How Does Application Profiling Work - Dell SonicWall SRA 4200 Administrator's Manual

How Does Application Profiling Work?

The administrator can configure application profiling on the Web Application Firewall > Rules
page. Application profiling is performed independently for each portal and can profile multiple
applications simultaneously.
After selecting the portal, you can select the type of application content that you want to profile.
You can choose HTML/XML, Javascript, CSS, or All, which includes all content types such as
images, HTML, and CSS. HTML/XML content is the most important from a security standpoint,
because it typically covers the more sensitive Web transactions. This content type is selected
by default.
Then the SRA appliance is placed in learning mode by clicking on the Begin Profiling button
(the button then changes to End Profiling). The profiling should be done while trusted users
are using applications in an appropriate way. The SRA records inputs and stores them as URL
profiles. The URL profiles are listed as a tree structure on the Web Application Firewall > Rules
page in the Application Profiling section.
Only the URLs presented as hyperlinks are accessible URLs on the backend server. You can
click on the hyperlink to edit the learned values for that URL if the values are not accurate. You
can then generate rules to use the modified URL profile.
The SRA learns the following HTTP Parameters:
•
•
•
When an adequate amount of input has been learned, you can click the End Profiling button
and are ready to generate the rules from the learned input. You can set one of the following as
a default action for the generated rule chains:
•
•
•
70 | SRA 6.0 Administrator's Guide
Response Status Code
Post Data Length – The Post Data Length is estimated by learning the value in the Content-
Length header. The maximum size is set to the power of two that is closest to and higher
than this value. This accommodates the amount of memory that may have been allocated
by the backend application. For example, for a Content Length of 65, the next power of two
greater than 65 is 128. This is the limit configured in the URL profile. If the administrator
determines that this is not accurate, the value can be modified appropriately.
Request Parameters – This is the list of parameters that a particular URL can accept.
Disabled – The generated rules will be disabled rather than active.
Detect Only – Content triggering the generated rule will be detected and logged.
Prevent – Content triggering the generated rule will be blocked and logged.