Suggest Rules Wizard

Purpose

You can start this application-specific wizard on the Wizards tab when you’ve selected an application in the navigation area.

The Suggest Rules Wizard can automatically create initial security configuration rules for your specific web application.

The Suggest Rules Wizard must be run twice:

1st run: When you run it for the first time, it activates the Log Request Response Handler. This handler logs the response data of your web application and analyzes this data in regard to URIs and arguments.

2nd run: When you run the Suggest Rules Wizard again after some time, it automatically creates rules based on the collected data.

How long you should wait between the first and second run of the wizard primarily depends on the traffic, structure and complexity of your web application. About one thousand hits usually provide a solid basis. The other important thing is that the collected data should not always cover the same pages, but in fact all pages, with data from all form fields. An alternative is to run the Wizard on a test system on which all relevant pages are tested in depth.

The size of the databases that hold the collected data is limited. There is a separate database for each application and on each slave. If one of these databases grows too big, logging automatically stops on this slave for this application (but is continued on other slaves and for other applications). Within the status display of the administration interface, a corresponding message appears in the Application Status section.

ATTENTION

The Suggest Rules Wizard is primarily intended to create an initial security configuration. Be cautious if you’ve already edited custom rules (handlers). The Suggest Rules Wizard may overwrite some settings of the Whitelist Handler and of the Invalid URL Handler.

If you’ve edited the Whitelist Handler or the Invalid URL Handler manually, review the following settings after running the Suggest Rules Wizard:

Whitelist Handler: protected-form-fields, allow-unknown-form-fields

Invalid URL Handler: valid-url-pattern, valid-full-url-pattern.

For more information regarding Wizards, see Using Wizards to Configure Applications.

Attributes when the wizard is run for the first time

Attribute Meaning

Enable Logging

Enable this option to enter into the learning phase. The Wizard then enables the Log Request Response Handler in order to gather information on the responses of your web application.

When you’ve finished the learning phase, you need to run the wizard again to create the rules based on the collected data.

Log in Detection Mode

When this option is enabled, vWAF logs request arguments not only when in protection mode, but also when in detection mode (see Detection Mode, Protection Mode).

This always logs request arguments, even if your web application generates a 4xx error message for this request. This can result in learning invalid requests.

Attributes when the wizard is run again after the initial learning period

Attribute Meaning

Reenable Logging

(This option is only available in a repeated run of the wizard after the option Disable Logging has been activated.)

You should continue logging for some more time if you feel that the learning period might have been too short for vWAF to collect enough relevant data, or if you've added new functions to your web application. To do so, activate the option Reenable Logging.

This skips the creation of new rules and terminates the wizard. Note that you must run the wizard again after enough data have been collected in order to create new rules.

It's likely that the Invalid URL Handler was enabled when the wizard was run for the last time. Reenabling logging disables the Invalid URL Handler. If you've configured the Invalid URL Handler manually, all modifications are lost.

Log in Detection Mode

When this option is enabled, vWAF logs request arguments not only when in protection mode, but also when in detection mode (see Detection Mode, Protection Mode).

This always logs request arguments, even if your web application generates a 4xx error message for this request. This can result in learning invalid requests.

Disable Logging

Now, as you're running the wizard for a second time after the initial learning period, the Log Request Response Handler that was added by the wizard has already collected data. Usually, the wizard disables the Log Request Response Handler now. Request logging increases request latency and should therefore not be permanent. If you feel that the learning period might have been too short to collect enough relevant data, uncheck the option Disable Logging. Request logging then continues.

Delete collected data

When this option is enabled, vWAF deletes all data that has been previously collected for the application.

We recommend doing the following:
  • You should delete the collected data if your web application has changed significantly since you've last run the wizard.
  • You should not delete the collected data if your web application didn't change, or if your web application has only been extended with additional functions, but the existing ones didn't change.

Allow all unknown variables

When this option is enabled, vWAF doesn't block traffic for form fields that vWAF doesn't know.

By default this option is enabled.

While disabling the option Allow all unknown variables gives you some extra security on the one hand, on the other hand it involves the risk that vWAF unintentionally blocks some intended traffic. This may happen if some form fields haven't been used during the learning phase of the wizard. In case you disable the option, we recommend testing the full availability and operability of your web application as soon as possible.

Use Simple Configuration

Activate this option if you want vWAF to attempt to accommodate all the settings in the default path /.*. In this case, the Suggest Rules Wizard creates no additional paths underneath the application. The handlers added by the wizard are only configured once (for the default path /.*), but as a consequence often have a relatively large number of complex rules.

The option Use simple configuration is therefore particularly useful in all cases where you want to use the proposed configuration without changes and without having to refine it individually.

If the option Use simple configuration isn't active, the Suggest Rules Wizard creates a separate path for each path of your web application. In this case, a greater number of paths are generated, with separate handlers configured for each individual path. However, each of these handlers has only a very manageable number of rules.

The paths added by the Suggest Rules Wizard inherit all possible settings already made on the application level for these paths.

Global Handling

Here you can optionally specify a list of key-value patterns that are always valid, independent from the path.

You can use Regular Expressions here.

Valid Paths

Enable this option if you want to restrict the usage of paths without arguments. If this option is enabled, vWAF adds all found paths without arguments to the URL whitelist and removes any wildcards. Finally, vWAF blocks paths that weren't logged.
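The following is an added illustrative model, not vWAF's own code, of how the options above interact: it "learns" per-path form fields from a constructed set of logged requests (skipping 4xx responses unless Log in Detection Mode is set, and collapsing everything into /.* under Use Simple Configuration), then shows which requests Allow all unknown variables and Valid Paths would let through or block. The data, function names and block messages are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample of what the Log Request Response Handler might collect:
# (path, set of request argument names, HTTP status of the application's response).
LOGGED = [
    ("/login", {"user", "pass"}, 200),
    ("/search", {"q"}, 200),
    ("/search", {"q", "page"}, 200),
    ("/about", set(), 200),
    ("/admin", {"cmd"}, 404),  # rejected by the application, but still a logged request
]

def learn(logged, log_in_detection_mode=False, simple_configuration=False):
    """Build the whitelist of known form fields from the collected data.
    4xx responses are learned only with 'Log in Detection Mode' (the page's
    'learning invalid requests' caveat); with 'Use Simple Configuration' all
    fields land in the single default path /.* instead of one entry per path."""
    fields = defaultdict(set)
    seen_paths = set()
    for path, args, status in logged:
        if 400 <= status < 500 and not log_in_detection_mode:
            continue
        seen_paths.add(path)
        fields["/.*" if simple_configuration else path] |= args
    return dict(fields), seen_paths

def check(rules, path, args, allow_unknown_variables=True, valid_paths=False):
    """Decide one request under the learned rules: 'allow' or a block reason."""
    fields, seen_paths = rules
    if valid_paths and path not in seen_paths:   # 'Valid Paths': unlogged paths are blocked
        return "block: path not learned"
    known = fields.get(path, fields.get("/.*", set()))
    unknown = args - known
    if unknown and not allow_unknown_variables:  # extra security, but risk of false blocks
        return "block: unknown form fields " + ",".join(sorted(unknown))
    return "allow"

if __name__ == "__main__":
    rules = learn(LOGGED)
    # A field never seen during learning is only blocked once the option is disabled.
    print(check(rules, "/search", {"q", "sort"}))
    print(check(rules, "/search", {"q", "sort"}, allow_unknown_variables=False))
```

Comparing `learn(LOGGED)` with `learn(LOGGED, simple_configuration=True)` shows why the simple configuration is looser: a field learned on one page is accepted on every page.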

Handlers configured by the Suggest Rules Wizard

The Suggest Rules Wizard configures the following handler: