Web App Firewall

Learning

The following best practices are recommended when you encounter issues with the Learning functionality:

Aslearn process:

  • Verify that the process aslearn is running.
  • Check the output of the top command.
  • Check the output of the ps command by executing the following command:

    ps -ax | grep aslearn | grep -v "grep"

    Example:

     root@ns# ps -ax | grep aslearn | grep -v "grep"
     1439  ??  Ss     0:03.86 /netscaler/aslearn -start -f /netscaler/aslearn.conf
    
  • Identify recent configuration commands executed prior to the observed problem by verifying the ns.log file:

    /var/log/ns.log

  • Inspect aslearn logs to check for aslearn messages:

    /var/log/aslearn.log

  • Isolate the profile and security check that is affected.

  • Identify the GUI and CLI command that is failing by executing the following command:

    show appfw learningdata <profileName> <securityCheck>

    Examples:

    • show appfw learningdata test_profile starturl
    • show appfw learningdata test_profile crosssiteScripting
    • show appfw learningdata test_profile sqLInjection
    • show appfw learningdata test_profile csRFtag
    • show appfw learningdata test_profile fieldformat
    • show appfw learningdata test_profile fieldconsistency
  • Perform an integrity check of the SQLite database from the BSD shell prompt:

    nsshell # sqlite3 /var/nslog/asl/<profile_name_in_lowercase>.db 'pragma integrity_check;'

    Example:

     root@ns# sqlite3 /var/nslog/asl/tsk0247284.db 'pragma integrity_check;'
     ok
    
  • Deploy or remove rules to start learning again:

    • If 2000 learn items (per protection) are reached, you cannot start learning any more for that protection
    • If 20 MB size is reached for the database, stop learning for all protections
    • Restart the aslearn process:

    /netscaler/aslearn -start -f /netscaler/aslearn.conf

  • Check the space in the /var folder by executing the following:

    du -h /var

  • Check the learning threshold limits by executing the following command:

    show appfw learningsettings <profile_name> <securityCheck>

  • Collect learned data by executing the following command:

    export appfw learningdata <profile_name> <securityCheck>

  • Ascertain that learned data is uploaded in the collector.
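
The process, integrity, and database-size checks above can be combined into one pass over every learning database. The script below is an added example, not part of the original page or of the product. The function names and the ASL_DIR override are assumptions; the paths and the 20 MB limit are taken from the steps above.

```shell
#!/bin/sh
# Added example: health check for Web App Firewall learning databases.
# Function names are hypothetical; paths and limits come from the page.
ASL_DIR="${ASL_DIR:-/var/nslog/asl}"      # learning database directory
MAX_DB_BYTES=$((20 * 1024 * 1024))        # 20 MB database limit

# Reads ps-style output on stdin; succeeds if an aslearn process is listed.
aslearn_running() {
    grep '/netscaler/aslearn' | grep -v grep >/dev/null
}

# Prints the size of a file in bytes (works on BSD and Linux).
db_size() {
    wc -c < "$1" | tr -d ' '
}

# Prints one of: ok, over_limit, corrupt, unchecked (sqlite3 not installed).
check_db() {
    db="$1"
    if [ "$(db_size "$db")" -ge "$MAX_DB_BYTES" ]; then
        echo over_limit
        return 1
    fi
    if ! command -v sqlite3 >/dev/null 2>&1; then
        echo unchecked
        return 2
    fi
    # Same pragma as the manual step; a healthy database answers "ok".
    if [ "$(sqlite3 "$db" 'pragma integrity_check;' 2>&1)" = "ok" ]; then
        echo ok
        return 0
    fi
    echo corrupt
    return 1
}

# Runs every check and prints one line per finding.
run_checks() {
    if ps -ax | aslearn_running; then
        echo "aslearn: running"
    else
        echo "aslearn: NOT running"
    fi
    for db in "$ASL_DIR"/*.db; do
        [ -f "$db" ] || continue
        printf '%s: %s\n' "$db" "$(check_db "$db")"
    done
}
```

Source the file from the shell prompt and call run_checks; a database reported as over_limit or corrupt identifies the profile whose learned rules need to be deployed or removed before learning can resume.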
