This section discusses Application Learning for WAF.

Application Learning enables the WAF feature on Avi Load Balancer to analyze a set of incoming traffic processed by the WAF Policy.

When Application Learning is enabled on a virtual service, the Service Engine collects data and sends it to the Controller for analysis. So, all learning takes place on the Controller. The traffic selection for Application Learning is based on the WAF Policy configured.

It parses all paths containing URI or BODY parameters of an HTTP request. This collection continues during a specified duration or time interval. Once the timer is hit, the Service Engine sends the data to the Avi Load Balancer Controller for analysis. These WAF configuration parameters are distributed across WAF Policies.

Learning option

To enable the Learning option:

  1. Navigate to Templates > WAF > WAF Policy.

  2. Select the policy for which Application Learning must be enabled.

The following screenshot shows the option to enable Application Learning.



Enable Application Learning for the selected WAF Policy. Once the option is enabled, the additional configuration options will be available to edit as below:

Field

Description

Additional Information

Learn from Authenticated Clients Only

Select this option to enable Application Learning for this WAF policy.

Trusted IPs

If configured, learning will only be performed on requests from client IPs within the configured IP Address Group.

Trusted Client Types

Select this option to enable learning only on requests from clients that match the configured criteria.

Learn from Authenticated Clients Only and Trusted IPs takes precedence over learning from Trusted Client Types. This option can be used if Avi’s bot management is in use.

Sampling

Percent of the requests subjected to Application learning.

Range (1 to 100%).

Enable Auto Rule Updates

Enable Application Learning-based rule updates on the WAF Profile. Rules will be programmed in a dedicated WAF learning group.

Select or deselect the check box.

Auto Promote Rules w/ Confidence

Minimum confidence label required for auto rule updates.

  • Low

  • Probable

  • High

  • Very High (99.99 -100%)

Learning Interval

Frequency with which SE publishes Application learning data to controller.

Range (1 to 60 min). Example- 30 min

Max Parameters

Maximum number of params to learn for an application.

Range (10 to 1000). Example- 100

Min Hits to Learn

Minimum number of occurrences required for a param to qualify for learning.

Range (10 to 1000). Example- 100

Per URI Learning

Learn the params per URI path.

Select or deselect the check box.

Max URI

Maximum number of URI paths to learn for an application. This value can be set higher for more complex applications.

Range (10 -10000).

Note:

If Per URI Learning is ENABLED, the learning algorithm programs the URI and param combinations when they reach the confidence score. If DISABLED, the learning algorithm programs params independently from the URI. This can be useful when URIs are generated for each session.

App Learning From Authenticated Clients Only

The option to learn only from authenticated clients is available under App learning parameters. The default value for this parameter is false. If Learn_from_authenticated_clients_only is set to true, the learning is performed only on the requests from clients who have passed the authentication process configured in the Auth profile of the virtual service. If the value is set to true and the client is not authenticated, the request learning data will not be sent.

Note:

By enabling the App learning from authenticated clients flag, you can restrict learning to clients that have passed authentication configured in the virtual service authorization policy.

Log in to the CLI and select the learning_params options to set learn_from_authenticated_clients_only to true.

[admin:ctr]: > configure wafpolicy Demo-WAF-Policy
[admin:ctr]: wafpolicy> learning_params
[admin:ctr]: wafpolicy:learning_params> learn_from_authenticated_clients_only
Overwriting the previously entered value for learn_from_authenticated_clients_only
[admin:ctr]: wafpolicy:learning_params> where
Tenant: admin
Cloud: Default-Cloud
+---------------------------------------+-----------+
| Field                                 | Value     |
+---------------------------------------+-----------+
| sampling_percent                      | 1 percent |
| update_interval                       | 30 min    |
| max_uris                              | 500       |
| max_params                            | 100       |
| enable_per_uri_learning               | True      |
| min_hits_to_learn                     | 10000     |
| learn_from_authenticated_clients_only | True      |
+---------------------------------------+-----------+

Application Learning through Trusted Client Type

If the Trusted Client Type option is enabled, WAF will only learn from clients that match the configured criteria. The settings from authenticated clients only and trusted IPs take precedence over learning from trusted client types.

To enable the Trusted Client Type option, log in to Avi Load Balancer Controller, and navigate to Templates > WAF > WAF Policy > Learning.



Select the match criteria. The following two options are available for the match criteria:

  • Is in

  • Is not in



Select the ADD option available under the Classifications option to add the learnings under various bot categories available. The following are the options available:

  • Bad Bot

  • Dangerous Bot

  • Good Bot

  • Human

  • Unknown

  • User-defined Bot



App Learning through Trusted IPs

Set trusted IP groups to an existing IP group using the trusted_ipgroup_ref option.

[admin:ctr]: wafpolicy:learning_params> trusted_ipgroup_ref Internal
[admin:ctr]: wafpolicy:learning_params> where
Tenant: admin
Cloud: Default-Cloud
+---------------------------------------+-----------+
| Field                                 | Value     |
+---------------------------------------+-----------+
| sampling_percent                      | 1 percent |
| update_interval                       | 30 min    |
| max_uris                              | 500       |
| max_params                            | 100       |
| enable_per_uri_learning               | True      |
| min_hits_to_learn                     | 10000     |
| learn_from_authenticated_clients_only | True      |
| trusted_ipgroup_ref                   | Internal  |
+---------------------------------------+-----------+

Save the configuration.

[admin:ctrl]: wafpolicy:learning_params> save
[admin:ctr]: wafpolicy> save
+-----------------------------------------+------------------------------------------------+
| Field                                   | Value                                          |
+-----------------------------------------+------------------------------------------------+
| uuid                                    | wafpolicy-e3bcd2bd-afcf-43ec-97cc-c33a978b3ebf |
| name                                    | Demo-WAF-Policy                                |
| tenant_ref                              | admin                                          |
| mode                                    | WAF_MODE_DETECTION_ONLY                        |
| waf_profile_ref                         | System-WAF-Profile                             |
| paranoia_level                          | WAF_PARANOIA_LEVEL_LOW                         |
| waf_crs_ref                             | CRS-2021-2                                     |
| failure_mode                            | WAF_FAILURE_MODE_OPEN                          |
| allow_mode_delegation                   | True                                           |
| positive_security_model                 |                                                |
|   group_refs[1]                         | Demo-WAF-Policy-PSM-Learning-Group             |
| enable_app_learning                     | True                                           |
| application_signatures                  |                                                |
|   provider_ref                          | System-WafApplicationSignatures-Trustwave      |
| learning_params                         |                                                |
|   sampling_percent                      | 1 percent                                      |
|   update_interval                       | 30 min                                         |
|   max_uris                              | 500                                            |
|   max_params                            | 100                                            |
|   enable_per_uri_learning               | True                                           |
|   min_hits_to_learn                     | 10000                                          |
|   learn_from_authenticated_clients_only | True                                           |
|   trusted_ipgroup_ref                   | Internal                                       |
| min_confidence                          | CONFIDENCE_VERY_HIGH                           |
| confidence_override                     |                                                |
|   confid_very_high_value                | 9999                                           |
|   confid_high_value                     | 9500                                           |
|   confid_probable_value                 | 9000                                           |
|   confid_low_value                      | 7500                                           |
| enable_auto_rule_updates                | True                                           |
| enable_regex_learning                   | False                                          |
| bypass_static_extensions                | True                                           |
+-----------------------------------------+------------------------------------------------+

If a Trusted IP group is configured, but the client IP address does not match the group, the request learning data will not be sent.

Note:
  • With both Authenticated Clients Only and Trusted IPs configured, learning is enabled when the value of either of these parameters is set to true.

  • If both Learn_from_authenticated_clients_only and Trusted IPs are configured, but the client is neither authenticated nor within the trusted IP group, the request learning data will not be sent.