Dynamic profiling

Dynamic profiling enables you to auto deploy learned data as relaxation rules. If a learned data is recorded within a user-defined threshold, the appliance sends an SNMP alert to the user. If the user does not skip the data within a grace period, the appliance auto deploys it as relaxation rule. Previously, the user had to manually deploy the data as relaxation rules.

For example, consider the HTML SQL Injection security check enabled with dynamic profiling. You can use learning for a list of IPs (called the Trusted Learning Clients list) from which the learning feature must generate recommendations. To configure a list of trusted clients, see the Learning Trusted Clients topic. If the incoming traffic has violations, it is recorded as a learned data. If the learned data is recorded in the learning engine, the appliance sends an SNMP alert to the user. If the user does not recognize it as a false positive and does not skip the learned data within a grace period, the appliance auto deploys it as a relaxation rule.

Note Currently, dynamic profiling is available only for HTML SQL injection, HTML Cross Site scripting, and Field format security checks.

After you configure dynamic profile, you must periodically review the appliance configuration for the auto-deployment of relaxation rules and save it on the appliance.

Configure dynamic profiling by using the Citrix ADC command interface

For configuring dynamic profiling, you must complete the following steps.

  1. Configure dynamic learning
  2. Configure auto deployment grace period

Configure dynamic learning

As a first step, you must configure dynamic learning on your appliance. At the command prompt, type:

set appfw profile <profile_name> dynamicLearning <security_checks>

Example

set appfw profile prof1 dynamicLearning SQLInjection set appfw profile prof1 dynamicLearning SQLInjection CrossSiteScripting fieldFormat

Configure auto deployment grace period

Once you configure the feature with specific security checks, you must configure the grace period for the auto deployment.

set appfw learningsettings dyn_lrn -crossSiteScriptingAutoDeployGracePeriod <seconds>

Example

set appfw learningsettings dyn lrn –crossSiteScriptingAutoDeployGracePeriod 30

Configuring dynamic profiling by using the Citrix ADC GUI

  1. Navigate to Security > Application Firewall > Profile.
  2. In the details pane, select a profile and click Edit.
  3. In the Citrix Web App Profile page, click Dynamic Profiling under Advanced Settings.

    Dynamic profile setting

  4. In the Dynamic Profiling section, select a security check and click Settings.

    Dynamic profiling section

  5. In the Dynamic Profiling and Learning Settings page, set the grace period for the preferred security check.

    Dynamic profiling section

  6. Click OK and Done.