How Does Application Profiling Work? - SonicWALL SMA 400 Administration Manual

Tamper Protection Mode – Three modes are available:
• Prevent – Strip all the tampered cookies and log them.
• Detect only – Log the tampered cookies only.
• Inherit Global – Use the global setting for this portal.
Encrypt Server Cookies – Choose whether to encrypt the cookie name, the cookie value, or both; each is a separate option. Encryption can affect client-side script behavior, because scripts can no longer read the encrypted cookie names or values. Only server-side cookies are encrypted by these options.
Cookie Attributes – The HttpOnly and Secure attributes are appended to server-side cookies if these options are enabled.
The HttpOnly attribute prevents client-side scripts from accessing the cookies, which is important in mitigating attacks such as cross-site scripting (XSS) and session hijacking. The Secure attribute ensures that the browser sends the cookies only over HTTPS connections. Together, the two attributes add a strong layer of protection for server-side cookies.
NOTE: By default, the Secure attribute is appended to server-side cookies even if Cookie Tampering Protection is disabled. This behavior is a configurable option and can be turned off.
Allow Client Cookies – This option is enabled by default and is disabled in Strict mode. When it is disabled, client-side cookies (cookies that were not issued by the backend server) are not forwarded to the backend systems. This option does not affect server-side cookies.
Exclusion List – If the Exclusion List is enabled and contains a cookie, that cookie is passed through as usual and is not protected. Both server-side and client-side cookies can be excluded.
Exclusion list items are case sensitive and use the format 'CookieName@CookiePath'. Cookies with the same name but different paths are treated as different cookies. 'CookiePath' can be left empty to match any path.
Import Global – Application Offloading portals can import the Global exclusion list.
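The following is an added example, written for this page and not SonicWall's code, that models the Cookie Attributes, Allow Client Cookies and Exclusion List behavior described above as a small proxy-side filter. The appliance's internal matching logic is not published, so the handling of a missing Path attribute and the way server-side cookies are recognised (by the names seen in backend Set-Cookie headers) are assumptions; the sample headers are constructed.

```python
"""Model of the cookie-attribute, Allow Client Cookies and Exclusion List
behaviour described above. Added example for this page, not SonicWall's code;
the appliance's internal matching logic is not published, so the rules below
are an assumption based on the text."""


def split_set_cookie(header):
    """Split a Set-Cookie header into its name=value part and attribute parts."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = parts[1:]
    path = next((a.partition("=")[2].strip() for a in attrs
                 if a.lower().startswith("path=")), "")
    return name, path, parts[0], attrs


def is_excluded(name, path, exclusion_list):
    """Exclusion items are case sensitive and use the form CookieName@CookiePath.
    An empty CookiePath matches any path; otherwise the path must match exactly,
    so SESSIONID@/app and SESSIONID@/admin are different cookies."""
    for item in exclusion_list:
        ex_name, _, ex_path = item.partition("@")
        if ex_name == name and (ex_path == "" or ex_path == path):
            return True
    return False


def protect_set_cookie(header, exclusion_list=(), add_httponly=True, add_secure=True):
    """Append HttpOnly and Secure to a backend Set-Cookie header unless the
    cookie is on the exclusion list, in which case it is passed through as-is.
    Assumption: a cookie without an explicit Path attribute is matched only by
    exclusion items with an empty path."""
    name, path, pair, attrs = split_set_cookie(header)
    if is_excluded(name, path, exclusion_list):
        return header
    present = {a.partition("=")[0].strip().lower() for a in attrs}
    if add_httponly and "httponly" not in present:
        attrs.append("HttpOnly")
    if add_secure and "secure" not in present:
        attrs.append("Secure")
    return "; ".join([pair] + attrs)


def filter_request_cookies(cookie_header, server_cookie_names, allow_client_cookies=True):
    """Apply Allow Client Cookies to an incoming Cookie header. Server-side
    cookies are always forwarded; client-side cookies (names the backend never
    issued) are dropped when the option is disabled. Assumption: the proxy
    recognises server-side cookies by the names it saw in backend Set-Cookie
    headers."""
    kept = []
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        name = part.partition("=")[0].strip()
        if name in server_cookie_names or allow_client_cookies:
            kept.append(part)
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample headers.
    raw = "SESSIONID=abc123; Path=/app"
    print(protect_set_cookie(raw))
    # SESSIONID=abc123; Path=/app; HttpOnly; Secure
    print(protect_set_cookie(raw, exclusion_list=["SESSIONID@/app"]))
    # SESSIONID=abc123; Path=/app   (excluded, so passed as usual)
    print(filter_request_cookies("SESSIONID=abc123; tracker=xyz", {"SESSIONID"},
                                 allow_client_cookies=False))
    # SESSIONID=abc123
```

Note that an exclusion item of 'sessionid@' does not match a cookie named SESSIONID (items are case sensitive), and 'SESSIONID@/admin' does not match a cookie with Path=/app, because same name and different path means a different cookie.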

How Does Application Profiling Work?

The administrator can configure application profiling on the Web Application Firewall > Rules page. Application profiling is completed independently for
each portal and can profile multiple applications simultaneously.
After selecting the portal, you can select the type of application content that you want to profile: HTML/XML, JavaScript, CSS, or All, which includes every content type (images, HTML, CSS, and so on). HTML/XML content is the most important from a security standpoint, because it typically
covers the more sensitive Web transactions. This content type is selected by default.
Then the SMA/SRA appliance is placed in learning mode by clicking Begin Profiling (the button then changes to End Profiling). Profiling should be
done while trusted users are using the applications in an appropriate way. The appliance records the observed inputs and stores them as URL profiles. The
URL profiles are listed as a tree structure on the Web Application Firewall > Rules page in the Application Profiling section.
Only the URLs presented as hyperlinks are accessible URLs on the backend server. You can click on the hyperlink to edit the learned values for that URL
if the values are not accurate. You can then generate rules to use the modified URL profile.
The SMA/SRA appliance learns the following HTTP Parameters:
• Response Status Code
• Post Data Length – The Post Data Length is learned from the value of the Content-Length header. The limit stored in the URL profile is the power of
two closest to and greater than this value; this approximates the amount of memory the backend application is likely to have allocated for the
request body. For example, for a Content-Length of 65, the next power of two greater than 65 is 128, so 128 is the limit configured in the URL profile. If
the administrator determines that this limit is not accurate, the value can be modified appropriately.
• Request Parameters – This is the list of parameters that a particular URL can accept.
When an adequate amount of input has been learned, click End Profiling; you can then generate rules from the learned input. You can set
one of the following as the default action for the generated rule chains:
• Disabled – The generated rules are created in a disabled state rather than active.
• Detect Only – Content triggering a generated rule is detected and logged.
• Prevent – Content triggering a generated rule is blocked and logged.
If a rule chain has already been generated from a URL profile in the past, it is overwritten only when Overwrite existing Rule Chains for
URL Profiles is selected. When you click Generate Rules, the rules are generated from the URL profiles. If a URL profile has been modified, those

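The whole flow above (Begin Profiling, learning URL profiles, the power-of-two rounding of Post Data Length, editing a learned value, generating rule chains with a default action and the overwrite check, then evaluating a request) is modelled in the following added example. It is written for this page and is not SonicWall's implementation: the appliance's data structures are not published, so the URLProfile and rule representation, the set of content types treated as "HTML/XML", and the decision to round an exact power of two upward (because the text says "higher than") are assumptions. The training traffic is constructed.

```python
"""Toy model of the Application Profiling flow described above: learning URL
profiles from trusted traffic, rounding Post Data Length to the next power of
two, editing a learned value, and generating rule chains with a default
action. Added example for this page, not SonicWall's implementation; the
appliance's internal data structures are not published, and the sample
traffic below is constructed."""

from dataclasses import dataclass, field

# Content types profiled for the default "HTML/XML" selection (assumption).
HTML_XML = {"text/html", "application/xml", "text/xml"}


def post_data_limit(content_length):
    """Return the power of two closest to and greater than content_length, as
    the text describes (Content-Length 65 -> limit 128). Assumption: an exact
    power of two is also rounded up (64 -> 128), since the text says 'higher'."""
    limit = 1
    while limit <= content_length:
        limit *= 2
    return limit


@dataclass
class URLProfile:
    status_codes: set = field(default_factory=set)
    parameters: set = field(default_factory=set)
    max_post_length: int = 0  # 0 means no POST body was learned for this URL


def learn(traffic, content_types=HTML_XML):
    """Learning mode: build one URLProfile per URL from observed transactions
    whose response content type is among those selected for profiling."""
    profiles = {}
    for t in traffic:
        if t["response_content_type"] not in content_types:
            continue
        p = profiles.setdefault(t["url"], URLProfile())
        p.status_codes.add(t["status"])
        p.parameters.update(t["params"])
        if t["content_length"]:
            p.max_post_length = max(p.max_post_length,
                                    post_data_limit(t["content_length"]))
    return profiles


def generate_rules(profiles, default_action, existing=None, overwrite=False):
    """Generate Rules: one rule chain per URL profile with the chosen default
    action (Disabled, Detect Only or Prevent). An existing chain for a URL is
    replaced only when overwrite (Overwrite existing Rule Chains) is set."""
    rules = dict(existing or {})
    for url, profile in profiles.items():
        if url in rules and not overwrite:
            continue
        rules[url] = {"profile": profile, "action": default_action}
    return rules


def evaluate(rules, request):
    """Check an incoming request against its generated rule chain. Returns
    (outcome, violations), where outcome is 'allow', 'log' (Detect Only) or
    'block' (Prevent). Status codes are part of the learned profile but apply
    to responses, so they are not checked on the request here."""
    rule = rules.get(request["url"])
    if rule is None or rule["action"] == "Disabled":
        return "allow", []
    p = rule["profile"]
    violations = []
    unknown = set(request["params"]) - p.parameters
    if unknown:
        violations.append("unexpected parameters: %s" % sorted(unknown))
    if p.max_post_length and request["content_length"] > p.max_post_length:
        violations.append("POST body %d exceeds learned limit %d"
                          % (request["content_length"], p.max_post_length))
    if not violations:
        return "allow", []
    return ("block" if rule["action"] == "Prevent" else "log"), violations


# Constructed sample traffic from trusted users between Begin and End Profiling.
TRAINING = [
    {"url": "/app/login", "status": 302, "params": {"user", "password"},
     "content_length": 65, "response_content_type": "text/html"},
    {"url": "/app/login", "status": 200, "params": {"user", "password"},
     "content_length": 40, "response_content_type": "text/html"},
    {"url": "/app/search", "status": 200, "params": {"q"},
     "content_length": 0, "response_content_type": "text/html"},
    {"url": "/static/logo.png", "status": 200, "params": set(),
     "content_length": 0, "response_content_type": "image/png"},
]


def demo():
    profiles = learn(TRAINING)                     # End Profiling
    profiles["/app/search"].max_post_length = 256  # admin edits a learned value
    rules = generate_rules(profiles, "Prevent")
    tampered = {"url": "/app/login", "params": {"user", "password", "admin"},
                "content_length": 50}
    return profiles, rules, evaluate(rules, tampered)


if __name__ == "__main__":
    profiles, rules, outcome = demo()
    print(sorted(profiles))                        # ['/app/login', '/app/search']
    print(profiles["/app/login"].max_post_length)  # 128
    print(outcome)  # ('block', ["unexpected parameters: ['admin']"])
```

The image request is never profiled because only HTML/XML content types are selected, the login URL's limit becomes 128 from the learned Content-Length of 65, and a request that adds a parameter the profile never saw is blocked under Prevent or only logged under Detect Only. Generating again with a different default action leaves the existing chains alone unless the overwrite option is set.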