FortiWeb's bot detection machine learning (ML) model is fundamentally different from its anomaly detection model in its analytical scope. The bot detection model analyzes traffic from a source over a period of time, examining patterns across multiple connections to distinguish between human and automated (bot) behavior. In contrast, the anomaly detection and API protection models typically evaluate each HTTP request as a single, independent unit. They compare the individual request's parameters, structure, and values against a pre-established mathematical model of what is considered "normal" for the application.

B. Bot ML models are specifically designed to identify and classify actual threats (malicious bots), not just flag undefined anomalies.

C. While the specific properties may differ, both model types inspect a wide range of connection properties. The core difference is the analytical scope (time-series vs. single transaction), not the quantity of properties.

D. All FortiWeb machine learning models are designed to learn continuously and update periodically from new traffic data to adapt to application changes and evolving threats.

1. Fortinet FortiWeb 7.0.0 Administrator Guide

Page 39

Section: "Machine Learning".

Regarding Anomaly Detection: "FortiWeb builds a mathematical model of the normal behavior of each of your web applications... It analyzes each request..."

Regarding Bot Detection: "For bot detection

FortiWeb uses a different machine learning model... It analyzes traffic from a single source IP over a period of time to determine if the traffic is generated by a human or a bot." This directly supports the distinction made in option A.

The "System Information" widget provides a summary of the FortiWeb appliance's status. The "Firmware" section explicitly lists the "Current" version as 6.4.1, confirming that this is the active firmware. The presence of a "Previous" version (6.4.0) indicates that the device was upgraded from that version to the current one. The "Log Disk" usage shows 41% Used, meaning 59% is available, not 41%.

A. The exhibit shows that 41% of the log disk is Used, not available. The available space is 59%.

C. The exhibit clearly states the "Current" firmware version is 6.4.1, while 6.4.0 is listed as the "Previous" version.

1. FortiWeb Administration Guide 7.0

Page 53

"Dashboard > Status > System Information".

The guide describes the "System Information" widget. It specifies that the "Firmware Version" field displays the currently running firmware. It also explains that the "Firmware" section with "Current" and "Previous" partitions shows the active and inactive firmware images

confirming that the existence of a "Previous" version implies an upgrade has occurred. The "Disk Usage" section is described as showing the percentage of the hard disk that is used. This directly supports the correctness of B and D

and the incorrectness of A and C.

FortiWeb provides a dedicated PCI-DSS mode that, when selected for SSL off-loading, automatically enforces the cipher suites, key lengths, protocol versions, and logging settings mandated by PCI-DSS v3.2/3.2.1. Reverse-proxy or transparent modes can still be made secure, but they rely on manual tuning; only PCI-DSS mode ships with the pre-set hardening required for immediate, auditable compliance, making “SSL offloading with FortiWeb in PCI-DSS mode” the implementation purposely designed to meet the standard.

A. Reverse proxy mode alone does not enforce PCI-DSS-approved ciphers/protocols; weak options remain unless manually removed.

C. Transparent mode forwards traffic; it cannot terminate and re-encrypt with PCI-DSS-approved settings out-of-box.

D. Full transparent proxy similarly passes traffic in-line; it lacks the predefined compliance hardening present in PCI-DSS mode.

1. Fortinet “FortiWeb 7.0.x Administration Guide”

section “System > PCI-DSS”

pp. 274-276 – describes PCI-DSS mode enforcing TLS 1.2+

strong ciphers

audit logging.

2. Fortinet “FortiWeb 7.0.x Administration Guide”

table “Operating Modes vs Compliance”

p. 38 – notes PCI-DSS mode is recommended for card-holder-data environments.

3. PCI Security Standards Council. “Payment Card Industry Data Security Standard v3.2.1”

Req 4.1

pp. 19-21 – mandates use of strong cryptography for transmission; FortiWeb’s PCI-DSS mode maps to these requirements.

