The learning feature is a pattern filter that observes and learns activities on the back-end server. Based on the observation, the learn engine generates 2000 suggested rules or exceptions (relaxations) for each profiled security check. To automate this process and deploy the relaxation rules automatically, the Citrix ADC appliance uses dynamic profiling.
With dynamic profiling, the appliance records the learned data for a pre-defined threshold and sends an SNMP alert to the user. If the user does not skip the data within a grace period, the appliance auto deploys it as a relaxation rule. Previously, the user had to manually deploy the relaxation rules. Currently, dynamic profiling is available only for the HTML SQL Injection, HTML Cross-Site Scripting, Field Format, and Start URL security checks.
For example, consider the HTML SQL Injection security check enabled with dynamic profiling. You can use learning for a list of IPs (called the Trusted Learning Clients list) from which the learning feature should generate recommendations. To configure a list of trusted clients, see the Learning Trusted Clients topic. If the incoming traffic has violations, it is recorded as learned data. If the learned data is recorded in the learning engine, the appliance sends an SNMP alert to the user. If the user does not recognize a false positive and does not skip the learned data within a grace period, the appliance auto deploys it as a relaxation rule.
Note: After you configure dynamic profiling, you must periodically review the appliance configuration for the auto-deployment of relaxation rules and save it on the appliance.
Configure dynamic profiling by using the Citrix ADC command interface
Dynamic profiling is available for the Start URL, HTML Cross-Site Scripting, Field Format, and HTML SQL Injection security checks. To configure dynamic profiling, you must complete the following steps.
- Configure dynamic learning
- Configure auto deployment grace period
Configure dynamic learning
As a first step, you must configure dynamic learning on your appliance. At the command prompt, type:
set appfw profile <profile_name> -dynamicLearning <security_checks>
Example:
set appfw profile test1 -dynamicLearning SQLInjection CrossSiteScripting fieldFormat startURL
Configure auto deployment grace period
Once you enable the feature on specific security checks, you must configure the grace period for the auto deployment. At the command prompt, type:
set appfw learningsettings <profile name> -crossSiteScriptingAutoDeployGracePeriod <seconds>
set appfw learningsettings <profile name> -fieldFormatAutoDeploymentGracePeriod <seconds>
set appfw learningsettings <profile name> -SQLInjectionAutoDeploymentGracePeriod <seconds>
set appfw learningsettings <profile name> -startURLAutoDeployGracePeriod <seconds>
Example:
set appfw learningsettings test1 -crossSiteScriptingAutoDeployGracePeriod 30
set appfw learningsettings test1 -startURLAutoDeployGracePeriod 7
set appfw learningsettings test1 -fieldFormatAutoDeploymentGracePeriod 10
set appfw learningsettings test1 -SQLInjectionAutoDeploymentGracePeriod 12
Configuring dynamic profiling by using the Citrix ADC GUI
- Navigate to Security > Application Firewall > Profile.
- In the details pane, select a profile and click Edit.
- In the Citrix Web App Profile page, click Dynamic Profiling under Advanced Settings.
- In the Dynamic Profiling section, select a security check and click Edit.
- In the Dynamic Profiling and Learning Settings page, set the grace period for the security check.
- Click OK and Done.
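One way to carry out the periodic review that the note above asks for, as an added example that is not Citrix's own tooling: the script compares a previously reviewed configuration export with the current one and lists relaxation rules that have appeared since, so each auto-deployed rule gets a human decision before the configuration is saved. It assumes relaxations appear in the saved configuration as `bind appfw profile <name> -<check> ...` lines; the profile name, URLs and field names in the sample data are constructed.

```python
import re
import shlex

# Security checks that this page lists as supporting dynamic profiling.
DYNAMIC_CHECKS = {"starturl", "sqlinjection", "crosssitescripting", "fieldformat"}

# Assumed shape of a relaxation line in the exported configuration.
BIND_RE = re.compile(r"^bind\s+appfw\s+profile\s+(\S+)\s+-(\w+)\s+(.*)$", re.IGNORECASE)


def relaxations(config_text):
    """Return {(profile, check, rule_args)} for every relaxation bind line."""
    found = set()
    for line in config_text.splitlines():
        m = BIND_RE.match(line.strip())
        if not m:
            continue
        profile, check, rest = m.groups()
        if check.lower() not in DYNAMIC_CHECKS:
            continue
        try:
            # shlex keeps a quoted URL or field expression as one token.
            args = tuple(shlex.split(rest))
        except ValueError:
            args = tuple(rest.split())  # unbalanced quotes: compare raw tokens
        found.add((profile, check, args))
    return found


def new_relaxations(baseline_text, current_text):
    """Relaxations present now but absent from the last reviewed baseline."""
    return sorted(relaxations(current_text) - relaxations(baseline_text))


# Constructed sample exports (not taken from a real appliance).
BASELINE = '''
set appfw profile test1 -dynamicLearning SQLInjection startURL
bind appfw profile test1 -startURL "^https://app.example.test/$"
'''
CURRENT = BASELINE + '''
bind appfw profile test1 -startURL "^https://app.example.test/export$"
bind appfw profile test1 -SQLInjection comment "^https://app.example.test/post$"
'''

if __name__ == "__main__":
    for profile, check, args in new_relaxations(BASELINE, CURRENT):
        print(f"REVIEW {profile}: new {check} relaxation {' '.join(args)}")
```

Each reported rule is a request pattern the firewall no longer blocks for that check, so a rule that does not correspond to known application behaviour is a candidate for removal before the configuration is saved.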