Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
filiaks1
Contributor II

Created on ‎06-23-2025 12:21 AM

Does FortiWeb ML Based Bot Protection needs a javascript to be injected and false positives ?

Hello Everyone,

 

Does FortiWeb ML Based Bot Protection need a javascript to be injected ? I am asking if it can be used for API traffic as well 

 

Does FortiWeb ML Based Bot Protection need a javascript to be injected as from what I have read from FortiWeb Bot Protection: Machine Learning based Protection  it seems that the Biometric Based and Deception based Bot features would need this but I see no reason for ML/AI to need it.

 

Outside of that I wonder if during DOS attacks normal urls start returning 5xx (Nginx returns 503 during DOS) or does not respond will this cause false positives as FortiWeb needs to be aware which urls were returing normal 2xx or 3xx responses and not to block the user with Bot protection?

 

 

filiaks1_0-1750662971602.png

 

 

Labels:
377
0 Kudos
2 Solutions
atakannatak
Contributor II
In response to filiaks1

Created on ‎06-23-2025 05:19 AM

Hi @filiaks1 ,

 

The ML engine scores ~30 request-/response features; HTTP status is only one of them. A sudden wave of 503s during a DoS lowers the request’s score, but the request is blocked only when several abnormal features push the total above the threshold.

 

Inside the Bot profile you can add URL Resources with their own ML score threshold and action. That lets you tighten protection on CPU-intensive or business-critical paths while keeping a looser setting elsewhere.

 

https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/433906/exception-policy

 

Regardless of the topic, the video below offers practical content that broadly matches what you aim to achieve—just for your information.

 

https://www.youtube.com/watch?v=OOt0VQQN4Tg&list=PLZky9tZj8HB0VwmtqvxbR7Csjq9y9dmG1&index=27

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

 

CCIE #68781

Atakan Atak

View solution in original post

Atakan Atak
306
filiaks1
Contributor II
In response to atakannatak

Created on ‎06-23-2025 06:23 AM Edited on ‎06-23-2025 06:35 AM

Thanks will take a look the youtube videos but for my question about Custom Bot or Dos protection for a URL I discovered the answer myself after clicking around and it is Content Routing that can match the URL and assign custom Web protection profile for that url.

 

FortiWeb Content Routing - Using Scripts in Content Routing Policies

 

Screenshot 2025-06-23 162208.png

 

 

 

View solution in original post

296
0 Kudos
4 REPLIES 4
atakannatak
Contributor II

Created on ‎06-23-2025 01:40 AM

Hi @filiaks1 ,

 

1-Does the Machine-Learning (ML) Bot Protection module inject JavaScript?

 

No. FortiWeb’s ML/AI bot engine is a passive classifier: it analyses metadata that is already present in every HTTP/S transaction (URL, method, header mix, response status, request rate, cookie reuse, etc.). Only the two active bot-handling features—Biometric-Based and Deception-Based Bot Protection—insert JavaScript (or a hidden HTML tag) so the client must return a token. The ML profile does not modify the page, therefore it works just as well for:

 

  • Browser traffic
  • Pure API/JSON or mobile-app calls (no HTML to rewrite)
  • Curl / Postman tests, etc.

The machine-learning model is completely transparent to the client. Unlike Biometric or Deception–Based protection it does not inject any script.

 

https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/600188/configuring-ml-based-b...

 

2-Will backend 5xx errors during a DoS cause ML bot false-positives?


Backend 4xx/5xx bursts do not, by themselves, trigger blocking. The classifier learns two baselines:

 

  • Request-side features (headers, URI entropy, timing)
  • Normal response codes per URL

The ML engine scores more than thirty features (high rate, no cookies, missing Accept headers, etc.); an unexpected 503 is just one dimension. A request is blocked only if the combined score exceeds the threshold. You can even set the response-anomaly weight to 0 if you want the model to ignore status-code changes during an outage.

 

So, ML Bot Protection is safe for API endpoints, needs no JavaScript beacon, and 5 xx bursts will not automatically create false-positives unless you tighten the scoring thresholds yourself.

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

 

CCIE #68781

Atakan Atak
Atakan Atak
356
filiaks1
Contributor II
In response to atakannatak

Created on ‎06-23-2025 02:58 AM Edited on ‎06-23-2025 03:01 AM

Thanks @atakannatak for confirming that I suspected about the javascript.  Also from what I got as it monitors Normal Response codes per URL it should catch when someone tries to access a url with a normal request but the backend because being overloaded returns 5xx and when someone send bad request that triggers the 5xx, so to block only the second attempt?

 

 

Also for Bot and Layer 7 DOS can there be different ML/threeshold per URL as I mean heavy URL that needs more protection as it's response takes a lot of calculation ?

331
0 Kudos
atakannatak
Contributor II
In response to filiaks1

Created on ‎06-23-2025 05:19 AM

Hi @filiaks1 ,

 

The ML engine scores ~30 request-/response features; HTTP status is only one of them. A sudden wave of 503s during a DoS lowers the request’s score, but the request is blocked only when several abnormal features push the total above the threshold.

 

Inside the Bot profile you can add URL Resources with their own ML score threshold and action. That lets you tighten protection on CPU-intensive or business-critical paths while keeping a looser setting elsewhere.

 

https://docs.fortinet.com/document/fortiweb/7.6.4/administration-guide/433906/exception-policy

 

Regardless of the topic, the video below offers practical content that broadly matches what you aim to achieve—just for your information.

 

https://www.youtube.com/watch?v=OOt0VQQN4Tg&list=PLZky9tZj8HB0VwmtqvxbR7Csjq9y9dmG1&index=27

 

BR.

 

If my answer provided a solution for you, please mark the reply as solved it so that others can get it easily while searching for similar scenarios.

 

CCIE #68781

Atakan Atak
Atakan Atak
307
filiaks1
Contributor II
In response to atakannatak

Created on ‎06-23-2025 06:23 AM Edited on ‎06-23-2025 06:35 AM

Thanks will take a look the youtube videos but for my question about Custom Bot or Dos protection for a URL I discovered the answer myself after clicking around and it is Content Routing that can match the URL and assign custom Web protection profile for that url.

 

FortiWeb Content Routing - Using Scripts in Content Routing Policies

 

Screenshot 2025-06-23 162208.png

 

 

 

297
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.