4. Fortinet KB Article #FD47794 “How to enable PCI-DSS compliance on FortiWeb” (2022-06-15) – states that enabling PCI-DSS mode is the prescribed method to satisfy compliance audits.

The exhibit shows an entry from the FortiWeb attack log. The log identifies the Source IP as 192.168.1.11 and the Attack ID as 20000010 (brute force logins). The Action taken by FortiWeb is "Alert," which means the device has detected and logged traffic matching a known attack signature. This log entry is direct evidence that the source IP (192.168.1.11) is originating traffic that FortiWeb, the inspecting device, has classified as suspicious. The traffic is directed towards the protected host, www.example.com.

A. The "Alert" action signifies detection and logging only; it does not confirm whether the brute force attempt was successful or if any credentials were compromised.

B. The log clearly indicates that 192.168.1.11 is the Source IP and the protected host is the destination, meaning the suspicious traffic flows from the client to the server.

C. While the Count field indicates the signature was triggered 10 times, this is a specific metric. Option D provides a more fundamental description of the overall event represented by the log entry.

1. FortiWeb 7.4 Administration Guide

Page 519

"Viewing log messages". The guide details the columns in the Attack Log. The Source IP column is defined as "The source IP address of the traffic

" and the Attack column shows "The name of the attack." The existence of an entry in this log for a specific source IP inherently means that the source is sending traffic flagged as an attack

which is suspicious.

2. FortiWeb 7.4 Administration Guide

Page 520

"Action". The guide explains that the "Alert" action means "FortiWeb generates a log message about the traffic

but otherwise takes no action." This confirms that the log entry is for detection and does not imply the attack was successful or blocked.

FortiWeb, functioning as an Application Delivery Controller (ADC), supports Layer 7 load balancing and routing. The specific feature for this is called HTTP Content Routing. This allows FortiWeb to inspect incoming HTTP requests and route them to different back-end server pools based on the content of the request. The routing decisions can be based on various Layer 7 attributes, such as the HTTP Host header, the request URL, or cookies. This capability is essential for directing traffic in complex application environments, such as routing requests for /images to an image server pool and requests for /api to an application server pool.

A. URL policy routing: While routing based on a URL is a component of HTTP content routing, "HTTP content routing" is the official and more comprehensive feature name in FortiWeb, encompassing more than just URLs.

B. OSPF: Open Shortest Path First (OSPF) is a Layer 3 (Network Layer) dynamic routing protocol used to exchange routing information within an autonomous system, which is not a function of a Web Application Firewall.

C. BGP: Border Gateway Protocol (BGP) is a Layer 3 (Network Layer) exterior gateway protocol used for routing between different autonomous systems on the internet, not for application-level traffic distribution.

1. FortiWeb Administration Guide 7.0.0

Page 389

Section: "Configuring HTTP content routing".

The document states

"You can configure HTTP content routing to route requests to a specific server pool based on characteristics of the HTTP request

such as the host

URL

or source IP address." This directly confirms support for HTTP content routing.

2. FortiWeb Administration Guide 7.2.0

Page 434

Section: "HTTP content routing".

This guide reiterates the functionality: "HTTP content routing rules allow you to route requests to a specific server pool based on the characteristics of the HTTP request... FortiWeb evaluates the rules in order from top to bottom and applies the first rule that matches."

3. FortiWeb Administration Guide 7.0.0

Page 118

Section: "Configuring network routing".

This section details the configuration of static routes and policy routes. It makes no mention of dynamic routing protocols like OSPF or BGP

confirming that FortiWeb does not operate as a Layer 3 dynamic router.

The provided screenshot displays the Machine Learning (ML) configuration on a FortiWeb appliance. The Phase is explicitly set to Running, and the Sample Per IP parameter is set to Unlimited. This configuration instructs FortiWeb, during its operational Running phase, to continuously accept and process an unlimited number of traffic samples from any single source IP address. This allows the ML engine to perpetually refine its model of normal traffic behavior without being constrained by a sample limit per IP.

A. This is incorrect because the Sample Per IP setting is explicitly configured as Unlimited, not a fixed or "set number".

C. This is incorrect because the screenshot clearly shows the ML Phase is set to Running, not collecting.

D. This is incorrect as the Phase is Running, not collecting, and the configuration allows for Unlimited samples, not zero.

1. FortiWeb Administration Guide 7.4.1

Page 580

Section: "Configuring machine learning".

The guide details the configuration options for Machine Learning. It lists Running as a selectable Phase. It also describes the Sample Per IP setting

stating: "Select the maximum number of samples that FortiWeb collects from the same source IP address. The available options are 100

1000

10000

and Unlimited." The screenshot shows these two settings configured as Running and Unlimited

directly supporting the correct answer.

2. FortiWeb Cookbook 7.4.0

Page 113

Section: "Machine Learning for anomaly detection".

This document explains the ML process: "In the running phase

FortiWeb uses the data it has collected to build a mathematical model of your application's valid traffic. It then compares new traffic to the model to detect requests that are anomalous." The continuous learning in the running phase is governed by the sampling parameters

which in this case are set to unlimited per IP.

The scenario describes a classic brute force login attack, where an attacker uses multiple IPs to guess user credentials. The most effective and specific method to mitigate this on FortiWeb is by configuring a brute force login policy. This feature is designed to detect and block this exact behavior by monitoring the rate of failed login attempts from a source IP within a specified time frame. Once the configured threshold is exceeded, FortiWeb can automatically take action, such as temporarily blocking the offending IP, which directly stops the attack while minimizing impact on legitimate users.

A. Blocklist any suspected IPs.

This is a manual and reactive approach. For an attack using multiple and potentially changing IP addresses, manual blocklisting is inefficient and may not keep up with the attack.

C. Rate limit all connections from suspected IP addresses.

Rate limiting is a less precise control. It restricts all connections from an IP, which could inadvertently impact legitimate users sharing that IP (e.g., behind a NAT) and doesn't specifically target the malicious login-failure behavior.

D. Block the IP address at the border router.

This action is outside the scope of FortiWeb's application-layer capabilities. While a valid network security measure, it lacks the application-level intelligence to specifically identify and block based on failed login attempts.

1. FortiWeb 7.0 Administration Guide

Page 413

Section: "Defeating brute force logins".

The documentation states

"You can create a brute force signature to define the conditions of a brute force login attack. You can then create a custom brute force policy to specify the action to take when FortiWeb detects a brute force login attack." This directly supports using a dedicated policy for this threat.

2. FortiWeb 7.0 Administration Guide

Page 414

Section: "Configuring brute force login protection".

This section details the configuration steps

including setting a "Threshold" for the number of failed login attempts within a "Time Period" and defining an "Action" such as Period Block. This confirms the feature's design is to specifically counter the attack described in the question.

In an Active-Passive High Availability (HA) cluster, only one FortiWeb unit (the primary) actively processes traffic, while the other (the secondary) remains in a standby state. When a failover is triggered, the standby unit assumes the primary role. To redirect traffic to itself, the newly promoted primary unit broadcasts gratuitous Address Resolution Protocol (ARP) packets. These packets advertise that the cluster's virtual IP (VIP) address is now associated with its own MAC address, prompting neighboring switches and routers to update their ARP tables and forward traffic to the new active unit.

A. Passive-Passive: This is not a standard or valid high availability mode, as it implies no device is actively processing traffic, which defeats the purpose of HA.

C. Active-Active: While an Active-Active cluster also uses gratuitous ARP during a failover (e.g., if the primary load-balancing unit fails), its primary purpose is load distribution across all nodes, not just failover. Active-Passive is the model most defined by this specific failover mechanism.

D. Passive-Active: This is not a distinct HA mode; it is simply another way of describing the Active-Passive configuration.

1. FortiWeb 7.0 Administration Guide

Page 478

Section: "How HA works".

