This section discusses Application Learning for WAF.
Application Learning enables the WAF feature on NSX Advanced Load Balancer to analyze a set of incoming traffic processed by the WAF Policy.
When Application Learning is enabled on a virtual service, the Service Engine collects data and sends it to the Controller for analysis, so all learning takes place on the Controller. Which traffic is selected for Application Learning is determined by the WAF Policy configured on the virtual service.
The Service Engine parses all paths of HTTP requests that carry URI (query) or BODY parameters. Collection continues for the configured learning interval; when the timer expires, the Service Engine sends the collected data to the NSX Advanced Load Balancer Controller for analysis. These learning parameters are configured per WAF Policy.
Learning option
To enable the Learning option:
Navigate to .
Select the policy for which Application Learning must be enabled.
The following screenshot shows the option to enable Application Learning.
Enable Application Learning for the selected WAF Policy. Once the option is enabled, the additional configuration options will be available to edit as below:
| Field | Description | Additional Information |
|---|---|---|
| Learn from Authenticated Clients Only | Select this option to enable Application Learning for this WAF policy. | |
| Trusted IPs | If configured, learning is only performed on requests from client IPs within the configured IP Address Group. | |
| Sampling | Percent of the requests subjected to Application Learning. | Range: 1 to 100%. |
| Enable Auto Rule Updates | Enable Application Learning based rule updates on the WAF Profile. Rules are programmed in a dedicated WAF learning group. | Select or deselect the check box. |
| Auto Promote Rules w/ Confidence | Minimum confidence label required for auto rule updates. | |
| Learning Interval | Frequency with which the SE publishes Application Learning data to the Controller. | Range: 1 to 60 min. Example: 30 min. |
| Max Parameters | Maximum number of params to learn for an application. | Range: 10 to 1000. Example: 100. |
| Min Hits to Learn | Minimum number of occurrences required for a param to qualify for learning. | Range: 10 to 1000. Example: 100. |
| Per URI Learning | Learn the params per URI path. | Select or deselect the check box. |
| Max URI | Maximum number of URI paths to learn for an application. This value can be set higher for more complex applications. | Range: 10 to 10000. |
If Per URI Learning is ENABLED, the learning algorithm programs the URI and param combinations when they reach the confidence score. If DISABLED, the learning algorithm programs params independently from the URI. This can be useful when URIs are generated for each session.
App Learning From Authenticated Clients Only
The option to learn only from authenticated clients is available under the App Learning parameters. The default value for this parameter is false. If learn_from_authenticated_clients_only is set to true, learning is performed only on requests from clients who have passed the authentication process configured in the Auth profile of the virtual service. If the value is set to true and the client is not authenticated, the request learning data is not sent.
By enabling the App Learning from authenticated clients flag, you restrict learning to clients that have passed the authentication configured in the virtual service authorization policy.
Log in to the CLI and use the learning_params option to set learn_from_authenticated_clients_only to true.
```
[admin:ctr]: > configure wafpolicy Demo-WAF-Policy
[admin:ctr]: wafpolicy> learning_params
[admin:ctr]: wafpolicy:learning_params> learn_from_authenticated_clients_only
Overwriting the previously entered value for learn_from_authenticated_clients_only
[admin:ctr]: wafpolicy:learning_params> where
Tenant: admin
Cloud: Default-Cloud
+---------------------------------------+-----------+
| Field                                 | Value     |
+---------------------------------------+-----------+
| sampling_percent                      | 1 percent |
| update_interval                       | 30 min    |
| max_uris                              | 500       |
| max_params                            | 100       |
| enable_per_uri_learning               | True      |
| min_hits_to_learn                     | 10000     |
| learn_from_authenticated_clients_only | True      |
+---------------------------------------+-----------+
```
App Learning through Trusted IPs
Set trusted IP groups to an existing IP group using the trusted_ipgroup_ref option.
```
[admin:ctr]: wafpolicy:learning_params> trusted_ipgroup_ref Internal
[admin:ctr]: wafpolicy:learning_params> where
Tenant: admin
Cloud: Default-Cloud
+---------------------------------------+-----------+
| Field                                 | Value     |
+---------------------------------------+-----------+
| sampling_percent                      | 1 percent |
| update_interval                       | 30 min    |
| max_uris                              | 500       |
| max_params                            | 100       |
| enable_per_uri_learning               | True      |
| min_hits_to_learn                     | 10000     |
| learn_from_authenticated_clients_only | True      |
| trusted_ipgroup_ref                   | Internal  |
+---------------------------------------+-----------+
```
Save the configuration.
```
[admin:ctrl]: wafpolicy:learning_params> save
[admin:ctr]: wafpolicy> save
+-----------------------------------------+------------------------------------------------+
| Field                                   | Value                                          |
+-----------------------------------------+------------------------------------------------+
| uuid                                    | wafpolicy-e3bcd2bd-afcf-43ec-97cc-c33a978b3ebf |
| name                                    | Demo-WAF-Policy                                |
| tenant_ref                              | admin                                          |
| mode                                    | WAF_MODE_DETECTION_ONLY                        |
| waf_profile_ref                         | System-WAF-Profile                             |
| paranoia_level                          | WAF_PARANOIA_LEVEL_LOW                         |
| waf_crs_ref                             | CRS-2021-2                                     |
| failure_mode                            | WAF_FAILURE_MODE_OPEN                          |
| allow_mode_delegation                   | True                                           |
| positive_security_model                 |                                                |
|   group_refs[1]                         | Demo-WAF-Policy-PSM-Learning-Group             |
| enable_app_learning                     | True                                           |
| application_signatures                  |                                                |
|   provider_ref                          | System-WafApplicationSignatures-Trustwave      |
| learning_params                         |                                                |
|   sampling_percent                      | 1 percent                                      |
|   update_interval                       | 30 min                                         |
|   max_uris                              | 500                                            |
|   max_params                            | 100                                            |
|   enable_per_uri_learning               | True                                           |
|   min_hits_to_learn                     | 10000                                          |
|   learn_from_authenticated_clients_only | True                                           |
|   trusted_ipgroup_ref                   | Internal                                       |
| min_confidence                          | CONFIDENCE_VERY_HIGH                           |
| confidence_override                     |                                                |
|   confid_very_high_value                | 9999                                           |
|   confid_high_value                     | 9500                                           |
|   confid_probable_value                 | 9000                                           |
|   confid_low_value                      | 7500                                           |
| enable_auto_rule_updates                | True                                           |
| enable_regex_learning                   | False                                          |
| bypass_static_extensions                | True                                           |
+-----------------------------------------+------------------------------------------------+
```
If a Trusted IP group is configured but the client IP address does not match the group, the request learning data is not sent.
With both Authenticated Clients Only and Trusted IPs configured, learning is enabled for a request when either condition holds: the client is authenticated, or its IP is within the trusted IP group. If both learn_from_authenticated_clients_only and Trusted IPs are configured but the client is neither authenticated nor within the trusted IP group, the request learning data is not sent.