Skip to main content
saifmp_123
saifmp_123
Visitor III
November 19, 2024
Solved

Fortiweb 7.6.0 WAF | Update should be needed for threshold based policies

  • November 19, 2024
  • 3 replies
  • 1956 views
I am using the FortiWeb 7.6.0 Web Application Firewall and have a question regarding the threshold-based profiles under the bot mitigation policy. Specifically, this pertains to features like:
 
• Vulnerability Scanning Detection
• Crawler Detection
• Slow Attack Detection
• Content Scraping Detection
 
Currently, I do not see an option to set separate thresholds for single IPs versus shared or NATed IPs. This presents a challenge, as shared IPs naturally generate higher traffic and are more likely to exceed thresholds. The WAF then monitors and blocks such IPs for a default duration (e.g., 5 minutes), which could disrupt legitimate users behind those shared IPs.
 
To address this, one solution could be increasing the thresholds to accommodate shared IP traffic. However, doing so risks giving excessive leeway to a single IP, which could be exploited by malicious users. Whitelisting shared IPs is not a viable option either, as it could lead to security risks if one of the users behind the shared IP is compromised.
 
My Questions:
1. Is there any update or roadmap from Fortinet to introduce separate threshold settings for single vs. shared IPs in future releases?
2. Are there any best practices or alternative configurations I can use to handle this scenario while maintaining strong security and minimizing disruptions?
 
Any insights or recommendations would be greatly appreciated.

 

Best answer by opetr_FTNT

Hello @saifmp_123 ,

The threshold-based profiles under the bot mitigation policy currently don't have the option to configure different settings for shared IP. You can promote this idea through your Fortinet Sales Representative.

 

Regards,

Ondrej

3 replies

Stephen_G
Moderator
Stephen_G
Moderator
November 21, 2024

Hello Sai K,

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Thanks,

Stephen_G - Fortinet Community Team
Stephen_G
Moderator
Stephen_G
Moderator
November 25, 2024

Hello Sai K,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards,

Stephen_G - Fortinet Community Team
opetr_FTNT
Staff
opetr_FTNT
Staff
December 4, 2024

Hello Sai K,

 

Please see below -

 

1. Is there any update or roadmap from Fortinet to introduce separate threshold settings for single vs. shared IPs in future releases?
I'm not aware of any such plan for future releases.
 
2. Are there any best practices or alternative configurations I can use to handle this scenario while maintaining strong security and minimizing disruptions?
The predefined thresholds are good starting point, you can adjust them if they're causing false positive matches in your environment. With regards to the share IP traffic you could try using 'Client ID Block Period' then FortiWeb will block the traffic based on client ID and not based on IP address.
 
Regards,
Ondrej
 
    saifmp_123
    saifmp_123Author
    Visitor III
    December 10, 2024

    Hi @opetr_FTNT/@Stephen_G,

     

    Thank you for your response. Let’s consider a scenario where the IP is shared. In such cases, there could be multiple users under the same IP, requiring us to increase the thresholds. This would, in turn, allow a single IP to potentially perform content scraping, which is a security concern. Instead of this approach, why not update the Fortinet WAF to have separate settings specifically for this policy?

     

    Thanks..!!

    opetr_FTNT
    Staff
    opetr_FTNTAnswer
    Staff
    December 13, 2024

    Hello @saifmp_123 ,

    The threshold-based profiles under the bot mitigation policy currently don't have the option to configure different settings for shared IP. You can promote this idea through your Fortinet Sales Representative.

     

    Regards,

    Ondrej

    Terms & ConditionsAccessibility statement