The status changes to 'Confirmed' and then to 'Collecting' when ML receives HTTP requests containing the parameter from at least 3 different source IP addresses (ip-expire-cnts) within the 4-hour window (ip-expire-intval). If requests containing the learned parameter, in this example 'email', are not received from 3 different IP addresses within 4 hours, the parameter remains 'Unconfirmed' and is discarded by the garbage collector.
An event log is generated: 'Parameter deleted due to being unconfirmed for too long for parameter <submit> of URL </>. Parameter model changed from Running to Discarded by FortiWeb daemon'.

Problematic case scenario and solution.

If the FortiWeb is placed in an isolated environment where the HTTP requests it learns for the web service protected by the server policy (with Machine Learning Anomaly Detection turned on) come from fewer than 3 different source IP addresses, the threshold is never reached and no parameter is ever confirmed. In this case, decrease 'ip-expire-cnts' to a lower value, for example '1':

Denzil-ML-64 # config waf machine-learning-policy
Denzil-ML-64 (machine-learni~g) # edit 1
Denzil-ML-64 (1) # set ip-expire-cnts 1
Denzil-ML-64 (1) # end

The status then changes to 'Confirmed' and on to 'Collecting' as soon as ML sees a single HTTP request carrying that parameter. Keep in mind that with 'ip-expire-cnts 1' any one client, including a vulnerability scanner, can confirm a parameter on its own, so restore the higher value before the device learns traffic from untrusted clients.
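To make the confirmation rule and its failure mode concrete, the following is an added Python model of the behaviour described above. It is not FortiWeb code: it reproduces only what the article states (a parameter is confirmed once it has been seen from ip-expire-cnts distinct source IPs within ip-expire-intval, otherwise the garbage collector discards it and logs the event), and the timestamps, IP addresses, URLs and the assumption that a discarded parameter is re-learned from scratch are constructed for the illustration.

```python
"""Illustrative model of FortiWeb ML parameter confirmation (added example, not FortiWeb code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HOUR = 3600  # seconds


@dataclass
class ParamState:
    first_seen: float
    status: str = "Unconfirmed"
    # source IP -> timestamp of the most recent request carrying the parameter
    sources: Dict[str, float] = field(default_factory=dict)


class MLParameterLearner:
    """Models ip-expire-cnts / ip-expire-intval as described in the article."""

    def __init__(self, ip_expire_cnts: int = 3, ip_expire_intval: float = 4 * HOUR):
        self.ip_expire_cnts = ip_expire_cnts
        self.ip_expire_intval = ip_expire_intval
        self.params: Dict[Tuple[str, str], ParamState] = {}
        self.events: List[str] = []

    def observe(self, url: str, param: str, src_ip: str, now: float) -> str:
        """Record one HTTP request carrying `param` for `url`; return the new status."""
        key = (url, param)
        st = self.params.get(key)
        if st is None or st.status == "Discarded":
            # Assumption: a discarded parameter starts over as a fresh Unconfirmed one.
            st = self.params[key] = ParamState(first_seen=now)
        st.sources[src_ip] = now
        if st.status == "Unconfirmed":
            # Only distinct sources seen inside the interval count towards the threshold.
            st.sources = {ip: t for ip, t in st.sources.items()
                          if now - t <= self.ip_expire_intval}
            if len(st.sources) >= self.ip_expire_cnts:
                # 'Confirmed' is transient; the parameter moves straight on to 'Collecting'.
                st.status = "Collecting"
        return st.status

    def garbage_collect(self, now: float) -> List[Tuple[str, str]]:
        """Discard parameters still Unconfirmed after ip-expire-intval; log the event."""
        discarded = []
        for (url, param), st in self.params.items():
            if st.status == "Unconfirmed" and now - st.first_seen > self.ip_expire_intval:
                st.status = "Discarded"
                self.events.append(
                    f"Parameter deleted due to being unconfirmed for too long for "
                    f"parameter <{param}> of URL <{url}>. Parameter model changed from "
                    f"Running to Discarded by FortiWeb daemon")
                discarded.append((url, param))
        return discarded

    def status(self, url: str, param: str) -> Optional[str]:
        st = self.params.get((url, param))
        return st.status if st else None


def isolated_lab_default() -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Default threshold of 3: two lab clients hammer 'email' for 4 hours, never confirm it."""
    ml = MLParameterLearner()
    for minute in range(0, 240, 10):  # constructed traffic from only two hosts
        ml.observe("/", "email", "10.0.0.11", minute * 60)
        ml.observe("/", "email", "10.0.0.12", minute * 60 + 5)
    before = ml.status("/", "email")          # still 'Unconfirmed'
    discarded = ml.garbage_collect(5 * HOUR)  # GC runs after the interval has elapsed
    return before, discarded


def isolated_lab_lowered() -> str:
    """ip-expire-cnts set to 1: the very first request confirms the parameter."""
    ml = MLParameterLearner(ip_expire_cnts=1)
    return ml.observe("/", "email", "10.0.0.11", 0)


def production_default() -> str:
    """Three distinct clients inside the 4-hour window: parameter confirmed."""
    ml = MLParameterLearner()
    ml.observe("/login", "email", "198.51.100.1", 0)
    ml.observe("/login", "email", "198.51.100.2", 1 * HOUR)
    ml.observe("/login", "email", "198.51.100.3", 3 * HOUR)
    return ml.status("/login", "email")


def spread_out_sources() -> str:
    """Three clients, but the first one falls outside the window: not confirmed."""
    ml = MLParameterLearner()
    ml.observe("/login", "email", "198.51.100.1", 0)
    ml.observe("/login", "email", "198.51.100.2", 3 * HOUR)
    return ml.observe("/login", "email", "198.51.100.3", 6 * HOUR)
```

The last two scenarios show why the count and the interval have to be read together: three sources are not enough unless they fall inside the same ip-expire-intval window, which is exactly what an isolated lab with one or two test clients can never satisfy at the default count.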
Copyright 2024 Fortinet, Inc. All Rights Reserved.