The system-generated Recommendations of NSX Advanced Load Balancer help you ascertain and remediate false positives.

With the latest version of the NSX Advanced Load Balancer, you can do the following:

  • Apply Log Recommendation to pre-CRS and post-CRS rules.

  • Add Recommendations for request time and regex complexity transgressions.

  • Add Recommendations on REQUEST_COOKIES_NAMES and REQUEST_HEADERS_NAMES.

To view the Recommendations:

  • Navigate to Applications > Virtual Services and click a virtual service associated with WAF.

  • Navigate to the Logs tab. Click the Recommendations icon corresponding to a FLAGGED or REJECTED log entry.



The Recommendation pop-up window appears with one or more Recommendations to remediate false positives.



  • Review the proposed Recommendations. Expand a Recommendation to get more details, including the reasoning behind the change and a risk assessment for it.

  • After reviewing the Recommendation, if you decide that the log entry represents a false positive, click ACCEPT RECOMMENDATION to apply the change to the system configuration.

Note:
  • The system can recommend multiple changes at the same time. In this case, clicking ACCEPT RECOMMENDATION will apply all of the Recommendations to the active configuration.

  • When system Recommendations are already applied to the configuration, the status message "All Recommendations are already applied" is displayed on the Recommendation page.

  • When the system is not able to generate a Recommendation, you can still use the existing Exceptions system.

Recommended Assisted Workflow

Note:

This workflow is the older way of using Recommendations. It has been replaced by the Recommendation system discussed earlier in this topic.

The following are the recommended workflow steps to configure Exceptions:

  1. Use WAF Analytics to find possible false positives.

    1. False positives can occur in large numbers and for different client IP addresses.

    2. To understand the context for false positives, consult the application owner if required.

  2. In the log, choose the WAF hit entry that you want to add the Exception for, and click + Add Exception.

    1. The modal dialog generates a set of suggested values.

    2. These values are pre-computed from the log entry and related findings. In many cases, it is advisable to review the values and, if required, change (broaden) their scope.

  3. Save the Exception to apply it to the policy.