Bot mitigation with FortiWeb — ML-driven, beyond IP reputation

Pawan Sharma Published 08 Jul 2026  ·  By Pawan Sharma  ·  Network Security  ·  14 min read

IP rate-limiting was the bot mitigation strategy of 2018. It still works against script kiddies. It fails against distributed bots running across 500K residential IPs, against credential-stuffing tools that throttle themselves below detection thresholds, against headless-browser scrapers that look like a normal Chrome session. FortiWeb's Advanced Bot Protection (Enterprise tier) combines ML, biometric tracking, behavioural analysis and threshold-based detection — catches what rate-limiting misses without imposing CAPTCHA friction on legitimate users.

ML + Biometric

Enterprise tier

Advanced Bot Protection. Beyond IP rate-limiting.

11 M/mo

4000F ceiling

Top-end bot request capacity. E-commerce scale.

No CAPTCHA

For legit users

Behavioural detection avoids imposing friction on humans.

Good bots ✓

Allowlist

Verified search-engine + monitoring bots permitted automatically.

The bot taxonomy

Credential stuffing

Bots testing leaked username/password combos against your login. Each tries once or twice from many IPs — invisible to per-IP rate-limiting.

Scraping

Bots reading content (price scrapers, content aggregators). Modern scrapers use headless browsers and rotate residential IPs.

Inventory hoarding

E-commerce bots that add limited-stock items to carts. Hostile to legitimate buyers; needs sub-second detection.

Form spam

Comment, signup, contact-form floods. Simpler bots; usually CAPTCHA-deterrable.

Account takeover (ATO)

Post-credential-stuffing — bots logging in with verified-valid creds, then siphoning data or making transactions.

API abuse

Bots calling your APIs to extract data at scale, often paired with token theft.

DDoS-adjacent

Layer-7 floods designed to look like human traffic. Hardest to distinguish.

Good bots

Search engines, monitoring services, partner-API consumers. Should be allowed through with verification.

FortiWeb's detection mechanisms

Multi-layer detection

ML + biometric + behavioural + threshold + reputation — combined

Per the FortiWeb Data Sheet: "FortiWeb protects against automated bots, web scrapers, crawlers, data harvesting, credential stuffing and other automated attacks. Combining machine learning with policies such as threshold-based detection, Bot deception and Biometrics-based detection with superior good bot identification, FortiWeb is able to block malicious bot attacks while reducing friction on legitimate users."

Five layers, all complementary:

LayerWhat it catchesTier required
IP reputation + thresholdKnown-bad IPs, simple volumetric botsStandard
Credential Stuffing DefenseDistributed login-attempt patternsAdvanced
ML behavioural analysisSession-level human-vs-bot patternsEnterprise
Biometric trackingMouse movement, keystroke timing, scroll patternsEnterprise
Bot deceptionTrap endpoints, JS challenges, fingerprint-tagged responsesEnterprise
Account Takeover protectionPost-login behavioural anomalyAdvanced+

Why ML beats rate-limiting

IP rate-limiting limits

  • Fails against distributed bots
  • Fails against residential-IP rotation
  • Fails against slow, throttled bots
  • Cannot distinguish good bots from bad
  • Tight thresholds cause false positives on burst traffic
  • Loose thresholds let determined bots through

FortiWeb ML + biometric

  • Session-level behavioural patterns
  • Mouse movement / keystroke timing
  • Headless browser detection (Puppeteer, Playwright fingerprints)
  • Distinguishes good bots from bad via reputation + verification
  • Adapts thresholds per workload
  • Continuous learning — adapts to new evasion techniques

The bot-request ceiling per FortiWeb model

Model / TierMonthly bot request ceiling
VM01200,000
VM02400,000
VM04900,000
VM081.7 M
VM162.8 M
400F850,000
600F1.25 M
1000F1.7 M
2000F3 M
3000F4 M
4000F11 M

Source: FortiWeb Ordering Guide, FWEB-OG-R25-20260318, page 2. Advanced Bot Protection requests per month per platform; varies. E-commerce workloads often need to jump a tier just for the bot ceiling — eg from 600F to 1000F.

Deployment pattern — bot protection at-scale

1

Week 1 — Monitor-only deployment

FortiWeb Advanced Bot Protection in monitor mode. ML builds behavioural baseline from real traffic. No enforcement yet.

