Dell SMA 200 Administration Manual page 73


accommodates the amount of memory that could have been allocated by the backend application. For
example, for a Content Length of 65, the next power of two greater than 65 is 128. This is the limit
configured in the URL profile. If the administrator determines that this is not accurate, the value can be
modified appropriately.
Request Parameters – This is the list of parameters that a particular URL can accept.
When an adequate amount of input has been learned, you can click End Profiling and are ready to generate the
rules from the learned input. You can set one of the following as a default action for the generated rule chains:
Disabled – The generated rules are disabled rather than active.
Detect Only – Content triggering the generated rule is detected and logged.
Prevent – Content triggering the generated rule is blocked and logged.
If a rule chain has already been generated from a URL profile in the past, then the rule chain is overwritten
only when Overwrite existing Rule Chains for URL Profiles is selected. When you click Generate Rules, the
rules are generated from the URL profiles. If a URL profile has been modified, those changes are incorporated.
How Does Rate Limiting for Custom Rules Work?
The administrator can configure rate limiting when adding or editing a rule chain from the Web Application
Firewall > Rules page. When rate limiting is enabled for a rule chain, the action for the rule chain is triggered
only when the number of matches within a configured time period is above the configured threshold.
This type of protection is useful in preventing Brute Force and Dictionary attacks. An example rule chain with a
Rule Chain ID of 15002 is available in the Secure Mobile Access management interface for administrators to use
as reference.
The associated fields are exposed when Enable Hit Counters is selected at the bottom of the New Rule Chain
or Edit Rule Chain screen.
After a rule chain is matched, Web Application Firewall keeps an internal counter to track how many times the
rule chain is matched. The Max Allowed Hits field contains the number of matches that must occur before the
rule chain action is triggered. If the rule chain is not matched for the number of seconds configured in the
Reset Hit Counter Period field, then the counter is reset to zero.
Rate limiting can be enforced per remote IP address or per user session or both. Track Per Remote Address
enables rate limiting based on the attacker's remote IP address.
Track Per Session enables rate limiting based on the attacker's browser session. This method sets a cookie for
each browser session. Tracking by user session is not as effective as tracking by remote IP if the attacker
initiates a new user session for each attack.
The Track Per Remote Address option uses the remote address as seen by the SMA/SRA appliance. In the case
where the attack uses multiple clients from behind a firewall that is configured with NAT, the different clients
effectively send packets with the same source IP address and are counted together.
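
The following Python model of the hit counter is an added example, not code from the manual or the appliance. It shows how the two tracking modes behave with fresh sessions and with clients behind NAT. The class, field and function names are hypothetical, the sample events are constructed, and it assumes the action fires once matches exceed Max Allowed Hits.

```python
from dataclasses import dataclass, field

@dataclass
class HitCounter:
    """Model of the hit-counter fields described above (illustrative only)."""
    max_allowed_hits: int          # "Max Allowed Hits"
    reset_period: float            # "Reset Hit Counter Period", in seconds
    per_remote_address: bool = True
    per_session: bool = False
    state: dict = field(default_factory=dict)   # key -> (count, last match time)

    def match(self, now, remote_ip, session_id):
        """Record one rule-chain match; return True when the action triggers."""
        keys = []
        if self.per_remote_address:
            keys.append(("ip", remote_ip))
        if self.per_session:
            keys.append(("session", session_id))
        triggered = False
        for key in keys:
            count, last = self.state.get(key, (0, now))
            if now - last >= self.reset_period:   # idle long enough: reset to zero
                count = 0
            count += 1
            self.state[key] = (count, now)
            # Assumption: the action fires once matches exceed the threshold.
            triggered = triggered or count > self.max_allowed_hits
        return triggered

def replay(counter, events):
    """Feed (time, remote_ip, session_id) matches through a counter."""
    return [counter.match(t, ip, sid) for t, ip, sid in events]

# Constructed sample: six rule matches from one address, new session each time.
FRESH_SESSIONS = [(float(t), "203.0.113.7", f"sess-{t}") for t in range(6)]
# Constructed sample: two clients behind one NAT address, three matches each.
BEHIND_NAT = [(float(t), "198.51.100.9", ("a", "b")[t % 2]) for t in range(6)]

if __name__ == "__main__":
    by_ip = lambda: HitCounter(3, 60.0)
    by_session = lambda: HitCounter(3, 60.0, per_remote_address=False, per_session=True)
    print("per address, fresh sessions:", replay(by_ip(), FRESH_SESSIONS))
    print("per session, fresh sessions:", replay(by_session(), FRESH_SESSIONS))
    print("per address, NAT clients:   ", replay(by_ip(), BEHIND_NAT))
    print("per session, NAT clients:   ", replay(by_session(), BEHIND_NAT))
```

Per-address tracking triggers on the fourth match in both samples, including the NAT case where neither client alone passed the threshold, while per-session tracking never triggers when every request carries a new session.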
Dell SonicWALL Secure Mobile Access 8.5
Administration Guide
73


This manual is also suitable for:

SMA 400, SRA 1600, SRA 4600, SMA 500v