Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Does the FortiWeb WAF support Application learning positive security?

Hello to Everyone,



Does the FortiWeb WAF support Application learning (AL) / traffic learning positive security?



From the article I see that there is an ML option but I couldn't find anything about AL as every other major WAF vendor has AL and most now also have ML as it is great to combine AL with the ML learning as ML can stop or change the score of some signatures/violations after the AL is done with learning good URL/cookies/parameters/file types/http headers and methods as to clear false positives.

Community Manager
Community Manager


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Anthony-Fortinet Community Team.

Hello filiaks1,


We are still looking for an answer to your question.


We will come back to you ASAP.




Jean-Philippe - Fortinet Community Team




FortiWeb’s AI-based machine learning evaluates application requests to determine if they are normal, benign anomalies, or anomalies that are threats and this way it nearly eliminates false positive detections and hence the need to manually fine tune WAF rules. 


The anomaly detection model of machine learning feature observes the URLs, parameters, and HTTP Method of HTTP and/or HTTPS sessions passing to your web servers and builds mathematical models to detect abnormal traffic. 


Machine learning | FortiWeb 7.0.0 (


Compared to other vendor which uses positive security model to Learn known good, and fine tune policy around it, FortiWEB help you perform these tasks using its advanced AI-Based Machine learning model.

On top this, FortiWeb has "Monitor Mode" option under Server policy which will help Alert Traffic violation and not actually block them during the initial deployment or testing phase. This is to ensure that your Legitimate traffic is allowed while it still block the real attack.


Best Regards,


After some time I see that the first layer/phase where the ML (Machine Learning) model detects parameter types and urls seems like AL (Application Learning) seen in other advance WAF vendors, where parameter types and urls are auto learned after some samples are collected and statistical model is used as mentioned in and or 



The second layer/phase seems somewhat more interesting that is based on pre-build trained threat models where scores are assigned to  different violations and if there sum it too high then the traffic is blocked. The models are downloaded from the fortiguard cloud like signatures but if a critical/high signature is triggered and the model marks traffic as legitimate will the traffic be allowed or the two features work separately from one another ? If a traffic is allowed because of the ML model even when it is a attack (true positive) could a custom signature be written to block it and will the ML model disable the custom signature?


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors