Bot mitigation with FortiWeb — ML-driven, beyond IP reputation
IP rate-limiting was the bot mitigation strategy of 2018. It still works against script kiddies. It fails against distributed bots running across 500K residential IPs, against credential-stuffing tools that throttle themselves below detection thresholds, against headless-browser scrapers that look like a normal Chrome session. FortiWeb's Advanced Bot Protection (Enterprise tier) combines ML, biometric tracking, behavioural analysis and threshold-based detection — catches what rate-limiting misses without imposing CAPTCHA friction on legitimate users.
ML + Biometric
Enterprise tier
Advanced Bot Protection. Beyond IP rate-limiting.
11 M/mo
4000F ceiling
Top-end bot request capacity. E-commerce scale.
No CAPTCHA
For legit users
Behavioural detection avoids imposing friction on humans.
Good bots ✓
Allowlist
Verified search-engine + monitoring bots permitted automatically.
The bot taxonomy
▸ Credential stuffing
Bots testing leaked username/password combos against your login. Each tries once or twice from many IPs — invisible to per-IP rate-limiting.
▸ Scraping
Bots reading content (price scrapers, content aggregators). Modern scrapers use headless browsers and rotate residential IPs.
▸ Inventory hoarding
E-commerce bots that add limited-stock items to carts. Hostile to legitimate buyers; needs sub-second detection.
▸ Form spam
Comment, signup, contact-form floods. Simpler bots; usually CAPTCHA-deterrable.
▸ Account takeover (ATO)
Post-credential-stuffing — bots logging in with verified-valid creds, then siphoning data or making transactions.
▸ API abuse
Bots calling your APIs to extract data at scale, often paired with token theft.
▸ DDoS-adjacent
Layer-7 floods designed to look like human traffic. Hardest to distinguish.
▸ Good bots
Search engines, monitoring services, partner-API consumers. Should be allowed through with verification.
FortiWeb's detection mechanisms
Multi-layer detection
ML + biometric + behavioural + threshold + reputation — combined
Per the FortiWeb Data Sheet: "FortiWeb protects against automated bots, web scrapers, crawlers, data harvesting, credential stuffing and other automated attacks. Combining machine learning with policies such as threshold-based detection, Bot deception and Biometrics-based detection with superior good bot identification, FortiWeb is able to block malicious bot attacks while reducing friction on legitimate users."
Five layers, all complementary:
| Layer | What it catches | Tier required |
|---|---|---|
| IP reputation + threshold | Known-bad IPs, simple volumetric bots | Standard |
| Credential Stuffing Defense | Distributed login-attempt patterns | Advanced |
| ML behavioural analysis | Session-level human-vs-bot patterns | Enterprise |
| Biometric tracking | Mouse movement, keystroke timing, scroll patterns | Enterprise |
| Bot deception | Trap endpoints, JS challenges, fingerprint-tagged responses | Enterprise |
| Account Takeover protection | Post-login behavioural anomaly | Advanced+ |
Why ML beats rate-limiting
IP rate-limiting limits
- Fails against distributed bots
- Fails against residential-IP rotation
- Fails against slow, throttled bots
- Cannot distinguish good bots from bad
- Tight thresholds cause false positives on burst traffic
- Loose thresholds let determined bots through
FortiWeb ML + biometric
- Session-level behavioural patterns
- Mouse movement / keystroke timing
- Headless browser detection (Puppeteer, Playwright fingerprints)
- Distinguishes good bots from bad via reputation + verification
- Adapts thresholds per workload
- Continuous learning — adapts to new evasion techniques
The bot-request ceiling per FortiWeb model
| Model / Tier | Monthly bot request ceiling |
|---|---|
| VM01 | 200,000 |
| VM02 | 400,000 |
| VM04 | 900,000 |
| VM08 | 1.7 M |
| VM16 | 2.8 M |
| 400F | 850,000 |
| 600F | 1.25 M |
| 1000F | 1.7 M |
| 2000F | 3 M |
| 3000F | 4 M |
| 4000F | 11 M |
Source: FortiWeb Ordering Guide, FWEB-OG-R25-20260318, page 2. Advanced Bot Protection requests per month per platform; varies. E-commerce workloads often need to jump a tier just for the bot ceiling — eg from 600F to 1000F.
Deployment pattern — bot protection at-scale
Week 1 — Monitor-only deployment
FortiWeb Advanced Bot Protection in monitor mode. ML builds behavioural baseline from real traffic. No enforcement yet.
Week 2-3 — Baseline + threshold tuning
Review detection candidates. Tune threshold-based rules, allow good-bot list, configure JS challenges for suspect-but-uncertain traffic.
Week 4 — Enforce on lowest-risk endpoint
Flip enforcement on one endpoint (search? signup?). Watch false-positive rate for 7 days. Roll back if needed.
Week 5-8 — Per-endpoint cutover
Roll enforcement to remaining endpoints in waves. Login endpoint usually last (highest risk if false-positive).
Ongoing — Continuous-learning tuning
ML model adapts as bot patterns evolve. Quarterly review of false-positive trend + new bot pattern coverage.
Where FortiWeb sits relative to dedicated bot products
| Product | Mechanism | Edge-scale data | Best for |
|---|---|---|---|
| FortiWeb Advanced Bot Protection | ML + biometric + behavioural + threshold | Fortinet customer-base + FortiGuard | Layered with WAF, multi-cloud, India INR |
| Cloudflare Bot Management | ML + behavioural + edge-scale data | Vast edge-traffic-volume | Global edge, edge-first architecture |
| Akamai Bot Manager Premier | ML + behavioural + edge-scale data | Vast edge-traffic-volume | Tier-1 enterprise, Akamai-native estates |
FAQ
What's the difference between Standard, Advanced and Enterprise bot protection?
How does ML beat IP rate-limiting for bot detection?
Does FortiWeb's bot mitigation work against headless browsers?
What about good bots — search engines, monitoring?
Can FortiWeb stop bots before they hit the application?
What's the typical bot-request ceiling I need?
How does FortiWeb compare to dedicated bot products (Cloudflare Bot Management, Akamai Bot Manager Premier)?
Can I run FortiWeb bot protection in monitor mode first?
Free bot-traffic audit
See how much of your traffic is actually bot — and what you're missing
Ogma runs a 14-day bot-traffic audit against your existing logs and returns a classification breakdown (good bot / bad bot / human) + a sized FortiWeb Advanced Bot Protection recommendation.
Request the audit or explore the FortiWeb Implementation serviceSources
- FortiWeb Data Sheet — Bot Mitigation section, biometric tracking, ML mechanism
- FortiWeb Ordering Guide — Advanced Bot Protection request ceilings per platform
Related: FortiWeb API security · FortiWeb deployment models · FortiWeb Implementation service
Stay ahead of cyber threats
One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.