Technical Tip: Understanding threat weight vs. threat score in FortiWeb HTTP protocol constraints
| Description | This article clarifies the distinction between Threat Weight and Threat Score in FortiWeb HTTP Protocol Constraints. Setting the Threat Weight to the minimum value does not control threat score calculation. Threat scoring is determined by constraint enforcement and action configuration. This distinction is important when tuning Client Management to avoid unintended Suspicious or Malicious classifications. |
| Scope | FortiWeb. |
| Solution |
Threat Weight affects log severity only. It determines the severity level displayed in the Attack log (critical, severe, substantial, moderate, low, and informative). It does not influence Threat Score calculation. The screenshot below shows the Threat Weight set to the lowest level, with the severity displayed as Informational.
Threat Weight set to Severe severity: The example below shows Threat Weight configured to a higher level, with the severity displayed as Severe.
If the constraint Action is configured as Alert and Deny, FortiWeb:
Threat Score increment example:
An example is shown in the screenshots below.
Conclusion: Threat Weight and Threat Score serve distinct functions in FortiWeb. Threat Weight affects only the severity displayed in logs, while Threat Score increments whenever an enabled protocol constraint is violated. Preventing a constraint from contributing to Threat Score requires disabling the constraint or applying an exception.
Related document: |






