Hello to Everyone,
Does the FortiWeb WAF support Application learning (AL) / traffic learning positive security?
From the article https://www.fortinet.com/blog/business-and-technology/fortiweb-release-6-0--ai-based-machine-learnin... I see that there is an ML option but I couldn't find anything about AL as every other major WAF vendor has AL and most now also have ML as it is great to combine AL with the ML learning as ML can stop or change the score of some signatures/violations after the AL is done with learning good URL/cookies/parameters/file types/http headers and methods as to clear false positives.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello filiaks1,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hi,
FortiWeb’s AI-based machine learning evaluates application requests to determine if they are normal, benign anomalies, or anomalies that are threats and this way it nearly eliminates false positive detections and hence the need to manually fine tune WAF rules.
The anomaly detection model of machine learning feature observes the URLs, parameters, and HTTP Method of HTTP and/or HTTPS sessions passing to your web servers and builds mathematical models to detect abnormal traffic.
Machine learning | FortiWeb 7.0.0 (fortinet.com)
Compared to other vendor which uses positive security model to Learn known good, and fine tune policy around it, FortiWEB help you perform these tasks using its advanced AI-Based Machine learning model.
On top this, FortiWeb has "Monitor Mode" option under Server policy which will help Alert Traffic violation and not actually block them during the initial deployment or testing phase. This is to ensure that your Legitimate traffic is allowed while it still block the real attack.
Best Regards,
Created on 01-21-2024 10:06 AM Edited on 01-21-2024 10:38 AM
After some time I see that the first layer/phase where the ML (Machine Learning) model detects parameter types and urls seems like AL (Application Learning) seen in other advance WAF vendors, where parameter types and urls are auto learned after some samples are collected and statistical model is used as mentioned in https://docs.fortinet.com/document/fortiweb/7.4.1/cli-reference/780221 and https://community.fortinet.com/t5/FortiWeb/Technical-Tip-Using-FortiWeb-Cloud-s-Machine-Learning-to-... or https://community.fortinet.com/t5/FortiWeb/Technical-Tip-FortiWeb-Machine-Learning-to-protect-from-C...
The second layer/phase seems somewhat more interesting that is based on pre-build trained threat models where scores are assigned to different violations and if there sum it too high then the traffic is blocked. The models are downloaded from the fortiguard cloud like signatures but if a critical/high signature is triggered and the model marks traffic as legitimate will the traffic be allowed or the two features work separately from one another ? If a traffic is allowed because of the ML model even when it is a attack (true positive) could a custom signature be written to block it and will the ML model disable the custom signature?
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.