Configuring Custom Rules and Application Profiling
The Web Application Firewall > Rules page allows you to configure custom rules and application profiling.
Application profiling lets you generate custom rules automatically from a trusted set of inputs that an application accepts. Other inputs are denied, which provides positive security enforcement. You can use this feature to profile the websites accessed through the SMA100 WAF and record all of the selected content types so that the WAF rules are generated automatically.
When you place the SMA appliance in learning mode in a staging environment, it learns valid inputs for each URL accessed by the trusted users. At any point during or after the learning process, custom rules can be generated based on the “learned” profiles. Custom rules created on this page have all the same properties as the signatures that SonicWall Inc. pushes out to Web Application Firewall-enabled appliances.
To add a rule manually, you create a rule chain and then add rules within it. A rule chain is a collection of rules and includes additional attributes such as the severity rating, name, description, hit counters for rate limiting, and the action to take when the rule chain matches some traffic.
Rules in the Web Application Firewall > Rules page can be divided into pages and filtered by searching for a key word. To display only rules containing a key word in all fields or a specific field, type the key word in the Search field, select All Fields or a specific field to search, and click Search. Or, click Exclude to display only rules that do not contain the key word. Click Reset to display all rules. All matches are highlighted. The default is 50 rules per page.
Custom rules and rule chains can be used to distinguish between legitimate and illegitimate traffic as defined by a Web application that is using a certain URI or running on a certain portal. One rule in the chain is configured to match the URI or portal host name, while another rule is created that matches an undesirable value for another element of the HTTP(S) traffic. When the rule chain (both rules) matches some traffic, the configured action is taken to block or log the bad traffic from that URI or portal. When the request is blocked, the user sees a custom block page.
The Web Application Firewall > Monitoring page also shows this activity in its graphs.
Rules are matched against both inbound and outbound HTTP(S) traffic. When all rules in a rule chain find a match, the action defined in the rule chain is taken. You can also enable rate limiting in rule chains to trigger an action only after the number of matching attacks exceeds a threshold within a certain time. You can configure the action to block the traffic and log the match, or to simply log it. You can also set the action to Disabled to remove the rule chain from active status and stop comparing traffic against those rules.
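The matching behavior described above (every rule in the chain must match, an optional rate limit, and the block, log, or Disabled action) can be modeled as follows. This is an added illustration, not SonicWall code or the appliance's rule syntax; the class names, field names, action strings, sample requests, and the sliding-window counting are all assumptions made for the example.

```python
import re
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Rule:
    variable: str   # request element to inspect (names here are constructed)
    pattern: str    # regular expression tested against that element

    def matches(self, request):
        value = request.get(self.variable)
        return value is not None and re.search(self.pattern, value) is not None

@dataclass
class RuleChain:
    name: str
    action: str            # "block" (block and log), "log", or "disabled"
    rules: list
    max_hits: int = 0      # 0 turns rate limiting off
    period: float = 60.0   # seconds
    hits: deque = field(default_factory=deque)

    def evaluate(self, request, now):
        # A disabled chain is never compared against traffic.
        if self.action == "disabled":
            return "pass"
        # The chain matches only when every rule in it matches.
        if not all(rule.matches(request) for rule in self.rules):
            return "pass"
        if self.max_hits:
            # Assumption: sliding window of match timestamps.
            self.hits.append(now)
            while now - self.hits[0] > self.period:
                self.hits.popleft()
            if len(self.hits) <= self.max_hits:
                return "pass"   # threshold not yet exceeded
        return self.action

def demo():
    chain = RuleChain(
        name="reports-scraper", action="block",
        rules=[Rule("uri", r"^/reports/"), Rule("user_agent", r"(?i)scraper")],
        max_hits=3, period=10.0)
    hit = {"uri": "/reports/q1", "user_agent": "ExampleScraper/1.0"}
    miss = {"uri": "/reports/q1", "user_agent": "Mozilla/5.0"}
    # Constructed traffic: (seconds, request)
    traffic = [(0, hit), (1, hit), (2, hit), (3, hit), (4, miss), (30, hit)]
    return [chain.evaluate(req, t) for t, req in traffic]

if __name__ == "__main__":
    print(demo())
```

In this model the first three matching requests pass because the threshold of 3 has not been exceeded, the fourth is blocked, and a match arriving after the 10-second period starts a fresh count.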
The Custom Rules feature can be enabled or disabled using the Enable Custom Rules global setting.