filiaks1
Explorer III
June 23, 2025
Solved

Does FortiWeb ML Based Bot Protection need JavaScript to be injected, and what about false positives?

  • June 23, 2025
  • 1 reply
  • 1007 views

Hello Everyone,

Does FortiWeb ML Based Bot Protection need JavaScript to be injected? I am asking whether it can be used for API traffic as well.

Does FortiWeb ML Based Bot Protection need JavaScript to be injected? From what I have read in FortiWeb Bot Protection: Machine Learning based Protection, it seems that the Biometric Based and Deception Based Bot features would need this, but I see no reason for ML/AI to need it.

Outside of that, I wonder: if during DoS attacks normal URLs start returning 5xx (Nginx returns 503 during DoS) or do not respond, will this cause false positives? FortiWeb would need to be aware which URLs were returning normal 2xx or 3xx responses so that it does not block the user with Bot protection.

filiaks1_0-1750662971602.png

Best answer by filiaks1

Thanks, I will take a look at the YouTube videos, but for my question about custom Bot or DoS protection for a URL I discovered the answer myself after clicking around: it is Content Routing, which can match the URL and assign a custom Web Protection profile for that URL.

FortiWeb Content Routing - Using Scripts in Content Routing Policies

Screenshot 2025-06-23 162208.png

1 reply

atakannatak
Explorer
June 23, 2025

Hi @filiaks1,

1-Does the Machine-Learning (ML) Bot Protection module inject JavaScript?

No. FortiWeb’s ML/AI bot engine is a passive classifier: it analyses metadata that is already present in every HTTP/S transaction (URL, method, header mix, response status, request rate, cookie reuse, etc.). Only the two active bot-handling features—Biometric-Based and Deception-Based Bot Protection—insert JavaScript (or a hidden HTML tag) so the client must return a token. The ML profile does not modify the page, therefore it works just as well for:

  • Browser traffic
  • Pure API/JSON or mobile-app calls (no HTML to rewrite)
  • Curl / Postman tests, etc.

The machine-learning model is completely transparent to the client. Unlike Biometric or Deception-Based protection it does not inject any script.

https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/600188/configuring-ml-based-bot-detection-policy

2-Will backend 5xx errors during a DoS cause ML bot false-positives?

Backend 4xx/5xx bursts do not, by themselves, trigger blocking. The classifier learns two baselines:

  • Request-side features (headers, URI entropy, timing)
  • Normal response codes per URL

The ML engine scores more than thirty features (high rate, no cookies, missing Accept headers, etc.); an unexpected 503 is just one dimension. A request is blocked only if the combined score exceeds the threshold. You can even set the response-anomaly weight to 0 if you want the model to ignore status-code changes during an outage.

So, ML Bot Protection is safe for API endpoints, needs no JavaScript beacon, and 5xx bursts will not automatically create false positives unless you tighten the scoring thresholds yourself.

BR.

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

CCIE #68781

filiaks1
filiaks1Author
Explorer III
June 23, 2025

Thanks @atakannatak for confirming what I suspected about the JavaScript. Also, from what I got, as it monitors normal response codes per URL it should catch when someone tries to access a URL with a normal request but the backend, because it is overloaded, returns 5xx, and when someone sends a bad request that triggers the 5xx, so as to block only the second attempt?

Also, for Bot and Layer 7 DoS, can there be a different ML threshold per URL? I mean a heavy URL that needs more protection because its response takes a lot of calculation.

atakannatak
Explorer
June 23, 2025

Hi @filiaks1,

The ML engine scores ~30 request-/response features; HTTP status is only one of them. A sudden wave of 503s during a DoS lowers the request’s score, but the request is blocked only when several abnormal features push the total above the threshold.

Inside the Bot profile you can add URL Resources with their own ML score threshold and action. That lets you tighten protection on CPU-intensive or business-critical paths while keeping a looser setting elsewhere.

https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/433906/exception-policy

Regardless of the topic, the video below offers practical content that broadly matches what you aim to achieve—just for your information.

https://www.youtube.com/watch?v=OOt0VQQN4Tg&list=PLZky9tZj8HB0VwmtqvxbR7Csjq9y9dmG1&index=27

BR.

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

CCIE #68781
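To make the two answers above concrete (a weighted multi-feature score with a threshold, a learned per-URL baseline of normal response codes, a response-anomaly weight that can be set to 0, and a tighter per-URL threshold for heavy paths), here is an added toy scorer. It is an illustration written for this thread, not FortiWeb's code: the feature names, weights, threshold values, sample requests and the baseline data are all constructed, and FortiWeb's real feature set and weighting are not reproduced.

```python
"""Toy weighted-feature bot scorer illustrating the behaviour described in the thread.
Constructed example: feature names, weights and thresholds are assumptions, not FortiWeb's."""
from collections import Counter
from dataclasses import dataclass

# Constructed weights for a handful of the ~30 features the answer mentions.
DEFAULT_WEIGHTS = {
    "high_rate": 3.0,          # request rate above the learned norm
    "no_cookie_reuse": 2.0,    # client never presents a previously issued cookie
    "missing_accept": 2.0,     # Accept header absent
    "missing_user_agent": 2.0, # User-Agent header absent
    "response_anomaly": 1.5,   # status code unusual for this URL (set to 0 to ignore)
}
DEFAULT_THRESHOLD = 5.0  # constructed global block threshold


@dataclass
class Request:
    url: str
    status: int
    rate_per_min: int
    headers: dict
    cookie_seen_before: bool


class ResponseBaseline:
    """Learns which status codes are normal for each URL from an observation window."""

    def __init__(self):
        self.counts = {}

    def observe(self, url, status):
        self.counts.setdefault(url, Counter())[status] += 1

    def is_anomalous(self, url, status, min_share=0.05):
        counts = self.counts.get(url)
        if not counts:
            return False  # no baseline for this URL: do not claim an anomaly
        return counts[status] / sum(counts.values()) < min_share


def extract_features(req, baseline, rate_limit=120):
    return {
        "high_rate": req.rate_per_min > rate_limit,
        "no_cookie_reuse": not req.cookie_seen_before,
        "missing_accept": "Accept" not in req.headers,
        "missing_user_agent": "User-Agent" not in req.headers,
        "response_anomaly": baseline.is_anomalous(req.url, req.status),
    }


def score(features, weights=DEFAULT_WEIGHTS):
    """Sum the weights of every feature that fired."""
    return sum(w for name, w in weights.items() if features.get(name))


def decide(req, baseline, weights=DEFAULT_WEIGHTS, url_thresholds=None,
           default_threshold=DEFAULT_THRESHOLD):
    """Per-URL threshold override (like a URL Resource) falls back to the global one."""
    threshold = (url_thresholds or {}).get(req.url, default_threshold)
    s = score(extract_features(req, baseline), weights)
    return {"score": s, "threshold": threshold, "block": s >= threshold}


def build_sample_baseline():
    """Constructed training window: /api/orders normally answers 200."""
    baseline = ResponseBaseline()
    for _ in range(100):
        baseline.observe("/api/orders", 200)
    return baseline


NORMAL_HEADERS = {"Accept": "application/json", "User-Agent": "demo-client/1.0"}
# Legitimate client hitting an overloaded backend: only the 503 is abnormal.
OUTAGE_REQUEST = Request("/api/orders", 503, 30, NORMAL_HEADERS, True)
# Scripted client: high rate, no cookies, no Accept/User-Agent, and a 503.
BOT_REQUEST = Request("/api/orders", 503, 900, {}, False)
# Heavy report endpoint: normal headers, normal 200, but a high rate.
HEAVY_URL_REQUEST = Request("/api/report", 200, 200, NORMAL_HEADERS, True)

if __name__ == "__main__":
    b = build_sample_baseline()
    print("outage ->", decide(OUTAGE_REQUEST, b))
    print("bot    ->", decide(BOT_REQUEST, b))
    print("heavy, global threshold ->", decide(HEAVY_URL_REQUEST, b))
    print("heavy, per-URL threshold 3.0 ->",
          decide(HEAVY_URL_REQUEST, b, url_thresholds={"/api/report": 3.0}))
    print("outage, response weight 0 ->",
          decide(OUTAGE_REQUEST, b, weights={**DEFAULT_WEIGHTS, "response_anomaly": 0.0}))
```

The legitimate request that merely receives a 503 scores 1.5 against a threshold of 5 and passes, which is the point of the first answer; the scripted client trips several features at once and is blocked. The per-URL override shows the second answer's URL Resource idea: the same high-rate request to the heavy endpoint passes under the global threshold but is blocked once that path gets its own lower threshold. Setting the response-anomaly weight to 0 makes the outage request score 0.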