The document states: "When a failover occurs

the new primary unit (the former standby) notifies the network that it is now the owner of the virtual MAC address and the IP addresses of the HA cluster. It sends gratuitous ARP packets that contain the virtual MAC address and the IP addresses of the cluster. Network devices (routers and switches) update their forwarding tables

and traffic begins to flow to the new primary unit." This description is the fundamental mechanism of an Active-Passive failover.

The FortiWeb XSS signature being enforced (ID 000000131) uses a specific regular expression pattern to detect malicious JavaScript event handlers. The pattern is on(blur|change|click|dblclick|focus|keydown|keypress|keyup|load|reset|select|submit|unload)\s=.

The attempted attack uses the mousedown event. This specific event is not included in the list of events within the signature's regular expression. Because the incoming attack vector (onmousedown=...) does not match the signature's pattern, the signature will not be triggered. Consequently, FortiWeb will not take any action based on this rule, and the connection will be allowed.

A. Stripping content is an action ("Erase") that would only occur if the signature pattern was matched, which it is not.

B. Blocking the connection is an action ("Deny") that would only occur if the signature pattern was matched. The attack does not match the pattern.

C. Reporting to FortiGuard would only happen after an attack is detected. Since the signature pattern is not matched, no attack is detected by this rule.

1. FortiWeb 7.4 Administration Guide

Page 388

"Signatures" section.

The guide explains that FortiWeb uses signatures with specific patterns to detect known attacks. It states

"When traffic matches a signature

FortiWeb takes the configured action..." This implies that if traffic does not match the pattern

no action is taken. The attack's mousedown event does not match the signature's regular expression

so no action is taken.

2. FortiWeb 7.4 Administration Guide

Page 389

"To view and filter the predefined signature set".

This section details the components of a signature

including the "Pattern" field. The effectiveness of the signature is entirely dependent on this pattern matching the traffic. The provided scenario shows a clear mismatch between the attack vector and the signature pattern.

The screenshot displays the advanced routing settings on a FortiWeb appliance. The "Allow non-HTTP traffic" option is enabled. This feature configures the FortiWeb to function as a Layer 3 router for any traffic that is not HTTP or HTTPS. Consequently, non-web traffic passing through the appliance will be forwarded according to the routing table, not dropped.

However, this routing feature applies to transit traffic only. Traffic destined directly to a virtual server IP address is handled by the server policy. Since virtual servers are configured specifically for web protocols (HTTP/HTTPS), any non-HTTP traffic (like SSH, FTP, or ICMP) sent to the virtual server's IP will not match a configured service and will be dropped by the FortiWeb.

B. IPv6 routing is enabled.

This is incorrect. The screenshot clearly shows that the "Enable IPv6 Routing" checkbox is not selected, meaning this feature is disabled.

D. Only ICMP traffic is allowed. All other traffic is dropped.

This is incorrect. The "Allow non-HTTP traffic" setting permits all types of non-web traffic to be routed, not just ICMP. Furthermore, HTTP/HTTPS traffic to virtual servers is still processed.

1. FortiWeb 7.4 Administration Guide

Page 218

Section: "Static & dynamic routing".

The guide states: "Allow non-HTTP traffic: Enable to allow FortiWeb to forward non-HTTP/HTTPS traffic. When this option is enabled

FortiWeb acts as a layer-3 router for non-HTTP/HTTPS traffic and forwards it according to its routing table. When this option is disabled

FortiWeb drops all non-HTTP/HTTPS traffic." This directly supports answer A.

2. FortiWeb 7.4 Administration Guide

Page 218

Section: "Static & dynamic routing".

The guide also describes the "Enable IPv6 Routing" option

which is shown as disabled in the exhibit. This confirms that option B is incorrect.

3. FortiWeb 7.4 Administration Guide

Page 311

Section: "Configuring a server policy".

This section details the configuration of server policies

which includes defining virtual servers and the services they offer (e.g.

HTTP

HTTPS). It illustrates that a virtual server is bound to specific web protocols. Traffic of other protocols destined for the virtual server IP is not processed by the policy and is implicitly dropped

which supports answer C.