We’re trying to mitigate users who employ auto‑clicker or automation tools that repeatedly send HTTP POST requests every 100 milliseconds. Our goal is to restrict each user to a maximum of 1 request per 300 milliseconds, and to return HTTP 429 (Too Many Requests) if that limit is exceeded.
We’re looking for the best way to implement this restriction within a Fortinet environment—specifically using FortiWeb or FortiGate if possible.
Can FortiWeb’s Rate Limiting or Bot Mitigation features be configured to apply per‑client‑IP or session with a millisecond‑level interval?
If not, what’s the most effective configuration to approximate a 300 ms threshold (e.g., through request‑per‑second rules, anomaly detection profiles, or custom WAF policies)?
Are there any best practices or sample configurations to handle legitimate bursts without blocking valid users?
Any guidance or example policies for achieving this kind of fine‑grained rate control would be greatly appreciated.
Did you try with DoS policy?
https://docs.fortinet.com/document/fortiweb/8.0.1/administration-guide/276350/dos-prevention
Copyright 2025 Fortinet, Inc. All Rights Reserved.