content-scraping-block-period <content-scraping-block-period_int>.

alert

content-scraping-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs content scraping activities:

  • Informative
  • Low
  • Medium
  • High

Medium

content-scraping-trigger <content-scraping-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about content scraping activities. For details, see "Viewing log messages".

No default.

content-scraping-occurrence-num <content-scraping-occurrence-num_int>

Define the frequency that FortiWeb detects content scraping activities.

100

content-scraping-within <content-scraping-within_int>

Specify the time period, in seconds, during which FortiWeb detects content scraping activities.

30

content-scraping-block-period <content-scraping-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects content scraping activities. The valid range is 1–3,600 seconds.

Available only if content-scraping-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period} is set to block-period or client-id-block-period.

600

keep-occurrence-count {enable | disable}

Enable this option so that the threshold counter will not be reset throughout the Within (Seconds) timeframe. FortiWeb can continue denying or period-blocking the client as long as it has ever reached the threshold within the "Within (Seconds)" timeframe.

disable
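
Added example (not Fortinet code, and not part of the original reference): a small Python linter that checks a config waf threshold-based-detection block against the constraints stated in the table above, namely that the block action matches tracking-type, that block periods fall in the 1–3,600 second range, that a block period is only meaningful with a blocking action, and that Slow Header Attack detection falls back to IP tracking and skips Real Browser Enforcement. The policy names, finding codes and sample configuration are constructed for illustration; the parser assumes one set statement per line.

```python
import re

# Modules covered by the syntax above, with the defaults this page lists
# for <module>-detection.
MODULES = {"crawler": "enable", "scanner": "disable",
           "slow-attack": "disable", "content-scraping": "disable"}
BLOCK_ACTIONS = {"block-period", "client-id-block-period"}

# Constructed sample input (not taken from a real device).
SAMPLE_CONFIG = '''
config waf threshold-based-detection
  edit "shop-bots"
    set tracking-type client-ip
    set bot-recognition real-browser-enforcement
    set crawler-detection enable
    set crawler-action client-id-block-period
    set crawler-block-period 7200
    set scanner-detection enable
    set scanner-action alert
    set scanner-block-period 300
    set slow-attack-detection enable
    set slow-attack-action block-period
  next
  edit "api-bots"
    set tracking-type client-id
    set crawler-detection disable
    set slow-attack-detection enable
    set slow-attack-action client-id-block-period
    set slow-attack-block-period 900
  next
end
'''


def parse_policies(text):
    """Return {policy_name: {option: value}} for every edit ... next entry."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.match(r'edit\s+"?([^"]+)"?$', line)
        if match:
            current = policies.setdefault(match.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            parts = line.split(None, 2)
            if len(parts) == 3:
                current[parts[1]] = parts[2].strip('"')
    return policies


def lint_policy(name, opts):
    """Return (policy, code, message) findings for one parsed policy."""
    findings = []

    def add(code, message):
        findings.append((name, code, message))

    tracking = opts.get("tracking-type", "client-ip")  # page default
    # Per the tracking-type notes, each mode exposes only its own block action.
    wanted = "client-id-block-period" if tracking == "client-id" else "block-period"
    for mod, default in MODULES.items():
        if opts.get(f"{mod}-detection", default) != "enable":
            continue
        action = opts.get(f"{mod}-action", "alert")  # page default
        period_key = f"{mod}-block-period"
        if action in BLOCK_ACTIONS:
            if action != wanted:
                add("ACTION_TRACKING_MISMATCH",
                    f"{mod}-action {action} does not match tracking-type "
                    f"{tracking}; use {wanted}")
            period = opts.get(period_key, "600")  # page default
            if not period.isdigit() or not 1 <= int(period) <= 3600:
                add("BLOCK_PERIOD_RANGE",
                    f"{period_key} {period} is outside the valid range 1-3600")
        elif period_key in opts:
            add("BLOCK_PERIOD_UNUSED",
                f"{period_key} is set but {mod}-action is {action}, "
                f"so the block period does not apply")
        if mod == "slow-attack":
            if tracking == "client-id":
                add("SLOW_HEADER_IP_FALLBACK",
                    "Slow Header Attack detections are tracked and blocked "
                    "by client IP even with tracking-type client-id")
            if opts.get("bot-recognition") == "real-browser-enforcement":
                add("SLOW_HEADER_NO_RBE",
                    "Real Browser Enforcement is not applied when a "
                    "Slow Header Attack is detected")
    return findings


def lint_config(text):
    """Lint every policy found in a threshold-based-detection config block."""
    return [finding
            for name, opts in parse_policies(text).items()
            for finding in lint_policy(name, opts)]


if __name__ == "__main__":
    for policy, code, message in lint_config(SAMPLE_CONFIG):
        print(f"{policy}: {code}: {message}")
```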

Related Topics

waf threshold-based-detection

waf threshold-based-detection

Use this command to configure threshold based detection rules to define occurrence, time period, severity, and trigger policy, etc of the following suspicious behaviors, and thus FortiWeb judges whether the request comes from a human or a bot.

  • Crawler

    Detects automated web crawlers that systematically scan and index web content. FortiWeb identifies repeated access patterns characteristic of bots, such as excessive page traversal within a short timeframe.

  • Vulnerability Scanning

    Detects behavior that matches known patterns of security scanners (e.g., SQLMap, Acunetix). These tools typically probe for common vulnerabilities across multiple endpoints, often using unusual headers, query strings, or access frequencies.

  • Slow Attack

    Detects Layer 7 denial-of-service (DoS) attempts where an attacker sends HTTP requests very slowly to tie up server-side resources. FortiWeb supports detection of both:

    • Slow Body Attacks: The attacker sends the request body at a very slow rate to prolong the session and exhaust server resources.

    • Slow Header Attacks: The attacker delays transmission of HTTP headers, preventing the server from completing request parsing. FortiWeb uses TCP-layer packet interval analysis to identify such behavior.

    Both types share the same configuration parameters in the detection profile. When detection is triggered, FortiWeb applies the configured action (e.g., Deny, Period Block). Note that header-based detection is performed at the TCP layer and does not support features that require complete HTTP context, such as Real Browser Enforcement or Tracking by Client ID.

  • Content Scraping

    Detects bots that systematically copy web page content, often for competitive or malicious purposes. FortiWeb monitors request frequency and depth across similar URLs to identify scraping behavior.

  • Illegal User Scan

    Identifies repeated attempts to enumerate users or discover valid accounts, typically through brute-force or enumeration techniques.

Syntax

config waf threshold-based-detection

edit "<policy_name>"

set tracking-type {client-ip | client-id}

set bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | captcha-puzzle-enforcement | recaptcha-enforcement | recaptcha-v3-enforcement }

set recaptcha <recaptcha_server_name>

set mobile-app-identification {disabled | mobile-token-validation}

set bot-confirmation {enable | disable}

set validation-timeout <validation-timeout_int>

set set set max-attempt-times <max-attempt-times_int>

set crawler-detection {enable | disable}

set crawler-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

set crawler-severity {High | Medium | Low | Info}

set crawler-trigger <crawler-trigger-policy_name>

set crawler-occurrence-num <crawler-occurrence-num_int>

set crawler-within <crawler-within_int>

set crawler-block-period <crawler-block-period_int>

set scanner-detection {enable | disable}

set scanner-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

set scanner-severity {High | Medium | Low | Info}

set crawler-trigger <crawler-trigger-policy_name>

set scanner-occurrence-num <scanner-occurrence-num_int>

set scanner-within <scanner-within_int>

set scanner-block-period <scanner-block-period_int>

set slow-attack-detection {enable | disable}

set slow-attack-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

set slow-attack-severity {High | Medium | Low | Info}

set slow-attack-trigger <slow-attack-trigger-policy_name>

set slow-attack-occurrence-num <slow-attack-occurrence-num_int>

set slow-attack-within <slow-attack-within_int>

set slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>

set slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>

set slow-attack-block-period <slow-attack-block-period_int>

set content-scraping-detection {enable | disable}

set content-scraping-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

set content-scraping-severity {High | Medium | Low | Info}

set content-scraping-trigger <content-scraping-trigger-policy_name>

set content-scraping-occurrence-num <content-scraping-occurrence-num_int>

set content-scraping-within <content-scraping-within_int>

set content-scraping-block-period <content-scraping-block-period_int>

set keep-occurrence-count {enable | disable}

next

end

Variable Description Default

"<policy_name>"

Enter a name for the threshold based detection rule that can be referenced in bot mitigation policy.

No default.

tracking-type {client-ip | client-id}

Specifies the method FortiWeb uses to track request occurrences for each threshold-based detection module.

Options:

  • client-ip — Tracks occurrences based on the source IP address.

  • client-id — Tracks occurrences using cookies issued by the Client Management feature, allowing consistent client identification across sessions and IP changes.

Behavior and Requirements:
  • client-id tracking mode requires Client Management to be enabled in the associated protection profile.

  • When client-id is selected:

    • The Client ID Block Period action becomes available.

    • The standard Block Period option is hidden from action settings.

  • When client-ip is selected:

    • Only the standard Block Period action is available.

    • Client ID Block Period option is hidden.

Note:

When a Slow Header Attack is detected, FortiWeb always falls back to IP-based tracking, even if client-id tracking is selected. This is because HTTP-layer information (such as the Client Management cookie) is not yet available during early-stage header processing. In such cases, any action configured as Client ID Block Period is automatically treated as IP-based Period Block.

client-ip

bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | captcha-puzzle-enforcement | recaptcha-enforcement | recaptcha-v3-enforcement }

Select between:

  • captcha-enforcement—Requires the client to successfully fulfill a CAPTCHA request. If the client cannot successfully fulfill the request within the , or doesn't fulfill the request within the validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • captcha-puzzle-enforcement—Presents an interactive image-based puzzle challenge to the user. This method is resistant to headless browsers and scripted bots, and is suitable for high-security scenarios where traditional challenges are easily bypassed. If the client doesn't fulfill the request within the validation-timeout <validation-timeout_int>, FortiWeb applies the action.
    When selected:
    • FortiWeb intercepts the request and serves a visual CAPTCHA that requires drag-and-drop interaction before allowing access to the backend.
    • The original backend response is cached by FortiWeb and only delivered after the user successfully completes the challenge.
    • No customization of the puzzle or replacement message is currently supported.
  • real-browser-enforcement—Enable to return a JavaScript to the client to test whether it is a web browser or automated tool when it violates the access rule. If the client either fails the test or does not return results before the timeout specified by the validation-timeout <validation-timeout_int>, FortiWeb applies the specified action. If the client appears to be a web browser, FortiWeb allows the client to violate the rule.

  • recaptcha-enforcement—Requires the client to successfully fulfill a reCAPTCHA request. If the client doesn't fulfill the request within the validation-timeout <validation-timeout_int>, FortiWeb applies the action and sends the CAPTCHA block page.

  • recaptcha-v3-enforcement: Requires the client to successfully fulfill a reCAPTCHA v3 request. If the client cannot successfully fulfill the request within the Validation Timeout, FortiWeb applies the Action and sends the reCAPTCHA block page. For details, see "Customizing error and authentication pages (replacement messages)" in FortiWeb Administration Guide.
    You can set the threshold of the reCAPTCHA v3 score through CLI

    config system recaptcha-api

    set recaptcha-v3-score-threshold <string> *The value range is 0 to 1

    end

  • disable—Not to carry out the bot verification.
    Note: When a Slow Header Attack is detected, FortiWeb automatically disables Real Browser Enforcement, regardless of this setting. Because slow header attacks involve incomplete or malformed requests, they are not compatible with browser validation.

disable

recaptcha <recaptcha_server_name>

Enter the reCAPTCHA server you have created through user recaptcha-user

No default.

mobile-app-identification {disabled | mobile-token-validation}

  • disabledNot to carry out the mobile token verification.
    Note: When a Slow Header Attack is detected, FortiWeb automatically disables Real Browser Enforcement, regardless of this setting. Because slow header attacks involve incomplete or malformed requests, they are not compatible with browser validation.
  • mobile-token-validationRequires the client to use mobile token to verify whether the traffic is from mobile devices.
    To apply mobile token validation, you must enable mobile-app-identification in waf web-protection-profile inline-protection.

disable

bot-confirmation {enable | disable}

Enable to confirm if the client is indeed a bot. The system sends RBE (Real Browser Enforcement) JavaScript or CAPTCHA to the client to double check if it's a bot.

disable

validation-timeout <validation-timeout_int>

Enter the maximum amount of time (in seconds) that FortiWeb waits for results from the client.

Available only when the bot-recognition {disabled | real-browser-enforcement | captcha-enforcement | captcha-puzzle-enforcement | recaptcha-enforcement | recaptcha-v3-enforcement } is browser-enforcement, captcha-enforcement, or captcha-puzzle-enforcement.

20

crawler-detection {enable | disable}

Enable to detect tools that browse your web site for indexing purposes.

enable

crawler-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

Select which action FortiWeb will take when it detects a crawler:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure crawler-block-period <crawler-block-period_int>.
  • client-id-block-period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure crawler-block-period <crawler-block-period_int>.

alert

crawler-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs a crawler:

  • Informative
  • Low
  • Medium
  • High

Medium

crawler-trigger <crawler-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about a crawler. For details, see "Viewing log messages" on page 1.

No default.

crawler-occurrence-num <crawler-occurrence-num_int>

Define the frequency that FortiWeb detects 403 and 404 response codes returned by the web server.

100

crawler-within <crawler-within_int>

Specify the time period, in seconds, during which FortiWeb detects the 403 and 404 response codes.

10

crawler-block-period <crawler-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects a crawler. The valid range is 1–3,600 seconds.

Available only if crawler-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period} is set to block-period or client-id-block-period.

600

scanner-detection {enable | disable}

Enable to detect tools that scan your web site for vulnerabilities.

disable

scanner-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

Select which action FortiWeb will take when it detects attack signatures:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure scanner-block-period <scanner-block-period_int>.
  • client-id-block-period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure scanner-block-period <scanner-block-period_int>.

alert

scanner-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs attack signatures:

  • Informative
  • Low
  • Medium
  • High

Medium

scanner-trigger <scanner-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about attack signatures. For details, see "Viewing log messages".

No default.

scanner-occurrence-num <scanner-occurrence-num_int>

Define how many attack signature detections make up the scanner threshold. FortiWeb counts them over the period set by scanner-within <scanner-within_int>.

100

scanner-within <scanner-within_int>

Specify the time period, in seconds, over which FortiWeb counts the attack signatures.

10

scanner-block-period <scanner-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects attack signatures. The valid range is 1–3,600 seconds.

Available only if scanner-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period} is set to block-period or client-id-block-period.

600

slow-attack-detection {enable | disable}

Enable to detect Denial of Service tools that try to go undetected by generating a small stream of traffic.

disable

slow-attack-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

Select which action FortiWeb will take when it detects slow attack activities:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure slow-attack-block-period <slow-attack-block-period_int>.
  • client-id-block-period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure slow-attack-block-period <slow-attack-block-period_int>.
    When a Slow Header Attack is detected, FortiWeb automatically falls back to Client IP for occurrence tracking. If the configured action is Client ID Block Period, it will be enforced as an IP-based Period Block instead.

alert

slow-attack-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs slow attack activities:

  • Informative
  • Low
  • Medium
  • High

Medium

slow-attack-trigger <slow-attack-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about slow attack activities. For details, see "Viewing log messages".

No default.

slow-attack-occurrence-num <slow-attack-occurrence-num_int>

Define how many slow attack activities make up the slow attack threshold. FortiWeb counts them over the period set by slow-attack-within <slow-attack-within_int>.

5

slow-attack-within <slow-attack-within_int>

Specify the time period, in seconds, over which FortiWeb counts slow attack activities.

100

slow-attack-HTTP-transaction-timeout <slow-attack-HTTP-transaction-timeout_int>

Specify a timeout value, in seconds, for the HTTP transaction.

60

slow-attack-packet-interval-timeout <slow-attack-packet-interval-timeout_int>

Specify the timeout value, in seconds, for the interval between packets arriving from either the client or the server (request or response packets).

10

slow-attack-block-period <slow-attack-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects slow attack activities. The valid range is 1–3,600 seconds.

Available only if slow-attack-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period} is set to block-period or client-id-block-period.

600

content-scraping-detection {enable | disable}

Enable to detect bots that illegally copy contents from your web site.

disable

content-scraping-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period}

Select which action FortiWeb will take when it detects content scraping activities:

  • alert—Accept the connection and generate an alert email and/or log message.
  • alert_deny—Block the request (or reset the connection) and generate an alert and/or log message.
  • deny_no_log—Block the request (or reset the connection).
  • block-period—Block subsequent requests from the client for a number of seconds. Also configure content-scraping-block-period <content-scraping-block-period_int>.
  • client-id-block-period—Block a malicious or suspicious client based on the FortiWeb generated client ID. This is useful when the source IP of a certain client keeps changing. This option takes effect only when you enable Client Management in the Server Policy. Also configure content-scraping-block-period <content-scraping-block-period_int>.

alert

content-scraping-severity {High | Medium | Low | Info}

When policy violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level FortiWeb will use when it logs content scraping activities:

  • Informative
  • Low
  • Medium
  • High

Medium

content-scraping-trigger <content-scraping-trigger-policy_name>

Select the trigger, if any, that FortiWeb will use when it logs and/or sends an alert email about content scraping activities. For details, see "Viewing log messages".

No default.

content-scraping-occurrence-num <content-scraping-occurrence-num_int>

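Define how many content scraping activities make up the content scraping threshold. FortiWeb counts them over the period set by content-scraping-within <content-scraping-within_int>.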

100

content-scraping-within <content-scraping-within_int>

Specify the time period, in seconds, over which FortiWeb counts content scraping activities.

30

content-scraping-block-period <content-scraping-block-period_int>

Enter the number of seconds that you want to block subsequent requests from a client after FortiWeb detects content scraping activities. The valid range is 1–3,600 seconds.

Available only if content-scraping-action {alert | deny_no_log | alert_deny | block-period | client-id-block-period} is set to block-period or client-id-block-period.

600

keep-occurrence-count {enable | disable}

Enable this option so that the threshold counter is not reset during the Within (Seconds) timeframe. FortiWeb then continues denying or period-blocking the client for as long as the client has reached the threshold at any point within that timeframe.

disable
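The following Python sketch is an added example, not Fortinet code and not FortiWeb's internal algorithm. It is an offline model of the crawler threshold described above: it replays (timestamp, client, status) records to estimate which clients would reach crawler-occurrence-num within crawler-within, and how long crawler-block-period would then block them. The per-client sliding window, the counter restart after a trigger, the function names and the sample records are all assumptions.

```python
from collections import defaultdict, deque

# Defaults quoted from the reference above.
CRAWLER_OCCURRENCE_NUM = 100   # crawler-occurrence-num
CRAWLER_WITHIN = 10            # crawler-within, seconds
CRAWLER_BLOCK_PERIOD = 600     # crawler-block-period, seconds


def replay(events, occurrence_num=CRAWLER_OCCURRENCE_NUM,
           within=CRAWLER_WITHIN, block_period=CRAWLER_BLOCK_PERIOD):
    """Replay (epoch_seconds, client, status) records in time order.

    Returns {client: [(trigger_time, blocked_until), ...]} for every client
    that would reach the threshold. Assumed model: sliding window per client,
    counter restarts after a trigger, blocked requests are not counted.
    """
    windows = defaultdict(deque)
    blocked_until = {}
    triggers = defaultdict(list)
    for ts, client, status in sorted(events):
        if ts < blocked_until.get(client, 0):
            continue                      # inside an active block period
        if status not in (403, 404):
            continue                      # only 403/404 responses count
        win = windows[client]
        win.append(ts)
        while ts - win[0] >= within:      # drop hits older than the window
            win.popleft()
        if len(win) >= occurrence_num:
            blocked_until[client] = ts + block_period
            triggers[client].append((ts, ts + block_period))
            win.clear()
    return dict(triggers)


def constructed_events():
    """Constructed sample traffic (documentation IP ranges, made-up times)."""
    fast = [(1000 + i // 20, "198.51.100.7", 404) for i in range(120)]  # 20 misses/s
    slow = [(1000 + i, "203.0.113.9", 404) for i in range(120)]         # 1 miss/s
    ok = [(1000 + i, "192.0.2.10", 200) for i in range(120)]            # normal browsing
    return fast + slow + ok


if __name__ == "__main__":
    print("defaults:", replay(constructed_events()))
    print("occurrence_num=10:", replay(constructed_events(), occurrence_num=10))
```

With the defaults only the 20-misses-per-second client reaches the threshold. Lowering occurrence_num to 10 also catches the client that produces one 404 per second, which is the kind of false-positive check worth running before changing crawler-action from alert to block-period.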

Related Topics