2

Week 2-3 — Baseline + threshold tuning

Review detection candidates. Tune threshold-based rules, allow good-bot list, configure JS challenges for suspect-but-uncertain traffic.

3

Week 4 — Enforce on lowest-risk endpoint

Flip enforcement on one endpoint (search? signup?). Watch false-positive rate for 7 days. Roll back if needed.

4

Week 5-8 — Per-endpoint cutover

Roll enforcement to remaining endpoints in waves. Login endpoint usually last (highest risk if false-positive).

5

Ongoing — Continuous-learning tuning

ML model adapts as bot patterns evolve. Quarterly review of false-positive trend + new bot pattern coverage.

Where FortiWeb sits relative to dedicated bot products

ProductMechanismEdge-scale dataBest for
FortiWeb Advanced Bot ProtectionML + biometric + behavioural + thresholdFortinet customer-base + FortiGuardLayered with WAF, multi-cloud, India INR
Cloudflare Bot ManagementML + behavioural + edge-scale dataVast edge-traffic-volumeGlobal edge, edge-first architecture
Akamai Bot Manager PremierML + behavioural + edge-scale dataVast edge-traffic-volumeTier-1 enterprise, Akamai-native estates

FAQ

What's the difference between Standard, Advanced and Enterprise bot protection?
Standard: IP-based threshold detection and basic rate-limiting. Advanced: + Credential Stuffing Defense, Account Takeover protection. Enterprise: + ML-driven Advanced Bot Protection with biometric tracking and behavioural analysis. Enterprise is the bot-focused tier — required for credential stuffing or scraping defence at scale.
How does ML beat IP rate-limiting for bot detection?
IP rate-limiting fails against distributed bots — when 1M requests come from 500K unique IPs, no individual IP triggers the threshold. ML looks at session-level behaviour (mouse movement, timing patterns, headless browser fingerprints) rather than IP. Catches what rate-limiting misses.
Does FortiWeb's bot mitigation work against headless browsers?
Yes. Biometric tracking, JS challenge insertion, and behavioural analysis detect headless Chrome / Puppeteer / Playwright patterns. The continuous-learning model adapts to new headless evasion techniques.
What about good bots — search engines, monitoring?
FortiWeb's reputation engine recognises documented good bots (Googlebot, Bingbot, monitoring services) and lets them through with appropriate verification (reverse-DNS check). Custom allowlists for your specific monitoring tools are configurable.
Can FortiWeb stop bots before they hit the application?
Yes — the WAF terminates bot requests at the WAF tier. Compute cost (CPU, DB connections) on the app server is preserved. CAPTCHA / challenge insertion happens at WAF level for suspect traffic.
What's the typical bot-request ceiling I need?
Per the Ordering Guide, monthly Advanced Bot Protection request ceilings: VM01 200K, VM02 400K, VM04 900K, VM08 1.7M, VM16 2.8M; appliance: 400F 850K, 600F 1.25M, 1000F 1.7M, 2000F 3M, 3000F 4M, 4000F 11M. E-commerce typically hits the ceiling first.
How does FortiWeb compare to dedicated bot products (Cloudflare Bot Management, Akamai Bot Manager Premier)?
Mechanism is comparable — ML + behavioural + biometric. Edge-scale providers (Cloudflare, Akamai) have a data-volume advantage on novel patterns. FortiWeb gives you more tuning control on per-app policy. For most workloads either works; for the most sophisticated novel-pattern attacks, edge-scale providers sometimes catch earlier.
Can I run FortiWeb bot protection in monitor mode first?
Yes — standard practice. Monitor mode for 2-4 weeks builds the behavioural baseline. Then flip to enforce per-app, per-policy. Rollback per policy if false-positive rate is too high.

Free bot-traffic audit

See how much of your traffic is actually bot — and what you're missing

Ogma runs a 14-day bot-traffic audit against your existing logs and returns a classification breakdown (good bot / bad bot / human) + a sized FortiWeb Advanced Bot Protection recommendation.

Request the audit or explore the FortiWeb Implementation service

Sources

Related: FortiWeb API security · FortiWeb deployment models · FortiWeb Implementation service

Stay ahead of cyber threats

One short email a week — curated Indian cybersecurity news, Fortinet releases, DPDPA updates. No fluff.


Cato Firewall as a Service
Cato ZTNA — Zero Trust Network Access
Cato SASE Solution