Citrix Application Delivery Management service

WAF learning engine

September 29, 2020

Contributed by:

Citrix Web App Firewall (WAF) protects your web applications from malicious attacks such as SQL injection and cross-site scripting. To prevent data breaches and provide the right security protection, you must monitor your traffic for threats and real-time actionable data on attacks. Sometimes, the attacks reported might be false-positive and those need to be provided as an exception.

The Learning engine on Citrix ADM is a repetitive pattern filter that enables WAF to learn the behavior (the normal activities) of your web applications. Based on monitoring, the engine generates a list of suggested rules or exceptions for each security check applied on the HTTP traffic.

It is much easier to deploy relaxation rules using the Learning engine than manually deploy it as necessary relaxations.

The following image explains the high-level information on how the WAF learning in Citrix ADM works:

WAF intro

1 – Citrix ADC instances with its WAF profiles

2 – Configure a learning profile in Citrix ADM, add the WAF profiles, and select to auto deploy or manually deploy the relaxation rules

3 – Administrator can validate the relaxation rules in Citrix ADM and decide to deploy or skip

Get started

To deploy the learning feature, you must first configure a Web App Firewall profile (set of security settings) on your Citrix ADC appliance. For more information, see Creating Web App Firewall profiles.

Citrix ADM generates a list of exceptions (relaxations) for each security check. As an administrator, you can review the list of exceptions in Citrix ADM and decide to deploy or skip.

Using the WAF learning feature in Citrix ADM, you can:

Configure a learning profile with the following security checks
- Start URL
- Cookie Consistency
- Credit Card
  
  Note
  
  For the credit card security check, you must configure the doSecureCreditCardLogging in Citrix ADC instance and ensure the setting is OFF.
- Content Type
- Form Field Consistency
- Field Formats
- CSRF Form Tagging
- HTML Cross-Site Scripting
  
  Note
  
  The cross-site script limitation of location is only FormField.
- HTML SQL Injection
  
  Note
  
  For the HTML SQL Injection check, you must configure set -sqlinjectionTransformSpecialChars ON and set -sqlinjectiontype sqlspclcharorkeywordsin Citrix ADC instance.
Check the relaxation rules in Citrix ADM and decide to take necessary action (deploy or skip)
Get the notifications through email, slack, and ServiceNow
Use the Action Summary page to view relaxation details

To use the WAF learning in Citrix ADM:

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

WAF learning engine

September 29, 2020

Contributed by:

September 29, 2020

Contributed by:

WAF learning engine

Get started

In this article